WordPress Vulnerability News, April 2021

Agnes Talalaev, Patchstack

WordPress vulnerability news is a weekly digest of highlighted WordPress plugin and theme security vulnerabilities and vulnerability disclosures that have been published (other, less critical vulnerabilities in smaller plugins unfortunately don't make the list).

In April we have listed 9 vulnerable plugins and themes that affected more than 1.7 million sites.

This year we have listed 115 vulnerable plugins and themes that affect more than 17 million sites.

Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we analyze WordPress plugins and newly disclosed vulnerabilities, to make sure the sites using the mentioned plugins or themes are protected.

All the vulnerabilities listed in this article have received a virtual patch in the Patchstack security module. This means that if you use Patchstack, your site is protected from these vulnerabilities, but it is always strongly advised to update or delete vulnerable plugins as well.

You can find all the vulnerabilities mentioned in our WordPress vulnerability news in our vulnerability database.

Imagements

This plugin lets users use images in the comment section.

Vulnerability: Unauthenticated arbitrary file upload leading to remote code execution (RCE)
Fixed in version: no known fix – plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 9.8 (critical)

Unauthenticated Arbitrary File Upload leading to Remote Code Execution (RCE) vulnerability discovered by Jin Huang in WordPress Imagements plugin (versions <= 1.2.5).

Plugin closed. Deactivate and delete.

WP Page Builder

WP Page Builder is a free drag and drop WordPress page builder to create websites easily.

Vulnerability: Multiple stored cross-site scripting (XSS) vulnerabilities
Fixed in version: 1.2.4
Number of sites affected: 10 000+ 
CVSS 3.0 score: 7.4 (high)

Vulnerability: Insecure default configuration
Fixed in version: 1.2.4
Number of sites affected: 10 000+ 
CVSS 3.0 score: 5.4 (medium)

Multiple vulnerabilities discovered by WordFence in WordPress WP Page Builder plugin (versions <= 1.2.3).

Update the WordPress WP Page Builder plugin to the latest available version (at least 1.2.4).

Advanced Custom Fields PRO

Create fields in your WordPress site.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 5.9.1
Number of sites affected: 1+ million
CVSS 3.0 score: 6.8 (medium)

Reflected cross-site scripting (XSS) vulnerability discovered by Juan David Ordoñez Noriega in WordPress Advanced Custom Fields PRO plugin (versions <= 5.9.0).

Update the WordPress Advanced Custom Fields PRO plugin to the latest available version (at least 5.9.1).

Advanced Booking Calendar

Booking Calendar for Accommodations. The easy way to manage your bookings and raise your occupancy rate.

Vulnerability: Authenticated reflected cross-site scripting (XSS)
Fixed in version: 1.6.8
Number of sites affected: 5 000+
CVSS 3.0 score: 6.2 (medium)

Authenticated reflected cross-site scripting (XSS) vulnerability discovered by iohex in WordPress Advanced Booking Calendar plugin (versions <= 1.6.7).

Update the WordPress Advanced Booking Calendar plugin to the latest available version (at least 1.6.8).

Ivory Search

Ivory Search is a simple to use advanced WordPress search plugin.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 4.6.1
Number of sites affected: 60 000+
CVSS 3.0 score: 7.4 (high)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Jinson Varghese Behanan in WordPress Ivory Search plugin (versions <= 4.6).

Update the WordPress Ivory Search plugin to the latest available version (at least 4.6.1).

WooCommerce Customers Manager

WCCM expands your WooCommerce installation allowing you to easily retrieve all customers stats, personal data, import, export, guest conversion, etc.

Vulnerability: Authenticated reflected cross-site scripting (XSS)
Fixed in version: 26.7
Number of sites affected: 1 800+
CVSS 3.0 score: 6.2 (medium)

Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScan Team in WordPress WooCommerce Customers Manager premium plugin (versions <= 26.6).

Update the WordPress WooCommerce Customers Manager premium plugin to the latest available version (at least 26.7).

Cooked Pro

A recipe plugin for WordPress.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 1.7.5.6
Number of sites affected: N/A
CVSS 3.0 score: 7.4 (high)

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Jinson Varghese Behanan in WordPress Cooked Pro premium plugin (versions <= 1.7.5.5).

Update the WordPress Cooked Pro premium plugin to the latest available version (at least 1.7.5.6).

Goto - Tour & Travel WordPress theme

Goto is a theme for travel agency websites.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 2.0
Number of sites affected: 300+
CVSS 3.0 score: 7.4 (high)

Unauthenticated reflected cross-site scripting (XSS) vulnerability discovered by m0ze (Patchstack Red Team) in the WordPress Goto premium theme (versions <= 1.9).

Update the WordPress Goto premium theme to the latest available version (at least 2.0).

Bello premium theme

Bello is a premium WordPress theme professionally designed for directory & listing businesses.

Vulnerability: Unauthenticated SQL injection (SQLi)
Fixed in version: 1.5.8
Number of sites affected: 500+
CVSS 3.0 score: 7.5 (high)

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 1.5.8
Number of sites affected: 500+
CVSS 3.0 score: 6.1 (medium)

Unauthenticated reflected cross-site scripting (XSS) and unauthenticated SQL injection (SQLi) vulnerabilities discovered by m0ze in the WordPress Bello – Directory & Listing premium theme (versions <= 1.5.7).

Update the WordPress Bello – Directory & Listing premium theme to the latest available version (at least 1.5.8).

March WordPress Vulnerability News

Findeo premium theme

Findeo is a WordPress real estate listing theme.

Vulnerability: Authenticated insecure direct object references (IDOR)
Fixed in version: 1.3.1
Number of sites affected: N/A
CVSS 3.0 score: 6.5 (medium)

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 1.3.1
Number of sites affected: N/A
CVSS 3.0 score: 7.4 (high)

Multiple vulnerabilities discovered by m0ze (Patchstack Red Team) in the WordPress Findeo premium theme (versions <= 1.2.6).

Update the WordPress Findeo premium theme to the latest available version (at least 1.3.1).

WorkScout premium theme

A WordPress solution for recruiters and employment agencies.

Vulnerability: Cross-frame scripting (XFS)
Fixed in version: 2.0.32
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium)

Vulnerability: Cross-site scripting (XSS)
Fixed in version: 2.0.32
Number of sites affected: N/A
CVSS 3.0 score: 8.2 (high)

Multiple vulnerabilities discovered by m0ze (Patchstack Red Team) in the WordPress WorkScout premium theme (versions <= 2.0.31).

Update the WordPress WorkScout premium theme to the latest available version (at least 2.0.32).

Listeo premium theme

Build a directory & classifieds website similar to Yelp, Airbnb, Booking.com, TripAdvisor, HomeAway.

Vulnerability: Multiple insecure direct object references (IDOR)
Fixed in version: 1.6.11
Number of sites affected: N/A
CVSS 3.0 score: 6.5 (medium)

Vulnerability: Multiple authenticated persistent cross-site scripting (XSS)
Fixed in version: 1.6.11
Number of sites affected: N/A
CVSS 3.0 score: 6.9 (medium)

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 1.6.11
Number of sites affected: N/A
CVSS 3.0 score: 8.2 (high)

Multiple vulnerabilities discovered by m0ze (Patchstack Red Team) in the WordPress Listeo premium theme (versions <= 1.6.07).

Update the WordPress Listeo premium theme to the latest available version (at least 1.6.11).

Controlled Admin Access

Give temporary, limited admin access to theme designers, plugin developers, and support agents.

Vulnerability: Improper input validation leading to privilege escalation
Fixed in version: 1.5.6
Number of sites affected: 8 000+
CVSS 3.0 score: 8.1 (high)

Improper Input Validation leading to Privilege Escalation vulnerability discovered by NinTechNet in WordPress Controlled Admin Access plugin (versions <= 1.5.5).

Update the WordPress Controlled Admin Access plugin to the latest available version (at least 1.5.6).

Easy Form Builder

Easy Form Builder is a user-friendly form creator that allows you to create professional multistep forms within minutes.

Vulnerability: Unauthorized AJAX calls
Fixed in version: plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 6.5 (medium)

Unauthorized AJAX Calls vulnerability discovered by WPScan Team in WordPress Easy Form Builder plugin (versions <= 1.0).

Plugin closed. Deactivate and delete.

Quiz And Survey Master

Create quizzes, trivia quizzes, customer satisfaction surveys, and more.

Vulnerability: Authenticated SQL injection (SQLi)
Fixed in version: 7.1.14
Number of sites affected: 40 000+
CVSS 3.0 score: 8.1 (high)

Authenticated SQL injection (SQLi) vulnerability discovered by WPScan Team in WordPress Quiz And Survey Master plugin (versions <= 7.1.13).

Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 7.1.14).

Patreon WordPress

Connect your WordPress site and your Patreon to increase your patrons and pledges.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 1.7.2
Number of sites affected: 5 000+
CVSS 3.0 score: 8.8 (high)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Jetpack Scan team in WordPress Patreon WordPress plugin (versions <= 1.7.1).

Update the WordPress Patreon WordPress plugin to the latest available version (at least 1.7.2).

Facebook for WordPress

This plugin will install a Facebook Pixel for your page so you can capture the actions people take when they interact with your pages, such as Lead, ViewContent, AddToCart, InitiateCheckout, and Purchase events.

Vulnerability: Cross-site request forgery (CSRF) leading to stored cross-site scripting (XSS)
Fixed in version: 3.0.4
Number of sites affected: 500 000+
CVSS 3.0 score: 8.8 (high)

Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) vulnerability discovered by WordFence in WordPress Facebook for WordPress plugin (versions 3.0.0 – 3.0.3).

Update the WordPress Facebook for WordPress plugin to the latest available version (at least 3.0.4).

Vulnerability: PHP object injection vulnerability
Fixed in version: 3.0.0
Number of sites affected: 500 000+
CVSS 3.0 score: 10 (critical)

PHP Object Injection vulnerability discovered by WordFence in WordPress Facebook for WordPress plugin (versions <= 2.2.2).

Update the WordPress Facebook for WordPress plugin to the latest available version (at least 3.0.0).

Thrive themes - multiple vulnerabilities

Conversion-focused WordPress themes.

Storied

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Storied premium theme to the latest available version (at least 2.0.0).

Pressive

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Pressive premium theme to the latest available version (at least 2.0.0).

Performag

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Performag premium theme to the latest available version (at least 2.0.0).

Voice

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Voice premium theme to the latest available version (at least 2.0.0).

Squared

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Squared premium theme to the latest available version (at least 2.0.0).

Minus

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Minus premium theme to the latest available version (at least 2.0.0).

Focusblog

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Focusblog premium theme to the latest available version (at least 2.0.0).

Luxe

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Luxe premium theme to the latest available version (at least 2.0.0).

Ignition

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Ignition premium theme to the latest available version (at least 2.0.0).

Rise

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Rise premium theme to the latest available version (at least 2.0.0).

Thrive plugins - multiple vulnerabilities

Conversion-focused WordPress plugins.

Thrive Dashboard

Vulnerability: Unauthenticated option update
Fixed in version: 2.3.9.3
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Dashboard premium plugin to the latest available version (at least 2.3.9.3).

Thrive Architect

Vulnerability: Unauthenticated option update
Fixed in version: 2.6.7.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Architect premium plugin to the latest available version (at least 2.6.7.4).

Thrive Apprentice

Vulnerability: Unauthenticated option update
Fixed in version: 2.3.9.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the Thrive Apprentice premium plugin to the latest available version (at least 2.3.9.4).

Thrive Quiz Builder

Vulnerability: Unauthenticated option update
Fixed in version: 2.3.9.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Quiz Builder premium plugin to the latest available version (at least 2.3.9.4).

Thrive Ultimatum

Vulnerability: Unauthenticated option update
Fixed in version: 2.3.9.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Ultimatum premium plugin to the latest available version (at least 2.3.9.4).

Thrive Leads

Vulnerability: Unauthenticated option update
Fixed in version: 2.3.9.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Leads premium plugin to the latest available version (at least 2.3.9.4).

Thrive Themes Builder

Vulnerability: Unauthenticated option update
Fixed in version: 2.2.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Themes Builder premium plugin to the latest available version (at least 2.2.4).

Thrive Headline Optimizer

Vulnerability: Unauthenticated option update
Fixed in version: 1.3.7.3
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Headline Optimizer premium plugin to the latest available version (at least 1.3.7.3).

Thrive Comments

Vulnerability: Unauthenticated option update
Fixed in version: 1.4.15.3
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Comments premium plugin to the latest available version (at least 1.4.15.3).

Thrive Optimize

Vulnerability: Unauthenticated option update
Fixed in version: 1.4.13.3
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Optimize premium plugin to the latest available version (at least 1.4.13.3).

GiveWP – Donation Plugin and Fundraising Platform

A donation plugin for WordPress.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 2.10.0
Number of sites affected: 100 000+
CVSS 3.0 score: 6.1 (medium)

Reflected cross-site scripting (XSS) vulnerability discovered by Austin Bentley in WordPress GiveWP plugin (versions <= 2.9.7).

Update the WordPress GiveWP plugin to the latest available version (at least 2.10.0).

Controlled Admin Access

Give temporary, limited admin access to theme designers, plugin developers, and support agents.

Vulnerability: Improper access control & privilege escalation vulnerability
Fixed in version: 1.5.2
Number of sites affected: 8 000+
CVSS 3.0 score: 8.3 (high)

Improper access control & privilege escalation vulnerability discovered by m0ze (Patchstack Red Team) in WordPress Controlled Admin Access plugin (versions <= 1.5.1).

Update the WordPress Controlled Admin Access plugin to the latest available version (at least 1.5.2).

Delightful Downloads

A downloads manager for WordPress.

Vulnerability: Path traversal vulnerability
Fixed in version: no known fix – plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 7.5 (high)

This plugin has been closed as of June 11, 2020, and is not available for download. Reason: Security Issue.

BuddyPress

BuddyPress helps you build a community website using WordPress.

Vulnerability: Privilege escalation vulnerability
Fixed in version: 7.2.1
Number of sites affected: N/A
CVSS 3.0 score: 7.6 (high)

Privilege escalation vulnerability discovered in WordPress BuddyPress plugin (versions <= 7.2.0).

Update the WordPress BuddyPress plugin to the latest available version (at least 7.2.1).

Elementor Website Builder

A WordPress website builder.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 3.1.4
Number of sites affected: 5+ million
CVSS 3.0 score: 6.4 (medium)

Multiple authenticated stored cross-site scripting (XSS) vulnerabilities found by WordFence in WordPress Elementor Website Builder plugin (versions <= 3.1.1).

Update the WordPress Elementor Website Builder plugin to the latest available version (at least 3.1.4).

WP Super Cache

This plugin generates static html files from your dynamic WordPress blog.

Vulnerability: Authenticated remote code execution (RCE)
Fixed in version: 1.7.2
Number of sites affected: 2+ million

Authenticated Remote Code Execution (RCE) vulnerability (settings page) discovered by m0ze (Patchstack Red Team) in WordPress WP Super Cache plugin (versions <= 1.7.1).

Update the WordPress WP Super Cache plugin to the latest available version (at least 1.7.2).

Tutor LMS – eLearning and online course solution

Tutor is a WordPress LMS plugin to create & sell courses online.

Vulnerability: Unprotected AJAX action leading to privilege escalation
Fixed in version: 1.7.7
Number of sites affected: 20 000+

Vulnerability: Multiple Blind/Time-based SQL Injection (SQLi) vulnerabilities
Fixed in version: 1.7.7
Number of sites affected: 20 000+

Vulnerability: Multiple union SQL injection (SQLi) vulnerabilities
Fixed in version: 1.8.3
Number of sites affected: 20 000+

Update the WordPress Tutor LMS plugin to the latest available version (at least 1.8.3).

The Plus Addons for Elementor

Collection of 100+ Elementor widgets, 18+ templates, 300+ UI blocks and more.

Vulnerability: Privilege escalation vulnerability
Fixed in version: no known fix
Number of sites affected: N/A

Privilege Escalation vulnerability found by Ville Korhonen in WordPress The Plus Addons for Elementor premium plugin (versions <= 4.1.6).

2021-03-09 – we were unable to find any information about a patched version of this plugin. We recommend deactivating and uninstalling this software until a patched version is available.

Five Star Restaurant Menu

Create a responsive restaurant menu and a restaurant menu ordering system.

Vulnerability: Unauthenticated Remote Code Execution (RCE)
Fixed in version: 2.2.1
Number of sites affected: 10 000+

Unauthenticated Remote Code Execution (RCE) vulnerability discovered by Nick Blundell in WordPress Five Star Restaurant Menu plugin (versions <= 2.2.0).

Update the WordPress Five Star Restaurant Menu plugin to the latest available version (at least 2.2.1).

WooCommerce Upload Files premium

Upload any file any size from the product, cart, checkout, thank you, and/or order details pages. Preview images, add additional costs, fees, and many more options.

Vulnerability: Unauthenticated arbitrary file upload
Fixed in version: 59.4
Number of sites affected: 5 000+

Unauthenticated Arbitrary File Upload vulnerability found by WordFence in WordPress WooCommerce Upload Files premium plugin (versions <= 59.3).

Update the WordPress WooCommerce Upload Files premium plugin to the latest available version (at least 59.4).

User Profile Picture

Set or remove a custom profile image for a user using the standard WordPress media upload tool.

Vulnerability: Sensitive information disclosure
Fixed in version: 2.5.0
Number of sites affected: 60 000+

Sensitive Information Disclosure vulnerability found by WordFence in WordPress User Profile Picture plugin (versions <= 2.4.0).

Update the WordPress User Profile Picture plugin to the latest available version (at least 2.5.0).

Forminator

WordPress form builder.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 1.14.8.1
Number of sites affected: 100 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Forminator plugin (versions <= 1.14.8).

Update the WordPress Forminator plugin to the latest available version (at least 1.14.8.1).

Dokan

Marketplace plugin for WordPress.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 3.2.1
Number of sites affected: 60 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Dokan plugin (versions <= 3.2.0).

Update the WordPress Dokan plugin to the latest available version (at least 3.2.1).

Defender Security – Malware Scanner, Login Security & Firewall

WordPress security plugin.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 2.4.6.1
Number of sites affected: 50 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Defender Security plugin (versions <= 2.4.6).

Update the WordPress Defender Security plugin to the latest available version (at least 2.4.6.1).

Abandoned Cart Lite for WooCommerce

Abandoned Cart Plugin helps you recover those carts from your WooCommerce shop.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 5.8.6
Number of sites affected: 30 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Abandoned Cart Lite for WooCommerce plugin (versions <= 5.8.5).

Update the WordPress Abandoned Cart Lite for WooCommerce plugin to the latest available version (at least 5.8.6).

Style Kits – Advanced Theme Styles for Elementor

Style Kits for Elementor adds meaningful UI controls to Theme Styles for the most important variables of your layout system in Elementor.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 1.8.1
Number of sites affected: 10 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Style Kits plugin (versions <= 1.8.0).

Update the WordPress Style Kits plugin to the latest available version (at least 1.8.1).

WP ERP

Company and business management solution for WordPress.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 1.7.5
Number of sites affected: 10 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress WP ERP plugin (versions <= 1.7.4).

Update the WordPress WP ERP plugin to the latest available version (at least 1.7.5).

WP Project Manager

A project management and task management tool for WordPress.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 2.4.10
Number of sites affected: 10 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress WP Project Manager plugin (versions <= 2.4.9).

Update the WordPress WP Project Manager plugin to the latest available version (at least 2.4.10).

WP Travel

WP Travel is a free travel engine for making customized travel and tour agency websites on WordPress.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 4.4.7
Number of sites affected: 6 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress WP Travel plugin (versions <= 4.4.6).

Update the WordPress WP Travel plugin to the latest available version (at least 4.4.7).

February WordPress Vulnerability News

YITH WooCommerce Gift Cards Premium

Sell gift cards in your shop to increase your earnings and attract new customers.

Vulnerability: Arbitrary file upload to remote code execution (RCE)
Fixed in version: 3.3.1
Number of sites affected: 50 000+

Arbitrary File Upload to Remote Code Execution (RCE) vulnerability found by Guy Liu in WordPress YITH WooCommerce Gift Cards plugin (versions <= 3.3.0).

Update the WordPress YITH WooCommerce Gift Cards plugin to the latest available version (at least 3.3.1).

NextGEN Gallery Pro

Gallery plugin built for WordPress.

Vulnerability: Cross-site scripting (XSS)
Fixed in version: 3.1.11
Number of sites affected: 1+ million

Reflected Cross-Site Scripting (XSS) vulnerability found by Thura Moe Myint in WordPress NextGEN Gallery Pro premium plugin (versions <= 3.1.9).

Update the WordPress NextGEN Gallery Pro premium plugin to the latest available version (at least 3.1.11).

WordPress Mega Menu – QuadMenu

Mega Menu is designed for theme developers with customizable menu layouts and drag & drop fields.

Vulnerability: Remote code execution (RCE)
Fixed in version: 2.0.7
Number of sites affected: 20 000+

Remote Code Execution (RCE) vulnerability found by Mikel Gorraiz in WordPress QuadMenu plugin (versions <= 2.0.6).

Update the WordPress QuadMenu plugin to the latest available version (at least 2.0.7).

WP Private Content Plus

WP Private Content Plus simplifies the process for protecting your important WordPress site content from guests, members, specific user roles, or a group of selected users.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 3.2
Number of sites affected: 8 000+

Cross-Site Request Forgery (CSRF) vulnerability found in WordPress WP Private Content Plus plugin (versions <= 3.1).

Update the WordPress WP Private Content Plus plugin to the latest available version (at least 3.2).

Custom Banners

Custom Banners is a WordPress plugin that allows you to easily manage several banners (ads) and display them on the front end.

Vulnerability: Cross-site request forgery (CSRF) vulnerability
Fixed in version: 3.3
Number of sites affected: 7 000+

Cross-Site Request Forgery (CSRF) vulnerability found by WPScan Team in WordPress Custom Banners plugin (versions <= 3.2.2).

Update the WordPress Custom Banners plugin to the latest available version (at least 3.3).

WordPress Backup and Migrate Plugin – Backup Guard

Backup Guard is a WordPress backup plugin.

Vulnerability: Authenticated arbitrary file upload vulnerability
Fixed in version: 1.6.0
Number of sites affected: 70 000+

Authenticated Arbitrary File Upload vulnerability found by Nguyen Van Khanh in WordPress Backup Guard plugin (versions <= 1.5.9).

Update the WordPress Backup Guard plugin to the latest available version (at least 1.6.0).

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress

Use Ninja Forms to create WordPress forms.

Vulnerability: Authenticated SendWP plugin installation and client secret key disclosure vulnerability
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Vulnerability: Authenticated OAuth connection key disclosure vulnerability
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Vulnerability: Administrator open redirect vulnerability
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Vulnerability: Cross-site request forgery (CSRF) vulnerability
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Update the WordPress Ninja Forms Contact Form plugin to the latest available version (at least 3.4.34).

WP Ticket Customer Service Software & Support Ticket System

WP Ticket is a help desk software for WordPress.

Vulnerability: Cross-site scripting (XSS) 
Fixed in version: 5.6.0
Number of sites affected: 600+

Cross-Site Scripting (XSS) vulnerability found by WPScan security research team in WordPress WP Ticket Customer Service Software & Support Ticket System plugin (versions <= 5.5.1).

Update the WordPress WP Ticket Customer Service Software & Support Ticket System plugin to the latest available version (at least 5.6.0).

WordPress Vulnerability News - Conclusion

WordPress sites are hacked and infected every day; some statistics put the number of websites infected with some type of malware at about 30,000 daily.

Every public website is a resource reachable from the internet and therefore a target. As soon as your website is available to the public, it becomes one.

It can take just days from the disclosure of a plugin vulnerability to a full-scale attack campaign, and attacks of this nature are almost always automated.

To fight back you have only a small time window in which to act, and this is where virtual patches become critically important.

Always keep your plugins updated. If possible, enable automatic updates. If you are using any of the mentioned plugins, you need to update it with the latest version as soon as possible.
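As an added example for this article (not part of the original post and not Patchstack's own tooling), the script below turns a digest like the one above into a check you can run against a site: it parses entries in the digest's own layout ("Vulnerability: ...", "Fixed in version: ..."), compares installed versions against the fixed versions, and flags entries with no fix as needing removal rather than an update. The embedded digest excerpt is copied from this article; the plugin inventory is constructed sample data in the JSON shape that `wp plugin list --format=json` produces, and the slug-to-display-name mapping (including the slugs themselves) is an assumption you would fill in for your own site.

```python
"""Triage this vulnerability digest against a site's installed plugins.
Added example for this article, not Patchstack code: it parses entries in the
digest's own layout and compares them with an inventory in the JSON shape that
`wp plugin list --format=json` emits (name, status, version)."""
from __future__ import annotations
import json
import re
from dataclasses import dataclass

# Excerpt copied from the digest above (one record per entry).
SAMPLE_DIGEST = """\
Five Star Restaurant Menu

Create a responsive restaurant menu and a restaurant menu ordering system.

Vulnerability: Unauthenticated Remote Code Execution (RCE)
Fixed in version: 2.2.1

Imagements

Vulnerability: Unauthenticated arbitrary file upload leading to remote code execution (RCE)
Fixed in version: no known fix – plugin closed

Listeo premium theme

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 1.6.11
"""

# Constructed sample inventory (slugs assumed, not from the article) in the
# shape of `wp plugin list --format=json`.
SAMPLE_INVENTORY = json.dumps([
    {"name": "five-star-restaurant-menu", "status": "active", "version": "2.2.0"},
    {"name": "imagements", "status": "inactive", "version": "1.2.5"},
    {"name": "listeo-core", "status": "active", "version": "1.6.07"},
    {"name": "akismet", "status": "active", "version": "4.1.9"},
])
# Assumed mapping from installed slug to the display name used in the digest.
NAME_MAP = {"five-star-restaurant-menu": "Five Star Restaurant Menu",
            "imagements": "Imagements", "listeo-core": "Listeo premium theme"}
KEY_RE = re.compile(r"^(Vulnerability|Fixed in version):\s*(.+?)\s*$")

@dataclass(frozen=True)
class Advisory:
    plugin: str
    vulnerability: str
    fixed_in: str | None  # None when the digest lists no fix (plugin closed)

def is_heading(block: list[str]) -> bool:
    """Heuristic for this digest's layout: a name is one line with no 'key: value'
    colon and no sentence-ending punctuation, unlike descriptions and remedies."""
    return (len(block) == 1 and ":" not in block[0]
            and not block[0].endswith((".", "!", "?")))

def parse_digest(text: str) -> list[Advisory]:
    """Remember the latest heading; emit one Advisory per 'Vulnerability:' block."""
    advisories: list[Advisory] = []
    current: str | None = None
    for raw in re.split(r"\n\s*\n", text.strip()):
        block = [ln.strip() for ln in raw.splitlines() if ln.strip()]
        if is_heading(block):
            current = block[0]
            continue
        fields = dict(m.groups() for ln in block if (m := KEY_RE.match(ln)))
        if current and "Vulnerability" in fields:
            fixed = fields.get("Fixed in version", "")
            advisories.append(Advisory(current, fields["Vulnerability"],
                                       fixed if fixed[:1].isdigit() else None))
    return advisories

def parse_version(v: str) -> tuple[int, ...]:
    """'1.6.07' -> (1, 6, 7). Trailing zero segments are dropped so 1.7 and
    1.7.0 compare equal; non-numeric suffixes are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_vulnerable(installed: str, adv: Advisory) -> bool:
    """No published fix means every version is exposed; else anything below the fix."""
    return adv.fixed_in is None or parse_version(installed) < parse_version(adv.fixed_in)

def find_exposures(digest: str, inventory_json: str,
                   name_map: dict[str, str]) -> list[dict]:
    """One finding per exposed (installed plugin, advisory) pair. Inactive plugins
    count too: a closed plugin's code stays reachable on disk until deleted."""
    by_name: dict[str, list[Advisory]] = {}
    for adv in parse_digest(digest):
        by_name.setdefault(adv.plugin, []).append(adv)
    findings = []
    for plugin in json.loads(inventory_json):
        for adv in by_name.get(name_map.get(plugin["name"]), []):
            if is_vulnerable(plugin["version"], adv):
                findings.append({
                    "slug": plugin["name"], "installed": plugin["version"],
                    "status": plugin["status"], "vulnerability": adv.vulnerability,
                    "action": (f"update to {adv.fixed_in} or later" if adv.fixed_in
                               else "no fix: deactivate and delete")})
    return findings
```

Calling `find_exposures(SAMPLE_DIGEST, SAMPLE_INVENTORY, NAME_MAP)` on the sample data reports three findings: Five Star Restaurant Menu 2.2.0 (update to 2.2.1 or later), Imagements 1.2.5 (no fix, delete) and the hypothetical `listeo-core` 1.6.07 (update to 1.6.11 or later); the unmapped `akismet` entry is ignored. The version comparison is numeric per segment rather than a string comparison, which is what makes 1.6.07 sort below 1.6.11 and 26.6 below 26.7; a deactivated plugin is still reported because its files remain on disk until deleted.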

Patchstack creates virtual patches that are distributed automatically to protected sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus, so our security engine is updated daily.

Websites with Patchstack installed are protected from the security issues mentioned in this article. If you are not yet protecting your WordPress site against plugin vulnerabilities, go and start for free here.
