WordPress Vulnerability News, May 2021

Agnes Talalaev
from patchstack

WordPress vulnerability news is a weekly digest of notable WordPress plugin and theme vulnerabilities and vulnerability disclosures that have been published. Less critical vulnerabilities in smaller plugins unfortunately do not make it onto the list.

In May we have listed 3 vulnerable plugins that affect more than 200 000 sites.

This year we have listed 172 vulnerable plugins and themes that affect more than 32.5 million sites.

Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we analyze WordPress plugins and newly disclosed vulnerabilities, to make sure the sites using the mentioned plugins or themes are protected.

All the vulnerabilities in this article have received a virtual patch in the Patchstack security module. If you use Patchstack, your site is protected against these vulnerabilities, but it is still strongly advised to update or delete vulnerable plugins from your site.

You can find all the vulnerabilities mentioned in our WordPress vulnerability news from our vulnerability database.
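The advice above boils down to one check per plugin: is the installed version older than the version that ships the fix, and if no fix exists, remove the plugin. As an added example that is not part of this digest and not Patchstack's tooling, the script below does that comparison over the JSON that `wp plugin list --format=json` prints. The "fixed in" versions come from the entries in this digest; the plugin slugs, the installed-plugin sample and the `ADVISORIES` table are assumptions constructed for the example. It also shows why versions must be compared numerically rather than as strings, which matters for version numbers like 5.153.4 and 1.10.5 that appear in this digest.

```python
"""Compare installed WordPress plugin versions with the 'fixed in' versions
from a vulnerability digest.

Added example, not Patchstack's code. The plugin slugs and the
installed-plugin sample below are assumptions/constructed data in the shape
that `wp plugin list --format=json` prints.
"""
import json
import re

# Slug -> version that fixes the issue. None means no fix exists, so the
# only safe action is to deactivate and delete the plugin. Versions are
# taken from the digest; the slugs are assumed.
ADVISORIES = {
    "malcare-security": "4.58",           # authenticated XSS, fixed in 4.58
    "cleantalk-spam-protect": "5.153.4",  # unauthenticated blind SQLi
    "popup-by-supsystic": "1.10.5",       # reflected XSS
    "wp-super-edit": None,                # remote file upload, no known fix
}

# Constructed sample of `wp plugin list --format=json` output.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "malcare-security", "status": "active", "version": "4.57"},
    {"name": "cleantalk-spam-protect", "status": "active", "version": "5.153.4"},
    {"name": "popup-by-supsystic", "status": "active", "version": "1.9.2"},
    {"name": "wp-super-edit", "status": "inactive", "version": "2.5.4"},
    {"name": "akismet", "status": "active", "version": "4.1.9"},
])


def parse_version(version):
    """Turn '1.6.07' into [1, 6, 7]; non-numeric suffixes such as '-beta' are
    ignored. Plain string comparison gets these wrong: as strings,
    '1.9.2' > '1.10.5' and '5.153.4' < '5.99', because characters are
    compared one at a time instead of the components being compared as
    numbers."""
    return [int(p) for p in re.findall(r"\d+", version)]


def version_lt(installed, fixed):
    """True if `installed` is strictly older than `fixed`. Shorter version
    strings are padded with zeros, so '2.4' equals '2.4.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a < b


def assess(plugin_list_json, advisories=ADVISORIES):
    """Return one (slug, installed_version, fixed_version, action) tuple per
    plugin that is on the advisory list and still vulnerable. `action` is
    'update' when a fixed version exists and 'remove' when none does.
    Inactive plugins are reported too: their files are still on disk and
    many WordPress vulnerabilities are reachable through files that load
    without the plugin being active."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug = plugin["name"]
        if slug not in advisories:
            continue
        fixed = advisories[slug]
        if fixed is None:
            findings.append((slug, plugin["version"], None, "remove"))
        elif version_lt(plugin["version"], fixed):
            findings.append((slug, plugin["version"], fixed, "update"))
    return findings


if __name__ == "__main__":
    for slug, installed, fixed, action in assess(SAMPLE_WP_PLUGIN_LIST):
        target = fixed if fixed else "no fix available"
        print(f"{action:6} {slug}: installed {installed}, fixed in {target}")
```

To run it against a real site, replace `SAMPLE_WP_PLUGIN_LIST` with the output of `wp plugin list --format=json` from that install and extend `ADVISORIES` with the slug and "fixed in" version of every entry from the digest that applies to you. Premium themes and plugins that are not on WordPress.org have no slug in that output and still have to be checked by hand.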

WP Super Edit

WP Super Edit takes control of the WordPress WYSIWYG visual editor and adds functionality such as extra buttons and customized TinyMCE plugins.

Vulnerability: Remote file upload
Fixed in version: No known fix
Number of sites affected: 7 000+
CVSS 3.0 score: 8.6 (high – the plugin is no longer maintained or has been discontinued, so no fix is expected)

Remote File Upload vulnerability discovered by h4shur in WordPress WP Super Edit plugin (versions <= 2.5.4).

No patched version is available at the moment. Deactivate and delete the plugin until a patched version is available.

MalCare Security

A security plugin for WordPress.

Vulnerability: Authenticated cross-site scripting
Fixed in version: 4.58
Number of sites affected: 100 000+
CVSS 3.0 score: 4.8 (medium – exploitable only with admin authentication)

Authenticated Cross-Site Scripting (XSS) vulnerability discovered by Lenon Leite in WordPress MalCare Security plugin (versions <= 4.57).

Update the WordPress MalCare Security plugin to the latest available version (at least 4.58).

Spam Protection, Antispam, Firewall by CleanTalk

An anti-spam and firewall plugin for WordPress.

Vulnerability: Unauthenticated time-based blind SQL injection (SQLi)
Fixed in version: 5.153.4
Number of sites affected: 100 000+
CVSS 3.0 score: 7.5 (high)

Unauthenticated Time-Based Blind SQL Injection (SQLi) vulnerability discovered by WordFence in WordPress Spam protection, AntiSpam, FireWall by CleanTalk plugin (versions <= 5.153.3).

Update the WordPress Spam protection, AntiSpam, FireWall by CleanTalk plugin to the latest available version (at least 5.153.4).

April WordPress Vulnerability News

WooCommerce

WooCommerce is a customizable, open-source eCommerce platform built on WordPress.

Vulnerability: Authenticated persistent cross-site scripting (XSS)
Fixed in version: 5.2.0
Number of sites affected: 5+ million
CVSS 3.0 score: 5.4 (medium)

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress WooCommerce plugin (versions <= 5.1.0).

Update the WordPress WooCommerce plugin to the latest available version (at least 5.2.0).

AcyMailing SMTP Newsletter

Use our free WordPress newsletter plugin.

Vulnerability: Unauthenticated open redirect
Fixed in version: 7.5.0
Number of sites affected: 50 000+ 
CVSS 3.0 score: 5.3 (medium)

Unauthenticated Open Redirect vulnerability discovered by Viktor Markopoulos in WordPress AcyMailing SMTP Newsletter plugin (versions <= 7.4.1).

Update the WordPress AcyMailing SMTP Newsletter plugin to the latest available version (at least 7.5.0).

Goto - Tour & Travel WordPress Theme

Goto is a travel agency WordPress theme.

Vulnerability: Unauthenticated blind SQL injection (SQLi)
Fixed in version: 2.1
Number of sites affected: 300+ 
CVSS 3.0 score: 9.8 (critical – can be exploited remotely without any authentication) 

Unauthenticated Blind SQL Injection (SQLi) vulnerability discovered by m0ze (Patchstack Red Team) in WordPress Goto premium theme (versions <= 2.0).

Update the WordPress Goto premium theme to the latest available version (at least 2.1).

WP Super Cache

This plugin generates static HTML files from your dynamic WordPress blog.

Vulnerability: Authenticated persistent cross-site scripting (XSS)
Fixed in version: 1.7.3
Number of sites affected: 2+ million
CVSS 3.0 score: 5.4 (medium) 

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress WP Super Cache plugin (versions <= 1.7.2).

Update the WordPress WP Super Cache plugin to the latest available version (at least 1.7.3).

WP Fastest Cache

Improve your page load time with WP Fastest Cache.

Vulnerability: Authenticated arbitrary file deletion via path traversal
Fixed in version: 0.9.1.7
Number of sites affected: 1+ million
CVSS 3.0 score: 3.8 (low) 

Authenticated arbitrary file deletion via path traversal vulnerability discovered by Gen Sato in WordPress WP Fastest Cache plugin (versions <= 0.9.1.6).

Update the WordPress WP Fastest Cache plugin to the latest available version (at least 0.9.1.7).

Store Locator Plus

Store Locator Plus® has all the features you need to create a location finder on your website.

Vulnerability: Multiple vulnerabilities
Fixed in version: Plugin temporarily closed
Number of sites affected: N/A
CVSS 3.0 score: 7.2-9.9 (high-critical) 

Multiple vulnerabilities were discovered in the WordPress Store Locator Plus plugin (versions <= 5.5.15).

This plugin has been closed as of April 12, 2021 and is not available for download. This closure is temporary, pending a full review.

RSS for Yandex Turbo

RSS for Yandex Turbo generates an RSS feed for Yandex Turbo pages from your WordPress content.

Vulnerability: Stored cross-site scripting (XSS)
Fixed in version: 1.30
Number of sites affected: 50 000+
CVSS 3.0 score: 6.5 (medium) 

Stored cross-site scripting (XSS) vulnerability discovered by Himamshu Dilip Kulkarni in WordPress RSS for Yandex Turbo plugin (versions <= 1.29).

Update the WordPress RSS for Yandex Turbo plugin to the latest available version (at least 1.30).

Database Backup for WordPress

Database Backup for WordPress allows you to easily back up your core WordPress database tables.

Vulnerability: Authenticated persistent cross-site scripting (XSS)
Fixed in version: 2.4
Number of sites affected: 100 000+
CVSS 3.0 score: 6.9 (medium) 

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by m0ze (Patchstack Red Team) in Database Backup for WordPress plugin (versions <= 2.3.3).

Update the Database Backup for WordPress plugin to the latest available version (at least 2.4).

iThemes Security

iThemes Security offers 2FA, reCAPTCHA and other hardening tools for WordPress.

Vulnerability: Hide backend bypass
Fixed in version: 7.9.1
Number of sites affected: 1+ million
CVSS 3.0 score: 4.3 (medium) 

Hide Backend Bypass vulnerability discovered by Julio Potier (SecuPress) in WordPress iThemes Security plugin (versions <= 7.9.0).

Update the WordPress iThemes Security plugin to the latest available version (at least 7.9.1).

SEO Redirection Plugin – 301 Redirect Manager

SEO Redirection is a redirect manager.

Vulnerability: Multiple vulnerabilities
Fixed in version: 6.4
Number of sites affected: 40 000+
CVSS 3.0 score: 6.5-6.8 (medium) 

Authenticated reflected cross-site scripting (XSS) and authenticated persistent cross-site scripting (XSS) vulnerabilities discovered by m0ze (Patchstack Red Team) in WordPress SEO Redirection plugin (versions <= 6.3).

Update the WordPress SEO Redirection plugin to the latest available version (at least 6.4).

GiveWP

GiveWP is a donation plugin for WordPress.

Vulnerability: Authenticated persistent cross-site scripting (XSS)
Fixed in version: 2.10.2
Number of sites affected: 100 000+
CVSS 3.0 score: 6.5 (medium) 

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by m0ze (Patchstack Red Team) in WordPress GiveWP plugin (versions <= 2.10.1).

Update the WordPress GiveWP plugin to the latest available version (at least 2.10.2).

All 404 Redirect to Homepage

This plugin redirects all random 404 links that appear on your website to the homepage or any other page using a 301 (SEO) redirect.

Vulnerability: Authenticated reflected cross-site scripting (XSS)
Fixed in version: 1.21
Number of sites affected: 200 000+
CVSS 3.0 score: 6.5 (medium) 

Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by m0ze (Patchstack Red Team) in WordPress All 404 Redirect to Homepage plugin (versions <= 1.20).

Update the WordPress All 404 Redirect to Homepage plugin to the latest available version (at least 1.21).

Kaswara Modern WPBakery Page Builder Addons

Kaswara is an addon for the WPBakery Page Builder WordPress plugin that adds a large set of elements for building custom layouts.

Vulnerability: Arbitrary file upload/deletion
Fixed in version: Plugin removed from Envato repository. Deactivate and delete.
Number of sites affected: 10 000+
CVSS 3.0 score: 10 (critical) 

Arbitrary File Upload/Deletion vulnerabilities discovered by Robin Goodfellow in WordPress Kaswara Modern WPBakery Page Builder Addons premium plugin (versions <= 3.0.1).

Because this plugin has been closed and the plugin developer has been unresponsive, it is strongly advised to remove this plugin completely from your WordPress site as soon as possible.

The exploited flaw makes it possible for unauthenticated attackers to upload malicious PHP files to a WordPress site and ultimately achieve remote code execution to take over the site.

Redirection for Contact Form 7

An add-on for Contact Form 7 – redirect to any page you choose.

Vulnerability: Multiple vulnerabilities
Fixed in version: 2.3.4
Number of sites affected: 200 000+
CVSS 3.0 score: 4.2-7.5 (medium and high severity) 

Multiple vulnerabilities discovered by WordFence in WordPress Redirection for Contact Form 7 plugin.

Ultimate Maps by Supsystic

Supsystic Ultimate Maps plugin was developed after the changes in Google maps pricing policy.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 1.2.5
Number of sites affected: 10 000+
CVSS 3.0 score: 5.4 (medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by 0xB9 in WordPress Ultimate Maps by Supsystic plugin (versions <= 1.2.4).

Update the WordPress Ultimate Maps by Supsystic plugin to the latest available version (at least 1.2.5).

Popup by Supsystic

Popup plugin by Supsystic.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 1.10.5
Number of sites affected: 30 000+
CVSS 3.0 score: 5.4 (medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by 0xB9 in WordPress Popup by Supsystic plugin (versions <= 1.10.4).

Update the WordPress Popup by Supsystic plugin to the latest available version (at least 1.10.5).

QIWI for WooCommerce

Woocommerce payment gateway.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: Plugin does not exist, is not supported or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 7.4 (high)

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Frank Liauw in WordPress QIWI for WooCommerce plugin (versions <= 0.0.9).

This plugin has been closed as of April 12, 2021 and is not available for download. This closure is temporary, pending a full review.

Teamleader CRM Forms

The Teamleader CRM Forms integration is a plugin to register leads or contacts directly from your WordPress website or landing page.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: Plugin does not exist, is not supported or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 7.4 (high)

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Frank Liauw in WordPress Teamleader CRM Forms plugin (versions <= 2.0.0).

This plugin has been closed as of April 12, 2021 and is not available for download. This closure is temporary, pending a full review.

Invoicing with InvoiceXpress for WooCommerce – Free

“Invoicing with InvoiceXpress for WooCommerce – Free” allows you to easily create legal invoices for your WooCommerce orders.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 3.0.3
Number of sites affected: 100+
CVSS 3.0 score: 7.4 (high)

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Frank Liauw in WordPress Invoicing with InvoiceXpress for WooCommerce plugin (versions <= 3.0.2).

Update the WordPress Invoicing with InvoiceXpress for WooCommerce plugin to the latest available version (at least 3.0.3).

Shopello API

This plugin enables your WordPress website to make use of a listing shortcode.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: Plugin does not exist, is not supported or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 7.4 (high)

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Frank Liauw in WordPress Shopello API plugin (versions <= 2.9.0).

This plugin has been closed as of April 12, 2021 and is not available for download. This closure is temporary, pending a full review.

WordPress core 4.7-5.7

The world’s most popular website builder. 41% of the web is built on WordPress.

Vulnerability: Sensitive data exposure
Fixed in version: 5.7.1
Number of sites affected: N/A
CVSS 3.0 score: 5.3 (medium)

Vulnerability: XML external entity (XXE)
Fixed in version: 5.7.1
Number of sites affected: N/A
CVSS 3.0 score: 6.5 (medium – affects installations running PHP 8)

Sensitive data exposure and XML external entity (XXE) vulnerabilities discovered by SonarSource in WordPress core (versions 4.7 to 5.7).

Update the WordPress core to the latest available version (at least 5.7.1).

Sina Extension for Elementor

This is an extension (addon) for the Elementor page builder that adds more elements to it.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 3.3.12
Number of sites affected: 10 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Sina Extension for Elementor plugin (versions <= 3.3.11).

Update the WordPress Sina Extension for Elementor plugin to the latest available version (at least 3.3.12).

Ultimate Addons For Elementor

Elementor widgets, templates and blocks.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.30.0
Number of sites affected: 600 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Ultimate Addons for Elementor premium plugin (versions <= 1.29.2).

Update the WordPress Ultimate Addons for Elementor premium plugin to the latest available version (at least 1.30.0).

Elementor Addon Elements

Add more power to your Elementor page builder experience by using our 24+ easy to use widgets and extensions.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.11.2
Number of sites affected: 100 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Elementor Addon Elements plugin (versions <= 1.11.1).

Update the WordPress Elementor Addon Elements plugin to the latest available version (at least 1.11.2).

Essential Addons for Elementor

Enhance your Elementor page-building experience with 70+ creative elements and extensions.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 4.5.4
Number of sites affected: 1+ million
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Essential Addons for Elementor plugin (versions <= 4.5.3).

Update the WordPress Essential Addons for Elementor plugin to the latest available version (at least 4.5.4).

Elementor – Header, Footer & Blocks Template

Elementor editor gives you the flexibility to design beautiful sections.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.5.8
Number of sites affected: 1+ million
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Elementor – Header, Footer & Blocks Template plugin (versions <= 1.5.7).

Update the WordPress Elementor – Header, Footer & Blocks Template plugin to the latest available version (at least 1.5.8).

Premium Addons for Elementor

55+ customizable Elementor essential addons and widgets, 300+ premade Elementor templates and more.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 4.2.8
Number of sites affected: 400 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Premium Addons for Elementor plugin (versions <= 4.2.7).

Update the WordPress Premium Addons for Elementor plugin to the latest available version (at least 4.2.8).

Elements kit Elementor addons

ElementsKit offers addons for Elementor Page Builder.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 2.2.0
Number of sites affected: 300 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Elements kit Elementor addons plugin (versions <= 2.1.7).

Update the WordPress Elements kit Elementor addons plugin to the latest available version (at least 2.2.0).

Livemesh Addons for Elementor

Livemesh Addons for Elementor features a collection of extensions that can be used in the Elementor page builder.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 6.8
Number of sites affected: 100 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Livemesh Addons for Elementor plugin (versions <= 6.7.1).

Update the WordPress Livemesh Addons for Elementor plugin to the latest available version (at least 6.8).

HT Mega

HT Mega is an addon for Elementor that includes 80+ elements and 360 blocks with unlimited variations.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.5.7
Number of sites affected: 70 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress HT Mega plugin (versions <= 1.5.5).

Update the WordPress HT Mega plugin to the latest available version (at least 1.5.7).

WooLentor

WooLentor adds WooCommerce widgets and extensions to the Elementor page builder.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.8.6
Number of sites affected: 50 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress WooLentor plugin (versions <= 1.8.5).

Update the WordPress WooLentor plugin to the latest available version (at least 1.8.6).

PowerPack Addons for Elementor

Extend Elementor with 60+ creative Elementor widgets and extensions with PowerPack Elementor addons.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 2.3.2
Number of sites affected: 50 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress PowerPack Addons for Elementor plugin (versions <= 2.3.1).

Update the WordPress PowerPack Addons for Elementor plugin to the latest available version (at least 2.3.2).

Image Hover Effects – Elementor Addon

Set customized hover effects for your image.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.3.4
Number of sites affected: 40 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Image Hover Effects – Elementor Addon plugin (versions <= 1.3.3).

Update the WordPress Image Hover Effects – Elementor Addon plugin to the latest available version (at least 1.3.4).

Rife Elementor Extensions & Templates

Responsive templates for your landing pages.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.1.6
Number of sites affected: 30 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Rife Elementor Extensions & Templates plugin (versions <= 1.1.5).

Update the WordPress Rife Elementor Extensions & Templates plugin to the latest available version (at least 1.1.6).

The Plus Addons for Elementor Lite

The Plus Addons for Elementor Lite give multiple options to edit WordPress site with Elementor. 

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 2.0.6
Number of sites affected: 30 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress The Plus Addons for Elementor Page Builder Lite plugin (versions <= 2.0.5).

Update the WordPress The Plus Addons for Elementor Page Builder Lite plugin to the latest available version (at least 2.0.6).

All-in-One Addons for Elementor – WidgetKit

WidgetKit provides the set of widgets for Elementor.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 2.3.10
Number of sites affected: 20 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress WidgetKit plugin (versions <= 2.3.9).

Update the WordPress WidgetKit plugin to the latest available version (at least 2.3.10).

JetWidgets For Elementor

JetWidgets provides the set of widgets for Elementor for creating content. 

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.0.9
Number of sites affected: 10 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress JetWidgets For Elementor plugin (versions <= 1.0.8).

Update the WordPress JetWidgets For Elementor plugin to the latest available version (at least 1.0.9).

DethemeKit For Elementor

Detheme widgets for Elementor.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.5.5.5
Number of sites affected: 9 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress DethemeKit For Elementor plugin (versions <= 1.5.5.4).

Update the WordPress DethemeKit For Elementor plugin to the latest available version (at least 1.5.5.5).

WP Login Security and History

Security features for WordPress login page. 

Vulnerability: Authenticated persistent XSS & XFS
Fixed in version: no known fix – plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 6.2 (medium)

Vulnerability: Authenticated cross-site request forgery (CSRF)
Fixed in version: no known fix – plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 5.2 (medium)

Multiple vulnerabilities discovered by m0ze in WordPress WP Login Security and History plugin (versions <= 1.0).

This plugin has been closed as of April 5, 2021 and is not available for download. This closure is temporary, pending a full review.

Content Copy Protection & Prevent Image Save

Protect your content from selection and copy.

Vulnerability: Authenticated persistent XSS & XFS
Fixed in version: no known fix – plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 6.2 (medium)

Vulnerability: Authenticated cross-site request forgery (CSRF)
Fixed in version: no known fix – plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 5.2 (medium)

Multiple vulnerabilities discovered by m0ze in WordPress Content Copy Protection & Prevent Image Save plugin (versions <= 1.3).

This plugin has been closed as of April 5, 2021 and is not available for download. This closure is temporary, pending a full review.

Imagements

This plugin lets users use images in the comment section.

Vulnerability: Unauthenticated arbitrary file upload leading to remote code execution (RCE)
Fixed in version: no known fix – plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 9.8 (critical)

Unauthenticated Arbitrary File Upload leading to Remote Code Execution (RCE) vulnerability discovered by Jin Huang in WordPress Imagements plugin (versions <= 1.2.5).

Plugin closed. Deactivate and delete.

WP Page Builder

WP Page Builder is a free drag and drop WordPress page builder to create websites easily.

Vulnerability: Multiple stored cross-site scripting (XSS) vulnerabilities
Fixed in version: 1.2.4
Number of sites affected: 10 000+ 
CVSS 3.0 score: 7.4 (high)

Vulnerability: Insecure default configuration
Fixed in version: 1.2.4
Number of sites affected: 10 000+ 
CVSS 3.0 score: 5.4 (medium)

Multiple vulnerabilities discovered by WordFence in WordPress WP Page Builder plugin (versions <= 1.2.3).

Update the WordPress WP Page Builder plugin to the latest available version (at least 1.2.4).

Advanced Custom Fields PRO

Create fields in your WordPress site.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 5.9.1
Number of sites affected: 1+ million
CVSS 3.0 score: 6.8 (medium)

Reflected cross-site scripting (XSS) vulnerability discovered by Juan David Ordoñez Noriega in WordPress Advanced Custom Fields PRO plugin (versions <= 5.9.0).

Update the WordPress Advanced Custom Fields PRO plugin to the latest available version (at least 5.9.1).

Advanced Booking Calendar

Booking Calendar for Accommodations. The easy way to manage your bookings and raise your occupancy rate.

Vulnerability: Authenticated reflected cross-site scripting (XSS)
Fixed in version: 1.6.8
Number of sites affected: 5 000+
CVSS 3.0 score: 6.2 (medium)

Authenticated reflected cross-site scripting (XSS) vulnerability discovered by iohex in WordPress Advanced Booking Calendar plugin (versions <= 1.6.7).

Update the WordPress Advanced Booking Calendar plugin to the latest available version (at least 1.6.8).

Ivory Search

Ivory Search is a simple to use advanced WordPress search plugin.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 4.6.1
Number of sites affected: 60 000+
CVSS 3.0 score: 7.4 (high)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Jinson Varghese Behanan in WordPress Ivory Search plugin (versions <= 4.6).

Update the WordPress Ivory Search plugin to the latest available version (at least 4.6.1).

WooCommerce Customers Manager

WCCM expands your WooCommerce installation allowing you to easily retrieve all customers stats, personal data, import, export, guest conversion, etc.

Vulnerability: Authenticated reflected cross-site scripting (XSS)
Fixed in version: 26.7
Number of sites affected: 1 800+
CVSS 3.0 score: 6.2 (medium)

Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScan Team in WordPress WooCommerce Customers Manager premium plugin (versions <= 26.6).

Update the WordPress WooCommerce Customers Manager premium plugin to the latest available version (at least 26.7).

Cooked Pro

A recipe plugin for WordPress.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 1.7.5.6
Number of sites affected: N/A
CVSS 3.0 score: 7.4 (high)

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Jinson Varghese Behanan in WordPress Cooked Pro premium plugin (versions <= 1.7.5.5).

Update the WordPress Cooked Pro premium plugin to the latest available version (at least 1.7.5.6).

Goto - Tour & Travel WordPress theme

Goto is a theme for travel agency websites.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 2.0
Number of sites affected: 300+
CVSS 3.0 score: 7.4 (high)

Unauthenticated reflected cross-site scripting (XSS) vulnerability discovered by m0ze (Patchstack Red Team) in WordPress Goto premium theme (versions <= 1.9).

Update the WordPress Goto premium theme to the latest available version (at least 2.0).

Bello premium theme

Bello is a premium WordPress theme professionally designed for directory & listing businesses.

Vulnerability: Unauthenticated SQL injection (SQLi)
Fixed in version: 1.5.8
Number of sites affected: 500+
CVSS 3.0 score: 7.5 (high)

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 1.5.8
Number of sites affected: 500+
CVSS 3.0 score: 6.1 (medium)

Unauthenticated reflected cross-site scripting (XSS) and unauthenticated SQL injection (SQLi) vulnerabilities discovered by m0ze in the WordPress Bello – Directory & Listing premium theme (versions <= 1.5.7).

Update the WordPress Bello – Directory & Listing premium theme to the latest available version (at least 1.5.8).

March WordPress Vulnerability News

Findeo premium theme

Findeo is a WordPress real estate listing theme.

Vulnerability: Authenticated insecure direct object references (IDOR)
Fixed in version: 1.3.1
Number of sites affected: N/A
CVSS 3.0 score: 6.5 (medium)

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 1.3.1
Number of sites affected: N/A
CVSS 3.0 score: 7.4 (high)

Multiple vulnerabilities discovered by m0ze (Patchstack Red Team) in the WordPress Findeo premium theme (versions <= 1.2.6).

Update the WordPress Findeo premium theme to the latest available version (at least 1.3.1).

WorkScout premium theme

A WordPress solution for recruiters and employment agencies.

Vulnerability: Cross-frame scripting (XFS)
Fixed in version: 2.0.32
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium)

Vulnerability: Cross-site scripting (XSS)
Fixed in version: 2.0.32
Number of sites affected: N/A
CVSS 3.0 score: 8.2 (high)

Multiple vulnerabilities discovered by m0ze (Patchstack Red Team) in the WordPress WorkScout premium theme (versions <= 2.0.31).

Update the WordPress WorkScout premium theme to the latest available version (at least 2.0.32).

Listeo premium theme

Build a directory & classifieds website similar to Yelp, Airbnb, Booking.com, TripAdvisor, HomeAway.

Vulnerability: Multiple insecure direct object references (IDOR)
Fixed in version: 1.6.11
Number of sites affected: N/A
CVSS 3.0 score: 6.5 (medium)

Vulnerability: Multiple authenticated persistent cross-site scripting (XSS)
Fixed in version: 1.6.11
Number of sites affected: N/A
CVSS 3.0 score: 6.9 (medium)

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 1.6.11
Number of sites affected: N/A
CVSS 3.0 score: 8.2 (high)

Multiple vulnerabilities discovered by m0ze (Patchstack Red Team) in the WordPress Listeo premium theme (versions <= 1.6.07).

Update the WordPress Listeo premium theme to the latest available version (at least 1.6.11).

Controlled Admin Access

Give temporary, limited admin access to theme designers, plugin developers, and support agents.

Vulnerability: Improper input validation leading to privilege escalation
Fixed in version: 1.5.6
Number of sites affected: 8 000+
CVSS 3.0 score: 8.1 (high)

Improper Input Validation leading to Privilege Escalation vulnerability discovered by NinTechNet in WordPress Controlled Admin Access plugin (versions <= 1.5.5).

Update the WordPress Controlled Admin Access plugin to the latest available version (at least 1.5.6).

Easy Form Builder

Easy Form Builder is a user-friendly form creator that allows you to create professional multistep forms within minutes.

Vulnerability: Unauthorized AJAX calls
Fixed in version: plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 6.5 (medium)

Unauthorized AJAX Calls vulnerability discovered by WPScan Team in WordPress Easy Form Builder plugin (versions <= 1.0).

Plugin closed. Deactivate and delete.

Quiz And Survey Master

Create quizzes, trivia quizzes, customer satisfaction surveys, and more.

Vulnerability: Authenticated SQL injection (SQLi)
Fixed in version: 7.1.14
Number of sites affected: 40 000+
CVSS 3.0 score: 8.1 (high)

Authenticated SQL injection (SQLi) vulnerability discovered by WPScan Team in WordPress Quiz And Survey Master plugin (versions <= 7.1.13).

Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 7.1.14).

Patreon WordPress

Connect your WordPress site and your Patreon to increase your patrons and pledges.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 1.7.2
Number of sites affected: 5 000+
CVSS 3.0 score: 8.8 (high)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Jetpack Scan team in WordPress Patreon WordPress plugin (versions <= 1.7.1).

Update the WordPress Patreon WordPress plugin to the latest available version (at least 1.7.2).

Facebook for WordPress

This plugin will install a Facebook Pixel for your page so you can capture the actions people take when they interact with your pages, such as Lead, ViewContent, AddToCart, InitiateCheckout, and Purchase events.

Vulnerability: Cross-site request forgery (CSRF) leading to stored cross-site scripting (XSS)
Fixed in version: 3.0.4
Number of sites affected: 500 000+
CVSS 3.0 score: 8.8 (high)

Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) vulnerability discovered by WordFence in WordPress Facebook for WordPress plugin (versions 3.0.0 – 3.0.3).

Update the WordPress Facebook for WordPress plugin to the latest available version (at least 3.0.4).

Vulnerability: PHP object injection vulnerability
Fixed in version: 3.0.0
Number of sites affected: 500 000+
CVSS 3.0 score: 10 (critical)

PHP Object Injection vulnerability discovered by WordFence in WordPress Facebook for WordPress plugin (versions <= 2.2.2).

Update the WordPress Facebook for WordPress plugin to the latest available version (at least 3.0.0).

Thrive themes - multiple vulnerabilities

Conversion-focused WordPress themes.

Storied

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Storied premium theme to the latest available version (at least 2.0.0).

Pressive

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Pressive premium theme to the latest available version (at least 2.0.0).

Performag

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Performag premium theme to the latest available version (at least 2.0.0).

Voice

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Voice premium theme to the latest available version (at least 2.0.0).

Squared

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Squared premium theme to the latest available version (at least 2.0.0).

Minus

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Minus premium theme to the latest available version (at least 2.0.0).

Focusblog

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Focusblog premium theme to the latest available version (at least 2.0.0).

Luxe

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Luxe premium theme to the latest available version (at least 2.0.0).

Ignition

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Ignition premium theme to the latest available version (at least 2.0.0).

Rise

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Rise premium theme to the latest available version (at least 2.0.0).

Thrive plugins - multiple vulnerabilities

Conversion-focused WordPress plugins.

Thrive Dashboard

Vulnerability: Unauthenticated option update
Fixed in version: 2.3.9.3
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Dashboard premium plugin to the latest available version (at least 2.3.9.3).

Thrive Architect

Vulnerability: Unauthenticated option update
Fixed in version: 2.6.7.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Architect premium plugin to the latest available version (at least 2.6.7.4).

Thrive Apprentice

Vulnerability: Unauthenticated option update
Fixed in version: 2.3.9.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the Thrive Apprentice premium plugin to the latest available version (at least 2.3.9.4).

Thrive Quiz Builder

Vulnerability: Unauthenticated option update
Fixed in version: 2.3.9.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Quiz Builder premium plugin to the latest available version (at least 2.3.9.4).

Thrive Ultimatum

Vulnerability: Unauthenticated option update
Fixed in version: 2.3.9.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Ultimatum premium plugin to the latest available version (at least 2.3.9.4).

Thrive Leads Version

Vulnerability: Unauthenticated option update
Fixed in version: 2.3.9.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Leads Version premium plugin to the latest available version (at least 2.3.9.4).

Thrive Themes Builder

Vulnerability: Unauthenticated option update
Fixed in version: 2.2.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Themes Builder premium plugin to the latest available version (at least 2.2.4).

Thrive Headline Optimizer

Vulnerability: Unauthenticated option update
Fixed in version: 1.3.7.3
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Headline Optimizer premium plugin to the latest available version (at least 1.3.7.3).

Thrive Comments

Vulnerability: Unauthenticated option update
Fixed in version: 1.4.15.3
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Comments premium plugin to the latest available version (at least 1.4.15.3).

Thrive Optimize

Vulnerability: Unauthenticated option update
Fixed in version: 1.4.13.3
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Optimize premium plugin to the latest available version (at least 1.4.13.3).

GiveWP – Donation Plugin and Fundraising Platform

A donation plugin for WordPress.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 2.10.0
Number of sites affected: 100 000+
CVSS 3.0 score: 6.1 (medium)

Reflected cross-site scripting (XSS) vulnerability discovered by Austin Bentley in WordPress GiveWP plugin (versions <= 2.9.7).

Update the WordPress GiveWP plugin to the latest available version (at least 2.10.0).

Controlled Admin Access

Give temporary, limited admin access to theme designers, plugin developers, and support agents.

Vulnerability: Improper access control & privilege escalation vulnerability
Fixed in version: 1.5.2
Number of sites affected: 8 000+
CVSS 3.0 score: 8.3 (high)

Improper access control & privilege escalation vulnerability discovered by m0ze (Patchstack Red Team) in WordPress Controlled Admin Access plugin (versions <= 1.5.1).

Update the WordPress Controlled Admin Access plugin to the latest available version (at least 1.5.2).

Delightful Downloads

A downloads manager for WordPress.

Vulnerability: Path traversal vulnerability
Fixed in version: no known fix – plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 7.5 (high)

This plugin has been closed as of June 11, 2020, and is not available for download. Reason: Security Issue.

BuddyPress

BuddyPress helps you build a community website using WordPress.

Vulnerability: Privilege escalation vulnerability
Fixed in version: 7.2.1
Number of sites affected: N/A
CVSS 3.0 score: 7.6 (high)

Privilege escalation vulnerability discovered in WordPress BuddyPress plugin (versions <= 7.2.0).

Update the WordPress BuddyPress plugin to the latest available version (at least 7.2.1).

Elementor Website Builder

A WordPress website builder.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 3.1.4
Number of sites affected: 5+ million
CVSS 3.0 score: 6.4 (medium)

Multiple authenticated stored cross-site scripting (XSS) vulnerabilities found by WordFence in WordPress Elementor Website Builder plugin (versions <= 3.1.1).

Update the WordPress Elementor Website Builder plugin to the latest available version (at least 3.1.4).

WP Super Cache

This plugin generates static html files from your dynamic WordPress blog.

Vulnerability: Authenticated remote code execution (RCE)
Fixed in version: 1.7.2
Number of sites affected: 2+ million

Authenticated Remote Code Execution (RCE) vulnerability (settings page) discovered by m0ze (Patchstack Red Team) in WordPress WP Super Cache plugin (versions <= 1.7.1).

Update the WordPress WP Super Cache plugin to the latest available version (at least 1.7.2).

Tutor LMS – eLearning and online course solution

Tutor is a WordPress LMS plugin to create & sell courses online.

Vulnerability: Unprotected AJAX action leading to privilege escalation
Fixed in version: 1.7.7
Number of sites affected: 20 000+

Vulnerability: Multiple blind/time-based SQL injection (SQLi) vulnerabilities
Fixed in version: 1.7.7
Number of sites affected: 20 000+

Vulnerability: Multiple union SQL injection (SQLi) vulnerabilities
Fixed in version: 1.8.3
Number of sites affected: 20 000+

Update the WordPress Tutor LMS plugin to the latest available version (at least 1.8.3).

The Plus Addons for Elementor

Collection of 100+ Elementor widgets, 18+ templates, 300+ UI blocks and more.

Vulnerability: Privilege escalation vulnerability
Fixed in version: no known fix
Number of sites affected: N/A

Privilege Escalation vulnerability found by Ville Korhonen in WordPress The Plus Addons for Elementor premium plugin (versions <= 4.1.6).

2021-03-09 – we were unable to find any information about a patched version of this plugin. We recommend deactivating and uninstalling this software until a patched version is available.

Five Star Restaurant Menu

Create a responsive restaurant menu and a restaurant menu ordering system.

Vulnerability: Unauthenticated remote code execution (RCE)
Fixed in version: 2.2.1
Number of sites affected: 10 000+

Unauthenticated Remote Code Execution (RCE) vulnerability discovered by Nick Blundell in WordPress Five Star Restaurant Menu plugin (versions <= 2.2.0).

Update the WordPress Five Star Restaurant Menu plugin to the latest available version (at least 2.2.1).

WooCommerce Upload Files premium

Upload any file any size from the product, cart, checkout, thank you, and/or order details pages. Preview images, add additional costs, fees, and many more options.

Vulnerability: Unauthenticated arbitrary file upload
Fixed in version: 59.4
Number of sites affected: 5 000+

Unauthenticated Arbitrary File Upload vulnerability found by WordFence in WordPress WooCommerce Upload Files premium plugin (versions <= 59.3).

Update the WordPress WooCommerce Upload Files premium plugin to the latest available version (at least 59.4).

User Profile Picture

Set or remove a custom profile image for a user using the standard WordPress media upload tool.

Vulnerability: Sensitive information disclosure
Fixed in version: 2.5.0
Number of sites affected: 60 000+

Sensitive Information Disclosure vulnerability found by WordFence in WordPress User Profile Picture plugin (versions <= 2.4.0).

Update the WordPress User Profile Picture plugin to the latest available version (at least 2.5.0).

Forminator

WordPress form builder.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 1.14.8.1
Number of sites affected: 100 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NinTechNet in WordPress Forminator plugin (versions <= 1.14.8).

Update the WordPress Forminator plugin to the latest available version (at least 1.14.8.1).

Dokan

Marketplace plugin for WordPress.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 3.2.1
Number of sites affected: 60 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NinTechNet in WordPress Dokan plugin (versions <= 3.2.0).

Update the WordPress Dokan plugin to the latest available version (at least 3.2.1).

Defender Security – Malware Scanner, Login Security & Firewall

WordPress security plugin.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 2.4.6.1
Number of sites affected: 50 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NinTechNet in WordPress Defender Security plugin (versions <= 2.4.6).

Update the WordPress Defender Security plugin to the latest available version (at least 2.4.6.1).

Abandoned Cart Lite for WooCommerce

Abandoned Cart Plugin helps you recover those carts from your WooCommerce shop.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 5.8.6
Number of sites affected: 30 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NinTechNet in WordPress Abandoned Cart Lite for WooCommerce plugin (versions <= 5.8.5).

Update the WordPress Abandoned Cart Lite for WooCommerce plugin to the latest available version (at least 5.8.6).

Style Kits – Advanced Theme Styles for Elementor

Style Kits for Elementor adds meaningful UI controls to Theme Styles for the most important variables of your layout system in Elementor.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 1.8.1
Number of sites affected: 10 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NinTechNet in WordPress Style Kits plugin (versions <= 1.8.0).

Update the WordPress Style Kits plugin to the latest available version (at least 1.8.1).

WP ERP

Company and business management solution for WordPress.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 1.7.5
Number of sites affected: 10 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NinTechNet in WordPress WP ERP plugin (versions <= 1.7.4).

Update the WordPress WP ERP plugin to the latest available version (at least 1.7.5).

WP Project Manager

A project management and task management tool for WordPress.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 2.4.10
Number of sites affected: 10 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NinTechNet in WordPress WP Project Manager plugin (versions <= 2.4.9).

Update the WordPress WP Project Manager plugin to the latest available version (at least 2.4.10).

WP Travel

WP Travel is a free travel engine for making customized travel and tour agency websites on WordPress.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 4.4.7
Number of sites affected: 6 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NinTechNet in WordPress WP Travel plugin (versions <= 4.4.6).

Update the WordPress WP Travel plugin to the latest available version (at least 4.4.7).

February WordPress Vulnerability News

YITH WooCommerce Gift Cards Premium

Sell gift cards in your shop to increase your earnings and attract new customers.

Vulnerability: Arbitrary file upload leading to remote code execution (RCE)
Fixed in version: 3.3.1
Number of sites affected: 50 000+

Arbitrary File Upload leading to Remote Code Execution (RCE) vulnerability found by Guy Liu in WordPress YITH WooCommerce Gift Cards plugin (versions <= 3.3.0).

Update the WordPress YITH WooCommerce Gift Cards plugin to the latest available version (at least 3.3.1).

NextGEN Gallery Pro

Gallery plugin built for WordPress.

Vulnerability: Cross-site scripting (XSS)
Fixed in version: 3.1.11
Number of sites affected: 1+ million

Reflected Cross-Site Scripting (XSS) vulnerability found by Thura Moe Myint in WordPress NextGEN Gallery Pro premium plugin (versions <= 3.1.9).

Update the WordPress NextGEN Gallery Pro premium plugin to the latest available version (at least 3.1.11).

WordPress Mega Menu – QuadMenu

Mega Menu is designed for theme developers with customizable menu layouts and drag & drop fields.

Vulnerability: Remote code execution (RCE)
Fixed in version: 2.0.7
Number of sites affected: 20 000+

Remote Code Execution (RCE) vulnerability found by Mikel Gorraiz in WordPress QuadMenu plugin (versions <= 2.0.6).

Update the WordPress QuadMenu plugin to the latest available version (at least 2.0.7).

WP Private Content Plus

WP Private Content Plus simplifies the process for protecting your important WordPress site content from guests, members, specific user roles, or a group of selected users.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 3.2
Number of sites affected: 8 000+

Cross-Site Request Forgery (CSRF) vulnerability found in WordPress WP Private Content Plus plugin (versions <= 3.1).

Update the WordPress WP Private Content Plus plugin to the latest available version (at least 3.2).

Custom Banners

Custom Banners is a WordPress plugin that allows you to easily manage several banners (ads) and display them on the front end.

Vulnerability: Cross-site request forgery (CSRF) vulnerability
Fixed in version: 3.3
Number of sites affected: 7 000+

Cross-Site Request Forgery (CSRF) vulnerability found by WPScan Team in WordPress Custom Banners plugin (versions <= 3.2.2).

Update the WordPress Custom Banners plugin to the latest available version (at least 3.3).

WordPress Backup and Migrate Plugin – Backup Guard

Backup Guard is a WordPress backup plugin.

Vulnerability: Authenticated arbitrary file upload vulnerability
Fixed in version: 1.6.0
Number of sites affected: 70 000+

Authenticated Arbitrary File Upload vulnerability found by Nguyen Van Khanh in WordPress Backup Guard plugin (versions <= 1.5.9).

Update the WordPress Backup Guard plugin to the latest available version (at least 1.6.0).

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress

Use Ninja Forms to create WordPress forms.

Vulnerability: Authenticated SendWP plugin installation and client secret key disclosure vulnerability
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Vulnerability: Authenticated OAuth connection key disclosure vulnerability
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Vulnerability: Administrator open redirect vulnerability
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Vulnerability: Cross-site request forgery (CSRF) vulnerability
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Update the WordPress Ninja Forms Contact Form plugin to the latest available version (at least 3.4.34).

WP Ticket Customer Service Software & Support Ticket System

WP Ticket is a help desk software for WordPress.

Vulnerability: Cross-site scripting (XSS)
Fixed in version: 5.6.0
Number of sites affected: 600+

Cross-Site Scripting (XSS) vulnerability found by WPScan security research team in WordPress WP Ticket Customer Service Software & Support Ticket System plugin (versions <= 5.5.1).

Update the WordPress WP Ticket Customer Service Software & Support Ticket System plugin to the latest available version (at least 5.6.0).

WordPress Vulnerability News - Conclusion

WordPress sites are hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily.

Every public website is a resource available on the internet and therefore a target: as soon as your website is reachable by the public, it immediately becomes one.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated.

To fight back, you have only a small time window in which to act. In such cases, virtual patches are of critical importance.

Always keep your plugins updated. If possible, enable automatic updates. If you are using any of the plugins mentioned here, update them to the latest version as soon as possible.

Patchstack issues virtual patches that are distributed automatically to sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus, so our security engine is updated on a daily basis.

Websites with Patchstack installed are protected from the security issues mentioned in this article. If you are not yet protecting your WordPress site against plugin vulnerabilities, start for free here.
