Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.
Please share this post with your friends to help get the word out and make WordPress safer for everyone!
WordPress Disaster Week is coming
March 8 – 10, 2022
A FREE ONLINE TRAINING EVENT
Are you ready if disaster strikes your WordPress website today? From running an update that breaks everything to hacks or accidentally deleting an important file, the reality is it’s not a matter of if but when something will go wrong with your site. To help you combat the threat of website disasters, we’re hosting the biggest free, online WordPress security training event of the year so that EVERYONE can have a plan if and when a website catastrophe strikes.
Can’t make the live training? We’ll email you the replays.
WordPress Core Vulnerabilities
WordPress 5.9.1 was released on February 22, 2022 as a maintenance update with 33 bug fixes. Be sure to update to WordPress 5.9.1 as soon as possible!
- No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the number of active installations, the version in which it was patched (if any), and the severity rating.
UpdraftPlus Free
- Plugin: UpdraftPlus WordPress Backup Plugin
Essential Addons for Elementor Lite
- Plugin: Essential Addons for Elementor
WP Statistics
- Vulnerability: Unauthenticated Blind SQL Injection via IP; Unauthenticated Blind SQL Injection via current_page_id; Unauthenticated Blind SQL Injection via current_page_type; Multiple Unauthenticated Stored Cross-Site Scripting
Photo Gallery by 10Web
- Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Relevanssi
- Plugin: Relevanssi – A Better Search
WP Content Copy Protection & No Right Click
- Plugin: WP Content Copy Protection & No Right Click
- Vulnerability: Settings Update via CSRF
Cookie Information
- Plugin: Cookie Information | Free GDPR Consent Solution
Profile Builder
- Plugin: Profile Builder – User Profile & User Registration Forms
Contact Form Submissions
Zero Spam
- Plugin: Zero Spam for WordPress
Master Addons for Elementor
- Plugin: Master Addons for Elementor
Hide Admin Bar Based on User Roles
- Plugin: Hide Admin Bar Based on User Roles
Advanced Product Labels for WooCommerce
- Plugin: Advanced Product Labels for WooCommerce
Powerkit
- Plugin: Powerkit – Supercharge your WordPress Site
- Vulnerability: Post Views Settings Update/Reset via CSRF
Countdown & Clock
- Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock
WPCargo
- Plugin: WPCargo Track & Trace
ARI Fancy Lightbox
- Plugin: ARI Fancy Lightbox – WordPress Popup
Event Manager for WooCommerce
- Plugin: Event Manager and Tickets Selling Plugin for WooCommerce
Patreon WordPress
- Vulnerability: Admin+ Stored Cross-Site Scripting
WP Home Page Menu
- Plugin: WP Home Page Menu
- Vulnerability: Admin+ Stored Cross-Site Scripting
Kunze Law
- Vulnerability: Admin+ Stored Cross-Site Scripting
Team Circle Image Slider With Lightbox
- Plugin: Team Circle Image Slider With Lightbox
Login with phone number
- Plugin: Login with phone number
- Vulnerability: Unauthenticated Remote Plugin Deletion
Sync iCloud COS
- Vulnerability: Admin+ Stored Cross-Site Scripting
Flexi – Guest Submit
- Plugin: Flexi – Guest Submit
CommonsBooking
Multisite Content Copier/Updater
- Plugin: WordPress Multisite Content Copier/Updater
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, uninstall and delete the affected plugin immediately; deactivating it alone leaves the vulnerable code on the server.
Persian Woocommerce
- Patched in Version: No Fix
Better WordPress Google XML Sitemaps
- Plugin: Better WordPress Google XML Sitemaps (support Sitemap Index, Multi-site and Google News)
- Vulnerability: Unauthenticated Stored Cross-Site Scripting
- Patched in Version: No Fix
Page Builder KingComposer
- Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
- Patched in Version: No Fix
hub2word
- Plugin: Easy Embed for HubSpot Forms, CTAs, Links, Files & add HubSpot to WP Search Results
- Patched in Version: No Fix
Simple Theme Options
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: No Fix
SEO 301 Meta
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: No Fix
Simple Quotation
- Patched in Version: No Fix
GD Mylist
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: No Fix
WP Voting Contest
- Patched in Version: No Fix
Petfinder Listings
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: No Fix
WordPress Theme Vulnerabilities
This section lists the latest disclosed WordPress theme vulnerabilities. Each theme listing includes the type of vulnerability, the number of active installations, the version in which it was patched (if any), and the severity rating.
- No new theme vulnerabilities were disclosed this week.
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, many new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to check that your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
- Site scanner for plugin and theme vulnerabilities
- File change detection
- Real-time website security dashboard
- WordPress security logs
- Trusted devices to protect from session hijacking
- reCAPTCHA
- Brute force protection
- Privilege escalation
- Compromised passwords check & refusal
The post WordPress Vulnerability Report – February 23, 2022 appeared first on iThemes.