WordPress Vulnerability Report – February 23, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability is given a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than by the date of disclosure.

Please share this post with your friends to help get the word out and make WordPress safer for everyone!

WordPress Disaster Week is coming

March 8 – 10, 2022

A FREE ONLINE TRAINING EVENT

Are you ready if disaster strikes your WordPress website today? From running an update that breaks everything to hacks or accidentally deleting an important file, the reality is it’s not a matter of if but when something will go wrong with your site. To help you combat the threat of website disasters, we’re hosting the biggest free, online WordPress security training event of the year so that EVERYONE can have a plan if and when a website catastrophe strikes.

Can’t make the live training? Sign up anyway and we’ll email you the replays.

WordPress Core Vulnerabilities

WordPress 5.9.1 was released on February 22, 2022 as a maintenance update with 33 bug fixes. Be sure to update to WordPress 5.9.1 as soon as possible!

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

This section lists the WordPress plugin vulnerabilities disclosed this week. Each plugin listing includes the type of vulnerability, the number of active installations, the version number in which it was patched (if any), and the severity rating.

UpdraftPlus Free

Plugin
UpdraftPlus WordPress Backup Plugin
The vulnerability has been patched, so you should update to version 1.22.3.

Essential Addons for Elementor Lite

Plugin
Essential Addons for Elementor
The vulnerability has been patched, so you should update to version 5.0.9.

WP Statistics

Plugin
WP Statistics
Vulnerability
Unauthenticated Blind SQL Injection via IP; Unauthenticated Blind SQL Injection via current_page_id; Unauthenticated Blind SQL Injection via current_page_type; Multiple Unauthenticated Stored Cross-Site Scripting
The vulnerability has been patched, so you should update to version 13.1.6.

Photo Gallery by 10Web

Plugin
Photo Gallery by 10Web – Mobile-Friendly Image Gallery
The vulnerability has been patched, so you should update to version 1.6.0.

Relevanssi

Plugin
Relevanssi – A Better Search
The vulnerability has been patched, so you should update to version 4.14.6.

WP Content Copy Protection & No Right Click

Plugin
WP Content Copy Protection & No Right Click
Vulnerability
Settings Update via CSRF
The vulnerability has been patched, so you should update to version 3.4.5.

Cookie Information

Plugin
Cookie Information | Free GDPR Consent Solution
The vulnerability has been patched, so you should update to version 2.0.8.

Profile Builder

Plugin
Profile Builder – User Profile & User Registration Forms
The vulnerability has been patched, so you should update to version 3.6.2.

Contact Form Submissions

Plugin
Contact Form Submissions
The vulnerability has been patched, so you should update to version 1.7.3.

Zero Spam

Plugin
Zero Spam for WordPress
The vulnerability has been patched, so you should update to version 5.2.11.

Master Addons for Elementor

Plugin
Master Addons for Elementor
The vulnerability has been patched, so you should update to version 1.8.2.

Hide Admin Bar Based on User Roles

Plugin
Hide Admin Bar Based on User Roles
The vulnerability has been patched, so you should update to version 3.1.0.

Advanced Product Labels for WooCommerce

Plugin
Advanced Product Labels for WooCommerce
The vulnerability has been patched, so you should update to version 1.2.3.7.

Powerkit

Plugin
Powerkit – Supercharge your WordPress Site
Vulnerability
Post Views Settings Update/Reset via CSRF
The vulnerability has been patched, so you should update to version 2.5.9.

Countdown & Clock

Plugin
Countdown, Coming Soon, Maintenance – Countdown & Clock
The vulnerability has been patched, so you should update to version 2.2.9.

WPCargo

Plugin
WPCargo Track & Trace
The vulnerability has been patched, so you should update to version 6.9.0.

ARI Fancy Lightbox

Plugin
ARI Fancy Lightbox – WordPress Popup
The vulnerability has been patched, so you should update to version 1.3.9.

Event Manager for WooCommerce

Plugin
Event Manager and Tickets Selling Plugin for WooCommerce
The vulnerability has been patched, so you should update to version 3.5.8.

Patreon WordPress

Plugin
Patreon WordPress
Vulnerability
Admin+ Stored Cross-Site Scripting
The vulnerability has been patched, so you should update to version 1.8.2.

WP Home Page Menu

Plugin
WP Home Page Menu
Vulnerability
Admin+ Stored Cross-Site Scripting
The vulnerability has been patched, so you should update to version 3.1.

Kunze Law

Plugin
Kunze Law
Vulnerability
Admin+ Stored Cross-Site Scripting
The vulnerability has been patched, so you should update to version 2.1.

Team Circle Image Slider With Lightbox

Plugin
Team Circle Image Slider With Lightbox
The vulnerability has been patched, so you should update to version 1.0.16.

Login with phone number

Plugin
Login with phone number
Vulnerability
Unauthenticated Remote Plugin Deletion
The vulnerability has been patched, so you should update to version 1.3.7.

Sync QCloud COS

Plugin
Sync QCloud COS
Vulnerability
Admin+ Stored Cross-Site Scripting
The vulnerability has been patched, so you should update to version 2.0.1.

Flexi – Guest Submit

Plugin
Flexi – Guest Submit
The vulnerability has been patched, so you should update to version 4.20.

CommonsBooking

Plugin
CommonsBooking
The vulnerability has been patched, so you should update to version 2.6.8.

Multisite Content Copier/Updater

Plugin
WordPress Multisite Content Copier/Updater
The vulnerability has been patched, so you should update to version 2.1.2.
The vulnerability has been patched, so you should update to version 2.16.5.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, deactivate the plugin immediately and delete it from the site; an inactive plugin's files remain on disk, so deactivating alone is not enough.

Persian Woocommerce

Plugin
Persian Woocommerce
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Better WordPress Google XML Sitemaps

Plugin
Better WordPress Google XML Sitemaps (support Sitemap Index, Multi-site and Google News)
Vulnerability
Unauthenticated Stored Cross-Site Scripting
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Page Builder KingComposer

Plugin
Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

hub2word

Plugin
Easy Embed for HubSpot Forms, CTAs, Links, Files & add HubSpot to WP Search Results
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Simple Theme Options

Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

SEO 301 Meta

Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Simple Quotation

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

GD Mylist

Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WP Voting Contest

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Petfinder Listings

Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

This section lists the WordPress theme vulnerabilities disclosed this week. Each theme listing includes the type of vulnerability, the number of active installations, the version number in which it was patched (if any), and the severity rating.

  • No new theme vulnerabilities were disclosed this week.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As this report shows, many new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to keep up with every disclosure, so the iThemes Security Pro plugin makes it easy to confirm that your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
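The manual version of that check, as an added example that is not iThemes’ code and not part of the original report: a script that compares a site’s installed plugin versions against the patched versions listed in this report and flags anything older, plus anything in the no-fix list. It assumes the JSON produced by WP-CLI’s `wp plugin list --format=json --fields=name,version,status`; the plugin slugs in its tables are assumptions to verify against your own site, since the report gives display names only, and the sample plugin list is constructed for the demonstration.

```python
"""Audit installed WordPress plugins against this report's patched versions.

Input is the output of:  wp plugin list --format=json --fields=name,version,status
"""
import json

# Patched versions are copied from the report above. The keys are the
# wordpress.org slugs WP-CLI reports; the slugs are assumptions (the report
# lists display names only), so verify each against your site's
# `wp plugin list` output, and extend the tables with the report's remaining
# entries the same way.
PATCHED = {
    "updraftplus": "1.22.3",
    "essential-addons-for-elementor-lite": "5.0.9",
    "wp-statistics": "13.1.6",
    "photo-gallery": "1.6.0",
    "relevanssi": "4.14.6",
    "profile-builder": "3.6.2",
    "zero-spam": "5.2.11",
}

# Plugins the report lists with no known fix: the only remedy is removal.
NO_FIX = {
    "bwp-google-xml-sitemaps",  # Better WordPress Google XML Sitemaps (assumed slug)
    "kingcomposer",             # Page Builder: KingComposer (assumed slug)
}


def parse_version(version):
    """Turn '1.2.3.7' or '13.1.6-beta' into a tuple of ints.

    Non-numeric characters inside a component are dropped, so a suffix
    such as '-beta' does not break the comparison.
    """
    parts = []
    for component in version.split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(installed, patched):
    """True when `installed` is strictly older than `patched`.

    Shorter versions are right-padded with zeros so that '3.1' == '3.1.0'.
    """
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(plugin_list_json):
    """Return (slug, installed_version, status, action) for each affected plugin.

    Inactive plugins are still reported: their files stay on disk, so the
    update or removal is still required.
    """
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug, installed, status = plugin["name"], plugin["version"], plugin["status"]
        if slug in NO_FIX:
            findings.append((slug, installed, status,
                             "no fix available: deactivate and delete"))
        elif slug in PATCHED and version_lt(installed, PATCHED[slug]):
            findings.append((slug, installed, status,
                             f"update to {PATCHED[slug]}"))
    return findings


# Constructed sample standing in for real `wp plugin list --format=json` output.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "updraftplus", "status": "active", "version": "1.22.2"},
    {"name": "wp-statistics", "status": "active", "version": "13.1.6"},
    {"name": "relevanssi", "status": "inactive", "version": "4.14.5"},
    {"name": "kingcomposer", "status": "active", "version": "2.9.6"},
    {"name": "akismet", "status": "active", "version": "4.2.2"},
])

if __name__ == "__main__":
    for slug, installed, status, action in audit(SAMPLE_WP_PLUGIN_LIST):
        print(f"{slug} {installed} ({status}): {action}")
```

On a real site, replace SAMPLE_WP_PLUGIN_LIST with the output of `wp plugin list --format=json --fields=name,version,status`. The version comparison is numeric per component rather than a string comparison, which matters for entries such as 1.2.3.7 and for plugins whose version numbers have more or fewer components than the patched version in the report.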

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

  • Site scanner for plugin and theme vulnerabilities
  • File change detection
  • Real-time website security dashboard
  • WordPress security logs
  • Trusted devices to protect from session hijacking
  • reCAPTCHA
  • Brute force protection
  • Privilege escalation
  • Compromised passwords check & refusal

Get iThemes Security Pro

Want the Weekly WordPress Vulnerability Report delivered right to your inbox? Subscribe to the weekly email.

The post WordPress Vulnerability Report – February 23, 2022 appeared first on iThemes.