WordPress Vulnerabilities Digest - April 2022 Part 1

Threat Alerts / May 05, 2022
WordPress 5.9.3 was released on April 5, 2022, as a short-cycle maintenance release with 19 bug fixes. Because this is a core update, be sure to update to WordPress 5.9.3 as soon as possible.

Each vulnerability is given a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. Advanced Custom Fields

Plugin: Advanced Custom Fields
Installations: 2,000,000+
Vulnerability: Contributor+ Database Information Access
Patched in version: 5.12.1
Severity score: Medium

The vulnerability has been patched, so you should update to version 5.12.1.

2. Anti-Malware Security and Brute-Force Firewall

Plugin: Anti-Malware Security and Brute-Force Firewall
Installations: 200,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 4.20.96
Severity score: Low

The vulnerability has been patched, so you should update to version 4.20.96.

3. Spam protection, AntiSpam, FireWall by CleanTalk

Plugin: Spam protection, AntiSpam, FireWall by CleanTalk
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 5.174.1
Severity score: Medium

The vulnerability has been patched, so you should update to version 5.174.1.

4. Quick Adsense

Plugin: Quick Adsense
Installations: 70,000+
Vulnerability: Subscriber+ Post Stats Reset
Patched in version: 2.8.2
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.8.2.

5. wpDataTables

Plugin: wpDataTables Tables & Table Charts
Installations: 60,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.1.28
Severity score: Low

The vulnerability has been patched, so you should update to version 2.1.28.

6. Animate It!

Plugin: Animate It!
Installations: 40,000+
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: 2.4.0
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.4.0.

7. ThirstyAffiliates Affiliate Link Manager

Plugin: ThirstyAffiliates Affiliate Link Manager
Installations: 40,000+
Vulnerabilities: Subscriber+ Arbitrary Affiliate Link Creation; Subscriber+ Unauthorized Image Upload + CSRF
Patched in version: 3.10.5
Severity score: Low

The vulnerability has been patched, so you should update to version 3.10.5.

8. Weblizar Pin It Button On Image Hover And Post

Plugin: Weblizar Pin It Button On Image Hover And Post
Installations: 30,000+
Vulnerability: Subscriber+ Arbitrary Settings Update
Patched in version: 3.4
Severity score: Medium

The vulnerability has been patched, so you should update to version 3.4.

9. myCred

Plugin: myCred Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin
Installations: 20,000+
Vulnerabilities: Subscriber+ User E-mail Address Disclosure; Subscriber+ Import/Export to Email Address Disclosure; Subscriber+ Arbitrary Post Creation
Patched in version: 2.4.4.1
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.4.4.1.

10. Social comments by WpDevArt

Plugin: Social comments by WpDevArt
Installations: 20,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.5.0
Severity score: Low

The vulnerability has been patched, so you should update to version 2.5.0.

11. Donorbox

Plugin: Donorbox Free Recurring Donation Form
Installations: 9,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 7.1.7
Severity score: Low

The vulnerability has been patched, so you should update to version 7.1.7.

12. WP YouTube Live

Plugin: WP YouTube Live
Installations: 3,000+
Vulnerability: Authenticated Reflected Cross-Site Scripting
Patched in version: 1.7.22
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.7.22.

13. Menubar

Plugin: Menubar
Installations: 3,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 5.8
Severity score: Medium

The vulnerability has been patched, so you should update to version 5.8.

14. Amr Users

Plugin: amr users
Installations: 2,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 4.59.4
Severity score: Low

The vulnerability has been patched, so you should update to version 4.59.4.

15. Opensea

Plugin: Opensea
Installations: 1,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.0.3
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.0.3.

16. Page Restriction WordPress

Plugin: Page Restriction WordPress (WP) Protect WP Pages/Post
Installations: 600+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.2.7
Severity score: Low

The vulnerability has been patched, so you should update to version 1.2.7.

17. Be POPIA Compliant

Plugin: Be POPIA Compliant
Installations: 20+
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched in version: 1.1.6
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.1.6.

18. 5 Stars Rating Funnel

Plugin: 5 Stars Rating Funnel WordPress Plugin | RRatingg
Installations: 10+
Vulnerability: Unauthenticated SQL Injection
Patched in version: 1.2.53
Severity score: High

The vulnerability has been patched, so you should update to version 1.2.53.

19. Flo Launch

Plugin: Flo Launch
Vulnerability: Missing Authentication Allowing Full Site Takeover
Patched in version: 2.4.1
Severity score: Critical

The vulnerability has been patched, so you should update to version 2.4.1.

20. uDraw

Plugin: Web To Print Shop : uDraw
Vulnerability: Unauthenticated Arbitrary File Access
Patched in version: 3.3.3
Severity score: High

The vulnerability has been patched, so you should update to version 3.3.3.

21. LayerSlider

Plugin: Layer Slider
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 7.1.2
Severity score: Low

The vulnerability has been patched, so you should update to version 7.1.2.

22. English WordPress Admin

Plugin: English WordPress Admin
Vulnerability: Unauthenticated Open Redirect
Patched in version: 1.5.2
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.5.2.

WordPress Plugin Vulnerabilities With No Known Fix

ULeak Security & Monitoring

Plugin: ULeak Security & Monitoring Plugin
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Cab fare calculator

Plugin: Cab fare calculator
Installations: 100+
Vulnerability: Unauthenticated Local File Inclusion (LFI)
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Videos sync PDF

Plugin: Videos sync PDF
Installations: 10+
Vulnerability: Unauthenticated Local File Inclusion (LFI)
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Nimble Page Builder

Plugin: Nimble Page Builder
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Books & Papers

Plugin: Books & Papers
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low

The vulnerability has not been patched. You should deactivate the plugin.

Clipr

Plugin: Clipr
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low

The vulnerability has not been patched. You should deactivate the plugin.

Donations

Plugin: Donations
Vulnerability: Unauthenticated SQL Injection
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Master Elements

Plugin: Master Elements
Vulnerability: Unauthenticated SQL Injection
Patched in version: No Fix
Severity score: Critical

The vulnerability has not been patched. You should deactivate the plugin.

Users Ultra

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin
Vulnerability: Unauthenticated SQL Injection
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Advanced Page Visit Counter

Plugin: Advanced Page Visit Counter Most Advanced WordPress Visit Counter Plugin
Vulnerability: Subscriber+ Blind SQL Injection
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

DW Question & Answer Pro

Plugin: DW Question Answer Pro
Vulnerabilities: Multiple CSRF; Arbitrary Comment Editing via IDOR
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Testimonial Slider

Plugin: Testimonial Slider Free Testimonials Slider Plugin
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

Good news! No new WordPress theme vulnerabilities were disclosed this week.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!