
WordPress Vulnerabilities Digest - April 2022 Part 2

Threat Alerts / April 07, 2022
No new WordPress core vulnerabilities were disclosed this week. WordPress Plugin Vulnerabilities: All In One WP Security, SiteGround Security, Photo Gallery, HubSpot, Import and export users and customers, etc.

Each vulnerability is given a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 5.9.3 was released on April 5, 2022, as a short-cycle maintenance release with 19 bug fixes. Because this is a core update, be sure to update to WordPress 5.9.3 as soon as possible.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. All In One WP Security

Plugin: All In One WP Security & Firewall
Installations: 1,000,000+
Vulnerability: Authenticated Arbitrary Redirect / Reflected XSS
Patched in version: 4.4.11
Severity score: Low

The vulnerability has been patched, so you should update to version 4.4.11.

2. SiteGround Security

Plugin: SiteGround Security
Installations: 400,000+
Vulnerability: Authentication Bypass via 2-FA Authentication Setup; Authorization Weakness to Authentication Bypass via 2-FA Back-up Codes
Patched in version: 1.2.6
Severity score: Critical

The vulnerability has been patched, so you should update to version 1.2.6.

3. Photo Gallery

Plugin: Photo Gallery by 10Web Mobile-Friendly Image Gallery
Installations: 300,000+
Vulnerability: Unauthenticated SQL Injection; Reflected Cross-Site Scripting
Patched in version: 1.6.3
Severity score: High

The vulnerability has been patched, so you should update to version 1.6.3.

4. HubSpot

Plugin: HubSpot CRM, Email Marketing, Live Chat, Forms & Analytics
Installations: 200,000+
Vulnerability: Contributor+ Blind SSRF
Patched in version: 8.8.15
Severity score: Medium

The vulnerability has been patched, so you should update to version 8.8.15.

5. Import and export users and customers

Plugin: Import and export users and customers
Installations: 70,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.19.2.1
Severity score: Low

The vulnerability has been patched, so you should update to version 1.19.2.1.

6. Visual Form Builder

Plugin: Visual Form Builder
Installations: 60,000+
Vulnerability: Entries Deletion/Restoration via CSRF; Admin+ Stored Cross-Site Scripting
Patched in version: 3.0.8
Severity score: Medium

The vulnerability has been patched, so you should update to version 3.0.8.

7. Adrotate

Plugin: AdRotate Ad manager & AdSense Ads
Installations: 40,000+
Vulnerability: Admin+ XSS via Advert Name; Admin+ XSS via Group Name
Patched in version: 5.8.23
Severity score: Low

The vulnerability has been patched, so you should update to version 5.8.23.

8. Content Egg

Plugin: Content Egg
Installations: 30,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 5.3.0
Severity score: Medium

The vulnerability has been patched, so you should update to version 5.3.0.

9. Ad Invalid Click Protector (AICP)

Plugin: Ad Invalid Click Protector (AICP)
Installations: 20,000+
Vulnerability: Reflected Cross-Site Scripting; Arbitrary Ban Deletion via CSRF
Patched in version: 1.2.7
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.2.7.

10. Sitemap by click5

Plugin: Sitemap by click5
Installations: 7,000+
Vulnerability: Unauthenticated Arbitrary Options Update
Patched in version: 1.0.36
Severity score: Critical

The vulnerability has been patched, so you should update to version 1.0.36.

11. Import WP

Plugin: Import WP Import and Export WordPress data to XML or CSV files
Installations: 1,000+
Vulnerability: Admin+ Arbitrary File Upload to RCE
Patched in version: 2.4.6
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.4.6.

12. Wbcom Designs Plugins BuddyPress Activity Filter

Plugin: Wbcom Designs BuddyPress Activity Filter
Installations: 1,000+
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: 2.8.0
Severity score: High

The vulnerability has been patched, so you should update to version 2.8.0.

13. Multiple Shipping Address Woocommerce

Plugin: Multiple Shipping Address Woocommerce
Installations: 900+
Vulnerability: Unauthenticated SQLi
Patched in version: 2.0
Severity score: High

The vulnerability has been patched, so you should update to version 2.0.

14. Wbcom Designs Plugins BuddyPress Member Reviews

Plugin: Wbcom Designs BuddyPress Member Reviews
Installations: 800+
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: 2.7.0
Severity score: High

The vulnerability has been patched, so you should update to version 2.7.0.

15. Wbcom Designs Plugins Private Community for BuddyPress

Plugin: Wbcom Designs Private Community for BuddyPress
Installations: 700+
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: 1.7.0
Severity score: High

The vulnerability has been patched, so you should update to version 1.7.0.

16. SiteSuperCharger

Plugin: SiteSuperCharger
Installations: 300+
Vulnerability: Unauthenticated SQLi
Patched in version: 5.2.0
Severity score: High

The vulnerability has been patched, so you should update to version 5.2.0.

17. Fast Flow

Plugin: Fast Flow
Installations: 200+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.2.11
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.2.11.

18. Wbcom Designs Plugins BuddyPress Hashtags

Plugin: BuddyPress Hashtags
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: 2.7.0
Severity score: High

The vulnerability has been patched, so you should update to version 2.7.0.

19. Wbcom Designs Plugins BuddyPress Check-ins Pro

Plugin: BuddyPress Check-ins Pro
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: 1.4.0
Severity score: High

The vulnerability has been patched, so you should update to version 1.4.0.

20. Wbcom Designs Plugins BuddyPress Sticky Post

Plugin: BuddyPress Sticky Post
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: 1.9.9
Severity score: High

The vulnerability has been patched, so you should update to version 1.9.9.

WordPress Plugin Vulnerabilities No Known Fix

Wbcom Designs Plugins BuddyPress Ads

Plugin: Wbcom Designs BuddyPress Ads
Installations: 80+
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Advanced Page Visit Counter

Plugin: Advanced Page Visit Counter Most Advanced WordPress Visit Counter Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Documentor

Plugin: Documentor Create Product Documentation
Vulnerability: Unauthenticated SQLi
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Event List

Plugin: Event List
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low

The vulnerability has not been patched. You should deactivate the plugin.

Tipsacarrier

Plugin: Tipsacarrier
Vulnerability: Unauthenticated SQLi; Unauthenticated Orders Disclosure
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Wbcom Designs Plugins BuddyPress Activity Social Share

Plugin: Wbcom Designs BuddyPress Activity Social Share
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Wbcom Designs Plugins BuddyPress Create Group Type

Plugin: Wbcom Designs BuddyPress Create Group Type
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Wbcom Designs Plugins BuddyPress Group Reviews

Plugin: Wbcom Designs BuddyPress Group Reviews
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Wbcom Designs Plugins BuddyPress Job Manager

Plugin: Wbcom Designs BuddyPress Job Manager
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Wbcom Designs Plugins BuddyPress Search

Plugin: Wbcom Designs BuddyPress Search
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Wbcom Designs Plugins BuddyPress Todo List

Plugin: Wbcom Designs BuddyPress Todo List
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Wbcom Designs Plugins Check-ins for BuddyPress Activity

Plugin: Wbcom Designs Check-ins for BuddyPress Activity
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Wbcom Designs Plugins Custom Email Options

Plugin: Custom Email Options
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Wbcom Designs Plugins Custom Font Uploader

Plugin: Custom Font Uploader
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Wbcom Designs Plugins Woo Audio Preview

Plugin: Woo Audio Preview
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Wbcom Designs Plugins Woo Document Preview

Plugin: Woo Document Preview
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.

Wbcom Designs Plugins WordPress System Log

Plugin: WordPress System Log
Vulnerability: Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched. You should deactivate the plugin.
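Every entry above ends with the same two actions: update to the patched version, or deactivate when there is no fix. The Python script below, an added example that is not code from the original post or from iThemes, automates that check against the JSON printed by `wp plugin list --format=json`. The plugin slugs in the lookup tables and the sample WP-CLI output are assumptions constructed for the example; confirm each slug against the plugin's wordpress.org page before trusting a clean result, and add the slugs for the entries left out here.

```python
"""Flag installed WordPress plugins that sit below this digest's patched versions.

Added example; not code from the original post or from iThemes. Input is the
JSON printed by `wp plugin list --format=json` (one object per plugin with the
fields name, status, update and version).
"""
import json
import re
import sys

# Patched versions transcribed from this digest, keyed by plugin directory slug.
# The slugs are assumptions: verify each against the plugin's wordpress.org
# page (or against `wp plugin list` on the site) before relying on the result.
PATCHED = {
    "all-in-one-wp-security-and-firewall": "4.4.11",
    "sg-security": "1.2.6",
    "photo-gallery": "1.6.3",
    "leadin": "8.8.15",  # HubSpot's plugin
    "import-users-from-csv-with-meta": "1.19.2.1",
    "visual-form-builder": "3.0.8",
    "adrotate": "5.8.23",
    "content-egg": "5.3.0",
    "ad-invalid-click-protector": "1.2.7",
    "import-wp": "2.4.6",
}

# Plugins the digest lists with no known fix: any installed version is flagged.
NO_FIX = {"advanced-page-visit-counter", "event-list"}


def version_key(version):
    """Turn '1.19.2.1' into a comparable pair (numbers, pre-release flag).

    A trailing suffix such as '-rc1' or 'beta' marks a pre-release, which
    sorts below the bare release it precedes (1.2.6-rc1 < 1.2.6).
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = [int(n) for n in m.group(1).split(".")]
    pre_release = -1 if m.group(2).strip() else 0
    return numbers, pre_release


def is_below(installed, patched):
    """True when `installed` is older than `patched`; 5.2 equals 5.2.0."""
    a, a_pre = version_key(installed)
    b, b_pre = version_key(patched)
    width = max(len(a), len(b))
    a = a + [0] * (width - len(a))
    b = b + [0] * (width - len(b))
    return (a, a_pre) < (b, b_pre)


def check(plugins, patched=PATCHED, no_fix=NO_FIX):
    """Return one finding per plugin that needs action, in input order."""
    findings = []
    for plugin in plugins:
        slug, installed = plugin["name"], plugin["version"]
        if slug in no_fix:
            action = "deactivate"
        elif slug in patched and is_below(installed, patched[slug]):
            action = f"update to {patched[slug]}"
        else:
            continue
        findings.append({
            "plugin": slug,
            "installed": installed,
            "status": plugin.get("status", "unknown"),
            "action": action,
        })
    return findings


# Constructed WP-CLI output for a stand-alone run; not taken from a real site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "all-in-one-wp-security-and-firewall", "status": "active",
     "update": "available", "version": "4.4.10"},
    {"name": "sg-security", "status": "active", "update": "none", "version": "1.2.6"},
    {"name": "photo-gallery", "status": "inactive", "update": "available", "version": "1.6.2"},
    {"name": "event-list", "status": "active", "update": "none", "version": "0.8.5"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.2.2"},
])


if __name__ == "__main__":
    # Usage: wp plugin list --format=json > plugins.json && python check.py plugins.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WP_PLUGIN_LIST
    for f in check(json.loads(text)):
        print(f"{f['plugin']} {f['installed']} ({f['status']}): {f['action']}")
```

The comparison pads shorter versions with zeros so 2.0 and 2.0.0 compare equal, and treats a pre-release suffix as older than the bare release, which is the case where a naive string compare goes wrong. An inactive plugin still appears in the findings: its files remain on disk, so the safe follow-up to "deactivate" for a no-fix entry is to delete it.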

WordPress Theme Vulnerabilities

No new WordPress theme vulnerabilities were disclosed this week.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we have already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!