WordPress Vulnerabilities Digest - April 2022 Part 3
Each vulnerability is given a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
WordPress 5.9.3 was released on April 5, 2022, as a short-cycle maintenance release with 19 bug fixes. Because this is a core update, be sure to update to WordPress 5.9.3 as soon as possible.
No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
1. Elementor
Plugin: Elementor Website Builder
Installations: 5,000,000+
Vulnerability: Subscriber+ Arbitrary File Upload
Patched in version: 3.6.3
Severity score: Critical
The vulnerability has been patched, so you should update to version 3.6.3.
2. Popup Maker
Plugin: Popup Maker (Popup for opt-ins, lead gen, & more)
Installations: 700,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.16.5
Severity score: Low
The vulnerability has been patched, so you should update to version 1.16.5.
3. WPvivid Backup and Migration Plugin
Plugin: Migration, Backup, Staging (WPvivid)
Installations: 100,000+
Vulnerability: Admin+ Arbitrary File Download
Patched in version: 0.9.71
Severity score: Low
The vulnerability has been patched, so you should update to version 0.9.71.
4. Modern Events Calendar Lite
Plugin: Modern Events Calendar Lite
Installations: 100,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 6.5.2
Severity score: Low
The vulnerability has been patched, so you should update to version 6.5.2.
5. Slide Anything
Plugin: Slide Anything (Responsive Content / HTML Slider and Carousel)
Installations: 100,000+
Vulnerability: Editor+ Stored Cross-Site Scripting
Patched in version: 2.3.44
Severity score: Low
The vulnerability has been patched, so you should update to version 2.3.44.
6. Multiple Plugins from Cool Plugins: Cool Timeline
Plugin: Cool Timeline
Installations: 20,000+
Vulnerability: Subscriber+ Arbitrary Plugin Installation & Activation
Patched in version: 2.4
Severity score: High
The vulnerability has been patched, so you should update to version 2.4.
7. Popup by Supsystic
Plugin: Popup by Supsystic
Installations: 20,000+
Vulnerability: Unauthenticated Subscriber Email Addresses Disclosure
Patched in version: 1.10.9
Severity score: High
The vulnerability has been patched, so you should update to version 1.10.9.
8. Multiple Plugins from Cool Plugins: Cryptocurrency Widgets Price Ticker & Coins List
Plugin: Cryptocurrency Widgets Price Ticker & Coins List
Installations: 10,000+
Vulnerability: Subscriber+ Arbitrary Plugin Installation & Activation
Patched in version: 2.5
Severity score: High
The vulnerability has been patched, so you should update to version 2.5.
9. Multiple Plugins from Cool Plugins: Events Shortcodes For The Events Calendar
Plugin: Events Shortcodes For The Events Calendar
Installations: 10,000+
Vulnerability: Subscriber+ Arbitrary Plugin Installation & Activation
Patched in version: 2.0
Severity score: High
The vulnerability has been patched, so you should update to version 2.0.
10. Multiple Plugins from Cool Plugins: Cryptocurrency Donation Box Bitcoin & Crypto Donations
Plugin: Cryptocurrency Donation Box Bitcoin & Crypto Donations
Installations: 5,000+
Vulnerability: Subscriber+ Arbitrary Plugin Installation & Activation
Patched in version: 1.8
Severity score: High
The vulnerability has been patched, so you should update to version 1.8.
11. Multiple Plugins from Cool Plugins: Events Widgets For Elementor And The Events Calendar
Plugin: Events Widgets For Elementor And The Events Calendar
Installations: 5,000+
Vulnerability: Subscriber+ Arbitrary Plugin Installation & Activation
Patched in version: 1.5
Severity score: High
The vulnerability has been patched, so you should update to version 1.5.
12. Simple Ajax Chat
Plugin: Simple Ajax Chat
Installations: 4,000+
Vulnerability: Sensitive Information Disclosure; Log Clearing & Arbitrary Chat Message Deletion via CSRF
Patched in version: 20220216
Severity score: Medium
The vulnerability has been patched, so you should update to version 20220216.
13. Multiple Plugins from Cool Plugins: Event Single Page Templates Addon For The Events Calendar
Plugin: Event Single Page Templates Addon For The Events Calendar
Installations: 3,000+
Vulnerability: Subscriber+ Arbitrary Plugin Installation & Activation
Patched in version: 1.6
Severity score: High
The vulnerability has been patched, so you should update to version 1.6.
14. Multiple Plugins from Cool Plugins: Events Search For The Events Calendar
Plugin: Events Search For The Events Calendar
Installations: 2,000+
Vulnerability: Subscriber+ Arbitrary Plugin Installation & Activation
Patched in version: 1.2
Severity score: High
The vulnerability has been patched, so you should update to version 1.2.
15. RSFirewall
Plugin: RSFirewall!
Installations: 2,000+
Vulnerability: IP Block Bypass
Patched in version: 1.1.25
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.1.25.
16. Multiple Plugins from Cool Plugins: Event Countdown For The Events Calendar
Plugin: Event Countdown For The Events Calendar
Installations: 2,000+
Vulnerability: Subscriber+ Arbitrary Plugin Installation & Activation
Patched in version: 1.4
Severity score: High
The vulnerability has been patched, so you should update to version 1.4.
17. Multiple Plugins from Cool Plugins: Cryptocurrency Widgets For Elementor
Plugin: Cryptocurrency Widgets For Elementor
Installations: 1,000+
Vulnerability: Subscriber+ Arbitrary Plugin Installation & Activation
Patched in version: 1.3
Severity score: High
The vulnerability has been patched, so you should update to version 1.3.
18. Ubigeo de Peru
Plugin: Ubigeo de Perú para Woocommerce y WordPress
Installations: 1,000+
Vulnerability: Unauthenticated SQLi
Patched in version: 3.6.4
Severity score: High
The vulnerability has been patched, so you should update to version 3.6.4.
19. Order Listener for WooCommerce
Plugin: Order Listener for WooCommerce (Play Sounds Instantly on New Orders)
Installations: 1,000+
Vulnerability: Unauthenticated SQLi
Patched in version: 3.2.2
Severity score: High
The vulnerability has been patched, so you should update to version 3.2.2.
20. Personal Dictionary
Plugin: Personal Dictionary
Installations: 30+
Vulnerability: Unauthenticated SQLi
Patched in version: 1.3.4
Severity score: High
The vulnerability has been patched, so you should update to version 1.3.4.
21. Themify
Plugin: Themify
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.4.0
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.4.0.
22. Fancy Product Designer
Plugin: Fancy Product Designer
Vulnerability: Arbitrary File Upload via CSRF
Patched in version: 4.7.6
Severity score: High
The vulnerability has been patched, so you should update to version 4.7.6.
23. MapSVG
Plugin: MapSVG
Vulnerability: Unauthenticated SQLi
Patched in version: 6.2.20
Severity score: High
The vulnerability has been patched, so you should update to version 6.2.20.
WordPress Plugin Vulnerabilities With No Known Fix
WP Maintenance
Plugin: WP Maintenance
Installations: 30,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low
The vulnerability has not been patched. You should deactivate the plugin.
WP Social Buttons
Plugin: WP Social Buttons
Installations: 400+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low
The vulnerability has not been patched. You should deactivate the plugin.
IgniteUp
Plugin: IgniteUp (Coming Soon and Maintenance Mode)
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low
The vulnerability has not been patched. You should deactivate the plugin.
BadgeOS
Plugin: BadgeOS
Vulnerability: Unauthenticated SQLi
Patched in version: No Fix
Severity score: High
The vulnerability has not been patched. You should deactivate the plugin.
KB Support
Plugin: KB Support (WordPress Help Desk)
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
CalderaWP License Manager
Plugin: CalderaWP License Manager
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
Admin Menu Editor
Plugin: Admin Menu Editor
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
Product Filter For WooCommerce Product
Plugin: Product Filter For WooCommerce Product
Vulnerability: Unauthenticated SQLi
Patched in version: No Fix
Severity score: High
The vulnerability has not been patched. You should deactivate the plugin.
SEMA API
Plugin: SEMA API
Vulnerability: Unauthenticated SQLi
Patched in version: No Fix
Severity score: High
The vulnerability has not been patched. You should deactivate the plugin.
Easily Generate Rest API Url
Plugin: Easily Generate Rest API Url
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low
The vulnerability has not been patched. You should deactivate the plugin.
WP Video Gallery
Plugin: WP Video Gallery
Vulnerability: Unauthenticated SQLi
Patched in version: No Fix
Severity score: High
The vulnerability has not been patched. You should deactivate the plugin.
WordPress Theme Vulnerabilities
Good news! No new WordPress theme vulnerabilities were disclosed this week.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!