NEWS
WordPress Vulnerabilities Digest - April 2022 Part 4
Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
WordPress 5.9.3 was released on April 5, 2022, as a short-cycle maintenance release with 19 bug fixes. Because this is a core update, be sure to update to WordPress 5.9.3 as soon as possible.
No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
1. Call Now Button
Plugin: Call Now Button
Installations: 200,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.1.2
Severity score: Low
The vulnerability has been patched, so you should update to version 1.1.2.
2. Metform Elementor Contact Form Builder
Plugin: Metform Elementor Contact Form Builder (Flexible and Design-Friendly Contact Form builder plugin for WordPress)
Installations: 100,000+
Vulnerability: Unauthenticated API Keys and Secrets Disclosure
Patched in version: 2.1.4
Severity score: High
The vulnerability has been patched, so you should update to version 2.1.4.
3. BulletProof Security
Plugin: BulletProof Security
Installations: 50,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 6.1
Severity score: Low
The vulnerability has been patched, so you should update to version 6.1.
4. WP Subtitle
Plugin: WP Subtitle
Installations: 20,000+
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: 3.4.1
Severity score: Medium
The vulnerability has been patched, so you should update to version 3.4.1.
5. ShortPixel Adaptive Images
Plugin: ShortPixel Adaptive Images
Installations: 20,000+
Vulnerability: Subscriber+ Arbitrary Settings Update
Patched in version: 3.4.0
Severity score: Medium
The vulnerability has been patched, so you should update to version 3.4.0.
6. WPCargo Track & Trace
Plugin: WPCargo Track & Trace
Installations: 10,000+
Vulnerabilities: Reflected Cross-Site Scripting; Admin+ Stored Cross-Site Scripting
Patched in version: 6.9.5
Severity score: Medium
The vulnerabilities have been patched, so you should update to version 6.9.5.
7. Gmedia Photo Gallery
Plugin: Gmedia Photo Gallery
Installations: 10,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.20.0
Severity score: Low
The vulnerability has been patched, so you should update to version 1.20.0.
8. VikBooking Hotel Booking Engine & PMS
Plugin: VikBooking Hotel Booking Engine & PMS
Installations: 3,000+
Vulnerabilities: Admin+ PHP File Upload; Stored Cross-Site Scripting via CSRF; Admin+ Stored Cross-Site Scripting
Patched in version: 1.5.8
Severity score: Medium
The vulnerabilities have been patched, so you should update to version 1.5.8.
9. WP YouTube Live
Plugin: WP YouTube Live
Installations: 3,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.8.3
Severity score: Low
The vulnerability has been patched, so you should update to version 1.8.3.
10. ARPrice Lite
Plugin: Pricing Table Plugin
Installations: 1,000+
Vulnerability: Unauthenticated SQL Injection
Patched in version: 3.6.1
Severity score: High
The vulnerability has been patched, so you should update to version 3.6.1.
11. Bulk Edit and Create User Profiles
Plugin: Bulk Edit and Create User Profiles (WP Sheet Editor)
Installations: 1,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.5.14
Severity score: Low
The vulnerability has been patched, so you should update to version 1.5.14.
12. Night Mode
Plugin: Night Mode
Installations: 100+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.4.0
Severity score: Low
The vulnerability has been patched, so you should update to version 1.4.0.
13. Country Selector
Plugin: WordPress Country Selector
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.6.6
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.6.6.
14. WPQA
Plugin: WPQA Builder
Vulnerabilities: Subscriber+ Arbitrary Profile Picture Deletion via IDOR; Subscriber+ Private Message Disclosure via IDOR; Subscriber+ Stored Cross-Site Scripting via Profile Fields
Patched in version: 5.2
Severity score: Medium
The vulnerabilities have been patched, so you should update to version 5.2.
15. Fusion Builder
Plugin: Fusion Builder
Vulnerability: Unauthenticated SSRF
Patched in version: 3.6.2
Severity score: High
The vulnerability has been patched, so you should update to version 3.6.2.
WordPress Plugin Vulnerabilities With No Known Fix
WPC Smart Wishlist for WooCommerce
Plugin: WPC Smart Wishlist for WooCommerce
Installations: 40,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
BMI BMR Calculator
Plugin: BMI BMR Calculator
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
th23 Social
Plugin: th23 Social
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low
The vulnerability has not been patched. You should deactivate the plugin.
Videos sync PDF
Plugin: Videos sync PDF
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
Custom TinyMCE Shortcode Button
Plugin: Custom TinyMCE Shortcode Button
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
Visual Slide Box Builder
Plugin: Visual Slide Box Builder
Vulnerability: Subscriber+ SQL Injection
Patched in version: No Fix
Severity score: High
The vulnerability has not been patched. You should deactivate the plugin.
ScrollReveal.js Effects
Plugin: ScrollReveal.js Effects
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low
The vulnerability has not been patched. You should deactivate the plugin.
Tracked Tweets
Plugin: Tracked Tweets
Vulnerabilities: Reflected Cross-Site Scripting; Stored Cross-Site Scripting via CSRF
Patched in version: No Fix
Severity score: Medium
The vulnerabilities have not been patched. You should deactivate the plugin.
External Media without Import
Plugin: External Media without Import
Vulnerability: Subscriber+ Blind SSRF
Patched in version: No Fix
Severity score: Low
The vulnerability has not been patched. You should deactivate the plugin.
3xSocializer
Plugin: 3xSocializer
Vulnerability: Subscriber+ SQL Injection
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
Advanced Image Sitemap
Plugin: Advanced Image Sitemap
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
AGIL
Plugin: AGIL (Automatic Grid Image Listing)
Vulnerability: Admin+ Arbitrary File Upload
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
Advanced Uploader
Plugin: Advanced Uploader
Vulnerability: Subscriber+ Arbitrary File Upload
Patched in version: No Fix
Severity score: Critical
The vulnerability has not been patched. You should deactivate the plugin.
Social Stickers
Plugin: Social Stickers
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
WordPress Theme Vulnerabilities
1. Fusion Builder
Theme: Avada
Vulnerability: Unauthenticated SSRF
Patched in version: 7.6.2
Severity score: High
The vulnerability has been patched, so you should update to version 7.6.2.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we have already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!