WordPress Vulnerabilities Digest - August 2022 Part 1

Threat Alerts / August 11, 2022
WordPress 6.0.1 was released on July 12, 2022, as a short-cycle maintenance release with 31 bug fixes. Because this is a core update, be sure to update to WordPress 6.0.1 as soon as possible.

Each vulnerability is given a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. Advanced Custom Fields

Plugin: Advanced Custom Fields
Installations: 2,000,000+
Vulnerability: Unauthenticated File Upload
Patched in version: 5.12.3
Severity score: Medium

The vulnerability has been patched, so you should update to version 5.12.3.

2. Better Search and Replace

Plugin: Better Search Replace
Installations: 1,000,000+
Vulnerability: Admin+ SQLi
Patched in version: 1.4.1
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.4.1.

3. Duplicator

Plugin: Duplicator WordPress Migration Plugin
Installations: 1,000,000+
Vulnerability: Unauthenticated System Information Disclosure
Patched in version: 1.4.7
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.4.7.

4. Download Manager

Plugin: Download Manager
Installations: 100,000+
Vulnerability: Bypass IP Address Blocking Restriction
Patched in version: 3.2.50
Severity score: Medium

The vulnerability has been patched, so you should update to version 3.2.50.

5. Social Chat

Plugin: WP Social Chat Click To Chat App
Installations: 100,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 6.0.5
Severity score: Low

The vulnerability has been patched, so you should update to version 6.0.5.

6. Social Slider Feed

Plugin: Social Slider Feed
Installations: 90,000+
Vulnerabilities: Subscriber+ Stored XSS via Feeds; Reflected Cross-Site Scripting; Subscriber+ Arbitrary API Key Update to Stored XSS; Subscriber+ Arbitrary Feed Deletion
Patched in version: 2.0.5
Severity score: High

These vulnerabilities have been patched, so you should update to version 2.0.5.

7. Feed Them Social

Plugin: Feed Them Social for Twitter feed, Youtube and more
Installations: 70,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.0.1
Severity score: Medium

The vulnerability has been patched, so you should update to version 3.0.1.

8. Simple Banner

Plugin: Simple Banner
Installations: 50,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.12.0
Severity score: Low

The vulnerability has been patched, so you should update to version 2.12.0.

9. WP phpMyAdmin

Plugin: WP phpMyAdmin
Installations: 40,000+
Vulnerabilities: Admin+ Stored Cross-Site Scripting; Reflected Cross-Site Scripting
Patched in version: 5.2.0.4
Severity score: Low

These vulnerabilities have been patched, so you should update to version 5.2.0.4.

10. Simple Job Board

Plugin: Simple Job Board
Installations: 20,000+
Vulnerability: Resume Disclosure via Directory Listing
Patched in version: 2.10.0
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.10.0.

11. Product Slider for WooCommerce

Plugin: Product Slider for WooCommerce
Installations: 20,000+
Vulnerability: Subscriber+ Arbitrary Options Deletion
Patched in version: 2.5.7
Severity score: High

The vulnerability has been patched, so you should update to version 2.5.7.

12. Automations By Autonami

Plugin: Abandoned Cart Recovery for WooCommerce, Follow Up Emails, Newsletter Builder & Marketing Automation By Autonami
Installations: 10,000+
Vulnerability: Subscriber+ Automation Creation
Patched in version: 2.1.2
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.1.2.

13. Directorist

Plugin: Directorist WordPress Business Directory Plugin with Classified Ads Listings
Installations: 10,000+
Vulnerability: Subscriber+ Arbitrary E-mail Sending
Patched in version: 7.3.0
Severity score: Medium

The vulnerability has been patched, so you should update to version 7.3.0.

14. WP Coder

Plugin: WP Coder add custom html, css and js code
Installations: 10,000+
Vulnerability: Code Deletion via CSRF
Patched in version: 2.5.3
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.5.3.

15. WordPress Team Members Showcase

Plugin: Team WordPress Team Members Showcase Plugin
Installations: 10,000+
Vulnerability: Subscriber+ Arbitrary File Read and Deletion
Patched in version: 4.1.2
Severity score: High

The vulnerability has been patched, so you should update to version 4.1.2.

16. WP Sticky Button

Plugin: WP Sticky Button Click to Chat
Installations: 10,000+
Vulnerability: Unauthenticated Arbitrary Settings Update to Stored XSS
Patched in version: 1.4.1
Severity score: High

The vulnerability has been patched, so you should update to version 1.4.1.

17. Simple SEO

Plugin: Simple SEO
Installations: 6,000+
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: 1.7.92
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.7.92.

18. Lana Downloads Manager

Plugin: Lana Downloads Manager
Installations: 2,000+
Vulnerability: Contributor+ Arbitrary File Download
Patched in version: 1.8.0
Severity score: High

The vulnerability has been patched, so you should update to version 1.8.0.

19. Automatic pages for Privacy Policy, Terms, About, Contact us

Plugin: Automatic pages for Privacy Policy, Terms, About, Contact us
Installations: 1,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.42
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.42.

20. Student Result or Employee Database

Plugin: Student Result or Employee Database
Installations: 1,000+
Vulnerabilities: Stored Cross-Site Scripting via CSRF; Unauthorised REST Calls
Patched in version: 1.7.5
Severity score: Medium

These vulnerabilities have been patched, so you should update to version 1.7.5.

21. Add Hierarchy (parent) to post

Plugin: Add Hierarchy (parent) to post
Installations: 700+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.13
Severity score: Medium

The vulnerability has been patched, so you should update to version 3.13.

22. Debug Bar

Plugin: Debug Bar Enable WP_DEBUG from admin dashboard
Installations: 500+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.86
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.86.

23. Remove tabs and fields from WooCommerce

Plugin: Remove tabs and fields from WooCommerce
Installations: 400+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.68
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.68.

24. Ninja Job Board

Plugin: Ninja Job Board Ultimate WordPress Job Board Plugin
Installations: 200+
Vulnerability: Resume Disclosure via Directory Listing
Patched in version: 1.3.3
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.3.3.

25. Profile & Dashboard fields

Plugin: Profile & Dashboard fields [Modify/Disable/Remove]
Installations: 200+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.04
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.04.

26. Breadcrumbs Shortcode

Plugin: Breadcrumbs Shortcode
Installations: 200+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.45
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.45.

27. External url as post Featured Image

Plugin: External url as post Featured Image (thumbnail)
Installations: 100+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.03
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.03.

28. Require & Limit Categories, Tags, Featured Image and taxonomies

Plugin: Require & Limit Categories, Tags, Featured Image and taxonomies
Installations: 30+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.27
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.27.

29. Download buttons for Youtube videos

Plugin: Download buttons for Youtube videos
Installations: 20+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.04
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.04.

30. Redirect By Cookie

Plugin: Redirect By Cookie
Installations: 20+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.07
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.07.

31. Images Asynchronous Load

Plugin: Images Asynchronous Load
Installations: 10+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.06
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.06.

32. Comment Fields [Modify/Disable/Remove]

Plugin: Comment Fields [Modify/Disable/Remove]
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.04
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.04.

33. LinkWorth Plugin

Plugin: LinkWorth Plugin
Vulnerability: Arbitrary Setting Update via CSRF
Patched in version: 3.3.4
Severity score: Medium

The vulnerability has been patched, so you should update to version 3.3.4.

34. WPQA

Plugin: WPQA Builder
Vulnerability: Subscriber+ Private Message Disclosure via IDOR
Patched in version: 5.7
Severity score: Medium

The vulnerability has been patched, so you should update to version 5.7.

35. Highlight Searched Terms in Results

Plugin: Highlight Searched Terms in Results
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.04
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.04.

36. API info for Plugins & Themes from WP.ORG

Plugin: API info for Plugins & Themes from WP.ORG
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.05
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.05.

37. Add Custom Post Type into Post Query

Plugin: Add Custom Post Type into Post Query
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.04
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.04.

38. All custom fields & groups

Plugin: All custom fields & groups
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.05
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.05.

39. Rezgo Online Booking

Plugin: Rezgo Online Booking
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 4.1.8
Severity score: Medium

The vulnerability has been patched, so you should update to version 4.1.8.

40. Built-in Widgets Query extend

Plugin: Built-in Widgets Query extend (Custom Post Types & more)
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.06
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.06.

41. Find Slow Functions & Actions & Filters & Hooks (Debug Bar)

Plugin: Find Slow Functions & Actions & Filters & Hooks (Debug Bar)
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.41
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.41.

WordPress Plugin Vulnerabilities No Known Fix

Until a patch is available, immediately uninstall and delete the plugin.

Coming Soon Under Construction

Plugin: Coming Soon Under Construction
Installations: 800+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low

The vulnerability has not been patched. You should deactivate the plugin.

Yotpo Reviews for WooCommerce

Plugin: Yotpo Reviews for WooCommerce (Unofficial)
Vulnerability: Arbitrary Settings Update via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Auto-hyperlink URLs

Plugin: Auto-hyperlink URLs
Vulnerability: Tab Nabbing
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Floating Div

Plugin: Floating Div
Vulnerability: Author+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Enable SVG, WebP & ICO Upload

Plugin: Enable SVG, WebP & ICO Upload
Vulnerabilities: Author+ Arbitrary File Upload; Author+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: High

These vulnerabilities have not been patched and the plugin is closed. You should uninstall and delete the plugin.

WPGraphQL WooCommerce

Plugin: WPGraphQL WooCommerce
Vulnerability: Unauthenticated Coupon Codes Disclosure
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Transposh WordPress Translation

Plugin: Transposh WordPress Translation
Vulnerabilities: Admin+ SQL Injection; Subscriber+ Unauthorised Calls
Patched in version: No Fix
Severity score: Medium

These vulnerabilities have not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Edit Menu

Plugin: WP Edit Menu
Vulnerability: Arbitrary Post Deletion via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

BxSlider WP

Plugin: BxSlider WP
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

VR Calendar

Plugin: VR Calendar
Vulnerabilities: Reflected Cross-Site Scripting; Admin+ LFI
Patched in version: No Fix
Severity score: Medium

These vulnerabilities have not been patched and the plugin is closed. You should uninstall and delete the plugin.

GS Testimonial Slider

Plugin: GS Testimonial Slider
Vulnerability: Author+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

1. Ask Me < 6.8.4 CSRF in Edit Profile

Theme: Ask me
Vulnerability: CSRF
Patched in version: 6.8.4
Severity score: Medium

The vulnerability has been patched, so you should update to version 6.8.4.

If you are under our WordPress Managed Maintenance plan, there is nothing to worry about: we have already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign up today!