WordPress Vulnerabilities Digest - December 2021 Part 3
Each vulnerability is given a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
1. Elementor
Plugin: Elementor
Vulnerability: DOM Cross-Site Scripting
Active Installations: 5+ million
Patched in Version: 3.4.8
Severity Score: High
The vulnerability is patched, so you should update to version 3.4.8.
2. UpdraftPlus
Plugin: UpdraftPlus
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 3+ million
Patched in Version: 1.16.66
Severity Score: High
The vulnerability is patched, so you should update to version 1.16.66.
3. WooCommerce PDF Invoices & Packing Slips
Plugin: WooCommerce PDF Invoices & Packing Slips
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 300,000+
Patched in Version: 2.10.5
Severity Score: High
The vulnerability is patched, so you should update to version 2.10.5.
4. PublishPress Capabilities
Plugin: PublishPress Capabilities
Vulnerability: Unauthenticated Arbitrary Options Update to Blog Compromise
Active Installations: 100,000+
Patched in Version: 2.3.1
Severity Score: Critical
The vulnerability is patched, so you should update to version 2.3.1.
Plugin: PublishPress Capabilities Pro
Vulnerability: Unauthenticated Arbitrary Options Update to Blog Compromise
Patched in Version: 2.3.1
Severity Score: Critical
The vulnerability is patched, so you should update to version 2.3.1.
5. Chaty Free
Plugin: Chaty Free
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 100,000+
Patched in Version: 2.8.3
Severity Score: High
The vulnerability is patched, so you should update to version 2.8.3.
Plugin: Chaty Pro
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.8.2
Severity Score: High
The vulnerability is patched, so you should update to version 2.8.2.
6. PowerPack Addons for Elementor
Plugin: PowerPack Addons for Elementor
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 60,000+
Patched in Version: 2.6.2
Severity Score: High
The vulnerability is patched, so you should update to version 2.6.2.
7. Booking Calendar
Plugin: Booking Calendar
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 60,000+
Patched in Version: 8.9.2
Severity Score: High
The vulnerability is patched, so you should update to version 8.9.2.
8. 10Web Social Photo Feed
Plugin: 10Web Social Photo Feed
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installations: 60,000+
Patched in Version: 1.4.29
Severity Score: High
The vulnerability is patched, so you should update to version 1.4.29.
9. Site Reviews
Plugin: Site Reviews
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installations: 40,000+
Patched in Version: 5.17.3
Severity Score: High
The vulnerability is patched, so you should update to version 5.17.3.
10. Speed Booster Pack
Plugin: Speed Booster Pack
Vulnerability: Admin+ SQL Injection
Active Installations: 30,000+
Patched in Version: 4.3.3.1
Severity Score: Medium
The vulnerability is patched, so you should update to version 4.3.3.1.
11. Multivendor Marketplace Solution for WooCommerce
Plugin: Multivendor Marketplace Solution for WooCommerce
Vulnerability: Unauthenticated AJAX Calls
Active Installations: 10,000+
Patched in Version: 3.8.4
Severity Score: High
The vulnerability is patched, so you should update to version 3.8.4.
12. Modal Window
Plugin: Modal Window
Vulnerability: RFI leading to RCE via CSRF
Active Installations: 10,000+
Patched in Version: 5.2.2
Severity Score: High
The vulnerability is patched, so you should update to version 5.2.2.
13. WP Coder
Plugin: WP Coder
Vulnerability: RFI leading to RCE via CSRF
Active Installations: 10,000+
Patched in Version: 2.5.2
Severity Score: High
The vulnerability is patched, so you should update to version 2.5.2.
14. RegistrationMagic
Plugin: RegistrationMagic
Vulnerability: Admin+ SQL Injection
Active Installations: 10,000+
Patched in Version: 5.0.1.6
Severity Score: Medium
The vulnerability is patched, so you should update to version 5.0.1.6.
Plugin: RegistrationMagic
Vulnerability: Authentication Bypass
Active Installations: 10,000+
Patched in Version: 5.0.1.8
Severity Score: Critical
The vulnerability is patched, so you should update to version 5.0.1.8.
15. Events Made Easy
Plugin: Events Made Easy
Vulnerability: Subscriber+ SQL Injection
Active Installations: 6,000+
Patched in Version: 2.2.36
Severity Score: High
The vulnerability is patched, so you should update to version 2.2.36.
16. Button Generator
Plugin: Button Generator
Vulnerability: RFI leading to RCE via CSRF
Active Installations: 5,000+
Patched in Version: 2.3.3
Severity Score: High
The vulnerability is patched, so you should update to version 2.3.3.
17. Tab Accordion, FAQ
Plugin: Tab Accordion, FAQ
Vulnerability: Unauthenticated AJAX Calls
Active Installations: 2,000+
Patched in Version: 1.3.2
Severity Score: Critical
The vulnerability is patched, so you should update to version 1.3.2.
18. Stars Rating
Plugin: Stars Rating
Vulnerability: Comments Denial of Service
Active Installations: 800+
Patched in Version: 3.5.1
Severity Score: Medium
The vulnerability is patched, so you should update to version 3.5.1.
19. WPcalc
Plugin: WPcalc
Vulnerability: Authenticated SQL Injection
Patched in Version: No known fix; plugin closed
Severity Score: Medium
This vulnerability has NOT been patched. The plugin was closed on the WordPress.org repository as of December 9, 2021, so no fix will be distributed. Uninstall and delete it.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we've already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!