WordPress Vulnerabilities Digest - December 2021 Part 5
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
1. Contact Form 7 Database Addon
Plugin: Contact Form 7 Database Addon Vulnerability: Unauthenticated Stored Cross-Site Scripting Active Installation: 400,000+ Patched in Version: 1.2.6.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.2.6.2.
Plugin: Contact Form 7 Database Addon Vulnerability: Arbitrary Form Deletion via CSRF Active Installation: 400,000+ Patched in Version: 1.2.6.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.2.6.2.
2. Easy Forms for Mailchimp
Plugin: Easy Forms for Mailchimp Vulnerability: Reflected Cross-Site Scripting Active Installation: 100,000+ Patched in Version: 6.8.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 6.8.6.
3. Relevanssi A Better Search
Plugin: Relevanssi A Better Search Vulnerability: Unauthenticated Stored Cross-Site Scripting Active Installation: 100,000+ Patched in Version: 4.14.3 Severity Score: High
The vulnerability is patched, so you should update to version 4.14.3.
4. Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue Vulnerability: Reflected Cross-Site Scripting Active Installation: 90,000+ Patched in Version: 3.1.25 Severity Score: High
The vulnerability is patched, so you should update to version 3.1.25.
5. Product Feed PRO for WooCommerce
Plugin: Product Feed PRO for WooCommerce Vulnerability: Subscriber+ Settings Update to Stored XSS Active Installation: 80,000+ Patched in Version: 11.0.7 Severity Score: High
The vulnerability is patched, so you should update to version 11.0.7.
6. Post Grid
Plugin: Post Grid Vulnerability: Contributor+ SQL Injection Active Installation: 60,000+ Patched in Version: 2.1.13 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.1.13.
7. Contact Form Entries
Plugin: Contact Form Entries Vulnerability: Unauthenticated Stored Cross-Site Scripting Active Installation: 40,000+ Patched in Version: 1.2.4 Severity Score: High
The vulnerability is patched, so you should update to version 1.2.4.
8. Event Tickets
Plugin: Event Tickets Vulnerability: Open Redirect Active Installation: 40,000+ Patched in Version: 5.2.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 5.2.2.
9. Advanced Custom Fields: Extended
Plugin: Advanced Custom Fields: Extended Vulnerability: Admin+ SQL Injection Active Installation: 40,000+ Patched in Version: 0.8.8.7 Severity Score: Medium
The vulnerability is patched, so you should update to version 0.8.8.7.
10. Accept Donations with PayPal
Plugin: Accept Donations with PayPal Vulnerability: Arbitrary Post Deletion via CSRF Active Installation: 30,000+ Patched in Version: 1.3.4 Severity Score: High
The vulnerability is patched, so you should update to version 1.3.4.
11. ACF Photo Gallery Field
Plugin: ACF Photo Gallery Field Vulnerability: Reflected Cross-Site Scripting Active Installation: 30,000+ Patched in Version: 1.7.5 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.7.5.
12. Simple Download Monitor
Plugin: Simple Download Monitor Vulnerability: Multiple CSRF Active Installation: 30,000+ Patched in Version: 3.9.11 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.9.11.
13. Protect WP Admin
Plugin: Protect WP Admin Vulnerability: Unauthenticated Plugin Deactivation Active Installation: 30,000+ Patched in Version: 3.6.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.6.2.
14. Backup and Staging by WP Time Capsule
Plugin: Backup and Staging by WP Time Capsule Vulnerability: Reflected Cross-Site Scripting Active Installation: 20,000+ Patched in Version: 1.22.7 Severity Score: High
The vulnerability is patched, so you should update to version 1.22.7.
15. Event Calendar
Plugin: Event Calendar Vulnerability: Reflected Cross-Site Scripting Active Installation: 20,000+ Patched in Version: 1.1.51 Severity Score: High
The vulnerability is patched, so you should update to version 1.1.51.
Plugin: Event Calendar Vulnerability: Subscriber+ Event Creation Active Installation: 20,000+ Patched in Version: 1.1.51 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.1.51.
16. Five Star Restaurant Reservations
Plugin: Five Star Restaurant Reservations Vulnerability: Subscriber+ Stored Cross-Site Scripting Active Installation: 20,000+ Patched in Version: 2.4.8 Severity Score: High
The vulnerability is patched, so you should update to version 2.4.8.
17. Asgaros Forum
Plugin: Asgaros Forum Vulnerability: Admin+ SQL Injection via forum_id Active Installation: 20,000+ Patched in Version: 1.15.15 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.15.15.
18. WP125
Plugin: WP125 Vulnerability: Arbitrary Ad Deletion via CSRF Active Installation: 10,000+ Patched in Version: 1.5.5 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.5.5.
19. Affiliates Manager
Plugin: Affiliates Manager Vulnerability: Unauthenticated Stored Cross-Site Scripting Active Installation: 10,000+ Patched in Version: 2.9.0 Severity Score: High
The vulnerability is patched, so you should update to version 2.9.0.
20. Smart SEO Tool
Plugin: Smart SEO Tool Vulnerability: Reflected Cross-Site Scripting Active Installation: 9,000+ Patched in Version: 3.0.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.0.6.
21. tarteaucitron.js Cookies legislation & GDPR
Plugin: tarteaucitron.js Cookies legislation & GDPR Vulnerability: CSRF to Stored Cross-Site Scripting Active Installation: 7,000+ Patched in Version: 1.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.6.
Plugin: tarteaucitron.js Cookies legislation & GDPR Vulnerability: Admin+ Stored Cross-Site Scripting Active Installation: 7,000+ Patched in Version: 1.6.1 Severity Score: Low
The vulnerability is patched, so you should update to version 1.6.1.
22. SEO Booster
Plugin: SEO Booster Vulnerability: Admin+ SQL Injection Active Installation: 4,000+ Patched in Version: 3.8 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.8.
23. Booking.com Banner Creator
Plugin: Booking.com Banner Creator Vulnerability: Admin+ Stored Cross-Site Scripting Active Installation: 3,000+ Patched in Version: 1.4.3 Severity Score: Low
The vulnerability is patched, so you should update to version 1.4.3.
24. Profile Extra Fields
Plugin: Profile Extra Fields Vulnerability: Reflected Cross-Site Scripting Active Installation: 2,000+ Patched in Version: 1.2.4 Severity Score: High
The vulnerability is patched, so you should update to version 1.2.4.
25. Booking.com Product Helper
Plugin: Booking.com Product Helper Vulnerability: Admin+ Stored Cross-Site Scripting Active Installation: 2,000+ Patched in Version: 1.0.2 Severity Score: Low
The vulnerability is patched, so you should update to version 1.0.2.
26. SEUR Oficial
Plugin: SEUR Oficial Vulnerability: Admin+ Stored Cross-Site Scripting Active Installation: 1,000+ Patched in Version: 1.7.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.7.0.
27. Spreadsheet Integration
Plugin: Spreadsheet Integration Vulnerability: CSRF Bypass Active Installation: 1,000+ Patched in Version: 3.6.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.6.0.
Plugin: Spreadsheet Integration Vulnerability: Reflected Cross-Site Scripting Active Installation: 1,000+ Patched in Version: 3.6.0 Severity Score: High
The vulnerability is patched, so you should update to version 3.6.0.
28. ClickBank Affiliate Ads
Plugin: ClickBank Affiliate Ads Vulnerability: Admin+ Stored Cross-Site Scripting Active Installation: 700+ Patched in Version: 1.35 Severity Score: Low
The vulnerability is patched, so you should update to version 1.35.
Plugin: ClickBank Affiliate Ads Vulnerability: CSRF to Stored Cross-Site Scripting Active Installation: 700+ Patched in Version: 1.35 Severity Score: High
The vulnerability is patched, so you should update to version 1.35.
29. Stetic
Plugin: Stetic Vulnerability: CSRF to Stored Cross-Site Scripting Active Installation: 300+ Patched in Version: 1.0.9 Severity Score: High
The vulnerability is patched, so you should update to version 1.0.9.
30. Mobile Events Manager
Plugin: Mobile Events Manager Vulnerability: Admin+ Stored Cross-Site Scripting Active Installation: 20+ Patched in Version: 1.4.4 Severity Score: Low
The vulnerability is patched, so you should update to version 1.4.4.
31. AnyComment
Plugin: AnyComment Vulnerability: Reflected Cross-Site Scripting Active Installation: 4,000+ Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
32. Tabs
Plugin: Tabs Vulnerability: Unauthenticated Arbitrary Option Update Patched in Version: 3.6.0 (plugin closed) Severity Score: Critical
This vulnerability has been patched. This plugin has been closed as of December 20, 2021. Uninstall and delete it.
33. Shortcode Addons
Plugin: Shortcode Addons Vulnerability: Unauthenticated Arbitrary Option Update Patched in Version: 3.1.0 (plugin closed) Severity Score: Critical
This vulnerability has been patched. This plugin has been closed as of December 20, 2021. Uninstall and delete it.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we have already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!