
WordPress Vulnerabilities Digest - February 2022 Part 1

Threat Alerts / February 03, 2022
WordPress Plugin Vulnerabilities: Essential Addons for Elementor, Use Any Font, TI WooCommerce Wishlist, etc.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress 5.9: Core Major Version Update Now Available

WordPress 5.9 Josephine was released on January 25, 2022, as the first major WordPress core release of the year. The biggest thing to know about WordPress 5.9 is simply this: Full Site Editing (FSE) using the WordPress block editor is here (well, if you want to use it or your theme supports it).

WordPress 5.9 represents the largest release of Gutenberg features since the initial Gutenberg launch in WordPress 5.0. In addition, WordPress 5.9 includes 99 enhancements and 100 bug fixes.

You can update to WordPress 5.9 by downloading from WordPress.org or visiting your WordPress admin dashboard > Updates and clicking Update Now.

If you have sites that have enabled automatic background updates, they should have already updated successfully. Just be sure to verify that all your WordPress sites are on WordPress 5.9.

WordPress Plugin Vulnerabilities

1. Essential Addons for Elementor

Plugin: Essential Addons for Elementor
Installations: 1,000,000+
Vulnerability: Unauthenticated LFI
Patched in version: 5.0.5
Severity score: Critical

The vulnerability has been patched, so you should update to version 5.0.5.

2. Use Any Font

Plugin: Use Any Font | Custom Font Uploader
Installations: 200,000+
Vulnerability: Unauthenticated Arbitrary CSS Appending
Patched in version: 6.2.1
Severity score: High

The vulnerability has been patched, so you should update to version 6.2.1.

3. TI WooCommerce Wishlist

Plugin: TI WooCommerce Wishlist
Installations: 100,000+
Vulnerability: Unauthenticated Blind SQL Injection
Patched in version: 1.40.1
Severity score: High

The vulnerability has been patched, so you should update to version 1.40.1.

4. StatCounter

Plugin: StatCounter Free Real Time Visitor Stats
Installations: 100,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.0.7
Severity score: Low

The vulnerability has been patched, so you should update to version 2.0.7.

5. WPvivid Backup and Migration Plugin

Plugin: Migration, Backup, Staging WPvivid Backup and Migration Plugin
Installations: 100,000+
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in version: 0.9.69
Severity score: Critical

The vulnerability has been patched, so you should update to version 0.9.69.

6. LearnPress

Plugin: LearnPress WordPress LMS Plugin
Installations: 100,000+
Vulnerability: Arbitrary Image Renaming
Patched in version: 4.1.5
Severity score: Medium

The vulnerability has been patched, so you should update to version 4.1.5.

7. WP RSS Aggregator

Plugin: WP RSS Aggregator News Feeds, Autoblogging, Youtube Video Feeds and More
Installations: 60,000+
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in version: 4.20
Severity score: Medium

The vulnerability has been patched, so you should update to version 4.20.

8. Simple Membership

Plugin: Simple Membership
Installations: 50,000+
Vulnerability: Arbitrary Member Deletion via CSRF
Patched in version: 4.0.9
Severity score: Medium

The vulnerability has been patched, so you should update to version 4.0.9.

9. Better Notifications for WP

Plugin: Customize WordPress Emails and Alerts Better Notifications for WP
Installations: 40,000+
Vulnerability: Email Address Disclosure
Patched in version: 1.8.7
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.8.7.

10. Post Snippets

Plugin: Post Snippets
Installations: 30,000+
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in version: 3.1.4
Severity score: High

The vulnerability has been patched, so you should update to version 3.1.4.

11. Blackhole for Bad Bots

Plugin: Blackhole for Bad Bots
Installations: 30,000+
Vulnerability: Arbitrary IP Address Blocking via IP Spoofing
Patched in version: 3.3.2
Severity score: High

The vulnerability has been patched, so you should update to version 3.3.2.

12. WP Visitor Statistics (Real Time Traffic)

Plugin: WP Visitor Statistics (Real Time Traffic)
Installations: 20,000+
Vulnerability: Arbitrary IP Address Exclusion to Stored XSS
Patched in version: 5.5
Severity score: High

The vulnerability has been patched, so you should update to version 5.5.

13. WP Accessibility Helper (WAH)

Plugin: WP Accessibility Helper (WAH)
Installations: 20,000+
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in version: 0.6.0.7
Severity score: Medium

The vulnerability has been patched, so you should update to version 0.6.0.7.

14. Asgaros Forum

Plugin: Asgaros Forum
Installations: 20,000+
Vulnerability: Subscriber+ Blind SQL Injection
Patched in version: 2.0.0
Severity score: High

The vulnerability has been patched, so you should update to version 2.0.0.

15. WP Google Map

Plugin: Maps Plugin using Google Maps for WordPress WP Google Map
Installations: 20,000+
Vulnerability: Arbitrary Post Deletion and Plugin Settings Update via CSRF
Patched in version: 1.8.4
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.8.4.

16. WHMCS Bridge

Plugin: WHMCS Bridge
Installations: 10,000+
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in version: 6.4b
Severity score: Medium

The vulnerability has been patched, so you should update to version 6.4b.

17. WP Review Slider

Plugin: WP Review Slider
Installations: 10,000+
Vulnerability: Admin+ SQL Injection
Patched in version: 11.0
Severity score: Medium

The vulnerability has been patched, so you should update to version 11.0.

18. WP Ultimate CSV Importer

Plugin: Easy Drag And Drop All Import: WP Ultimate CSV Importer
Installations: 10,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 6.4.3
Severity score: Low

The vulnerability has been patched, so you should update to version 6.4.3.

19. AP Custom Testimonial

Plugin: Testimonial WordPress Plugin AP Custom Testimonial
Installations: 4,000+
Vulnerability: Reflected Cross-Site Scripting; Admin+ SQL Injection
Patched in version: 1.4.8
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.4.8.

20. Logo Showcase with Slick Slider

Plugin: Logo Showcase with Slick Slider Logo Carousel, Logo Slider & Logo Grid
Installations: 3,000+
Vulnerability: Arbitrary Media Title/Description/Alt Text/URL Update via CSRF
Patched in version: 2.0.1
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.0.1.

21. WP User

Plugin: WP User Custom Registration Forms, Login and User Profile
Installations: 2,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 7.0
Severity score: Medium

The vulnerability has been patched, so you should update to version 7.0.

22. WS Form

Plugin: WS Form LITE Drag & Drop Contact Form Builder for WordPress
Installations: 1,000+
Vulnerability: Admin+ Stored Cross-Site Scripting; Unauthenticated Stored Cross-Site Scripting
Patched in version: 1.8.176
Severity score: High

The vulnerability has been patched, so you should update to version 1.8.176.

Premium Plugin Vulnerabilities

Super Forms

Plugin: Super Forms Drag & Drop Form Builder
Installations: Unknown (Premium Plugin)
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 6.0.4
Severity score: Medium

The vulnerability has been patched, so you should update to version 6.0.4.

WordPress GDPR & CCPA

Plugin: WordPress GDPR
Installations: Unknown (Premium Plugin)
Vulnerability: Authenticated Reflected Cross-Site Scripting; Unauthenticated Reflected Cross-Site Scripting
Patched in version: 1.9.27
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.9.27.

TI WooCommerce Wishlist Pro

Plugin: TI WooCommerce Wishlist Pro
Installations: Unknown (Premium Plugin)
Vulnerability: Unauthenticated Blind SQL Injection
Patched in version: 1.40.1
Severity score: High

The vulnerability has been patched, so you should update to version 1.40.1.

AdSanity

Plugin: AdSanity
Installations: Unknown (Premium Plugin)
Vulnerability: Contributor Arbitrary File Upload
Patched in version: 1.8.2
Severity score: Critical

The vulnerability has been patched, so you should update to version 1.8.2.

WordPress Plugin Vulnerabilities No Known Fix

Embed Swagger

Plugin: Embed Swagger
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Crazy Bone

Plugin: Crazy Bone
Vulnerability: Unauthenticated Stored XSS
Patched in version: No Fix

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Responsive Menu

Plugin: WP Responsive Menu
Vulnerability: Subscriber Settings Update to Stored XSS
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
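Every entry above ends with the same instruction: compare the installed version against the patched version, or remove the plugin outright when it is closed with no fix. The script below is an added example, not part of the original digest, that turns that instruction into a check a maintainer can run across many sites. It reads a plugin inventory in the JSON shape that WP-CLI's `wp plugin list --fields=title,version --format=json` produces (the `--fields` selection and the exact title strings a given site reports are assumptions; the patched versions are the ones listed in this digest), matches each installed plugin to a digest entry by its display title, and flags anything older than the fix or listed as closed. The inventory embedded at the bottom is constructed for the demonstration.

```python
"""Audit a WP-CLI plugin inventory against the patched versions in this digest.

Run on a site (assumes WP-CLI is installed and the command is run from the site root):
    wp plugin list --fields=title,version --format=json > plugins.json
    python audit_plugins.py plugins.json
Without an argument the constructed sample inventory below is audited.
"""
import json
import re
import sys

# Patched versions exactly as stated in the digest (display title -> first safe version).
PATCHED_IN = {
    "Essential Addons for Elementor": "5.0.5", "Use Any Font": "6.2.1",
    "TI WooCommerce Wishlist": "1.40.1", "StatCounter": "2.0.7",
    "WPvivid Backup": "0.9.69", "LearnPress": "4.1.5", "WP RSS Aggregator": "4.20",
    "Simple Membership": "4.0.9", "Better Notifications for WP": "1.8.7",
    "Post Snippets": "3.1.4", "Blackhole for Bad Bots": "3.3.2",
    "WP Visitor Statistics": "5.5", "WP Accessibility Helper": "0.6.0.7",
    "Asgaros Forum": "2.0.0", "WP Google Map": "1.8.4", "WHMCS Bridge": "6.4b",
    "WP Review Slider": "11.0", "WP Ultimate CSV Importer": "6.4.3",
    "AP Custom Testimonial": "1.4.8", "Logo Showcase with Slick Slider": "2.0.1",
    "WP User": "7.0", "WS Form": "1.8.176", "Super Forms": "6.0.4",
    "WordPress GDPR": "1.9.27", "TI WooCommerce Wishlist Pro": "1.40.1", "AdSanity": "1.8.2",
}
# Closed plugins with no fix: the digest's advice is to uninstall them whatever the version.
NO_FIX = {"Embed Swagger", "Crazy Bone", "WP Responsive Menu"}

# A digest title matches an installed title only when it is the whole title or is followed by
# one of these tagline separators, so "WP User" does not match e.g. "WP User Avatar".
SEPARATORS = (" | ", " - ", " – ", ": ", " (")


def parse_version(text):
    """Split '1.40.1', '0.6.0.7' or '6.4b' into comparable (number, suffix) pairs."""
    parts = []
    for token in text.strip().split("."):
        m = re.match(r"(\d*)(.*)", token)
        parts.append((int(m.group(1) or 0), m.group(2)))
    return parts


def version_lt(installed, patched):
    """True when `installed` is older than `patched`; '5.5' and '5.5.0' compare equal.
    Simplification (assumption): a letter suffix such as '6.4b' sorts after the bare '6.4'."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += [(0, "")] * (width - len(a))
    b += [(0, "")] * (width - len(b))
    return a < b


def digest_entry(title):
    """Return the digest key naming this plugin (longest match wins), or None if not listed."""
    t = title.strip().lower()
    best = None
    for key in set(PATCHED_IN) | NO_FIX:
        k = key.lower()
        if t == k or any(t.startswith(k + sep) for sep in SEPARATORS):
            if best is None or len(key) > len(best):
                best = key
    return best


def audit(inventory):
    """inventory: list of {"title": ..., "version": ...}; returns the actions the digest calls for.
    Plugins the digest does not list produce no finding, which is not the same as being safe."""
    findings = []
    for plugin in inventory:
        key = digest_entry(plugin.get("title", ""))
        if key is None:
            continue
        installed = plugin.get("version", "")
        if key in NO_FIX:
            findings.append({"plugin": key, "installed": installed,
                             "action": "uninstall (closed, no fix)"})
        elif version_lt(installed, PATCHED_IN[key]):
            findings.append({"plugin": key, "installed": installed,
                             "action": f"update to {PATCHED_IN[key]}"})
    return findings


# Constructed sample inventory in the shape WP-CLI emits; versions chosen to exercise each path.
SAMPLE_INVENTORY = json.loads("""[
  {"title": "Essential Addons for Elementor", "version": "5.0.4"},
  {"title": "Use Any Font | Custom Font Uploader", "version": "6.2.1"},
  {"title": "TI WooCommerce Wishlist", "version": "1.39.2"},
  {"title": "WP User Avatar", "version": "2.2.0"},
  {"title": "Crazy Bone", "version": "0.6.0"},
  {"title": "WHMCS Bridge", "version": "6.4"}
]""")

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_INVENTORY
    for f in audit(data):
        print(f"{f['plugin']}: installed {f['installed']} -> {f['action']}")
```

On the sample inventory the script reports Essential Addons for Elementor and TI WooCommerce Wishlist as needing the listed update, Crazy Bone as a closed plugin to remove, and WHMCS Bridge 6.4 as below 6.4b, while Use Any Font (already at 6.2.1) and the unrelated WP User Avatar produce no finding. For a fleet, feed it one inventory file per site; the title-based matching is deliberately strict, so a plugin whose title differs from the digest's wording will need its key adjusted rather than being silently mis-matched.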

WordPress Theme Vulnerabilities


If you are on the WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign up today!