WordPress Vulnerabilities Digest - February 2022 Part 2
Each vulnerability is given a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities are an integral part of keeping the WordPress community safe.
WordPress 5.9: Core Major Version Update Now Available
WordPress 5.9 "Joséphine" was released on January 25, 2022, as the first major WordPress core release of the year. The biggest thing to know about WordPress 5.9 is simply this: Full Site Editing (FSE) using the WordPress block editor is here (well, if you want to use it and your theme supports it).
WordPress 5.9 represents the largest release of Gutenberg features since the initial Gutenberg launch in WordPress 5.0. In addition, WordPress 5.9 includes 99 enhancements and 100 bug fixes.
You can update to WordPress 5.9 by downloading it from WordPress.org, or by visiting your WordPress admin dashboard > Updates and clicking Update Now.
If you have sites with automatic background updates enabled, they should already have updated successfully. Just verify that all of your WordPress sites are on WordPress 5.9.
WordPress Plugin Vulnerabilities
1. All-in-One WP Migration
Plugin: All-in-One WP Migration
Installations: 4,000,000+
Vulnerability: Admin+ Arbitrary File Upload to RCE
Patched in version: 7.41
Severity: Medium
The vulnerability has been patched, so you should update to version 7.41.
2. Ad Inserter
Plugin: Ad Inserter Ad Manager & AdSense Ads
Installations: 200,000+
Vulnerability: Admin+ RCE / Stored XSS
Patched in version: 2.7.11
Severity: Medium
The vulnerability has been patched, so you should update to version 2.7.11.
3. White Label CMS
Plugin: White Label CMS
Installations: 200,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.2.9
Severity: Medium
The vulnerability has been patched, so you should update to version 2.2.9.
4. WordPress Download Manager
Plugin: Download Manager
Installations: 100,000+
Vulnerability: Sensitive Information Disclosure
Patched in version: 3.2.35
Severity: High
The vulnerability has been patched, so you should update to version 3.2.35.
5. Product Feed PRO for WooCommerce
Plugin: Product Feed PRO for WooCommerce
Installations: 80,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 11.2.3
Severity: Medium
The vulnerability has been patched, so you should update to version 11.2.3.
6. Advanced iFrame
Plugin: Advanced iFrame
Installations: 70,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2022
Severity: Medium
The vulnerability has been patched, so you should update to version 2022.
7. WordPress Real Cookie Banner
Plugin: WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent
Installations: 60,000+
Vulnerability: Settings Reset via CSRF
Patched in version: 2.14.2
Severity: Medium
The vulnerability has been patched, so you should update to version 2.14.2.
8. AdRotate
Plugin: AdRotate Ad manager & AdSense Ads
Installations: 40,000+
Vulnerability: Admin+ SQL Injection
Patched in version: 5.8.22
Severity: Medium
The vulnerability has been patched, so you should update to version 5.8.22.
9. Conversios.io
Plugin: Conversios.io Google Analytics and Google Shopping plugin for WooCommerce
Installations: 40,000+
Vulnerability: Subscriber+ SQL Injection
Patched in version: 4.6.2
Severity: High
The vulnerability has been patched, so you should update to version 4.6.2.
10. NotificationX
Plugin: NotificationX Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor
Installations: 30,000+
Vulnerability: Unauthenticated Blind SQL Injection
Patched in version: 2.3.9
Severity: High
The vulnerability has been patched, so you should update to version 2.3.9.
11. Contact Form & Lead Form Elementor Builder Plugin
Plugin: Contact Form & Lead Form Elementor Builder
Installations: 20,000+
Vulnerability: Multiple Subscriber+ Settings Update
Patched in version: 1.7.4
Severity: Medium
The vulnerability has been patched, so you should update to version 1.7.4.
12. Easy Pricing Tables
Plugin: Pricing Tables WordPress Plugin Easy Pricing Tables
Installations: 20,000+
Vulnerability: Arbitrary Post Removal via CSRF
Patched in version: 3.1.3
Severity: Medium
The vulnerability has been patched, so you should update to version 3.1.3.
13. Page Views Count
Plugin: Page View Count
Installations: 20,000+
Vulnerability: Unauthenticated SQL Injection
Patched in version: 2.4.15
Severity: High
The vulnerability has been patched, so you should update to version 2.4.15.
14. IP2Location Country Blocker
Plugin: IP2Location Country Blocker
Installations: 10,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.26.9
Severity: Low
The vulnerability has been patched, so you should update to version 2.26.9.
15. RegistrationMagic
Plugin: RegistrationMagic Custom Registration Forms, User Registration and User Login Plugin
Installations: 10,000+
Vulnerability: Admin+ SQL Injection
Patched in version: 5.0.2.2
Severity: Medium
The vulnerability has been patched, so you should update to version 5.0.2.2.
16. Catch Themes Demo Import
Plugin: Catch Themes Demo Import
Installations: 10,000+
Vulnerability: Admin+ Remote Code Execution
Patched in version: 2.1.1
Severity: Medium
The vulnerability has been patched, so you should update to version 2.1.1.
17. MasterStudy LMS
Plugin: MasterStudy LMS WordPress LMS Plugin
Installations: 10,000+
Vulnerability: Unauthenticated Admin Account Creation
Patched in version: 2.7.6
Severity: Critical
The vulnerability has been patched, so you should update to version 2.7.6.
18. Custom Content Shortcode
Plugin: Custom Content Shortcode
Installations: 10,000+
Vulnerability: Unauthorised Arbitrary Post Metadata Access; Authenticated Arbitrary File Access / LFI; Authenticated Stored Cross-Site Scripting
Patched in version: 4.0.1
Severity: High
The vulnerability has been patched, so you should update to version 4.0.1.
19. EasyJobs
Plugin: EasyJobs Easiest Talent Recruitment Suite Job Manager & Career Page in Elementor
Installations: 5,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.4.8
Severity: Medium
The vulnerability has been patched, so you should update to version 1.4.8.
20. WP Time Slots Booking Form
Plugin: WP Time Slots Booking Form
Installations: 1,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.1.63
Severity: Low
The vulnerability has been patched, so you should update to version 1.1.63.
21. CP Blocks
Plugin: CP Blocks
Installations: 1,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.0.15
Severity: Low
The vulnerability has been patched, so you should update to version 1.0.15.
Premium Plugin Vulnerabilities
Multisite User Sync/Unsync
Plugin: WordPress Multisite User Sync/Unsync
Installations: Unknown (premium plugin)
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.1.2
Severity: Medium
The vulnerability has been patched, so you should update to version 2.1.2.
Multisite Content Copier/Updater Pro
Plugin: WordPress Multisite Content Copier/Updater
Installations: Unknown (premium plugin)
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.1.0
Severity: Medium
The vulnerability has been patched, so you should update to version 2.1.0.
WordPress Plugin Vulnerabilities No Known Fix
Cost Calculator
Plugin: Cost Calculator
Vulnerability: Authenticated Local File Inclusion
Patched in version: No Fix
Severity: Medium
The vulnerability has not been patched. You should deactivate the plugin.
WordPress Theme Vulnerabilities
No new theme vulnerabilities were disclosed this week.
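To act on a digest like this across many sites, an operator compares each site's installed plugin versions against the patched versions listed above and flags anything older (or anything with no fix, which should be deactivated). The Python below is an added example, not code from the original post or from iThemes; it keys on the short plugin names used in this digest rather than on wordpress.org slugs, assumes purely numeric dotted versions (all the versions above are), and runs against a constructed inventory for one hypothetical site.

```python
# Patched versions from the digest above (short plugin name -> version; None = "No Fix").
# These are display names from the digest, not wordpress.org slugs, so a real
# inventory must be mapped onto them before calling assess().
PATCHED_IN = {
    "All-in-One WP Migration": "7.41", "Ad Inserter": "2.7.11",
    "White Label CMS": "2.2.9", "Download Manager": "3.2.35",
    "Product Feed PRO for WooCommerce": "11.2.3", "Advanced iFrame": "2022",
    "WordPress Real Cookie Banner": "2.14.2", "AdRotate": "5.8.22",
    "Conversios.io": "4.6.2", "NotificationX": "2.3.9",
    "Contact Form & Lead Form Elementor Builder": "1.7.4",
    "Easy Pricing Tables": "3.1.3", "Page View Count": "2.4.15",
    "IP2Location Country Blocker": "2.26.9", "RegistrationMagic": "5.0.2.2",
    "Catch Themes Demo Import": "2.1.1", "MasterStudy LMS": "2.7.6",
    "Custom Content Shortcode": "4.0.1", "EasyJobs": "1.4.8",
    "WP Time Slots Booking Form": "1.1.63", "CP Blocks": "1.0.15",
    "WordPress Multisite User Sync/Unsync": "2.1.2",
    "WordPress Multisite Content Copier/Updater": "2.1.0",
    "Cost Calculator": None,
}

def parse_version(v):
    """'5.0.2.2' -> (5, 0, 2, 2). Digest versions are all purely numeric."""
    return tuple(int(part) for part in v.strip().split("."))

def is_older(installed, patched):
    """Numeric, component-wise comparison; a missing trailing component counts as 0,
    so '5.0.2' is older than '5.0.2.2' and '2.3.10' is newer than '2.3.9'."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def assess(inventory):
    """Map each installed plugin that appears in the digest to the action it needs."""
    actions = {}
    for name, version in inventory.items():
        if name not in PATCHED_IN:
            continue  # not covered by this digest
        patched = PATCHED_IN[name]
        actions[name] = ("deactivate: no fix available" if patched is None
                         else f"update to {patched}" if is_older(version, patched)
                         else "ok")
    return actions

# Constructed inventory for one hypothetical site, not data from the digest.
SAMPLE_INVENTORY = {
    "All-in-One WP Migration": "7.40",  # one release behind the fix
    "RegistrationMagic": "5.0.2",       # shorter than the patched 5.0.2.2
    "NotificationX": "2.3.10",          # newer than 2.3.9 although "10" < "9" as text
    "Cost Calculator": "1.0",           # no fix exists
    "Unrelated Plugin": "1.2.3",        # not in the digest, ignored
}
```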
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!