WordPress Vulnerabilities Digest - February 2022 Part 3

Threat Alerts / February 21, 2022
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress 5.9: Core Major Version Update Now Available

The latest version of WordPress core is WordPress 5.9. Be sure to update to WordPress 5.9 as soon as possible!

WordPress Plugin Vulnerabilities

1. WP Statistics

Plugin: WP Statistics
Installations: 600,000+
Vulnerability: Unauthenticated Blind SQL Injection
Patched in version: 13.1.5
Severity: Critical

The vulnerability has been patched, so you should update to version 13.1.5.

2. LoginPress

Plugin: LoginPress | Custom Login Page Customizer
Installations: 200,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.5.12
Severity: Medium

The vulnerability has been patched, so you should update to version 1.5.12.

3. WP Cerber Security, Anti-spam & Malware Scan

Plugin: WP Cerber Security, Anti-spam & Malware Scan
Installations: 200,000+
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in version: 8.9.6
Severity: High

The vulnerability has been patched, so you should update to version 8.9.6.

4. Email Subscribers & Newsletters

Plugin: Email Subscribers & Newsletters (Simple and Effective Email Marketing WordPress Plugin)
Installations: 100,000+
Vulnerabilities: Subscriber+ Blind SQL Injection; Unauthenticated Arbitrary Option Update
Patched in version: 5.3.2
Severity: High

The vulnerability has been patched, so you should update to version 5.3.2.

5. WP-Matomo Integration (WP-Piwik)

Plugin: WP-Matomo Integration (WP-Piwik)
Installations: 60,000+
Vulnerability: Plugin Settings Reset via CSRF
Patched in version: 1.0.27
Severity: Medium

The vulnerability has been patched, so you should update to version 1.0.27.

6. Ditty (formerly Ditty News Ticker)

Plugin: Ditty (formerly Ditty News Ticker)
Installations: 50,000+
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in version: 3.0.15
Severity: Medium

The vulnerability has been patched, so you should update to version 3.0.15.

7. WordPress File Upload

Plugin: WordPress File Upload
Installations: 30,000+
Vulnerabilities: Contributor+ Stored Cross-Site Scripting via Malicious SVG; Contributor+ Stored Cross-Site Scripting via Shortcode
Patched in version: 4.16.3
Severity: Medium

The vulnerability has been patched, so you should update to version 4.16.3.

8. PHP Everywhere

Plugin: PHP Everywhere
Installations: 30,000+
Vulnerabilities: Contributor+ RCE via Gutenberg Block; Subscriber+ RCE via Shortcode; Contributor+ RCE via Metabox
Patched in version: 3.0.0
Severity: Critical

The vulnerability has been patched, so you should update to version 3.0.0.

9. Video Conferencing with Zoom

Plugin: Video Conferencing with Zoom
Installations: 30,000+
Vulnerability: E-mail Address Disclosure
Patched in version: 3.8.17
Severity: Medium

The vulnerability has been patched, so you should update to version 3.8.17.

10. WP Visitor Statistics (Real Time Traffic)

Plugin: WP Visitor Statistics (Real Time Traffic)
Installations: 20,000+
Vulnerability: Subscriber+ SQL Injection
Patched in version: 5.6
Severity: High

The vulnerability has been patched, so you should update to version 5.6.

11. YOP Poll

Plugin: YOP Poll
Installations: 20,000+
Vulnerability: Author+ Stored Cross-Site Scripting
Patched in version: 6.3.5
Severity: Medium

The vulnerability has been patched, so you should update to version 6.3.5.

12. WP Event Manager

Plugin: WP Event Manager (Easily Build your Calendar of Events!)
Installations: 10,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 3.1.23
Severity: Low

The vulnerability has been patched, so you should update to version 3.1.23.

13. UsersWP

Plugin: UsersWP (User Registration & User Profile)
Installations: 10,000+
Vulnerability: Subscriber+ User Avatar Override
Patched in version: 1.2.3.1
Severity: Medium

The vulnerability has been patched, so you should update to version 1.2.3.1.

14. Smart Forms

Plugin: Smart Forms (when you need more than just a contact form)
Installations: 10,000+
Vulnerability: Subscriber+ Form Data Download
Patched in version: 2.6.71
Severity: Medium

The vulnerability has been patched, so you should update to version 2.6.71.

15. E2Pdf

Plugin: E2Pdf (Export To Pdf Tool for WordPress)
Installations: 7,000+
Vulnerability: Admin+ Stored Cross-Site Scripting (XSS)
Patched in version: 1.16.45
Severity: Medium

The vulnerability has been patched, so you should update to version 1.16.45.

Premium Plugin Vulnerabilities

Fancy Product Designer

Plugin: Fancy Product Designer
Installations: Unknown (premium plugin)
Vulnerability: Admin+ SQL Injection
Patched in version: 4.7.5
Severity: Medium

The vulnerability has been patched, so you should update to version 4.7.5.

WordPress File Upload Professional

Plugin: WordPress File Upload Professional
Installations: Unknown (premium plugin)
Vulnerabilities: Contributor+ Stored Cross-Site Scripting via Malicious SVG; Contributor+ Stored Cross-Site Scripting via Shortcode
Patched in version: 4.16.3
Severity: Medium

The vulnerability has been patched, so you should update to version 4.16.3.

WordPress Plugin Vulnerabilities No Known Fix

Good news! No plugins with no known fix were disclosed this week.

WordPress Theme Vulnerabilities

1. ArileWP

Theme: ArileWP
Downloads: 401,314
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: 2.9.7
Severity: Medium

The vulnerability has been patched, so you should update to version 2.9.7.

2. Travel Agency

Theme: Travel Agency
Downloads: 213,208
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: 1.4.2
Severity: Medium

The vulnerability has been patched, so you should update to version 1.4.2.

3. Perfect Portfolio

Theme: Perfect Portfolio
Downloads: 172,199
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: 1.1.6
Severity: Medium

The vulnerability has been patched, so you should update to version 1.1.6.

4. Rara Business

Theme: Rara Business
Downloads: 160,126
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: 1.2.3
Severity: Medium

The vulnerability has been patched, so you should update to version 1.2.3.

5. AwpBusinessPress

Theme: AwpBusinessPress
Downloads: 40,249
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: 0.2.4
Severity: Medium

The vulnerability has been patched, so you should update to version 0.2.4.

6. ConsultStreet

Theme: ConsultStreet
Downloads: 143,798
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: 1.6.7
Severity: Medium

The vulnerability has been patched, so you should update to version 1.6.7.

7. Designexo

Theme: Designexo
Downloads: 114,513
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: 3.7
Severity: Medium

The vulnerability has been patched, so you should update to version 3.7.

8. Travel Booking

Theme: Travel Booking
Downloads: 38,747
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: 1.2.3
Severity: Medium

The vulnerability has been patched, so you should update to version 1.2.3.

WordPress Theme Vulnerabilities No Known Fix

Colorway

Theme: ColorWay
Downloads: 1,313,341
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Wallstreet

Theme: Wallstreet
Downloads: 718,444
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Quality

Theme: Quality
Downloads: 495,739
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

StartKit

Theme: StartKit
Downloads: 459,051
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Busiprof

Theme: Busiprof
Downloads: 458,162
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Rambo

Theme: Rambo
Downloads: 371,342
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Spasalon

Theme: Spasalon
Downloads: 334,726
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

HoneyPress

Theme: HoneyPress
Downloads: 226,695
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Fifteen

Theme: Fifteen
Downloads: 212,109
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

ElitePress

Theme: ElitePress
Downloads: 148,007
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Envo Business

Theme: Envo Business
Downloads: 111,185
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

CloudPress

Theme: CloudPress
Downloads: 102,458
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Shopbiz Lite

Theme: Shopbiz Lite
Downloads: 83,149
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

ConsultEra

Theme: ConsultEra
Downloads: 82,730
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

EventPress

Theme: EventPress
Downloads: 70,771
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Blain

Theme: Blain
Downloads: 50,841
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Robolist Lite

Theme: Robolist Lite
Downloads: 48,328
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Short

Theme: Short
Downloads: 46,868
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

BusiCare

Theme: BusiCare
Downloads: 42,606
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Spice Software

Theme: Spice Software
Downloads: 40,528
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

WP Real Estate

Theme: WP Real Estate
Downloads: 38,280
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Jewelry Store

Theme: Jewelry Store
Downloads: 31,042
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

IH Business Pro

Theme: IH Business Pro
Downloads: 25,480
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Spiko

Theme: Spiko
Downloads: 20,289
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Mediciti Lite

Theme: Mediciti Lite
Downloads: 20,137
Vulnerability: XSS
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Auto Car

Theme: Auto Car
Downloads: 10,972
Vulnerability: XSS
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Hasten Lite

Theme: Hasten Lite
Downloads: 10,364
Vulnerability: XSS
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

lawyerpress lite

Theme: lawyerpress lite
Downloads: 9,576
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Spawp

Theme: Spawp
Downloads: 8,864
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Businesswp

Theme: Businesswp
Downloads: 6,371
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

NGO Charity Lite

Theme: NGO Charity Lite
Downloads: Not listed
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

AStore

Theme: AStore
Downloads: Not listed
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

Cactus

Theme: Cactus
Downloads: Not listed
Vulnerability: Reflected Cross-Site Scripting via Customizer Notify
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the theme.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!