NEWS
WordPress Vulnerabilities Digest - February 2022 Part 4
Each vulnerability has a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
WordPress 5.9.1 was released on February 22, 2022 as a maintenance update with 33 bug fixes. Be sure to update to WordPress 5.9.1 as soon as possible!
No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
1. UpdraftPlus Free
Plugin: UpdraftPlus WordPress Backup Plugin | Installations: 3,000,000+ | Vulnerability: Incorrect Authorization | Patched in version: 1.22.3 | Severity: High
The vulnerability has been patched, so you should update to version 1.22.3.
2. Essential Addons for Elementor Lite
Plugin: Essential Addons for Elementor | Installations: 1,000,000+ | Vulnerability: XSS | Patched in version: 5.0.9 | Severity: Medium
The vulnerability has been patched, so you should update to version 5.0.9.
3. WP Statistics
Plugin: WP Statistics | Installations: 600,000+ | Vulnerability: Unauthenticated Blind SQL Injection via IP; Unauthenticated Blind SQL Injection via current_page_id; Unauthenticated Blind SQL Injection via current_page_type; Multiple Unauthenticated Stored Cross-Site Scripting | Patched in version: 13.1.6 | Severity: Critical
The vulnerabilities have been patched, so you should update to version 13.1.6.
4. Photo Gallery by 10Web
Plugin: Photo Gallery by 10Web Mobile-Friendly Image Gallery | Installations: 300,000+ | Vulnerability: Unauthenticated SQL Injection | Patched in version: 1.6.0 | Severity: High
The vulnerability has been patched, so you should update to version 1.6.0.
5. Relevanssi
Plugin: Relevanssi A Better Search | Installations: 100,000+ | Vulnerability: Unauthorised AJAX Calls | Patched in version: 4.14.6 | Severity: Medium
The vulnerability has been patched, so you should update to version 4.14.6.
6. WP Content Copy Protection & No Right Click
Plugin: WP Content Copy Protection & No Right Click | Installations: 100,000+ | Vulnerability: Settings Update via CSRF | Patched in version: 3.4.5 | Severity: Medium
The vulnerability has been patched, so you should update to version 3.4.5.
7. Cookie Information
Plugin: Cookie Information | Free GDPR Consent Solution | Installations: 100,000+ | Vulnerability: Reflected Cross-Site Scripting | Patched in version: 2.0.8 | Severity: Medium
The vulnerability has been patched, so you should update to version 2.0.8.
8. Profile Builder
Plugin: Profile Builder User Profile & User Registration Forms | Installations: 60,000+ | Vulnerability: Reflected Cross-Site Scripting | Patched in version: 3.6.2 | Severity: Medium
The vulnerability has been patched, so you should update to version 3.6.2.
9. Contact Form Submissions
Plugin: Contact Form Submissions | Installations: 50,000+ | Vulnerability: Unauthenticated Stored XSS | Patched in version: 1.7.3 | Severity: High
The vulnerability has been patched, so you should update to version 1.7.3.
10. Zero Spam
Plugin: Zero Spam for WordPress | Installations: 30,000+ | Vulnerability: Admin+ SQL Injection | Patched in version: 5.2.11 | Severity: Medium
The vulnerability has been patched, so you should update to version 5.2.11.
11. Master Addons for Elementor
Plugin: Master Addons for Elementor | Installations: 30,000+ | Vulnerability: Reflected Cross-Site Scripting | Patched in version: 1.8.2 | Severity: Medium
The vulnerability has been patched, so you should update to version 1.8.2.
12. Hide Admin Bar Based on User Roles
Plugin: Hide Admin Bar Based on User Roles | Installations: 20,000+ | Vulnerability: Settings Update via CSRF; Subscriber+ Settings Update | Patched in version: 3.1.0 | Severity: Medium
The vulnerabilities have been patched, so you should update to version 3.1.0.
13. Advanced Product Labels for WooCommerce
Plugin: Advanced Product Labels for WooCommerce | Installations: 20,000+ | Vulnerability: Reflected Cross-Site Scripting | Patched in version: 1.2.3.7 | Severity: Medium
The vulnerability has been patched, so you should update to version 1.2.3.7.
14. Powerkit
Plugin: Powerkit Supercharge your WordPress Site | Installations: 10,000+ | Vulnerability: Post Views Settings Update/Reset via CSRF | Patched in version: 2.5.9 | Severity: Medium
The vulnerability has been patched, so you should update to version 2.5.9.
15. Countdown & Clock
Plugin: Countdown, Coming Soon, Maintenance Countdown & Clock | Installations: 10,000+ | Vulnerability: Reflected Cross-Site Scripting | Patched in version: 2.2.9 | Severity: Medium
The vulnerability has been patched, so you should update to version 2.2.9.
16. WPCargo
Plugin: WPCargo Track & Trace | Installations: 10,000+ | Vulnerability: Unauthenticated RCE | Patched in version: 6.9.0 | Severity: Critical
The vulnerability has been patched, so you should update to version 6.9.0.
17. ARI Fancy Lightbox
Plugin: ARI Fancy Lightbox WordPress Popup | Installations: 10,000+ | Vulnerability: Reflected Cross-Site Scripting | Patched in version: 1.3.9 | Severity: Medium
The vulnerability has been patched, so you should update to version 1.3.9.
18. Event Manager for WooCommerce
Plugin: Event Manager and Tickets Selling Plugin for WooCommerce | Installations: 9,000+ | Vulnerability: Contributor+ SQL Injection | Patched in version: 3.5.8 | Severity: High
The vulnerability has been patched, so you should update to version 3.5.8.
19. Patreon WordPress
Plugin: Patreon WordPress | Installations: 5,000+ | Vulnerability: Admin+ Stored Cross-Site Scripting | Patched in version: 1.8.2 | Severity: Low
The vulnerability has been patched, so you should update to version 1.8.2.
20. WP Home Page Menu
Plugin: WP Home Page Menu | Installations: 900+ | Vulnerability: Admin+ Stored Cross-Site Scripting | Patched in version: 3.1 | Severity: Low
The vulnerability has been patched, so you should update to version 3.1.
21. Kunze Law
Plugin: Kunze Law | Installations: 800+ | Vulnerability: Admin+ Stored Cross-Site Scripting | Patched in version: 2.1 | Severity: Low
The vulnerability has been patched, so you should update to version 2.1.
22. Team Circle Image Slider With Lightbox
Plugin: Team Circle Image Slider With Lightbox | Installations: 800+ | Vulnerability: Reflected Cross-Site Scripting | Patched in version: 1.0.16 | Severity: Medium
The vulnerability has been patched, so you should update to version 1.0.16.
23. Login with phone number
Plugin: Login with phone number | Installations: 600+ | Vulnerability: Unauthenticated Remote Plugin Deletion | Patched in version: 1.3.7 | Severity: Medium
The vulnerability has been patched, so you should update to version 1.3.7.
24. Sync QCloud COS
Plugin: Sync QCloud COS | Installations: 300+ | Vulnerability: Admin+ Stored Cross-Site Scripting | Patched in version: 2.0.1 | Severity: Low
The vulnerability has been patched, so you should update to version 2.0.1.
25. Flexi Guest Submit
Plugin: Flexi Guest Submit | Installations: 200+ | Vulnerability: Reflected Cross-Site Scripting | Patched in version: 4.20 | Severity: Medium
The vulnerability has been patched, so you should update to version 4.20.
26. CommonsBooking
Plugin: CommonsBooking | Installations: 100+ | Vulnerability: Unauthenticated SQL Injection | Patched in version: 2.6.8 | Severity: High
The vulnerability has been patched, so you should update to version 2.6.8.
27. Multisite Content Copier/Updater
Plugin: WordPress Multisite Content Copier/Updater | Vulnerability: Reflected Cross-Site Scripting | Patched in version: 2.1.2 | Severity: Medium
The vulnerability has been patched, so you should update to version 2.1.2.
28. Relevanssi Subscriber+
Plugin: (not listed) | Vulnerability: Unauthorised AJAX Calls | Patched in version: 2.16.5 | Severity: Medium
The vulnerability has been patched, so you should update to version 2.16.5.
WordPress Plugin Vulnerabilities with No Known Fix
Persian Woocommerce
Plugin: Persian Woocommerce | Installations: 80,000+ | Vulnerability: Reflected Cross-Site Scripting | Patched in version: No fix | Severity: Medium
The vulnerability has not been patched. You should deactivate the plugin.
Better WordPress Google XML Sitemaps
Plugin: Better WordPress Google XML Sitemaps (support Sitemap Index, Multi-site and Google News) | Vulnerability: Unauthenticated Stored Cross-Site Scripting | Patched in version: No fix | Severity: High
The vulnerability has not been patched. You should deactivate the plugin.
Page Builder KingComposer
Plugin: Page Builder: KingComposer Free Drag and Drop page builder by King-Theme | Vulnerability: Open Redirect | Patched in version: No fix
The vulnerability has not been patched. You should deactivate the plugin.
hub2word
Plugin: Easy Embed for HubSpot Forms, CTAs, Links, Files & add HubSpot to WP Search Results | Vulnerability: Subscriber+ Arbitrary Options Update | Patched in version: No fix | Severity: Critical
The vulnerability has not been patched. You should deactivate the plugin.
Simple Theme Options
Plugin: Simple Theme Options | Vulnerability: Admin+ Stored Cross-Site Scripting | Patched in version: No fix | Severity: Low
The vulnerability has not been patched. You should deactivate the plugin.
SEO 301 Meta
Plugin: Seo 301 Meta | Vulnerability: Admin+ Stored Cross-Site Scripting | Patched in version: No fix | Severity: Low
The vulnerability has not been patched. You should deactivate the plugin.
Simple Quotation
Plugin: Simple Quotation | Vulnerability: Subscriber+ SQL Injection; Quote Creation/Edition via CSRF to Stored Cross-Site Scripting | Patched in version: No fix | Severity: High
The vulnerabilities have not been patched. You should deactivate the plugin.
GD Mylist
Plugin: GDMylist | Vulnerability: Admin+ Stored Cross-Site Scripting | Patched in version: No fix | Severity: Low
The vulnerability has not been patched. You should deactivate the plugin.
WP Voting Contest
Plugin: WP Voting Contest | Vulnerability: Reflected Cross-Site Scripting | Patched in version: No fix | Severity: Medium
The vulnerability has not been patched. You should deactivate the plugin.
Petfinder Listings
Plugin: Petfinder Listings | Vulnerability: Admin+ Stored Cross-Site Scripting | Patched in version: No fix | Severity: Low
The vulnerability has not been patched. You should deactivate the plugin.
WordPress Theme Vulnerabilities
No new theme vulnerabilities were disclosed this week.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!