
WordPress Vulnerabilities Digest - January 2022 Part 1

Threat Alerts / January 06, 2022
Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

1. UpdraftPlus

Plugin: UpdraftPlus
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 3+ million
Patched in Version: 1.16.59
Severity Score: High

The vulnerability is patched, so you should update to version 1.16.59.

Plugin: UpdraftPlus
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installations: 3+ million
Patched in Version: 1.6.59
Severity Score: Low

The vulnerability is patched, so you should update to version 1.6.59.

Plugin: UpdraftPlus
Vulnerability: Admin+ Local File Inclusion
Active Installations: 3+ million
Patched in Version: 1.16.59
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.16.59.

2. WebP Converter for Media

Plugin: WebP Converter for Media
Vulnerability: Unauthenticated Open Redirect
Active Installations: 100,000+
Patched in Version: 4.0.3
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.0.3.

3. WOOF Products Filter for WooCommerce

Plugin: WOOF Products Filter for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 100,000+
Patched in Version: 1.2.6.3
Severity Score: High

The vulnerability is patched, so you should update to version 1.2.6.3.

4. LearnPress

Plugin: LearnPress
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installations: 100,000+
Patched in Version: 4.1.3.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.1.3.2.

5. WP Post Page Clone

Plugin: WP Post Page Clone
Vulnerability: Unauthorised Post Access
Active Installations: 80,000+
Patched in Version: 1.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.

6. WP Extra File Types

Plugin: WP Extra File Types
Vulnerability: CSRF to Stored Cross-Site Scripting
Active Installations: 50,000+
Patched in Version: 0.5.1
Severity Score: High

The vulnerability is patched, so you should update to version 0.5.1.

7. Tutor LMS

Plugin: Tutor LMS
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Active Installations: 40,000+
Patched in Version: 1.9.12
Severity Score: High

The vulnerability is patched, so you should update to version 1.9.12.

Plugin: Tutor LMS
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 40,000+
Patched in Version: 1.9.12
Severity Score: High

The vulnerability is patched, so you should update to version 1.9.12.

8. Custom Dashboard & Login Page

Plugin: Custom Dashboard & Login Page
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installations: 40,000+
Patched in Version: 7.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.0.

9. Ultimate FAQ

Plugin: Ultimate FAQ
Vulnerability: Subscriber+ Arbitrary FAQ Creation
Active Installations: 30,000+
Patched in Version: 2.1.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.1.2.

10. WP User Frontend

Plugin: WP User Frontend
Vulnerability: SQL Injection to Reflected Cross-Site Scripting
Active Installations: 30,000+
Patched in Version: 3.5.26
Severity Score: High

The vulnerability is patched, so you should update to version 3.5.26.

11. myCred

Plugin: myCred
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 20,000+
Patched in Version: 2.4
Severity Score: High

The vulnerability is patched, so you should update to version 2.4.

12. Image Hover Effects Ultimate

Plugin: Image Hover Effects Ultimate
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 20,000+
Patched in Version: 9.7.1
Severity Score: High

The vulnerability is patched, so you should update to version 9.7.1.

13. Qubely

Plugin: Qubely
Vulnerability: Subscriber+ Arbitrary FAQ Creation
Active Installations: 10,000+
Patched in Version: 1.7.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.8.

14. Registration Magic

Plugin: Registration Magic
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 10,000+
Patched in Version: 5.0.1.9
Severity Score: High

The vulnerability is patched, so you should update to version 5.0.1.9.

15. Orders Tracking for WooCommerce

Plugin: Orders Tracking for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 10,000+
Patched in Version: 1.1.10
Severity Score: High

The vulnerability is patched, so you should update to version 1.1.10.

16. Link Library

Plugin: Link Library
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 10,000+
Patched in Version: 7.2.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.2.8.

Plugin: Link Library
Vulnerability: Library Settings Reset via CSRF
Active Installations: 10,000+
Patched in Version: 7.2.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.2.8.

Plugin: Link Library
Vulnerability: Unauthenticated Arbitrary Links Deletion
Active Installations: 10,000+
Patched in Version: 7.2.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.2.8.

17. AF Companion

Plugin: AF Companion
Vulnerability: Arbitrary Plugin Installation & Activation via CSRF
Active Installations: 9,000+
Patched in Version: 1.2.0
Severity Score: High

The vulnerability is patched, so you should update to version 1.2.0.

18. KNR Author List Widget

Plugin: KNR Author List Widget
Vulnerability: Unauthenticated SQL Injection
Active Installations: 200+
Patched in Version: 3.0.0
Severity Score: Critical

The vulnerability is patched, so you should update to version 3.0.0.

19. WP Cookie User Info

Plugin: WP Cookie User Info
Vulnerability: Admin+ SQL Injection
Active Installations: 200+
Patched in Version: 1.0.9
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.9.

20. LabTools

Plugin: LabTools
Vulnerability: Subscriber+ Arbitrary Publication Deletion
Patched in Version: No known fix (plugin closed)
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of December 28, 2021. Uninstall and delete.

21. Domain Check

Plugin: Domain Check
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of December 28, 2021. Uninstall and delete.

22. Error Log Viewer

Plugin: Error Log Viewer
Vulnerability: Arbitrary Text File Deletion via CSRF
Patched in Version: No known fix (plugin closed)
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of November 10, 2021. Uninstall and delete.

23. WP Visited Countries Reloaded

Plugin: WP Visited Countries Reloaded
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.1.1 (plugin closed)
Severity Score: High

This vulnerability has been patched. This plugin has been closed as of September 23, 2021. Uninstall and delete.

24. Learning Courses

Plugin: Learning Courses
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 5.0 (plugin closed)
Severity Score: Low

This vulnerability has been patched. This plugin has been closed as of October 8, 2021. Uninstall and delete.

25. Perfect Survey

Plugin: Perfect Survey
Vulnerability: Unauthorised AJAX Call to Stored XSS / Survey Settings Update
Patched in Version: 1.5.2 (plugin closed)
Severity Score: High

This vulnerability has been patched. This plugin has been closed as of October 5, 2021. Uninstall and delete.

Plugin: Perfect Survey
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 1.5.2 (plugin closed)
Severity Score: High

This vulnerability has been patched. This plugin has been closed as of October 5, 2021. Uninstall and delete.

Plugin: Perfect Survey
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.5.2 (plugin closed)
Severity Score: High

This vulnerability has been patched. This plugin has been closed as of October 5, 2021. Uninstall and delete.

Plugin: Perfect Survey
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: High

This vulnerability has been patched. This plugin has been closed as of October 5, 2021. Uninstall and delete.

26. Mediamatic

Plugin: Mediamatic
Vulnerability: Subscriber+ SQL Injection
Active Installations: 3,000+
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!