WordPress Vulnerabilities Digest - January 2022 Part 2
Each vulnerability is given a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
The latest version of WordPress core, 5.8.3, was released on January 6, 2022 as a short-cycle security release. Because WordPress 5.8.3 is a security release, we recommend that you update all of your sites immediately.
You can update to WordPress 5.8.3 by downloading it from WordPress.org, or by going to Dashboard > Updates in your WordPress admin and clicking Update Now.
If you have sites with automatic background updates enabled, they should already have updated successfully. Still, be sure to verify that every one of your WordPress sites is on WordPress 5.8.3.
WordPress Plugin Vulnerabilities
1. Complianz GDPR/CCPA Cookie Consent
Plugin: Complianz GDPR/CCPA Cookie Consent
Installations: 200,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 6.0.0
Severity score: Medium
The vulnerability has been patched, so you should update to version 6.0.0.
2. CMP Coming Soon & Maintenance Plugin by NiteoThemes
Plugin: CMP Coming Soon & Maintenance Plugin by NiteoThemes
Installations: 100,000+
Vulnerability: Unauthenticated Arbitrary CSS Update
Patched in version: 4.0.19
Severity score: High
The vulnerability has been patched, so you should update to version 4.0.19.
3. Download Monitor
Plugin: Download Monitor
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 4.4.7
Severity score: Medium
The vulnerability has been patched, so you should update to version 4.4.7.
4. Remove Footer Credit
Plugin: Remove Footer Credit
Installations: 100,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.0.11
Severity score: Low
The vulnerability has been patched, so you should update to version 1.0.11.
5. Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
Installations: 90,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.1.31
Severity score: Medium
The vulnerability has been patched, so you should update to version 3.1.31.
6. XootiX Plugins
Plugin: Side Cart Woocommerce (Ajax)
Installations: 60,000+
Vulnerability: CSRF to Arbitrary Options Update
Patched in version: 2.1
Severity score: High
The vulnerability has been patched, so you should update to version 2.1.
7. MapPress Maps for WordPress
Plugin: MapPress Maps for WordPress
Installations: 60,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.73.4
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.73.4.
8. Themify Portfolio Post
Plugin: Themify Portfolio Post
Installations: 60,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.1.7
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.1.7.
9. Permalink Manager
Plugin: Permalink Manager Lite
Installations: 60,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.2.15
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.2.15.
10. Quiz And Survey Master
Plugin: Quiz And Survey Master Best Quiz, Exam and Survey Plugin for WordPress
Installations: 40,000+
Vulnerabilities: CSRF; Reflected Cross-Site Scripting; Low Privilege Stored Cross-Site Scripting
Patched in version: 7.3.7
Severity score: Medium
The vulnerabilities have been patched, so you should update to version 7.3.7.
11. Futurio Extra
Plugin: Futurio Extra
Installations: 30,000+
Vulnerability: Subscriber+ User Email Address Leakage
Patched in version: 1.6.3
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.6.3.
12. PHP Everywhere
Plugin: PHP Everywhere
Installations: 30,000+
Vulnerability: Arbitrary Settings Update via CSRF
Patched in version: 2.0.3
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.0.3.
13. PPOM for WooCommerce
Plugin: PPOM for WooCommerce
Installations: 20,000+
Vulnerability: Subscriber+ Settings Update to Stored XSS
Patched in version: 24.0
Severity score: Medium
The vulnerability has been patched, so you should update to version 24.0.
14. Ad Invalid Click Protector (AICP)
Plugin: Ad Invalid Click Protector (AICP)
Installations: 20,000+
Vulnerability: Authenticated SQL Injection
Patched in version: 1.2.6
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.2.6.
15. NewStatPress
Plugin: NewStatPress
Installations: 20,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.3.6
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.3.6.
16. XootiX Plugins
Plugin: Login/Signup Popup ( Inline Form + Woocommerce )
Installations: 20,000+
Vulnerability: CSRF to Arbitrary Options Update (various versions affected)
Patched in version: 2.3
Severity score: High
The vulnerability has been patched, so you should update to version 2.3.
17. Ibtana
Plugin: Ibtana WordPress Website Builder
Installations: 10,000+
Vulnerability: Subscriber+ Settings Update to Stored XSS
Patched in version: 1.1.4.9
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.1.4.9.
18. WP Ultimate CSV Importer
Plugin: Easy Drag And drop All Import : WP Ultimate CSV Importer
Installations: 10,000+
Vulnerabilities: Subscriber+ Arbitrary Option Deletion; Subscriber+ Arbitrary File Upload
Patched in version: 6.4.2
Severity score: High
The vulnerabilities have been patched, so you should update to version 6.4.2.
19. PowerPack Lite for Beaver Builder
Plugin: PowerPack Lite for Beaver Builder
Installations: 10,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.2.9.3
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.2.9.3.
20. WHMCS Bridge
Plugin: WHMCS Bridge
Installations: 10,000+
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in version: 6.3
Severity score: Medium
The vulnerability has been patched, so you should update to version 6.3.
21. Magee Shortcodes
Plugin: Magee Shortcodes
Installations: 10,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.0.9
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.0.9.
22. WP Import Export
Plugin: WP Import Export Lite
Installations: 10,000+
Vulnerability: Unauthenticated Sensitive Data Disclosure
Patched in version: 3.9.16
Severity score: High
The vulnerability has been patched, so you should update to version 3.9.16.
23. Adaptive Images
Plugin: Adaptive Images for WordPress
Installations: 8,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 0.6.69
Severity score: Medium
The vulnerability has been patched, so you should update to version 0.6.69.
24. WP-Appbox
Plugin: WP-Appbox
Installations: 6,000+
Vulnerability: Authenticated Local File Inclusion
Patched in version: 4.3.18
Severity score: Low
The vulnerability has been patched, so you should update to version 4.3.18.
25. RSVP and Event Management
Plugin: RSVP and Event Management Plugin
Installations: 5,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.7.5
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.7.5.
26. XootiX Plugins Various Versions
Plugin: Waitlist Woocommerce ( Back in stock notifier )
Installations: 4,000+
Vulnerability: CSRF to Arbitrary Options Update
Patched in version: 2.5.1
Severity score: High
The vulnerability has been patched, so you should update to version 2.5.1.
27. Noptin
Plugin: WordPress Newsletter Plugin Noptin
Installations: 4,000+
Vulnerability: Open Redirect
Patched in version: 1.6.5
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.6.5.
28. Mortgage Calculators WP
Plugin: Mortgage Calculators WP
Installations: 1,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.56
Severity score: Low
The vulnerability has been patched, so you should update to version 1.56.
29. Popup | Custom Popup Builder
Plugin: Popup | Custom Popup Builder
Installations: 1,000+
Vulnerability: Unauthenticated Denial of Service
Patched in version: 1.3.1
Severity score: High
The vulnerability has been patched, so you should update to version 1.3.1.
30. Form Store to DB
Plugin: Form Store to DB
Installations: 90+
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in version: 1.1.1
Severity score: High
The vulnerability has been patched, so you should update to version 1.1.1.
Premium Plugin Vulnerabilities
Permalink Manager Pro
Plugin: Permalink Manager Pro
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.2.15
The vulnerability has been patched, so you should update to version 2.2.15.
WP Import Export Pro
Plugin: WP Import Export Pro
Vulnerability: Unauthenticated Sensitive Data Disclosure
Patched in version: 3.9.16
Severity score: High
The vulnerability has been patched, so you should update to version 3.9.16.
WordPress Plugin Vulnerabilities With No Known Fix
Random Banner
Plugin: Random Banner
Installations: N/A
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix available
Severity score: Low
The vulnerability has not been patched. You should deactivate and remove the plugin until a fixed version is released.
SpiderCalendar
Plugin: SpiderCalendar
Installations: N/A
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No fix available
Severity score: Medium
The vulnerability has not been patched. You should deactivate and remove the plugin until a fixed version is released.
WordPress Theme Vulnerabilities
No new theme vulnerabilities were disclosed this week.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we have already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!