WordPress Vulnerabilities Digest - January 2022 Part 3

Threat Alerts / January 27, 2022
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress 5.9: Core Major Version Update Now Available

WordPress 5.9 Joséphine was released on January 25, 2022, as the first major WordPress core release of the year. The biggest thing to know about WordPress 5.9 is simply this: Full Site Editing (FSE) using the WordPress block editor is here (well, if you want to use it or your theme supports it).

WordPress 5.9 represents the largest release of Gutenberg features since the initial Gutenberg launch in WordPress 5.0. In addition, WordPress 5.9 includes 99 enhancements and 100 bug fixes.

You can update to WordPress 5.9 by downloading it from WordPress.org or by visiting your WordPress admin dashboard > Updates and clicking Update Now.

If you have sites with automatic background updates enabled, they should already have updated successfully. Just be sure to verify that all your WordPress sites are on WordPress 5.9.

WordPress Plugin Vulnerabilities

1. Anti-Malware Security and Brute-Force Firewall

Plugin: Anti-Malware Security and Brute-Force Firewall
Installations: 200,000+
Vulnerability: Admin+ Reflected Cross-Site Scripting
Patched in version: 4.20.94
Severity: Low

The vulnerability has been patched, so you should update to version 4.20.94.

2. Popup Builder

Plugin: Popup Builder (Create highly converting, mobile friendly marketing popups)
Installations: 200,000+
Vulnerabilities: LFI to RCE; Admin+ SQL Injection
Patched in version: 4.0.7
Severity: Critical

The vulnerabilities have been patched, so you should update to version 4.0.7.

3. Ad Inserter

Plugin: Ad Inserter (Ad Manager & AdSense Ads)
Installations: 200,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.7.10
Severity: Medium

The vulnerability has been patched, so you should update to version 2.7.10.

4. GiveWP

Plugin: GiveWP (Donation Plugin and Fundraising Platform)
Installations: 100,000+
Vulnerabilities: Unauthenticated Reflected Cross-Site Scripting; Reflected Cross-Site Scripting via Import Tool; Reflected Cross-Site Scripting via Donation Forms Dashboard
Patched in version: 2.17.3
Severity: Medium

The vulnerabilities have been patched, so you should update to version 2.17.3.

5. WordPress Download Manager

Plugin: WordPress Download Manager
Installations: 100,000+
Vulnerability: Authenticated SQL Injection to Reflected XSS
Patched in version: 3.2.34
Severity: Medium

The vulnerability has been patched, so you should update to version 3.2.34.

6. Database Backup for WordPress

Plugin: Database Backup for WordPress
Installations: 100,000+
Vulnerability: Admin+ SQL Injection
Patched in version: 2.5.1
Severity: Medium

The vulnerability has been patched, so you should update to version 2.5.1.

7. Advanced Database Cleaner

Plugin: Advanced Database Cleaner
Installations: 80,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.0.4
Severity: Medium

The vulnerability has been patched, so you should update to version 3.0.4.

8. Shield Security

Plugin: Shield Security (Scanners, Security Hardening, Brute Force Protection & Firewall)
Installations: 60,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 13.0.6
Severity: Low

The vulnerability has been patched, so you should update to version 13.0.6.

9. WOOCS

Plugin: WOOCS (Currency Switcher for WooCommerce; professional and free multi-currency plugin, pay in selected currency)
Installations: 60,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.3.7.5
Severity: Medium

The vulnerability has been patched, so you should update to version 1.3.7.5.

10. Image Photo Gallery Final Tiles Grid

Plugin: Image Photo Gallery Final Tiles Grid
Installations: 30,000+
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: 3.5.3
Severity: Medium

The vulnerability has been patched, so you should update to version 3.5.3.

11. Classic Editor Addon

Plugin: Classic Editor Addon
Installations: 30,000+
Vulnerabilities: Arbitrary Plugin Installation from Dependency via CSRF; Subscriber+ Arbitrary Plugin Activation
Patched in version: 2.6.4
Severity: Low

The vulnerabilities have been patched, so you should update to version 2.6.4.

12. Float Menu

Plugin: Float Menu (awesome floating side menu)
Installations: 20,000+
Vulnerability: Arbitrary Menu Deletion via CSRF
Patched in version: 4.3.1
Severity: Medium

The vulnerability has been patched, so you should update to version 4.3.1.

13. FeedWordPress

Plugin: FeedWordPress
Installations: 20,000+
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in version: 2022.0123
Severity: Medium

The vulnerability has been patched, so you should update to version 2022.0123.

14. Catch Web Tools

Plugin: Catch Web Tools
Installations: 20,000+
Vulnerability: Subscriber+ Arbitrary Catch IDs Activation/Deactivation
Patched in version: 2.7.1
Severity: Medium

The vulnerability has been patched, so you should update to version 2.7.1.

15. WP HTML Mail

Plugin: WP HTML Mail (WordPress Email Template Designer)
Installations: 20,000+
Vulnerability: Unprotected REST-API Endpoint
Patched in version: 3.1
Severity: Medium

The vulnerability has been patched, so you should update to version 3.1.

16. Coming soon and Maintenance mode

Plugin: Coming soon and Maintenance mode
Installations: 10,000+
Vulnerabilities: Arbitrary Email Sending to Subscribed Users via CSRF; Subscriber+ Arbitrary Email Sending to Subscribed Users
Patched in version: 3.6.8
Severity: Low

The vulnerabilities have been patched, so you should update to version 3.6.8.

17. Duplicate Page or Post

Plugin: Duplicate Page or Post
Installations: 10,000+
Vulnerability: Arbitrary Settings Update to Stored XSS
Patched in version: 1.5.1
Severity: High

The vulnerability has been patched, so you should update to version 1.5.1.

18. WP Debugging

Plugin: WP Debugging
Installations: 5,000+
Vulnerability: Arbitrary Plugin Installation from Dependency via CSRF
Patched in version: 2.11.7
Severity: Low

The vulnerability has been patched, so you should update to version 2.11.7.

19. AnyComment

Plugin: AnyComment
Installations: 4,000+
Vulnerabilities: Comment Rating Increase/Decrease via Race Condition; Arbitrary HyperComments Import/Revert via CSRF
Patched in version: 0.2.18
Severity: Low

The vulnerabilities have been patched, so you should update to version 0.2.18.

20. Ad Inserter Pro

Plugin: Ad Inserter Pro
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.7.10
Severity: Medium

The vulnerability has been patched, so you should update to version 2.7.10.

21. Five Star Business Profile and Schema

Plugin: Five Star Business Profile and Schema
Installations: 10,000+
Vulnerability: Subscriber+ Page Creation and Settings Update Leading to Stored XSS
Patched in version: 2.1.9
Severity: Medium

The vulnerability has been patched, so you should update to version 2.1.9.

WordPress Plugin Vulnerabilities With No Known Fix

The Buffer Button

Plugin: The Buffer Button
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Translation Exchange

Plugin: Translation Exchange (Translate Your WordPress Site In Minutes!)
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Lean WP

Plugin: Lean WP
Vulnerability: Subscriber+ Arbitrary Plugin Activation
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the plugin.

ProfileGrid

Plugin: ProfileGrid (User Profiles, Memberships, Groups and Communities)
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the plugin.

User Registration, Login & Landing Pages

Plugin: User Registration, Login & Landing Pages (LeadMagic)
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

No new theme vulnerabilities were disclosed this week.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign up today!