
WordPress Vulnerabilities Digest - June 2022 Part 4

Threat Alerts / June 30, 2022
No new WordPress core vulnerabilities were disclosed this week. WordPress plugin vulnerabilities disclosed this week include Ninja Forms, WooCommerce PDF Invoices & Packing Slips, and others listed below.

Each vulnerability is given a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 6.0 "Arturo" was released on May 24, 2022. This major release, built to make site building more intuitive, includes almost 1,000 enhancements and bug fixes. See what's new in WordPress 6.0.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. Ninja Forms

Plugin: Ninja Forms Contact Form - The Drag and Drop Form Builder for WordPress
Installations: 1,000,000+
Vulnerability: Unauthenticated PHP Object Injection
Patched in version: 3.6.11
Severity: Critical

The vulnerability has been patched, so you should update to version 3.6.11.

2. WooCommerce PDF Invoices & Packing Slips

Plugin: WooCommerce PDF Invoices & Packing Slips
Installations: 300,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.15.0
Severity: Medium

The vulnerability has been patched, so you should update to version 2.15.0.

3. ShortPixel Image Optimizer

Plugin: ShortPixel Image Optimizer
Installations: 300,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 4.22.10
Severity: Medium

The vulnerability has been patched, so you should update to version 4.22.10.

4. 404 to 301

Plugin: 404 to 301 - Redirect, Log and Notify 404 Errors
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.1.2
Severity: Medium

The vulnerability has been patched, so you should update to version 3.1.2.

5. GiveWP

Plugin: GiveWP - Donation Plugin and Fundraising Platform
Installations: 100,000+
Vulnerability: Donor Information Disclosure
Patched in version: 2.21.0
Severity: Medium

The vulnerability has been patched, so you should update to version 2.21.0.

6. WooCommerce Menu Cart

Plugin: WooCommerce Menu Cart
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.12.0
Severity: Medium

The vulnerability has been patched, so you should update to version 2.12.0.

7. Flexible Shipping

Plugin: Table Rate Shipping Method for WooCommerce by Flexible Shipping
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 4.11.9
Severity: Medium

The vulnerability has been patched, so you should update to version 4.11.9.

8. Modula Image Gallery

Plugin: Customizable WordPress Gallery Plugin - Modula Image Gallery
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.6.7
Severity: Medium

The vulnerability has been patched, so you should update to version 2.6.7.

9. Clearfy Cache

Plugin: Clearfy Cache - WordPress optimization plugin, Minify HTML, CSS & JS, Defer
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.0.5
Severity: Medium

The vulnerability has been patched, so you should update to version 2.0.5.

10. WP All Export

Plugin: Export any WordPress data to XML/CSV (WP All Export)
Installations: 90,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.3.6
Severity: Medium

The vulnerability has been patched, so you should update to version 1.3.6.

11. Checkout Fields Manager for WooCommerce

Plugin: Checkout Field Manager (Checkout Manager) for WooCommerce
Installations: 90,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 5.5.7
Severity: Medium

The vulnerability has been patched, so you should update to version 5.5.7.

12. Woody Code Snippets

Plugin: Woody code snippets - Insert Header Footer Code, AdSense Ads
Installations: 80,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.4.6
Severity: Medium

The vulnerability has been patched, so you should update to version 2.4.6.

13. WordPress Real Cookie Banner

Plugin: Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent
Installations: 80,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.18.2
Severity: Medium

The vulnerability has been patched, so you should update to version 2.18.2.

14. Photo Gallery by Supsystic

Plugin: Photo Gallery by Supsystic
Installations: 50,000+
Vulnerability: Arbitrary Settings Update via CSRF
Patched in version: 1.15.6
Severity: Medium

The vulnerability has been patched, so you should update to version 1.15.6.

15. Gravity PDF

Plugin: Gravity PDF
Installations: 50,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 6.3.1
Severity: Medium

The vulnerability has been patched, so you should update to version 6.3.1.

16. WP Paginate

Plugin: WP-Paginate
Installations: 40,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.1.9
Severity: Low

The vulnerability has been patched, so you should update to version 2.1.9.

17. Easy Testimonials

Plugin: Easy Testimonials
Installations: 30,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.9
Severity: Medium

The vulnerability has been patched, so you should update to version 3.9.

18. Core Plugin for Kitestudio Themes

Plugin: core plugin for kitestudio themes
Installations: 2,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.3.1
Severity: Medium

The vulnerability has been patched, so you should update to version 2.3.1.

19. XO Slider

Plugin: XO Slider
Installations: 1,000+
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: 3.3.3
Severity: Medium

The vulnerability has been patched, so you should update to version 3.3.3.

20. eaSYNC

Plugin: Free Booking Plugin for Hotels, Restaurant and Car Rental - eaSYNC
Installations: 400+
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in version: 1.1.16
Severity: Critical

The vulnerability has been patched, so you should update to version 1.1.16.

21. BuddyPress Group Reviews

Plugin: Wbcom Designs BuddyPress Group Reviews
Installations: 300+
Vulnerability: Subscriber+ Arbitrary Settings Update & Review Modification
Patched in version: 2.8.4
Severity: Medium

The vulnerability has been patched, so you should update to version 2.8.4.

22. WP Championship

Plugin: wp-championship
Installations: 90+
Vulnerability: Multiple CSRF
Patched in version: 9.3
Severity: Medium

The vulnerability has been patched, so you should update to version 9.3.

23. FoxyShop

Plugin: FoxyShop
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 4.8.2
Severity: Medium

The vulnerability has been patched, so you should update to version 4.8.2.

WordPress Plugin Vulnerabilities No Known Fix

The plugins below have no fix and have been closed, which means they have been removed from the WordPress.org plugin directory and will not receive a patch through automatic updates. Deactivating is not enough: a deactivated plugin's files stay on the server and can still be requested directly. Until a patch is available, immediately uninstall and delete the plugin.
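As an added example (not code from the original digest, from iThemes, or from any plugin vendor), here is a small Python triage script that takes the JSON printed by `wp plugin list --format=json` and compares each installed plugin against this digest: a plugin below its patched version gets an "update" action, and a plugin the digest lists with no fix gets a "remove" action whether or not it is active, since a deactivated plugin's files are still on disk. The plugin slugs in DIGEST and the plugin list it runs over are constructed for illustration, so check the slugs against your own site before acting on the output. It compares versions numerically so that 3.9 is treated as older than 3.10, which plain string comparison gets wrong, and it assembles WP-CLI commands for review rather than running them.

```python
"""Triage installed WordPress plugins against a vulnerability digest.

Added example, not code from the digest or from any plugin. Input is the JSON
that `wp plugin list --format=json` prints (fields: name, status, update,
version). DIGEST slugs and the sample plugin list are constructed assumptions.
"""
import json

# Patched version per plugin slug, taken from the digest. The slugs themselves
# are assumptions for this example. None means "no fix, plugin closed": remove it.
DIGEST = {
    "ninja-forms": "3.6.11",
    "woocommerce-pdf-invoices-packing-slips": "2.15.0",
    "easy-testimonials": "3.9",
    "sharebar": None,
    "pricing-deals-for-woocommerce": None,
}

# Constructed sample of `wp plugin list --format=json` output (not real data).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "ninja-forms", "status": "active", "update": "available", "version": "3.6.10"},
    {"name": "woocommerce-pdf-invoices-packing-slips", "status": "active", "update": "none", "version": "2.15.0"},
    {"name": "easy-testimonials", "status": "inactive", "update": "none", "version": "3.10"},
    {"name": "sharebar", "status": "inactive", "update": "none", "version": "1.2.1"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.0"},
])


def parse_version(version):
    """Split a dotted version into an integer tuple, dropping a '-suffix' like '-beta1'."""
    core = version.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a is older than b; missing trailing components count as 0 (3.9 == 3.9.0)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def triage(plugin_list_json):
    """Map each installed plugin the digest mentions to 'ok', 'update to X' or 'remove'."""
    actions = {}
    for plugin in json.loads(plugin_list_json):
        slug = plugin["name"]
        if slug not in DIGEST:
            continue  # not covered by this digest
        fixed = DIGEST[slug]
        if fixed is None:
            # Closed plugin: status does not matter, the files are still on disk.
            actions[slug] = "remove"
        elif version_lt(plugin["version"], fixed):
            actions[slug] = f"update to {fixed}"
        else:
            actions[slug] = "ok"
    return actions


def commands(actions):
    """Build the WP-CLI commands an operator would review and then run."""
    cmds = []
    for slug, action in sorted(actions.items()):
        if action == "remove":
            # uninstall runs the plugin's uninstall routine and deletes its files
            cmds.append(f"wp plugin uninstall {slug} --deactivate")
        elif action.startswith("update to"):
            cmds.append(f"wp plugin update {slug}")
    return cmds


if __name__ == "__main__":
    result = triage(SAMPLE_WP_PLUGIN_LIST)
    for slug, action in sorted(result.items()):
        print(f"{slug}: {action}")
    print("\n".join(commands(result)))
```

On a real site, pipe `wp plugin list --format=json` into `triage` instead of the constructed sample, and extend DIGEST with the remaining entries from this roundup. Note that `wp plugin update` installs the latest version from WordPress.org, so confirm afterwards with `wp plugin list` that the installed version is at or above the patched version listed here.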

Sharebar

Plugin: Sharebar
Vulnerability: Arbitrary Settings Update to Stored XSS via CSRF
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Button Widget Smartsoft

Plugin: Button Widget Smartsoft
Vulnerability: Arbitrary Settings Update to Stored XSS via CSRF
Patched in version: No fix
Severity: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Pricing Deals for WooCommerce

Plugin: Pricing Deals for WooCommerce
Vulnerability: Unauthenticated SQL Injection
Patched in version: No fix
Severity: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Comment License

Plugin: Comment License
Vulnerability: Arbitrary Settings Update via CSRF
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Shortcut Macros

Plugin: Shortcut Macros
Vulnerability: Subscriber+ Arbitrary Settings Update
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Awin Data Feed

Plugin: Awin Data Feed
Vulnerability: Unauthenticated Stored Cross-Site Scripting; Reflected Cross-Site Scripting
Patched in version: No fix
Severity: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Custom Popup Builder

Plugin: Popup | Custom Popup Builder
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Rename wp-login.php

Plugin: Rename wp-login.php
Vulnerability: Secret URL Update via CSRF
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Pagebar

Plugin: pagebar
Vulnerability: Arbitrary Settings Update via CSRF to Stored XSS
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WooCommerce Product Importer

Plugin: WooCommerce Product Importer
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Team Manager

Plugin: WordPress Team Manager
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Travel Management

Plugin: Travel Management
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

Good news! No new WordPress theme vulnerabilities were disclosed this week.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we have already taken the necessary steps to protect your sites.

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!