WordPress Vulnerabilities Digest - March 2022 Part 1
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
WordPress 5.9.1 was released on February 22, 2022, as a maintenance update with 33 bug fixes. Be sure to update to WordPress 5.9.1 as soon as possible!
No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
WooCommerce
Plugin: WooCommerce
Installations: 5,000,000+
Vulnerability: Path Traversal via Importers; Subscriber+ Arbitrary Comment Deletion
Patched in version: 6.2.1
Severity score: Medium
The vulnerability has been patched, so you should update to version 6.2.1.
Header Footer Code Manager
Plugin: Header Footer Code Manager
Installations: 300,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.1.17
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.1.17.
Advanced Contact Form 7 DB
Plugin: Advanced Contact Form 7 DB
Installations: 90,000+
Vulnerability: Subscriber+ Arbitrary File Deletion
Patched in version: 1.8.7
Severity score: High
The vulnerability has been patched, so you should update to version 1.8.7.
3D FlipBook
Plugin: 3D FlipBook PDF Flipbook Viewer, Flipbook Image Gallery
Installations: 70,000+
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in version: 1.12.1
Severity score: High
The vulnerability has been patched, so you should update to version 1.12.1.
BulletProof Security
Plugin: BulletProof Security
Installations: 50,000+
Vulnerability: Admin+ Stored Cross-Site Scripting (XSS)
Patched in version: 5.8
Severity score: Low
The vulnerability has been patched, so you should update to version 5.8.
Simple Membership
Plugin: Simple Membership
Installations: 50,000+
Vulnerability: Arbitrary Transaction Deletion via CSRF
Patched in version: 4.1.0
Severity score: Medium
The vulnerability has been patched, so you should update to version 4.1.0.
Amelia
Plugin: Amelia Events & Appointments Booking Calendar
Installations: 40,000+
Vulnerability: Manager+ RCE; Arbitrary Customer Deletion via CSRF; Reflected Cross-Site Scripting
Patched in version: 1.0.46
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.0.46.
Photoswipe Masonry Gallery
Plugin: Photoswipe Masonry Gallery
Installations: 10,000+
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in version: 1.2.15
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.2.15.
400+ Plugins, Themes Impacted by Insecure Freemius Version
This week, it was discovered that many plugins and themes are using an insecure version of the Freemius Framework, which is used to power their upsell paths from free to Pro.
As of this report, over 400 plugins and 25 themes are impacted. Because the list is so large, we're reporting an abbreviated list of the plugins impacted in the table following this link.
WordPress Plugin Vulnerabilities with No Known Fix
RW Divi Unite Gallery
Plugin: RW Divi Unite Gallery
Vulnerability: Security Bypass
Patched in version: No Fix
Severity score: Critical
The vulnerability has not been patched. You should deactivate the plugin.
WordPress Theme Vulnerabilities
Brand
Theme: Brand
Downloads: 32,856
Vulnerability: Unauthorized AJAX Calls via Freemius
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
WP Sierra
Theme: WP Sierra
Downloads: 31,752
Vulnerability: Unauthorized AJAX Calls via Freemius
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Hasium
Theme: Hasium
Downloads: 22,993
Vulnerability: Unauthorized AJAX Calls via Freemius
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Broadcast Lite
Theme: Broadcast Lite
Downloads: 18,658
Vulnerability: Unauthorized AJAX Calls via Freemius
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Speculor
Theme: Speculor
Downloads: 17,282
Vulnerability: Unauthorized AJAX Calls via Freemius
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Aquarella Lite
Theme: Aquarella Lite
Downloads: 16,577
Vulnerability: Unauthorized AJAX Calls via Freemius
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Meridia
Theme: Meridia
Downloads: 16,053
Vulnerability: Unauthorized AJAX Calls via Freemius
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
ConsultPress Lite
Theme: ConsultPress Lite
Downloads: 15,862
Vulnerability: Unauthorized AJAX Calls via Freemius
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Everse
Theme: Everse
Downloads: 15,104
Vulnerability: Unauthorized AJAX Calls via Freemius
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Shuban
Theme: Shuban
Downloads: 13,771
Vulnerability: No Authorisation
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Purus
Theme: Purus
Downloads: 13,553
Vulnerability: No Authorisation
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Elation
Theme: Elation
Downloads: 11,843
Vulnerability: No Authorisation
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Purosa
Theme: Purosa
Downloads: 10,138
Vulnerability: No Authorisation
Patched in version: 1.1.0
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.1.0.
Elasta
Theme: Elasta
Downloads: 9,863
Vulnerability: No Authorisation
Patched in version: 1.0.8
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.0.8.
LearnMore
Theme: LearnMore
Downloads: 9,621
Vulnerability: No Authorisation
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
NicheBase
Theme: NicheBase
Downloads: 6,638
Vulnerability: No Authorisation
Patched in version: 1.2.2
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.2.2.
Bani
Theme: Bani
Downloads: 6,015
Vulnerability: No Authorisation
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Arendelle
Theme: Arendelle
Downloads: 5,950
Vulnerability: No Authorisation
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Cuisine Palace
Theme: Cuisine Palace
Downloads: 5,651
Vulnerability: No Authorisation
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Nokke
Theme: Nokke
Downloads: 3,809
Vulnerability: No Authorisation
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Amela
Theme: Amela
Downloads: 3,645
Vulnerability: No Authorisation
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Viralike
Theme: Viralike
Downloads: 2,510
Vulnerability: No Authorisation
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
Villar
Theme: Villar
Downloads: 2,037
Vulnerability: No Authorisation
Patched in version: 1.0.8
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.0.8.
Unakit
Theme: Unakit
Downloads: 1,792
Vulnerability: No Authorisation
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the theme.
WP Moose
Theme: WP Moose
Downloads: 1,567
Vulnerability: No Authorisation
Patched in version: 1.0.1
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.0.1.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not under our maintenance plan... well, what are you waiting for? Sign up today!