WordPress Vulnerabilities Digest - March 2022 Part 4
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities are an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
WordPress 5.9.2 was released on March 11, 2022, as a security and maintenance release with 1 bug fix and 3 security fixes. Because this is a security release, be sure to update to WordPress 5.9.2 as soon as possible!
No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
1. One Click Demo Import
Plugin: One Click Demo Import
Installations: 1,000,000+
Vulnerability: Admin+ Arbitrary File Upload
Patched in version: 3.1.0
Severity score: Medium
The vulnerability has been patched, so you should update to version 3.1.0.
2. Favicon by RealFaviconGenerator
Plugin: Favicon by RealFaviconGenerator
Installations: 200,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.3.23
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.3.23.
3. Download Manager
Plugin: Download Manager
Installations: 100,000+
Vulnerability: Unauthenticated brute force of files master key
Patched in version: 3.2.39
Severity score: Medium
The vulnerability has been patched, so you should update to version 3.2.39.
4. WPvivid Backup and Migration Plugin
Plugin: Migration, Backup, Staging WPvivid
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 0.9.70
Severity score: Medium
The vulnerability has been patched, so you should update to version 0.9.70.
5. Responsive Menu
Plugin: Responsive Menu Create Mobile-Friendly Menu
Installations: 100,000+
Vulnerability: Subscriber+ Arbitrary File Upload / Theme Deletion / Plugin Settings Update
Patched in version: 4.1.8
Severity score: High
These vulnerabilities have been patched, so you should update to version 4.1.8.
6. LearnPress
Plugin: LearnPress WordPress LMS Plugin
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 4.1.6
Severity score: Medium
The vulnerability has been patched, so you should update to version 4.1.6.
7. Image optimization & Lazy Load
Plugin: Image optimization & Lazy Load by Optimole
Installations: 80,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 3.3.2
Severity score: Low
The vulnerability has been patched, so you should update to version 3.3.2.
8. Post Grid
Plugin: Post Grid
Installations: 60,000+
Vulnerabilities: Reflected Cross-Site Scripting via keyword; Reflected Cross-Site Scripting via post_types
Patched in version: 2.1.16
Severity score: Medium
These vulnerabilities have been patched, so you should update to version 2.1.16.
9. Super Socializer
Plugin: Social Share, Social Login and Social Comments Plugin Super Socializer
Installations: 50,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 7.13.30
Severity score: Medium
The vulnerability has been patched, so you should update to version 7.13.30.
10. Easy Smooth Scroll Links
Plugin: Easy Smooth Scroll Links Smooth Scrolling Anchor
Installations: 50,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.23.1
Severity score: Low
The vulnerability has been patched, so you should update to version 2.23.1.
11. FV Flowplayer Video Player
Plugin: FV Flowplayer Video Player
Installations: 40,000+
Vulnerability: Author+ SQLi
Patched in version: 7.5.18.727
Severity score: High
The vulnerability has been patched, so you should update to version 7.5.18.727.
12. Easy Social Icons
Plugin: Easy Social Icons
Installations: 40,000+
Vulnerabilities: Admin+ Stored Cross-Site Scripting; Admin+ Stored Cross-Site Scripting in add icon; Unauthenticated Arbitrary Icon Deletion
Patched in version: 3.2.1
Severity score: Low
These vulnerabilities have been patched, so you should update to version 3.2.1.
13. Export All URLs
Plugin: Export All URLs
Installations: 30,000+
Vulnerabilities: Private/Draft Post/Page Title Disclosure via CSRF; Reflected Cross-Site Scripting
Patched in version: 4.3
Severity score: Medium
These vulnerabilities have been patched, so you should update to version 4.3.
14. iQ Block Country
Plugin: iQ Block Country
Installations: 30,000+
Vulnerability: Admin+ Arbitrary File Deletion via Zip Slip
Patched in version: 1.2.13
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.2.13.
15. GridKit Portfolio
Plugin: Portfolio Gallery, Product Catalog Grid KIT Portfolio
Installations: 10,000+
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in version: 2.1.0
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.1.0.
16. WP Block and Stop Bad Bots
Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
Installations: 10,000+
Vulnerability: Unauthenticated SQLi
Patched in version: 6.930
Severity score: High
The vulnerability has been patched, so you should update to version 6.930.
17. Salon booking system
Plugin: Salon booking system
Installations: 8,000+
Vulnerabilities: Customer+ Bookings/Customers Data Disclosure; Unauthenticated Sensitive Data Disclosure
Patched in version: 7.6.3
Severity score: High
These vulnerabilities have been patched, so you should update to version 7.6.3.
18. Podcast Importer SecondLine
Plugin: Podcast Importer SecondLine
Installations: 6,000+
Vulnerability: Admin+ SQLi
Patched in version: 1.3.8
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.3.8.
19. Advanced Booking Calendar
Plugin: Advanced Booking Calendar
Installations: 5,000+
Vulnerabilities: Reflected Cross-Site Scripting; Admin+ SQLi
Patched in version: 1.7.1
Severity score: Medium
These vulnerabilities have been patched, so you should update to version 1.7.1.
WordPress Plugin Vulnerabilities With No Known Fix
Sassy Social Share
Plugin: Social Sharing Plugin Sassy Social Share
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
NS WooCommerce Watermark
Plugin: NS WooCommerce Watermark
Vulnerability: Abuse of Functionality
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
WordPress Theme Vulnerabilities
Good news! No new WordPress theme vulnerabilities were disclosed this week.
If you are under our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not under our maintenance plan... well, what are you waiting for? Sign up today!