WordPress Vulnerabilities Digest - March 2022 Part 5

Threat Alerts / March 31, 2022
WordPress Plugin Vulnerabilities: Ninja Forms, Loco Translate, Safe SVG, etc.

Each vulnerability has a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 5.9.2 was released on March 11, 2022, as a security and maintenance release with 1 bug fix and 3 security fixes. Because this is a security release, be sure to update to WordPress 5.9.2 as soon as possible!

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. Ninja Forms

Plugin: Ninja Forms Contact Form (The Drag and Drop Form Builder for WordPress)
Installations: 1,000,000+
Vulnerability: Unauthenticated Email Address Disclosure
Patched in version: 3.6.8-wp
Severity: Medium

The vulnerability has been patched, so you should update to version 3.6.8-wp.

2. Loco Translate

Plugin: Loco Translate
Installations: 1,000,000+
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in version: 2.6.1
Severity: High

The vulnerability has been patched, so you should update to version 2.6.1.

3. Safe SVG

Plugin: Safe SVG
Installations: 600,000+
Vulnerability: SVG Sanitization Bypass
Patched in version: 1.9.10
Severity: Medium

The vulnerability has been patched, so you should update to version 1.9.10.

4. Caldera Forms

Plugin: Caldera Forms (More Than Contact Forms)
Installations: 200,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.9.7
Severity: Medium

The vulnerability has been patched, so you should update to version 1.9.7.

5. WP Downgrade

Plugin: WP Downgrade | Specific Core Version
Installations: 100,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.2.3
Severity: Low

The vulnerability has been patched, so you should update to version 1.2.3.

6. Hummingbird

Plugin: Hummingbird (Optimize Speed, Enable Cache, Minify CSS & Defer Critical JS)
Installations: 100,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 3.3.2
Severity: Low

The vulnerability has been patched, so you should update to version 3.3.2.

7. Easy Digital Downloads

Plugin: Easy Digital Downloads (Simple eCommerce for Selling Digital Files)
Installations: 50,000+
Vulnerabilities: Arbitrary Payment Note Insertion via CSRF; Admin+ Stored Cross-Site Scripting
Patched in version: 2.11.6
Severity: Low

The vulnerabilities have been patched, so you should update to version 2.11.6.

8. Woo Product Table

Plugin: Product Table for WooCommerce (wooproducttable.com)
Installations: 8,000+
Vulnerability: Unauthenticated Arbitrary Function Call
Patched in version: 3.1.2
Severity: Critical

The vulnerability has been patched, so you should update to version 3.1.2.

9. Shopping Cart & eCommerce Store

Plugin: Shopping Cart & eCommerce Store
Installations: 6,000+
Vulnerability: Arbitrary Design Settings Update via CSRF
Patched in version: 5.2.5
Severity: Medium

The vulnerability has been patched, so you should update to version 5.2.5.

10. RSVP and Event Management

Plugin: RSVP and Event Management Plugin
Installations: 5,000+
Vulnerability: Unauthenticated Entries Export
Patched in version: 2.7.8
Severity: High

The vulnerability has been patched, so you should update to version 2.7.8.

11. Text Hover

Plugin: Text Hover
Installations: 3,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 4.2
Severity: Low

The vulnerability has been patched, so you should update to version 4.2.

12. SearchIQ

Plugin: SearchIQ (The Search Solution)
Installations: 2,000+
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in version: 3.9
Severity: High

The vulnerability has been patched, so you should update to version 3.9.

13. Simple Event Planner

Plugin: Simple Event Planner
Installations: 1,000+
Vulnerability: Author+ Stored Cross-Site Scripting
Patched in version: 1.5.5
Severity: Medium

The vulnerability has been patched, so you should update to version 1.5.5.

14. Daily Prayer Time

Plugin: Daily Prayer Time
Installations: 1,000+
Vulnerability: Unauthenticated SQL Injection
Patched in version: 2022.03.01
Severity: High

The vulnerability has been patched, so you should update to version 2022.03.01.

15. GS Variation Swatches for WooCommerce

Plugin: GS Variation Swatches for WooCommerce
Installations: 200+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.6.0
Severity: Medium

The vulnerability has been patched, so you should update to version 1.6.0.

WordPress Plugin Vulnerabilities with No Known Fix

EXMAGE

Plugin: EXMAGE WordPress Image Links
Installations: 2,000+
Vulnerability: Admin+ Blind SSRF
Patched in version: No fix
Severity: Low

The vulnerability has not been patched. You should deactivate the plugin.

Good & Bad Comments

Plugin: Good & Bad Comments
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity: Low

The vulnerability has not been patched. You should deactivate the plugin.

Thank Me Later

Plugin: Thank Me Later
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity: Low

The vulnerability has not been patched. You should deactivate the plugin.

Page Security & Membership

Plugin: Page Security & Membership
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity: Low

The vulnerability has not been patched. You should deactivate the plugin.

Autolinks

Plugin: Autolinks
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Amministrazione Aperta

Plugin: Amministrazione Aperta
Vulnerability: Admin+ Local File Inclusion
Patched in version: No fix
Severity: Low

The vulnerability has not been patched. You should deactivate the plugin.

Ad Injection

Plugin: Ad Injection
Vulnerabilities: Admin+ Stored Cross-Site Scripting & Remote Code Execution
Patched in version: No fix
Severity: High

The vulnerabilities have not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

Good news! No new WordPress theme vulnerabilities were disclosed this week.

If you are under our WordPress Managed Maintenance plan, there is nothing to worry about: we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign up today!