
WordPress Vulnerabilities Digest - May 2022 Part 1

Threat Alerts / April 14, 2022
Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 5.9.3 was released on April 5, 2022, as a short-cycle maintenance release with 19 bug fixes. Because this is a core update, be sure to update to WordPress 5.9.3 as soon as possible.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. All-in-One WP Migration

PLUGIN: All-in-One WP Migration
INSTALLATIONS: 4,000,000+
VULNERABILITY: Admin+ File Deletion on Windows Hosts via Path Traversal
PATCHED IN VERSION: 7.59
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 1.1.2.

2. Ultimate Member

PLUGIN: Ultimate Member User Profile, User Registration, Login & Membership Plugin
INSTALLATIONS: 200,000+
VULNERABILITY: Open Redirect
PATCHED IN VERSION: 2.3.2
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 2.3.2.

3. Breeze

PLUGIN: Breeze WordPress Cache Plugin
INSTALLATIONS: 200,000+
VULNERABILITY: Subscriber+ Arbitrary Settings Update to Stored XSS
PATCHED IN VERSION: 2.0.3
SEVERITY SCORE: High

The vulnerability has been patched, so you should update to version 2.0.3.

4. Check & Log Email

PLUGIN: Check & Log Email
INSTALLATIONS: 100,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: 1.0.6
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 1.0.6.

5. Google XML Sitemap Generator

PLUGIN: XML Sitemap Generator for Google
INSTALLATIONS: 80,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: 2.0.4
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 2.0.4.

6. Booking Calendar

PLUGIN: Booking Calendar
INSTALLATIONS: 60,000+
VULNERABILITY: PHP Object Injection
PATCHED IN VERSION: 9.1.1
SEVERITY SCORE: High

The vulnerability has been patched, so you should update to version 9.1.1.

7. Sliderby10Web

PLUGIN: Sliderby10Web
INSTALLATIONS: 40,000+
VULNERABILITY: Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: 1.2.52
SEVERITY SCORE: Low

The vulnerability has been patched, so you should update to version 1.2.52.

8. Tabs Responsive

PLUGIN: Subscribe To Comments Reloaded
INSTALLATIONS: 20,000+
VULNERABILITY: Multiple CSRF
PATCHED IN VERSION: 220502
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 220502.

9. Subscribe To Comments Reloaded

PLUGIN: WP YouTube Live
INSTALLATIONS: 3,000+
VULNERABILITY: Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: 1.8.3
SEVERITY SCORE: Low

The vulnerability has been patched, so you should update to version 1.8.3.

10. WP Meta SEO

PLUGIN: WP Meta SEO
INSTALLATIONS: 20,000+
VULNERABILITY: Admin+ Stored Cross-Site Scripting via breadcrumbs
PATCHED IN VERSION: 4.4.7
SEVERITY SCORE: Low

The vulnerability has been patched, so you should update to version 4.4.7.

11. Tripetto

PLUGIN: WordPress form builder plugin for contact forms, surveys and quizzes Tripetto
INSTALLATIONS: 2,000+
VULNERABILITY: Unauthenticated Stored Cross-Site Scripting
PATCHED IN VERSION: 5.2.0
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 5.2.0.

12. Nirweb support

PLUGIN: Nirweb support
INSTALLATIONS: 900+
VULNERABILITY: Unauthenticated SQLi
PATCHED IN VERSION: 2.8.2
SEVERITY SCORE: High

The vulnerability has been patched, so you should update to version 2.8.2.

13. RSVPMaker

PLUGIN: RSVPMaker
INSTALLATIONS: 600+
VULNERABILITY: Unauthenticated SQLi
PATCHED IN VERSION: 9.2.7
SEVERITY SCORE: High

The vulnerability has been patched, so you should update to version 9.2.7.

WordPress Plugin Vulnerabilities No Known Fix

WP Subscribe

PLUGIN: WP Subscribe
INSTALLATIONS: 20,000+
VULNERABILITY: Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Low

The vulnerability has not been patched. You should deactivate the plugin.

Psychological tests & quizzes

PLUGIN: Psychological tests & quizzes
VULNERABILITY: Contributor+ Stored Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP-Invoice

PLUGIN: WP-Invoice Web Invoice and Billing
VULNERABILITY: Arbitrary Settings Update via CSRF
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Ravpage

PLUGIN: ravpage
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Gwyns Imagemap Selector

PLUGIN: Gwyns Imagemap Selector
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Coru LFMember

PLUGIN: Coru LFMember
VULNERABILITY: Arbitrary Game Deletion/Activation via CSRF; Stored Cross-Site Scripting via CSRF
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Vertical scroll recent post

PLUGIN: Vertical scroll recent post
INSTALLATIONS: 2,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Footer Text

PLUGIN: Footer Text
VULNERABILITY: Stored Cross-Site Scripting via CSRF
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Turn off all comments

PLUGIN: Turn off all comments
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Curtain

PLUGIN: Curtain
VULNERABILITY: Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Contacts Manager

PLUGIN: WP Contacts Manager
VULNERABILITY: Unauthenticated SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Critical

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Donate Extra

PLUGIN: Donate Extra
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Domain Replace

PLUGIN: Domain Replace
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Hermit

PLUGIN: Hermit
VULNERABILITY: Arbitrary Cache/Source Deletion & Source Creation via CSRF; Unauthenticated SQLi; Subscriber+ SQLi; Stored Cross-Site Scripting via CSRF
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

No new WordPress theme vulnerabilities were disclosed this week.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!