NEWS
WordPress Vulnerabilities Digest - May 2022 Part 2
Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
WordPress 5.9.3 was released on April 5, 2022, as a short-cycle maintenance release with 19 bug fixes. Because this is a core update, be sure to update to WordPress 5.9.3 as soon as possible.
No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
1. Smush
Plugin: Smush (Lazy Load Images, Optimize & Compress Images)
Installations: 1,000,000+
Vulnerability: Admin+ Reflected Cross-Site Scripting
Patched in version: 3.9.9
Severity score: Low
The vulnerability has been patched, so you should update to version 3.9.9.
2. Form Maker By 10Web
Plugin: Ultimate Member (User Profile, User Registration, Login & Membership Plugin)
Installations: 200,000+
Vulnerability: Open Redirect
Patched in version: 2.3.2
Severity score: Low
The vulnerability has been patched, so you should update to version 1.14.12.
3. Change wp-admin Login
Plugin: Change wp-admin login
Installations: 70,000+
Vulnerability: Unauthenticated Arbitrary Settings Update
Patched in version: 1.43
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.1.0.
4. External Links in New Window / New Tab
Plugin: External Links in New Window / New Tab
Installations: 40,000+
Vulnerability: Tabnabbing; Unauthenticated Stored Cross-Site Scripting
Patched in version: 1.0.6
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.43.
5. Team Members
Plugin: Team Members
Installations: 40,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 5.1.1
Severity score: Low
The vulnerability has been patched, so you should update to version 5.1.1.
6. Bulk Page Creator
Plugin: Bulk Page Creator
Installations: 30,000+
Vulnerability: Arbitrary Page Creation via CSRF
Patched in version: 1.1.4
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.1.4.
7. JivoChat
Plugin: JivoChat Live Chat (WP live chat plugin for WordPress)
Installations: 30,000+
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: 1.3.5.4
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.3.5.4.
8. WP 2FA
Plugin: WP 2FA (Two-factor authentication for WordPress)
Installations: 20,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.2.1
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.2.1.
9. VikBooking
Plugin: VikBooking (Hotel Booking Engine & PMS)
Installations: 3,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.5.9
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.5.9.
10. User Meta
Plugin: User Meta (User Profile Builder and User management plugin)
Installations: 3,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.4.3
Severity score: Low
The vulnerability has been patched, so you should update to version 2.4.3.
11. Poll Maker
Plugin: Poll Maker
Installations: 3,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 4.0.2
Severity score: Low
The vulnerability has been patched, so you should update to version 4.0.2.
12. Content Mask
Plugin: Content Mask
Installations: 1,000+
Vulnerability: Subscriber+ Arbitrary Options Update
Patched in version: 1.8.4.1
Severity score: High
The vulnerability has been patched, so you should update to version 1.8.4.1.
13. Enable SVG
Plugin: Enable SVG
Installations: 500+
Vulnerability: Author+ Stored Cross-Site Scripting via SVG
Patched in version: 1.4.0
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.4.0.
14. StaffList
Plugin: StaffList
Installations: 200+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.1.7
Severity score: Medium
The vulnerability has been patched, so you should update to version 3.1.7.
WordPress Plugin Vulnerabilities with No Known Fix
WP JS
Plugin: WP JS
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No fix
Severity score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Slideshow
Plugin: Slideshow
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
No Future Posts
Plugin: No Future Posts
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Call&Book Mobile Bar
Plugin: Call&Book Mobile Bar
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Amazon Link
Plugin: Amazon Link
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
IMDB info box
Plugin: IMDB info box
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Simple Real Estate Pack
Plugin: Simple Real Estate Pack
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
HPB Dashboard
Plugin: HPB Dashboard
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Quotes llama
Plugin: Quotes llama
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Andrea Pernici News Sitemap for Google
Plugin: Andrea Pernici News Sitemap for Google
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
BannerMan
Plugin: BannerMan
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Birthdays Widget
Plugin: Birthdays Widget
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Easy FAQ with Expanding Text
Plugin: Easy FAQ with Expanding Text
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Theme Vulnerabilities
No new WordPress theme vulnerabilities were disclosed this week.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we have already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!