WordPress Vulnerabilities Digest - November 2022 Part 1
Each vulnerability is given a severity rating of low, medium, high, or critical. Role prefixes such as Subscriber+ or Admin+ indicate the lowest user role needed to trigger the issue. Responsible disclosure and reporting of vulnerabilities are an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
On Tuesday, November 1, 2022, WordPress 6.1 “Misha” was released with several dramatic improvements. Check out the overview to prepare for what WordPress 6.1 brings to your site.
No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
1. Popup Maker
Plugin: Popup Maker – Popup for opt-ins, lead gen, & more
Installations: 700,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.16.11
Severity score: Low
The vulnerability has been patched, so you should update to version 1.16.11.
2. Contact Form 7 Database Addon
Plugin: Contact Form 7 Database Addon – CFDB7
Installations: 500,000+
Vulnerability: CSV Injection
Patched in version: 1.2.6.5
Severity score: Low
The vulnerability has been patched, so you should update to version 1.2.6.5.
3. Ultimate Member
Plugin: Ultimate Member – User Profile, User Registration, Login & Membership Plugin
Installations: 200,000+
Vulnerabilities: Contributor+ LFI via Traversal; Admin+ RCE; Subscriber+ RCE; Admin+ LFI via Traversal
Patched in version: 2.5.1
Severity score: Medium
These vulnerabilities have been patched, so you should update to version 2.5.1.
4. Web Stories
Plugin: Web Stories
Installations: 90,000+
Vulnerability: Subscriber+ Server Side Request Forgery
Patched in version: 1.25.0
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.25.0.
5. WP-Polls
Plugin: WP-Polls
Installations: 80,000+
Vulnerability: IP Validation Bypass
Patched in version: 2.76.0
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.76.0.
6. Booster for WooCommerce Free
Plugin: Booster for WooCommerce
Installations: 70,000+
Vulnerabilities: Checkout Files Deletion via CSRF; ShopManager+ Arbitrary File Download
Patched in version: 5.6.7
Severity score: Low
These vulnerabilities have been patched, so you should update to version 5.6.7.
7. Spacer
Plugin: Spacer
Installations: 40,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 3.0.7
Severity score: Low
The vulnerability has been patched, so you should update to version 3.0.7.
8. WP User Frontend
Plugin: WP User Frontend – Membership, Profile, Registration & Post Submission Plugin for WordPress
Installations: 30,000+
Vulnerability: Obscure Registration as Admin
Patched in version: 3.5.29
Severity score: Medium
The vulnerability has been patched, so you should update to version 3.5.29.
9. Restaurant Menu
Plugin: Restaurant Menu – Food Ordering System – Table Reservation
Installations: 10,000+
Vulnerabilities: Unauthorized AJAX Calls; Multiple CSRF
Patched in version: 2.3.2
Severity score: Medium
These vulnerabilities have been patched, so you should update to version 2.3.2.
10. ProfileGrid
Plugin: ProfileGrid – User Profiles, Memberships, Groups and Communities
Installations: 8,000+
Vulnerability: Subscriber+ Private Message Read/Edit
Patched in version: 5.0.4
Severity score: Medium
The vulnerability has been patched, so you should update to version 5.0.4.
11. Testimonials
Plugin: Testimonials
Installations: 5,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.7
Severity score: Low
The vulnerability has been patched, so you should update to version 2.7.
12. Event Monster
Plugin: Event Monster – Event Management, Tickets Booking, Upcoming Event
Installations: 1,000+
Vulnerabilities: Admin+ SQLi; Visitors Deletion via CSRF
Patched in version: 1.2.1
Severity score: Medium
These vulnerabilities have been patched, so you should update to version 1.2.1.
13. My wpdb
Plugin: My wpdb
Installations: 10+
Vulnerability: Arbitrary SQL Query via CSRF
Patched in version: 2.5
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.5.
14. Booster for WooCommerce Premium
Plugin: Booster Plus for WooCommerce
Vulnerabilities: Checkout Files Deletion via CSRF; ShopManager+ Arbitrary File Download
Patched in version: 5.6.5
Severity score: Low
These vulnerabilities have been patched, so you should update to version 5.6.5.
15. DeepL Pro API Translation
Plugin: DeepL Pro API translation plugin
Vulnerability: API Key Disclosure
Patched in version: 1.7.5
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.7.5.
16. WPQA
Plugin: WPQA Builder
Vulnerability: Follow/Unfollow via CSRF
Patched in version: 5.9
Severity score: Medium
The vulnerability has been patched, so you should update to version 5.9.
WordPress Plugin Vulnerabilities – No Known Fix
Until a patch is available, immediately uninstall and delete the plugin.
Grid Kit Premium
Plugin: Grid Kit Premium
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No fix
Severity score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
Evaluate
Plugin: Evaluate
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Login Block IPs
Plugin: Login Block IPs
Vulnerability: IP Spoofing Bypass
Patched in version: No fix
Severity score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WP Best Quiz
Plugin: WP Best Quiz
Vulnerability: Author+ Stored XSS
Patched in version: No fix
Severity score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Theme Vulnerabilities
Ask Me
Theme: Ask me
Vulnerability: Post Deletion via CSRF
Patched in version: 6.8.7
Severity score: Medium
The vulnerability has been patched, so you should update to version 6.8.7.
If you are on a WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!