
WordPress Vulnerabilities Digest - November 2022 Part 2

Threat Alerts / November 09, 2022
Powered by WPScan, this report covers all the recent vulnerabilities that have been discovered in WordPress plugins, themes, and core. By staying on top of this information, you'll know exactly which plugins and themes on your website need to be updated or replaced to keep your site safe.

Each vulnerability carries a severity rating of low, medium, high, or critical. A role prefix such as Admin+ or Subscriber+ is the lowest WordPress role an attacker needs to exploit the issue; entries without a prefix can be triggered without an account of the attacker's own, for example through a reflected payload or a CSRF request against a logged-in user. Admin+ stored XSS issues rate low because the attacker already holds the highest role; they matter mainly on multisite installs or where unfiltered_html has been disabled, since those administrators are not supposed to be able to inject script. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

On Tuesday, November 1, 2022, WordPress 6.1 “Misha” was released with several dramatic improvements. Check out the overview to prepare for what WordPress 6.1 brings to your site.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Core Dropping Support for WordPress Versions 3.7 – 4.0

In more WordPress core security news, the WordPress Security Team will no longer backport security fixes to WordPress core versions 3.7 through 4.0 (the cut-off is December 1, 2022). Sites still on those branches will receive no further security updates, so make sure all of your WordPress sites are running the latest version.

WordPress Plugin Vulnerabilities

1. Checkout Field Editor for WooCommerce

Plugin: Checkout Field Editor (Checkout Manager) for WooCommerce
Installations: 400,000+
Vulnerability: Admin+ PHP Object Injection
Patched in version: 1.8.0
Severity rating: Medium

The vulnerability has been patched, so you should update to version 1.8.0.

2. Blog2Social

Plugin: Blog2Social: Social Media Auto Post & Scheduler
Installations: 70,000+
Vulnerability: Subscriber+ Settings Update
Patched in version: 6.9.12
Severity rating: Medium

The vulnerability has been patched, so you should update to version 6.9.12.

3. WP Admin UI Customize

Plugin: WP Admin UI Customize
Installations: 40,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 1.5.13
Severity rating: Low

The vulnerability has been patched, so you should update to version 1.5.13.

4. Donations via PayPal

Plugin: Donations via PayPal
Installations: 40,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 1.9.9
Severity rating: Low

The vulnerability has been patched, so you should update to version 1.9.9.

5. Beautiful Cookie Consent Banner

Plugin: Beautiful Cookie Consent Banner
Installations: 40,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 2.9.1
Severity rating: Low

The vulnerability has been patched, so you should update to version 2.9.1.

6. Form Vibes

Plugin: Form Vibes – Database Manager for Forms
Installations: 20,000+
Vulnerability: Admin+ SQLi
Patched in version: 1.4.6
Severity rating: Medium

The vulnerability has been patched, so you should update to version 1.4.6.

7. Theme-Demo-Importer

Plugin: Theme Demo Import
Installations: 10,000+
Vulnerability: Admin+ Arbitrary File Upload
Patched in version: 1.1.1
Severity rating: Medium

The vulnerability has been patched, so you should update to version 1.1.1.

8. Awesome Support

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin
Installations: 10,000+
Vulnerability: Subscriber+ Arbitrary Exported Tickets Download
Patched in version: 6.1.2
Severity rating: Medium

The vulnerability has been patched, so you should update to version 6.1.2.

9. Salon Booking System

Plugin: Salon booking system
Installations: 8,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 7.9.4
Severity rating: Medium

The vulnerability has been patched, so you should update to version 7.9.4.

10. HTML Forms

Plugin: HTML Forms
Installations: 7,000+
Vulnerability: Admin+ SQLi
Patched in version: 1.3.25
Severity rating: Medium

The vulnerability has been patched, so you should update to version 1.3.25.

11. WP OAuth Server

Plugin: WP OAuth Server (OAuth Authentication)
Installations: 4,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 4.2.2
Severity rating: Low

The vulnerability has been patched, so you should update to version 4.2.2.

12. Export customers list csv for WooCommerce

Plugin: Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list
Installations: 3,000+
Vulnerability: CSV Injection
Patched in version: 2.0.69
Severity rating: Low

The vulnerability has been patched, so you should update to version 2.0.69.

13. WPSmartContracts

Plugin: WPSmartContracts
Installations: 1,000+
Vulnerability: Author+ SQLi
Patched in version: 1.3.12
Severity rating: Medium

The vulnerability has been patched, so you should update to version 1.3.12.

14. OWM Weather

Plugin: OWM Weather
Installations: 1,000+
Vulnerability: Contributor+ SQLi
Patched in version: 5.6.9
Severity rating: High

The vulnerability has been patched, so you should update to version 5.6.9.

15. VR Calendar

Plugin: VR Calendar
Installations: 1,000+
Vulnerability: Calendar Deletion/Update & Settings Update via CSRF
Patched in version: 2.3.4
Severity rating: Medium

The vulnerability has been patched, so you should update to version 2.3.4.

16. Salat Times

Plugin: Salat Times
Installations: 900+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 3.2.2
Severity rating: Low

The vulnerability has been patched, so you should update to version 3.2.2.

17. WP User Merger

Plugin: WP User Merger
Installations: 200+
Vulnerabilities: Admin+ SQLi via user_id; Admin+ SQLi via wpsu_user_id; Admin+ SQLi via ID
Patched in version: 1.5.3
Severity rating: Medium

The vulnerability has been patched, so you should update to version 1.5.3.

18. Jeeng Push Notifications

Plugin: Jeeng Push Notifications
Installations: 10+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.0.4
Severity rating: Low

The vulnerability has been patched, so you should update to version 2.0.4.

19. Find and Replace All

Plugin: Find and Replace All by Taraprasad Swain
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.3
Severity rating: Medium

The vulnerability has been patched, so you should update to version 1.3.

20. 4ECPS Web Forms

Plugin: 4ECPS Web Forms
Vulnerability: Admin+ Stored XSS
Patched in version: 0.2.18
Severity rating: Low

The vulnerability has been patched, so you should update to version 0.2.18.

WordPress Plugin Vulnerabilities – No Known Fix

Until a patch is available, immediately uninstall and delete the plugin.

WPGForm

Plugin: wpgform by Mike Walsh
Vulnerability: Admin+ Stored XSS
Patched in version: No fix
Severity rating: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Image Hover Effects Css3

Plugin: Image Hover Effects Css3 by Nasir
Vulnerability: Admin+ Stored XSS
Patched in version: No fix
Severity rating: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Analytics for WP

Plugin: Analytics for WP by Aman Verma
Vulnerability: Admin+ Stored XSS
Patched in version: No fix
Severity rating: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Find and Replace All

Plugin: Find and Replace All by Taraprasad Swain
Vulnerability: Arbitrary Replacement via CSRF
Patched in version: No fix
Severity rating: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

AM-HiLi Affiliate Manager for Publishers

Plugin: AM-HiLi Affiliate Manager for Publishers by Ayoub Media
Vulnerability: Admin+ Stored XSS
Patched in version: No fix
Severity rating: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Testimonial Slider

Plugin: Testimonial Slider by DavidAnderson
Vulnerability: Stored XSS via CSRF
Patched in version: No fix
Severity rating: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Showing URL in QR Code

Plugin: Showing URL in QR Code by abkorim
Vulnerability: Stored XSS via CSRF
Patched in version: No fix
Severity rating: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Long Form reCAPTCHA

Plugin: Long Form reCAPTCHA by Ash Matadeen
Vulnerability: Admin+ Stored XSS
Patched in version: No fix
Severity rating: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

3DPrint

Plugin: 3DPrint
Vulnerability: Arbitrary File and Directory Deletion via CSRF
Patched in version: No fix
Severity rating: High

The vulnerability has not been patched. You should deactivate the plugin.

Fancier Author Box by ThematoSoup

Plugin: Fancier Author Box by ThematoSoup
Vulnerability: Admin+ Stored XSS
Patched in version: No fix
Severity rating: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Video Thumbnails

Plugin: Video Thumbnails by Sutherland Boswell
Vulnerability: Admin+ Stored XSS
Patched in version: No fix
Severity rating: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Font Awesome 4 Menus

Plugin: Font Awesome 4 Menus by New Nine Media
Vulnerability: Admin+ Stored XSS
Patched in version: No fix
Severity rating: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

AgentEasy Properties

Plugin: AgentEasy Properties
Vulnerability: Admin+ Stored XSS
Patched in version: No fix
Severity rating: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
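Turning the two lists above (patched versions, and closed plugins with no fix) plus the core 3.7–4.0 notice into an actual check on a site: the following Python script is an added example, not part of the original digest and not WPScan or iThemes tooling. It reads the JSON that WP-CLI's `wp plugin list --format=json` prints and flags any listed plugin that is older than its patched version or that has no fix, and it classifies a core version against the 3.7 through 4.0 range that is losing security backports. The plugin slugs in DIGEST are assumptions (confirm each against the plugin's wordpress.org URL), and SAMPLE_PLUGIN_LIST is constructed data, not a real site.

```python
"""Audit a WordPress site's plugin list against the versions in this digest.

Usage with WP-CLI:  wp plugin list --format=json | python3 wp_digest_check.py
"""
import json
import re
import sys

# Minimum patched version from the digest, keyed by plugin slug (the "name"
# column of `wp plugin list`). None means the plugin is closed with no fix and
# should be removed. Slugs are assumed; verify them before relying on this.
DIGEST = {
    "woo-checkout-field-editor-pro": "1.8.0",  # Checkout Field Editor for WooCommerce
    "blog2social": "6.9.12",
    "awesome-support": "6.1.2",
    "salon-booking-system": "7.9.4",
    "html-forms": "1.3.25",
    "owm-weather": "5.6.9",
    "wpgform": None,             # closed, no fix
    "fancier-author-box": None,  # closed, no fix
    "video-thumbnails": None,    # closed, no fix
}


def parse_version(version):
    """Split "1.3.25" into [1, 3, 25]. Pre-release suffixes such as "-beta1"
    are ignored, which is stricter than PHP's version_compare(): a beta of the
    fixed release is treated as the release itself."""
    return [int(part) for part in re.findall(r"\d+", version)]


def version_lt(installed, fixed):
    """True if `installed` is older than `fixed`. Missing components count as
    zero, so "1.8" equals "1.8.0"; comparing component-wise avoids the string
    trap where "6.9.9" sorts after "6.9.12"."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a < b


def core_in_dropped_range(core_version):
    """True for the 3.7 through 4.0 branches that lose security backports.
    (Anything below 3.7 never received backports at all and is not flagged here.)"""
    return not version_lt(core_version, "3.7") and version_lt(core_version, "4.1")


def audit(plugin_list_json, digest=DIGEST):
    """Return [(slug, installed_version, status, action, detail)] for every
    installed plugin the digest covers that is still at risk. Inactive plugins
    are reported too: deactivating leaves the plugin's files on disk."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug, installed, status = plugin["name"], plugin["version"], plugin["status"]
        if slug not in digest:
            continue
        fixed = digest[slug]
        if fixed is None:
            findings.append((slug, installed, status, "remove",
                             "no fix available; uninstall and delete"))
        elif version_lt(installed, fixed):
            findings.append((slug, installed, status, "update",
                             f"update to {fixed} or later"))
    return findings


# Constructed sample in the shape `wp plugin list --format=json` emits; not real site data.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "blog2social", "status": "active", "update": "available", "version": "6.9.11"},
    {"name": "owm-weather", "status": "active", "update": "none", "version": "5.6.9"},
    {"name": "html-forms", "status": "inactive", "update": "available", "version": "1.3.20"},
    {"name": "wpgform", "status": "active", "update": "none", "version": "1.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.0.1"},
])

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLUGIN_LIST
    for slug, installed, status, action, detail in audit(data):
        print(f"{action.upper():6} {slug} {installed} ({status}): {detail}")
```

Run against the sample, it reports blog2social and html-forms for update and wpgform for removal; owm-weather is already at 5.6.9 and akismet is not in the digest. The inactive html-forms entry is reported on purpose: the digest's advice is to update or remove, and a deactivated plugin still ships its vulnerable files.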

WordPress Theme Vulnerabilities

Good news! No new WordPress theme vulnerabilities were disclosed this week.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we have already taken the necessary steps to protect your sites.

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!