WordPress Vulnerability Report – January 2023 Part 2

Threat Alerts / January 11, 2023
Good news! No new WordPress theme vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities: Widgets for Google Reviews, Strong Testimonials, Royal Elementor Addons and others.

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, it makes sense to ensure your site is backed up with BackupBuddy before updating.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. Widgets for Google Reviews

Plugin: Widgets for Google Reviews
Plugin slug: wp-reviews-plugin-for-google
Installations: 100,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 9.8
Severity score: Medium
CVE: CVE-2022-4470

The vulnerability has been patched, so you should update to version 9.8.

2. Strong Testimonials

Plugin: Strong Testimonials
Plugin slug: strong-testimonials
Installations: 100,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 3.0.3
Severity score: Medium
CVE: CVE-2022-4717

The vulnerability has been patched, so you should update to version 3.0.3.

3. Royal Elementor Addons

Plugin: Royal Elementor Addons (Elementor Templates, Post Grid, Mega Menu & Header Footer Builder, WooCommerce Builder, Product Grid, Slider, Parallax Image & other Free Elementor Widgets)
Plugin slug: royal-elementor-addons
Installations: 100,000+
Vulnerabilities:
  Menu Template Creation via CSRF
  Subscriber+ Arbitrary Template Import
  Subscriber+ Template Kit Import
  Reflected XSS
  Subscriber+ Arbitrary Plugin Deactivation
  Subscriber+ Mega Menu Settings Update
  Subscriber+ Arbitrary Import Deletion
  Subscriber+ Arbitrary Plugin Activation
  Subscriber+ Template Condition Update
  Subscriber+ Arbitrary Template Activation
  Subscriber+ Arbitrary Theme Activation
Patched in version: 1.3.60
Severity score: Medium
CVE: CVE-2022-4707

The vulnerabilities have been patched, so you should update to version 1.3.60.

4. Simple Sitemap

Plugin: Simple Sitemap – Create a Responsive HTML Sitemap
Plugin slug: simple-sitemap
Installations: 90,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 3.5.8
Severity score: Medium
CVE: CVE-2022-4472

The vulnerability has been patched, so you should update to version 3.5.8.

5. RSS Aggregator by Feedzy

Plugin: RSS Aggregator by Feedzy – Powerful WP Autoblogging and News Aggregator
Plugin slug: feedzy-rss-feeds
Installations: 50,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 4.1.1
Severity score: Medium
CVE: CVE-2022-4667

The vulnerability has been patched, so you should update to version 4.1.1.

6. Insert Pages

Plugin: Insert Pages
Plugin slug: insert-pages
Installations: 40,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 3.7.5
Severity score: Medium
CVE: CVE-2022-4483

The vulnerability has been patched, so you should update to version 3.7.5.

7. News & Blog Designer Pack

Plugin: News & Blog Designer Pack – WordPress Blog Plugin (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry)
Plugin slug: blog-designer-pack
Installations: 30,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 3.3
Severity score: Medium
CVE: CVE-2022-4792

The vulnerability has been patched, so you should update to version 3.3.

8. Revive Old Posts – Social Media Auto Post and Scheduling Plugin

Plugin: Revive Old Posts – Social Media Auto Post and Scheduling Plugin
Plugin slug: tweet-old-post
Installations: 30,000+
Vulnerability: PHP Object Injection
Patched in version: 9.0.11
Severity score: Low
CVE: CVE-2022-4680

The vulnerability has been patched, so you should update to version 9.0.11.

9. WP Extended Search

Plugin: WP Extended Search
Plugin slug: wp-extended-search
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 2.1.2
Severity score: Medium
CVE: CVE-2022-4649

The vulnerability has been patched, so you should update to version 2.1.2.

10. Pricing Tables WordPress Plugin – Easy Pricing Tables

Plugin: Pricing Tables WordPress Plugin – Easy Pricing Tables
Plugin slug: easy-pricing-tables
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 3.2.3
Severity score: Medium
CVE: CVE-2022-4654

The vulnerability has been patched, so you should update to version 3.2.3.

11. PDF.js Viewer

Plugin: PDF.js Viewer
Plugin slug: pdfjs-viewer-shortcode
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 2.1.8
Severity score: Medium
CVE: CVE-2022-4670

The vulnerability has been patched, so you should update to version 2.1.8.

12. PPWP – WordPress Password Protect Page

Plugin: PPWP – Password Protect Pages
Plugin slug: password-protect-page
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS in Shortcode
Patched in version: 1.8.6
Severity score: Medium
CVE: CVE-2022-4626

The vulnerability has been patched, so you should update to version 1.8.6.

13. Easy Testimonials

Plugin: Easy Testimonials
Plugin slug: easy-testimonials
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 3.9.3
Severity score: Medium
CVE: CVE-2022-4577

The vulnerability has been patched, so you should update to version 3.9.3.

14. Page View Count

Plugin: Page View Count
Plugin slug: page-views-count
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 2.6.1
Severity score: Medium
CVE: CVE-2023-0095

The vulnerability has been patched, so you should update to version 2.6.1.

15. Post Grid, Post Carousel, & List Category Posts

Plugin: Post Grid, Post Carousel, & List Category Posts – by Smart Post Show
Plugin slug: post-carousel
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 2.4.19
Severity score: Medium
CVE: CVE-2023-0097

The vulnerability has been patched, so you should update to version 2.4.19.

16. PDF Viewer

Plugin: PDF Viewer
Plugin slug: pdf-viewer
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.0.0
Severity score: Medium
CVE: CVE-2023-0033

The vulnerability has been patched, so you should update to version 1.0.0.

17. PixCodes

Plugin: PixCodes
Plugin slug: pixcodes
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS in Shortcode
Patched in version: 2.3.7
Severity score: Medium
CVE: CVE-2022-4671

The vulnerability has been patched, so you should update to version 2.3.7.

18. WP-ShowHide

Plugin: WP-ShowHide
Plugin slug: wp-showhide
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.05
Severity score: Medium
CVE: CVE-2022-4825

The vulnerability has been patched, so you should update to version 1.05.

19. miniOrange WordPress SAML SSO Premium

Plugin: SAML Single Sign On – SSO Login
Plugin slug: miniorange-saml-20-single-sign-on
Installations: 10,000+
Vulnerability: Open Redirect in SSO login
Patched in version: 12.1.0
Severity score: Medium
CVE: CVE-2022-4496

The vulnerability has been patched, so you should update to version 12.1.0.

20. miniOrange WordPress SAML SSO Standard

Plugin: SAML Single Sign On – SSO Login
Plugin slug: miniorange-saml-20-single-sign-on
Installations: 10,000+
Vulnerability: Open Redirect in SSO login
Patched in version: 16.0.8
Severity score: Medium
CVE: CVE-2022-4496

The vulnerability has been patched, so you should update to version 16.0.8.

21. miniOrange WordPress SAML SSO Premium Multisite

Plugin: SAML Single Sign On – SSO Login
Plugin slug: miniorange-saml-20-single-sign-on
Installations: 10,000+
Vulnerability: Open Redirect in SSO login
Patched in version: 20.0.7
Severity score: Medium
CVE: CVE-2022-4496

The vulnerability has been patched, so you should update to version 20.0.7.

22. CC Child Pages

Plugin: CC Child Pages
Plugin slug: cc-child-pages
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.43
Severity score: Medium
CVE: CVE-2022-4776

The vulnerability has been patched, so you should update to version 1.43.

23. YourChannel: Everything you want in a YouTube plugin

Plugin: YourChannel: Everything you want in a YouTube plugin.
Plugin slug: yourchannel
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.2.3
Severity score: Medium
CVE: CVE-2022-4833

The vulnerability has been patched, so you should update to version 1.2.3.

24. Bold Timeline Lite

Plugin: Bold Timeline Lite
Plugin slug: bold-timeline-lite
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.1.5
Severity score: Medium
CVE: CVE-2022-4828

The vulnerability has been patched, so you should update to version 1.1.5.

25. Clean Login

Plugin: Clean Login
Plugin slug: clean-login
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.13.7
Severity score: Medium
CVE: CVE-2022-4838

The vulnerability has been patched, so you should update to version 1.13.7.

26. Custom User Profile Fields for User Registration & Member Frontend Profiles with Paid Memberships Pro

Plugin: Custom User Profile Fields for User Registration & Member Frontend Profiles with Paid Memberships Pro
Plugin slug: pmpro-register-helper
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.8.1
Severity score: Medium
CVE: CVE-2022-4831

The vulnerability has been patched, so you should update to version 1.8.1.

27. CPO Companion

Plugin: CPO Companion
Plugin slug: cpo-companion
Installations: 10,000+
Vulnerabilities:
  Admin+ Stored XSS
  Contributor+ Stored XSS via Shortcode
Patched in version: 1.1.0
Severity score: Low
CVE: CVE-2023-0162

The vulnerabilities have been patched, so you should update to version 1.1.0.

28. Portfolio for Elementor, Image Gallery & Post Grid | PowerFolio

Plugin: Portfolio for Elementor, Image Gallery & Post Grid | PowerFolio
Plugin slug: portfolio-elementor
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 2.3.1
Severity score: Medium
CVE: CVE-2022-4765

The vulnerability has been patched, so you should update to version 2.3.1.

29. Themify Shortcodes

Plugin: Themify Shortcodes
Plugin slug: themify-shortcodes
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 2.0.8
Severity score: Medium
CVE: CVE-2022-4787

The vulnerability has been patched, so you should update to version 2.0.8.

30. Event Manager and Tickets Selling Plugin for WooCommerce

Plugin: Event Manager and Tickets Selling Plugin for WooCommerce
Plugin slug: mage-eventpress
Installations: 9,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 3.8.0
Severity score: Medium
CVE: CVE-2023-0144

The vulnerability has been patched, so you should update to version 3.8.0.

31. WP Social Widget

Plugin: WP Social Widget
Plugin slug: wp-social-widget
Installations: 9,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 2.2.4
Severity score: Medium
CVE: CVE-2023-0074

The vulnerability has been patched, so you should update to version 2.2.4.

32. Icon Widget

Plugin: Icon Widget
Plugin slug: icon-widget
Installations: 9,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.3.0
Severity score: Medium
CVE: CVE-2022-4763

The vulnerability has been patched, so you should update to version 1.3.0.

33. WP Tabs

Plugin: WP Tabs – Responsive Tabs Plugin for WordPress
Plugin slug: wp-expand-tabs-free
Installations: 9,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 2.1.17
Severity score: Medium
CVE: CVE-2023-0071

The vulnerability has been patched, so you should update to version 2.1.17.

34. Blog Designer – Post and Widget

Plugin: Blog Designer – Post and Widget
Plugin slug: blog-designer-for-post-and-widget
Installations: 9,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 2.4.1
Severity score: Medium
CVE: CVE-2022-4793

The vulnerability has been patched, so you should update to version 2.4.1.

35. Post Category Image With Grid and Slider

Plugin: Post Category Image With Grid and Slider
Plugin slug: post-category-image-with-grid-and-slider
Installations: 3,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.4.8
Severity score: Medium
CVE: CVE-2022-4747

The vulnerability has been patched, so you should update to version 1.4.8.

36. Survey Maker

Plugin: Survey Maker – Best WordPress Survey Plugin
Plugin slug: survey-maker
Installations: 3,000+
Vulnerability: Unauthenticated Stored XSS
Patched in version: 3.1.4
Severity score: High
CVE: CVE-2023-0038

The vulnerability has been patched, so you should update to version 3.1.4.

37. Posts List Designer by Category

Plugin: Posts List Designer by Category – List Category Posts Or Recent Posts
Plugin slug: post-list-designer
Installations: 1,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 3.2
Severity score: Medium
CVE: CVE-2022-4749

The vulnerability has been patched, so you should update to version 3.2.

38. Membership For WooCommerce

Plugin: Membership For WooCommerce – Add Simple Membership Plans, Recurring Revenue, Product Tags & Send Emails To Members with WooCommerce Membership
Plugin slug: membership-for-woocommerce
Installations: 400+
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in version: 2.1.7
Severity score: Critical
CVE: CVE-2022-4395

The vulnerability has been patched, so you should update to version 2.1.7.

39. WooCommerce Chained Products

Plugin: Chained Products
Plugin slug: woocommerce-chained-products
Vulnerability: Unauthenticated Arbitrary Options Update to 'no'
Patched in version: 2.12.0
Severity score: Medium
CVE: CVE-2022-4872

The vulnerability has been patched, so you should update to version 2.12.0.

40. Justified Gallery

Plugin: Justified Gallery
Plugin slug: justified-gallery
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.7.1
Severity score: Medium
CVE: CVE-2022-4651

The vulnerability has been patched, so you should update to version 1.7.1.

41. AAWP

Plugin slug: aawp
Vulnerability: Unsafe URL Handling
Patched in version: 3.12.3
Severity score: Medium
CVE: CVE-2022-4794

The vulnerability has been patched, so you should update to version 3.12.3.


WordPress Plugin Vulnerabilities – No Known Fix

Until a patch is available, immediately uninstall and delete the plugin.

Members Import

Plugin: Members Import
Plugin slug: members-import
Vulnerability: XSS via Imported CSV
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-4663

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

CPT Bootstrap Carousel

Plugin: CPT Bootstrap Carousel
Plugin slug: cpt-bootstrap-carousel
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-4834

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

JetWidgets for Elementor

Plugin: JetWidgets For Elementor
Plugin slug: jetwidgets-for-elementor
Vulnerability: Settings Update via CSRF
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2023-0086

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

MediaElement.js – HTML5 Video & Audio Player

Plugin: MediaElement.js – HTML5 Video & Audio Player
Plugin slug: media-element-html5-video-and-audio-player
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-4699

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Social Sharing Toolkit

Plugin: Social Sharing Toolkit
Plugin slug: social-sharing-toolkit
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-4835

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Accordion Shortcodes

Plugin: Accordion Shortcodes
Plugin slug: accordion-shortcodes
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-4781

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

FL3R FeelBox

Plugin: FL3R FeelBox
Plugin slug: fl3r-feelbox
Vulnerabilities:
  Settings Update via CSRF to Stored XSS
  Moods Reset via CSRF
Patched in version: No Fix
Severity score: High
CVE: CVE-2022-4552

The vulnerabilities have not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

Good news! No new WordPress theme vulnerabilities were disclosed this week.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!