WordPress Vulnerability Report – January 2023 Part 3
Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always with a core release, make sure your site is backed up with BackupBuddy before updating.
No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
1. MonsterInsights
Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
Plugin slug: google-analytics-for-wordpress
Installations: 3,000,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 8.12.1
Severity score: Medium
CVE: CVE-2023-0081
The vulnerability has been patched, so you should update to version 8.12.1.
2. SiteGround Security
Plugin: SiteGround Security
Plugin slug: sg-security
Installations: 700,000+
Vulnerability: Admin+ SQLi
Patched in version: 1.3.1
Severity score: Medium
CVE: CVE-2023-0234
The vulnerability has been patched, so you should update to version 1.3.1.
3. ExactMetrics
Plugin: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Plugin slug: google-analytics-dashboard-for-wp
Installations: 700,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 7.12.1
Severity score: Medium
CVE: CVE-2023-0082
The vulnerability has been patched, so you should update to version 7.12.1.
4. Enable Media Replace
Plugin: Enable Media Replace
Plugin slug: enable-media-replace
Installations: 600,000+
Vulnerability: Author+ Arbitrary File Upload
Patched in version: 4.0.2
Severity score: Critical
CVE: CVE-2023-0255
The vulnerability has been patched, so you should update to version 4.0.2.
5. Royal Elementor Addons
Plugin: Royal Elementor Addons and Templates
Plugin slug: royal-elementor-addons
Installations: 100,000+
Vulnerabilities: Menu Template Creation via CSRF; Subscriber+ Arbitrary Template Import; Subscriber+ Template Kit Import; Reflected XSS; Subscriber+ Arbitrary Plugin Deactivation; Subscriber+ Mega Menu Settings Update; Subscriber+ Arbitrary Import Deletion; Subscriber+ Arbitrary Plugin Activation; Subscriber+ Template Condition Update; Subscriber+ Arbitrary Template Activation; Subscriber+ Arbitrary Theme Activation
Patched in version: 1.3.60
Severity score: Medium
CVE: CVE-2022-4707
These vulnerabilities have been patched, so you should update to version 1.3.60.
6. Strong Testimonials
Plugin: Strong Testimonials
Plugin slug: strong-testimonials
Installations: 100,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 3.0.3
Severity score: Medium
CVE: CVE-2022-4717
The vulnerability has been patched, so you should update to version 3.0.3.
7. WOOF – Products Filter for WooCommerce
Plugin: HUSKY – Products Filter for WooCommerce Professional
Plugin slug: woocommerce-products-filter
Installations: 100,000+
Vulnerability: Admin+ PHP Object Injection
Patched in version: 1.3.2
Severity score: Low
CVE: CVE-2022-4489
The vulnerability has been patched, so you should update to version 1.3.2.
8. WP Show Posts
Plugin: WP Show Posts
Plugin slug: wp-show-posts
Installations: 100,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.1.4
Severity score: Medium
CVE: CVE-2022-4459
The vulnerability has been patched, so you should update to version 1.1.4.
9. Contextual Related Posts
Plugin: Contextual Related Posts
Plugin slug: contextual-related-posts
Installations: 70,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 3.3.1
Severity score: Medium
CVE: CVE-2023-0252
The vulnerability has been patched, so you should update to version 3.3.1.
10. Stream
Plugin: Stream
Plugin slug: stream
Installations: 70,000+
Vulnerability: Subscriber+ Alert Creation
Patched in version: 3.9.2
Severity score: Medium
CVE: CVE-2022-4384
The vulnerability has been patched, so you should update to version 3.9.2.
11. Tutor LMS
Plugin: Tutor LMS – eLearning and online course solution
Plugin slug: tutor
Installations: 60,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.0.10
Severity score: High
CVE: CVE-2023-0236
The vulnerability has been patched, so you should update to version 2.0.10.
12. Happyforms
Plugin: Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms
Plugin slug: happyforms
Installations: 40,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.22.0
Severity score: Medium
CVE: CVE-2023-0096
The vulnerability has been patched, so you should update to version 1.22.0.
13. Meks Flexible Shortcodes
Plugin: Meks Flexible Shortcodes
Plugin slug: meks-flexible-shortcodes
Installations: 30,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.3.5
Severity score: Medium
CVE: CVE-2022-4562
The vulnerability has been patched, so you should update to version 1.3.5.
14. Easy Testimonials
Plugin: Easy Testimonials
Plugin slug: easy-testimonials
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 3.9.3
Severity score: Medium
CVE: CVE-2022-4577
The vulnerability has been patched, so you should update to version 3.9.3.
15. WP Visitor Statistics (Real Time Traffic)
Plugin: WP Visitor Statistics (Real Time Traffic)
Plugin slug: wp-stats-manager
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 6.5
Severity score: Medium
CVE: CVE-2022-4656
The vulnerability has been patched, so you should update to version 6.5.
16. Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)
Plugin: Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)
Plugin slug: leaflet-maps-marker
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 3.12.7
Severity score: Medium
CVE: CVE-2022-4677
The vulnerability has been patched, so you should update to version 3.12.7.
17. PPWP – WordPress Password Protect Page
Plugin: PPWP – Password Protect Pages
Plugin slug: password-protect-page
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS in Shortcode
Patched in version: 1.8.6
Severity score: Medium
CVE: CVE-2022-4626
The vulnerability has been patched, so you should update to version 1.8.6.
18. Page View Count
Plugin: Page View Count
Plugin slug: page-views-count
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 2.6.1
Severity score: Medium
CVE: CVE-2023-0095
The vulnerability has been patched, so you should update to version 2.6.1.
19. PDF.js Viewer
Plugin: PDF.js Viewer
Plugin slug: pdfjs-viewer-shortcode
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 2.1.8
Severity score: Medium
CVE: CVE-2022-4670
The vulnerability has been patched, so you should update to version 2.1.8.
20. Annual Archive
Plugin: Annual Archive
Plugin slug: anual-archive
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.6.0
Severity score: Medium
CVE: CVE-2023-0178
The vulnerability has been patched, so you should update to version 1.6.0.
21. TemplatesNext ToolKit
Plugin: TemplatesNext ToolKit
Plugin slug: templatesnext-toolkit
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 3.2.8
Severity score: Medium
CVE: CVE-2022-4678
The vulnerability has been patched, so you should update to version 3.2.8.
22. Html5 Audio Player
Plugin: Html5 Audio Player – Audio Player for WordPress
Plugin slug: html5-audio-player
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 2.1.12
Severity score: Medium
CVE: CVE-2023-0170
The vulnerability has been patched, so you should update to version 2.1.12.
23. WP Customer Area
Plugin: WP Customer Area
Plugin slug: customer-area
Installations: 10,000+
Vulnerability: RCE via CSRF
Patched in version: 8.1.4
Severity score: High
CVE: CVE-2022-4745
The vulnerability has been patched, so you should update to version 8.1.4.
24. Clean Login
Plugin: Clean Login
Plugin slug: clean-login
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.13.7
Severity score: Medium
CVE: CVE-2022-4838
The vulnerability has been patched, so you should update to version 1.13.7.
25. Giveaways and Contests by RafflePress
Plugin: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
Plugin slug: rafflepress
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.11.3
Severity score: Medium
CVE: CVE-2023-0176
The vulnerability has been patched, so you should update to version 1.11.3.
26. Materialis Companion
Plugin: Materialis Companion
Plugin slug: materialis-companion
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.3.40
Severity score: Medium
CVE: CVE-2022-4762
The vulnerability has been patched, so you should update to version 1.3.40.
27. Send PDF for Contact Form 7
Plugin: Send PDF for Contact Form 7
Plugin slug: send-pdf-for-contact-form-7
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 0.9.9.2
Severity score: Medium
CVE: CVE-2023-0143
The vulnerability has been patched, so you should update to version 0.9.9.2.
28. Restaurant Menu
Plugin: Restaurant Menu – Food Ordering System – Table Reservation
Plugin slug: menu-ordering-reservations
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 2.3.6
Severity score: Medium
CVE: CVE-2022-4657
The vulnerability has been patched, so you should update to version 2.3.6.
29. YaMaps for WordPress Plugin
Plugin: YaMaps for WordPress Plugin
Plugin slug: yamaps
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 0.6.26
Severity score: Medium
CVE: CVE-2023-0270
The vulnerability has been patched, so you should update to version 0.6.26.
30. Easy Accept Payments for PayPal
Plugin: Easy Accept Payments for PayPal
Plugin slug: wordpress-easy-paypal-payment-or-donation-accept-plugin
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 4.9.10
Severity score: Medium
CVE: CVE-2023-0275
The vulnerability has been patched, so you should update to version 4.9.10.
31. Breadcrumb
Plugin: Breadcrumb
Plugin slug: breadcrumb
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.5.33
Severity score: Medium
CVE: CVE-2022-4836
The vulnerability has been patched, so you should update to version 1.5.33.
32. WP Blog and Widget
Plugin: WP Blog and Widgets
Plugin slug: wp-blog-and-widgets
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 2.3.1
Severity score: Medium
CVE: CVE-2022-4824
The vulnerability has been patched, so you should update to version 2.3.1.
33. WP VR
Plugin: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Plugin slug: wpvr
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 8.2.7
Severity score: Medium
CVE: CVE-2023-0174
The vulnerability has been patched, so you should update to version 8.2.7.
34. YourChannel: Everything you want in a YouTube plugin
Plugin: YourChannel: Everything you want in a YouTube plugin.
Plugin slug: yourchannel
Installations: 10,000+
Vulnerabilities: Contributor+ Stored XSS via Shortcode; Subscriber+ Stored XSS
Patched in version: 1.2.3
Severity score: Medium
CVE: CVE-2022-4833
These vulnerabilities have been patched, so you should update to version 1.2.3.
35. WP-ShowHide
Plugin: WP-ShowHide
Plugin slug: wp-showhide
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.05
Severity score: Medium
CVE: CVE-2022-4825
The vulnerability has been patched, so you should update to version 1.05.
36. Simple Tooltips
Plugin: Simple Tooltips
Plugin slug: simple-tooltips
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 2.1.4
Severity score: Medium
CVE: CVE-2022-4826
The vulnerability has been patched, so you should update to version 2.1.4.
37. jQuery T(-) Countdown Widget
Plugin: jQuery T(-) Countdown Widget
Plugin slug: jquery-t-countdown-widget
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 2.3.24
Severity score: Medium
CVE: CVE-2023-0171
The vulnerability has been patched, so you should update to version 2.3.24.
38. Event Manager and Tickets Selling Plugin for WooCommerce
Plugin: Event Manager and Tickets Selling Plugin for WooCommerce
Plugin slug: mage-eventpress
Installations: 9,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 3.8.0
Severity score: Medium
CVE: CVE-2023-0144
The vulnerability has been patched, so you should update to version 3.8.0.
39. YouTube Channel
Plugin: My YouTube Channel
Plugin slug: youtube-channel
Installations: 9,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 3.23.0
Severity score: Medium
CVE: CVE-2022-4756
The vulnerability has been patched, so you should update to version 3.23.0.
40. EAN for WooCommerce
Plugin: EAN for WooCommerce
Plugin slug: ean-for-woocommerce
Installations: 9,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 4.4.3
Severity score: Medium
CVE: CVE-2023-0062
The vulnerability has been patched, so you should update to version 4.4.3.
41. WC Vendors Marketplace
Plugin: WC Vendors Marketplace – The WooCommerce Multivendor Marketplace Solution
Plugin slug: wc-vendors
Installations: 9,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 2.4.5
Severity score: Medium
CVE: CVE-2023-0072
The vulnerability has been patched, so you should update to version 2.4.5.
42. Judge.me Product Reviews for WooCommerce
Plugin: Judge.me Product Reviews for WooCommerce
Plugin slug: judgeme-product-reviews-woocommerce
Installations: 8,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.3.21
Severity score: Medium
CVE: CVE-2023-0061
The vulnerability has been patched, so you should update to version 1.3.21.
43. Responsive Gallery Grid
Plugin: Responsive Gallery Grid
Plugin slug: responsive-gallery-grid
Installations: 7,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 2.3.9
Severity score: Medium
CVE: CVE-2023-0060
The vulnerability has been patched, so you should update to version 2.3.9.
44. Simple URLs
Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
Plugin slug: simple-urls
Installations: 6,000+
Vulnerabilities: Subscriber+ SQLi; Multiple Reflected XSS
Patched in version: 115
Severity score: High
CVE: CVE-2023-0098
These vulnerabilities have been patched, so you should update to version 115.
45. Simple Membership WP
Plugin: Simple Membership WP user Import
Plugin slug: simple-membership-wp-user-import
Installations: 5,000+
Vulnerability: Admin+ SQLi
Patched in version: 1.8
Severity score: Medium
CVE: CVE-2023-0254
The vulnerability has been patched, so you should update to version 1.8.
46. WPFunnels
Plugin: Drag & Drop Sales Funnel Builder for WordPress – WPFunnels
Plugin slug: wpfunnels
Installations: 3,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 2.6.9
Severity score: Medium
CVE: CVE-2023-0173
The vulnerability has been patched, so you should update to version 2.6.9.
47. Post Category Image With Grid and Slider
Plugin: Post Category Image With Grid and Slider
Plugin slug: post-category-image-with-grid-and-slider
Installations: 3,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.4.8
Severity score: Medium
CVE: CVE-2022-4747
The vulnerability has been patched, so you should update to version 1.4.8.
48. PDF Generator for WordPress
Plugin: PDF Generator for WordPress – Create & Customize PDF for Post, Pages and WooCommerce Products
Plugin slug: pdf-generator-for-wp
Installations: 1,000+
Vulnerability: Reflected XSS
Patched in version: 1.1.2
Severity score: High
CVE: CVE-2022-4321
The vulnerability has been patched, so you should update to version 1.1.2.
49. uTubeVideo Gallery
Plugin: uTubeVideo Gallery
Plugin slug: utubevideo-gallery
Installations: 500+
Vulnerability: Contributor+ Stored XSS
Patched in version: 2.0.8
Severity score: Medium
CVE: CVE-2023-0151
The vulnerability has been patched, so you should update to version 2.0.8.
50. GamiPress – Vimeo integration
Plugin: GamiPress – Vimeo integration
Plugin slug: gamipress-vimeo-integration
Installations: 400+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.0.9
Severity score: Medium
CVE: CVE-2023-0154
The vulnerability has been patched, so you should update to version 1.0.9.
51. WP FullCalendar
Plugin: WP FullCalendar
Plugin slug: wp-fullcalendar
Vulnerability: Unauthenticated Arbitrary Post Access
Patched in version: 1.5
Severity score: High
CVE: CVE-2022-3891
The vulnerability has been patched, so you should update to version 1.5.
52. Hide My WP
Plugin: Hide My WP
Plugin slug: hide_my_wp
Vulnerability: Unauthenticated SQLi
Patched in version: 6.2.9
Severity score: High
CVE: CVE-2022-4681
The vulnerability has been patched, so you should update to version 6.2.9.
WordPress Plugin Vulnerabilities – No Known Fix
Until a patch is available, immediately uninstall and delete the plugin.
Widget Shortcode
Plugin: Widget Shortcode
Plugin slug: widget-shortcode
Installations: 80,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: No fix
Severity score: Medium
CVE: CVE-2022-4473
The vulnerability has not been patched. You should deactivate the plugin.
Widgets on Pages
Plugin: Widgets on Pages
Plugin slug: widgets-on-pages
Installations: 30,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: No fix
Severity score: Medium
CVE: CVE-2022-4488
The vulnerability has not been patched. You should deactivate the plugin.
Rich Table of Contents
Plugin: Rich Table of Contents
Plugin slug: rich-table-of-content
Installations: 30,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: No fix
Severity score: Medium
CVE: CVE-2022-4551
The vulnerability has not been patched. You should deactivate the plugin.
WordPrezi
Plugin: WordPrezi
Plugin slug: wordprezi
Vulnerability: Contributor+ Stored XSS
Patched in version: No fix
Severity score: Medium
CVE: CVE-2023-0149
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Naver Map
Plugin: Naver Map
Plugin slug: naver-map
Vulnerability: Contributor+ Stored XSS
Patched in version: No fix
Severity score: Medium
CVE: CVE-2023-0146
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Gallery Factory Lite
Plugin: Gallery Factory Lite
Plugin slug: gallery-factory-lite
Vulnerability: Contributor+ Stored XSS
Patched in version: No fix
Severity score: Medium
CVE: CVE-2023-0148
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
ResponsiveVoice Text To Speech
Plugin: ResponsiveVoice Text To Speech
Plugin slug: responsivevoice-text-to-speech
Vulnerability: Contributor+ Stored XSS
Patched in version: No fix
Severity score: Medium
CVE: CVE-2023-0070
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Vimeo Video Autoplay Automute
Plugin: Vimeo Video Autoplay Automute
Plugin slug: vimeo-video-autoplay-automute
Vulnerability: Contributor+ Stored XSS
Patched in version: No fix
Severity score: Medium
CVE: CVE-2023-0153
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Flexible Captcha
Plugin: Flexible Captcha
Plugin slug: flexible-captcha
Vulnerability: Contributor+ Stored XSS
Patched in version: No fix
Severity score: Medium
CVE: CVE-2023-0147
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Cloak Front End Email
Plugin: Cloak Front End Email
Plugin slug: cloak-front-end-email
Vulnerability: Contributor+ Stored XSS
Patched in version: No fix
Severity score: Medium
CVE: CVE-2023-0150
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Theme Vulnerabilities
Good news! No new WordPress theme vulnerabilities were disclosed this week.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we have already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!