Connect with us

WordPress News

WordPress Vulnerability Report: December 2021, Part 1

Published

on

WordPress Vulnerability Report


Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of LowMediumHigh, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

Please share this post with your friends to help get the word out and make WordPress safer for everyone.

Want this report delivered to your inbox each week?

WordPress Hosting: GoDaddy Hacked

In a security disclosure published on November 21, 2021, GoDaddy says that up to 1.2 million active and inactive customers have been exposed after hackers gained access to its managed WordPress hosting platform.

We wrote a post to unpack a few of the details of the recent GoDaddy hack, how it affects customers, and our recommendations for what to do if you’re a WordPress hosting customer at GoDaddy.

WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.

Plugin: Logo Carousel
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 3.4.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.4.2.

Plugin: Logo Carousel
Vulnerability: Unauthorised Private Post Access
Patched in Version: 3.4.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.4.2.

2. Ni WooCommerce Custom Order Status

Plugin: Ni WooCommerce Custom Order Status
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 1.9.7
Severity Score: High

The vulnerability is patched, so you should update to version 1.9.7.

3. WCFM

Plugin: WCFM
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 3.4.12
Severity Score: High

The vulnerability is patched, so you should update to version 3.4.12.

4. Everest Forms

Plugin: Everest Forms
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.8.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.8.0.

5. WP Visitor Statistics (Real Time Traffic)

Plugin: WP Visitor Statistics (Real Time Traffic)
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 4.8
Severity Score: High

The vulnerability is patched, so you should update to version 4.8.

6. Kudos Donations

Plugin: Kudos Donations
Vulnerability: Arbitrary Items Deletion via CSRF
Patched in Version: 3.1.2
Severity Score: High

The vulnerability is patched, so you should update to version 3.1.2.

7. Icegram 

Plugin: Icegram 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.0.5
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.5.

8. Blog2Social

Plugin: Blog2Social
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.8.7
Severity Score: High

The vulnerability is patched, so you should update to version 6.8.7.

9. Paid Memberships Pro

Plugin: Paid Memberships Pro
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.6.6
Severity Score: High

The vulnerability is patched, so you should update to version 2.6.6.

10. WPFront User Role Editor

Plugin: WPFront User Role Editor
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.2.1.11184
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.2.1.11184.

11. Tickera 

Plugin: Tickera 
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 3.4.8.3
Severity Score: High

The vulnerability is patched, so you should update to version 3.4.8.3.

12. WP Guppy

Plugin: WP Guppy
Vulnerability: Sensitive Information Disclosure
Patched in Version: 1.3
Severity Score: High

The vulnerability is patched, so you should update to version 1.3.

13. Simple JWT Login

Plugin: Simple JWT Login
Vulnerability: Insecure Password Creation
Patched in Version: 3.3.0
Severity Score: Low

The vulnerability is patched, so you should update to version 3.3.0.

14. myCRED

Plugin: myCRED
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.7.8
Severity Score: High

The vulnerability is patched, so you should update to version 1.7.8.

15. Hide My WP

Plugin: Hide My WP
Vulnerability: Unauthenticated Plugin Deactivation
Patched in Version: 6.2.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 6.2.4.

Plugin: Hide My WP
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 6.2.4
Severity Score: High

The vulnerability is patched, so you should update to version 6.2.4.

16. Awesome Support – WordPress HelpDesk & Support Plugin

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.0.7
Severity Score: High

The vulnerability is patched, so you should update to version 6.0.7.

17. Display Post Metadata

Plugin: Display Post Metadata
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 1.5.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.5.0.

18. Floating Social Media Icon

Plugin: Floating Social Media Icon
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 27, 2021. Uninstall and delete.

19. Gwolle Guestbook

Plugin: Gwolle Guestbook
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.2.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.2.0.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Get iThemes Security Pro

WordPress Vulnerability Report





Source link

Continue Reading
Click to comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.