WordPress Vulnerabilities Digest - December 2021 Part 1
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
1. Logo Carousel
Plugin: Logo Carousel
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 3.4.2
Severity Score: Medium
The vulnerability is patched, so you should update to version 3.4.2.
Plugin: Logo Carousel
Vulnerability: Unauthorised Private Post Access
Patched in Version: 3.4.2
Severity Score: Medium
The vulnerability is patched, so you should update to version 3.4.2.
2. Ni WooCommerce Custom Order Status
Plugin: Ni WooCommerce Custom Order Status
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 1.9.7
Severity Score: High
The vulnerability is patched, so you should update to version 1.9.7.
3. WCFM
Plugin: WCFM
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 3.4.12
Severity Score: High
The vulnerability is patched, so you should update to version 3.4.12.
4. Everest Forms
Plugin: Everest Forms
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.8.0
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.8.0.
5. WP Visitor Statistics (Real Time Traffic)
Plugin: WP Visitor Statistics (Real Time Traffic)
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 4.8
Severity Score: High
The vulnerability is patched, so you should update to version 4.8.
6. Kudos Donations
Plugin: Kudos Donations
Vulnerability: Arbitrary Items Deletion via CSRF
Patched in Version: 3.1.2
Severity Score: High
The vulnerability is patched, so you should update to version 3.1.2.
7. Icegram
Plugin: Icegram
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.0.5
Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.5.
8. Blog2Social
Plugin: Blog2Social
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.8.7
Severity Score: High
The vulnerability is patched, so you should update to version 6.8.7.
9. Paid Memberships Pro
Plugin: Paid Memberships Pro
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.6.6
Severity Score: High
The vulnerability is patched, so you should update to version 2.6.6.
10. WPFront User Role Editor
Plugin: WPFront User Role Editor
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.2.1.11184
Severity Score: Medium
The vulnerability is patched, so you should update to version 3.2.1.11184.
11. Tickera
Plugin: Tickera
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 3.4.8.3
Severity Score: High
The vulnerability is patched, so you should update to version 3.4.8.3.
12. WP Guppy
Plugin: WP Guppy
Vulnerability: Sensitive Information Disclosure
Patched in Version: 1.3
Severity Score: High
The vulnerability is patched, so you should update to version 1.3.
13. Simple JWT Login
Plugin: Simple JWT Login
Vulnerability: Insecure Password Creation
Patched in Version: 3.3.0
Severity Score: Low
The vulnerability is patched, so you should update to version 3.3.0.
14. myCRED
Plugin: myCRED
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.7.8
Severity Score: High
The vulnerability is patched, so you should update to version 1.7.8.
15. Hide My WP
Plugin: Hide My WP
Vulnerability: Unauthenticated Plugin Deactivation
Patched in Version: 6.2.4
Severity Score: Medium
The vulnerability is patched, so you should update to version 6.2.4.
Plugin: Hide My WP
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 6.2.4
Severity Score: High
The vulnerability is patched, so you should update to version 6.2.4.
16. Awesome Support WordPress HelpDesk & Support Plugin
Plugin: Awesome Support WordPress HelpDesk & Support Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.0.7
Severity Score: High
The vulnerability is patched, so you should update to version 6.0.7.
17. Display Post Metadata
Plugin: Display Post Metadata
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 1.5.0
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.5.0.
18. Floating Social Media Icon
Plugin: Floating Social Media Icon
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: Low
This vulnerability has NOT been patched. This plugin has been closed as of October 27, 2021. Uninstall and delete.
19. Gwolle Guestbook
Plugin: Gwolle Guestbook
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.2.0
Severity Score: Medium
The vulnerability is patched, so you should update to version 4.2.0.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!