Threat Alerts / Dec 29, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

 

WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

1. Contact Form 7 Database Addon

Plugin: Contact Form 7 Database Addon Vulnerability: Unauthenticated Stored Cross-Site Scripting Active Installation: 400,000+ Patched in Version: 1.2.6.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.6.2.

Plugin: Contact Form 7 Database Addon Vulnerability: Arbitrary Form Deletion via CSRF Active Installation: 400,000+ Patched in Version: 1.2.6.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.6.2.

2. Easy Forms for Mailchimp

Plugin: Easy Forms for Mailchimp Vulnerability: Reflected Cross-Site Scripting Active Installation: 100,000+ Patched in Version: 6.8.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 6.8.6.

3. Relevanssi – A Better Search

Plugin: Relevanssi – A Better Search Vulnerability: Unauthenticated Stored Cross-Site Scripting Active Installation: 100,000+ Patched in Version: 4.14.3 Severity Score: High

The vulnerability is patched, so you should update to version 4.14.3.

4. Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue

Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue Vulnerability: Reflected Cross-Site Scripting Active Installation: 90,000+ Patched in Version: 3.1.25 Severity Score: High

The vulnerability is patched, so you should update to version 3.1.25.

5. Product Feed PRO for WooCommerce

Plugin: Product Feed PRO for WooCommerce Vulnerability: Subscriber+ Settings Update to Stored XSS Active Installation: 80,000+ Patched in Version: 11.0.7 Severity Score: High

The vulnerability is patched, so you should update to version 11.0.7.

6. Post Grid

Plugin: Post Grid Vulnerability: Contributor+ SQL Injection Active Installation: 60,000+ Patched in Version: 2.1.13 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.1.13.

7. Contact Form Entries

Plugin: Contact Form Entries Vulnerability: Unauthenticated Stored Cross-Site Scripting Active Installation: 40,000+ Patched in Version: 1.2.4 Severity Score: High

The vulnerability is patched, so you should update to version 1.2.4.

8. Event Tickets

Plugin: Event Tickets Vulnerability: Open Redirect Active Installation: 40,000+ Patched in Version: 5.2.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 5.2.2.

9. Advanced Custom Fields: Extended

Plugin: Advanced Custom Fields: Extended Vulnerability: Admin+ SQL Injection Active Installation: 40,000+ Patched in Version: 0.8.8.7 Severity Score: Medium

The vulnerability is patched, so you should update to version 0.8.8.7.

10. Accept Donations with PayPal

Plugin: Accept Donations with PayPal Vulnerability: Arbitrary Post Deletion via CSRF Active Installation: 30,000+ Patched in Version: 1.3.4 Severity Score: High

The vulnerability is patched, so you should update to version 1.3.4.

11. ACF Photo Gallery Field

Plugin: ACF Photo Gallery Field Vulnerability: Reflected Cross-Site Scripting Active Installation: 30,000+
Patched in Version: 1.7.5 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.5.

12. Simple Download Monitor

Plugin: Simple Download Monitor Vulnerability: Multiple CSRF Active Installation: 30,000+ Patched in Version: 3.9.11 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.9.11.

13. Protect WP Admin

Plugin: Protect WP Admin Vulnerability: Unauthenticated Plugin Deactivation Active Installation: 30,000+
Patched in Version: 3.6.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.6.2.

14. Backup and Staging by WP Time Capsule

Plugin: Backup and Staging by WP Time Capsule Vulnerability: Reflected Cross-Site Scripting Active Installation: 20,000+ Patched in Version: 1.22.7 Severity Score: High

The vulnerability is patched, so you should update to version 1.22.7.

15. Event Calendar

Plugin: Event Calendar Vulnerability: Reflected Cross-Site Scripting Active Installation: 20,000+ Patched in Version: 1.1.51 Severity Score: High

The vulnerability is patched, so you should update to version 1.1.51.

Plugin: Event Calendar Vulnerability: Subscriber+ Event Creation Active Installation: 20,000+ Patched in Version: 1.1.51 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.1.51.

16. Five Star Restaurant Reservations 

Plugin: Five Star Restaurant Reservations Vulnerability: Subscriber+ Stored Cross-Site Scripting Active Installation: 20,000+ Patched in Version: 2.4.8 Severity Score: High

The vulnerability is patched, so you should update to version 2.4.8.

17. Asgaros Forum

Plugin: Asgaros Forum Vulnerability: Admin+ SQL Injection via forum_id Active Installation: 20,000+ Patched in Version: 1.15.15 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.15.15.

18. WP125

Plugin: WP125 Vulnerability: Arbitrary Ad Deletion via CSRF Active Installation: 10,000+ Patched in Version: 1.5.5 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.5.5.

19. Affiliates Manager

Plugin: Affiliates Manager Vulnerability: Unauthenticated Stored Cross-Site Scripting Active Installation: 10,000+ Patched in Version: 2.9.0 Severity Score: High

The vulnerability is patched, so you should update to version 2.9.0.

20. Smart SEO Tool 

Plugin: Smart SEO Tool Vulnerability: Reflected Cross-Site Scripting Active Installation: 9,000+ Patched in Version: 3.0.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.0.6.

21. tarteaucitron.js – Cookies legislation & GDPR

Plugin: tarteaucitron.js – Cookies legislation & GDPR Vulnerability: CSRF to Stored Cross-Site Scripting Active Installation: 7,000+ Patched in Version: 1.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.6.

Plugin: tarteaucitron.js – Cookies legislation & GDPR Vulnerability: Admin + Stored Cross-Site Scripting Active Installation: 7,000+ Patched in Version: 1.6.1 Severity Score: Low

The vulnerability is patched, so you should update to version 1.6.1.

22. SEO Booster

Plugin: SEO Booster Vulnerability: Admin+ SQL Injection Active Installation: 4,000+ Patched in Version: 3.8 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.8.

23. Booking.com Banner Creator

Plugin: Booking.com Banner Creator Vulnerability: Admin+ Stored Cross-Site Scripting Active Installation: 3,000+ Patched in Version: 1.4.3 Severity Score: Low

The vulnerability is patched, so you should update to version 1.4.3.

24. Profile Extra Fields

Plugin: Profile Extra Fields Vulnerability: Reflected Cross-Site Scripting Active Installation: 2,000+ Patched in Version: 1.2.4 Severity Score: High

The vulnerability is patched, so you should update to version 1.2.4.

25. Booking.com Product Helper

Plugin: Booking.com Product Helper Vulnerability: Admin+ Stored Cross-Site Scripting Active Installation: 2,000+ Patched in Version: 1.0.2 Severity Score: Low

The vulnerability is patched, so you should update to version 1.0.2.

26. SEUR Oficial

Plugin: SEUR Oficial Vulnerability: Admin+ Stored Cross-Site Scripting Active Installation: 1,000+ Patched in Version: 1.7.0 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.0.

27. Spreadsheet Integration

Plugin: Spreadsheet Integration Vulnerability: CSRF Bypass Active Installation: 1,000+ Patched in Version: 3.6.0 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.6.0.

Plugin: Spreadsheet Integration Vulnerability: Reflected Cross-Site Scripting Active Installation: 1,000+ Patched in Version: 3.6.0 Severity Score: High

The vulnerability is patched, so you should update to version 3.6.0.

28. ClickBank Affiliate Ads

Plugin: ClickBank Affiliate Ads Vulnerability: Admin+ Stored Cross-Site Scripting Active Installation: 700+ Patched in Version: 1.35 Severity Score: Low

The vulnerability is patched, so you should update to version 1.35.

Plugin: ClickBank Affiliate Ads Vulnerability: CSRF to Stored Cross-Site Scripting Active Installation: 700+ Patched in Version: 1.35 Severity Score: High

The vulnerability is patched, so you should update to version 1.35.

29. Stetic

Plugin: Stetic Vulnerability: CSRF to Stored Cross-Site Scripting Active Installation: 300+ Patched in Version: 1.0.9 Severity Score: High

The vulnerability is patched, so you should update to version 1.0.9.

30. Mobile Events Manager

Plugin: Mobile Events Manager Vulnerability: Admin+ Stored Cross-Site Scripting Active Installation: 20+ Patched in Version: 1.4.4 Severity Score: Low

The vulnerability is patched, so you should update to version 1.4.4.

31. AnyComment 

Plugin: AnyComment Vulnerability: Reflected Cross-Site Scripting Active Installation: 4,000+ Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

32. Tabs

Plugin: Tabs Vulnerability: Unauthenticated Arbitrary Option Update Patched in Version: 3.6.0 – plugin closed Severity Score: Critical

This vulnerability has been patched. This plugin has been closed as of December 20, 2021. Uninstall and delete.

33. Shortcode Addons

Plugin: Shortcode Addons Vulnerability: Unauthenticated Arbitrary Option Update Patched in Version: 3.1.0 – plugin closed Severity Score: Critical

This vulnerability has been patched. This plugin has been closed as of December 20, 2021. Uninstall and delete.

 

 

If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay! 

The information for this blog post was taken from iThemes Vulnerability Roundup

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!