Threat Alerts / Jan 05, 2022

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

 

WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

1. UpdraftPlus

Plugin: UpdraftPlus Vulnerability: Reflected Cross-Site Scripting Active Installation: 3+ million Patched in Version: 1.16.569 Severity Score: High

The vulnerability is patched, so you should update to version 1.16.59.

Plugin: UpdraftPlus Vulnerability: Admin+ Stored Cross-Site Scripting Active Installation: 3+ million Patched in Version: 1.6.59 Severity Score: Low

The vulnerability is patched, so you should update to version 1.6.59.

Plugin: UpdraftPlus Vulnerability: Admin+ Local File Inclusion Active Installation: 3+ million Patched in Version: 1.16.59 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.16.59.

2. WebP Converter for Media

Plugin: WebP Converter for Media Vulnerability: Unauthenticated Open redirect Active Installation: 100,000+ Patched in Version: 4.0.3 Severity Score: Medium

The vulnerability is patched, so you should update to version 4.0.3.

3. WOOF – Products Filter for WooCommerce

Plugin: WOOF – Products Filter for WooCommerce Vulnerability: Reflected Cross-Site Scripting Active Installation: 100,000+ Patched in Version: 1.2.6.3 Severity Score: High

The vulnerability is patched, so you should update to version 1.2.6.3.

4. LearnPress

Plugin: LearnPress Vulnerability: Admin+ Stored Cross-Site Scripting Active Installation: 100,000+ Patched in Version: 4.1.3.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 4.1.3.2.

5. WP Post Page Clone

Plugin: WP Post Page Clone Vulnerability: Unauthorised Post Access Active Installation: 80,000+ Patched in Version: 1.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.

6. WP Extra File Types

Plugin: WP Extra File Types Vulnerability: CSRF to Stored Cross-Site Scripting Active Installation: 50,000+ Patched in Version: 0.5.1 Severity Score: High

The vulnerability is patched, so you should update to version 0.5.1.

7. Tutor LMS

Plugin: Tutor LMS Vulnerability: Subscriber+ Stored Cross-Site Scripting Active Installation: 40,000+ Patched in Version: 1.9.12 Severity Score: High

The vulnerability is patched, so you should update to version 1.9.12.

Plugin: Tutor LMS Vulnerability: Reflected Cross-Site Scripting Active Installation: 40,000+ Patched in Version: 1.9.12 Severity Score: High

The vulnerability is patched, so you should update to version 1.9.12.

8. Custom Dashboard & Login Page

Plugin: Custom Dashboard & Login Page Vulnerability: Admin+ Stored Cross-Site Scripting Active Installation: 40,000+ Patched in Version: 7.0 Severity Score: Medium

The vulnerability is patched, so you should update to version 7.0.

9. Ultimate FAQ

Plugin: Ultimate FAQ Vulnerability: Subscriber+ Arbitrary FAQ Creation Active Installation: 30,000+ Patched in Version: 2.1.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.1.2.

10. WP User Frontend

Plugin: WP User Frontend Vulnerability: SQL Injection to Reflected Cross-Site Scripting Active Installation: 30,000+ Patched in Version: 3.5.26 Severity Score: High

The vulnerability is patched, so you should update to version 3.5.26.

11. myCred

Plugin: myCred Vulnerability: Reflected Cross-Site Scripting Active Installation: 20,000+ Patched in Version: 2.4 Severity Score: High

The vulnerability is patched, so you should update to version 2.4.

12. Image Hover Effects Ultimate

Plugin: Image Hover Effects Ultimate Vulnerability: Reflected Cross-Site Scripting Active Installation: 20,000+ Patched in Version: 9.7.1 Severity Score: High

The vulnerability is patched, so you should update to version 9.7.1.

13. Qubely

Plugin: Qubely Vulnerability: Subscriber+ Arbitrary FAQ Creation Active Installation: 10,000+ Patched in Version: 1.7.8 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.8.

14. Registration Magic

Plugin: Registration Magic Vulnerability: Reflected Cross-Site Scripting Active Installation: 10,000+ Patched in Version: 5.0.1.9 Severity Score: High

The vulnerability is patched, so you should update to version 5.0.1.9.

15. Orders Tracking for WooCommerce

Plugin: Orders Tracking for WooCommerce Vulnerability: Reflected Cross-Site Scripting Active Installation: 10,000+ Patched in Version: 1.1.10 Severity Score: High

The vulnerability is patched, so you should update to version 1.1.10.

16. Link Library

Plugin: Link Library Vulnerability: Reflected Cross-Site Scripting Active Installation: 10,000+ Patched in Version: 7.2.8 Severity Score: Medium

The vulnerability is patched, so you should update to version 7.2.8.

Plugin: Link Library Vulnerability: Library Settings Reset via CSRF Active Installation: 10,000+ Patched in Version: 7.2.8 Severity Score: Medium

The vulnerability is patched, so you should update to version 7.2.8.

Plugin: Link Library Vulnerability: Unauthenticated Arbitrary Links Deletion Active Installation: 10,000+ Patched in Version: 7.2.8 Severity Score: Medium

The vulnerability is patched, so you should update to version 7.2.8.

17. AF Companion

Plugin: AF Companion Vulnerability: Arbitrary Plugin Installation & Activation via CSRF Active Installation: 9,000+ Patched in Version: 1.2.0 Severity Score: High

The vulnerability is patched, so you should update to version 1.2.0.

18. KNR Author List Widget 

Plugin: KNR Author List Widget Vulnerability: Unauthenticated SQL Injection Active Installation: 200+ Patched in Version: 3.0.0 Severity Score: Critical

The vulnerability is patched, so you should update to version 3.0.0.

19. WP Cookie User Info

Plugin: WP Cookie User Info Vulnerability: Admin+ SQL Injection Active Installation: 200+ Patched in Version: 1.0.9 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.9.

20. LabTools

Plugin: LabTools Vulnerability: Subscriber+ Arbitrary Publication Deletion Patched in Version: No known fix – plugin closed Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of December 28, 2021. Uninstall and delete.

21. Domain Check

Plugin: Domain Check Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of December 28, 2021. Uninstall and delete.

22. Orders Tracking for WooCommerce

Plugin: Error Log Viewer Vulnerability: Arbitrary Text File Deletion via CSRF Patched in Version: No known fix – plugin closed Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of November 10, 2021. Uninstall and delete.

23. WP Visited Countries Reloaded

Plugin: WP Visited Countries Reloaded Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.1.1- plugin closed Severity Score: High

This vulnerability has been patched. This plugin has been closed as of September 23, 2021. Uninstall and delete.

24. Learning Courses

Plugin: Learning Courses Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 5.0 – plugin closed Severity Score: Low

This vulnerability has been patched. This plugin has been closed as of October 8, 2021. Uninstall and delete.

25. Perfect Survey

Plugin: Perfect Survey Vulnerability: Unauthorised AJAX Call to Stored XSS / Survey Settings Update Patched in Version: 1.5.2 – plugin closed Severity Score: High

This vulnerability has been patched. This plugin has been closed as of October 5, 2021. Uninstall and delete.

Plugin: Perfect Survey Vulnerability: Unauthorised AJAX Call to Stored XSS / Survey Settings Update Patched in Version: 1.5.2 – plugin closed Severity Score: High

This vulnerability has been patched. This plugin has been closed as of October 5, 2021. Uninstall and delete.

Plugin: Perfect Survey Vulnerability: Unauthenticated SQL Injection Patched in Version: 1.5.2 – plugin closed Severity Score: High

This vulnerability has been patched. This plugin has been closed as of October 5, 2021. Uninstall and delete.

Plugin: Perfect Survey Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.5.2 – plugin closed Severity Score: High

This vulnerability has been patched. This plugin has been closed as of October 5, 2021. Uninstall and delete.

Plugin: Perfect Survey Vulnerability: Unauthenticated Stored Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: High

This vulnerability has been patched. This plugin has been closed as of October 5, 2021. Uninstall and delete.

26. Mediamatic

Plugin: Mediamatic Vulnerability: Subscriber+ SQL Injection Active Installation: 3,000+ Patched in Version: No known fix Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

 

 

If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay! 

The information for this blog post was taken from iThemes Vulnerability Roundup

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!