WordPress Vulnerabilities Digest - March 2022 Part 4

Threat Alerts / March 24, 2022
WordPress 5.9.2 was released on March 11, 2022, as a security and maintenance release with 1 bug fix and 3 security fixes. Because this is a security release, be sure to update to WordPress 5.9.2 as soon as possible!

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. One Click Demo Import

PLUGIN: One Click Demo Import
INSTALLATIONS: 1,000,000+
VULNERABILITY: Admin+ Arbitrary File Upload
PATCHED IN VERSION: 3.1.0
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 3.1.0.

2. Favicon by RealFaviconGenerator

PLUGIN: Favicon by RealFaviconGenerator
INSTALLATIONS: 200,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: 1.3.23
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 1.3.23.

3. Download Manager

PLUGIN: Download Manager
INSTALLATIONS: 100,000+
VULNERABILITY: Unauthenticated brute force of files master key
PATCHED IN VERSION: 3.2.39
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 3.2.39.

4. WPvivid Backup and Migration Plugin

PLUGIN: Migration, Backup, Staging WPvivid
INSTALLATIONS: 100,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: 0.9.70
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 0.9.70.

5. Responsive Menu

PLUGIN: Responsive Menu Create Mobile-Friendly Menu
INSTALLATIONS: 100,000+
VULNERABILITY: Subscriber+ Arbitrary File Upload / Theme Deletion / Plugin Settings Update
PATCHED IN VERSION: 4.1.8
SEVERITY SCORE: High

The vulnerability has been patched, so you should update to version 4.1.8.

6. LearnPress

PLUGIN: LearnPress WordPress LMS Plugin
INSTALLATIONS: 100,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: 4.1.6
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 4.1.6.

7. Image optimization & Lazy Load

PLUGIN: Image optimization & Lazy Load by Optimole
INSTALLATIONS: 80,000+
VULNERABILITY: Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: 3.3.2
SEVERITY SCORE: Low

The vulnerability has been patched, so you should update to version 3.3.2.

8. Post Grid

PLUGIN: Post Grid
INSTALLATIONS: 60,000+
VULNERABILITY: Reflected Cross-Site Scripting via keyword; Reflected Cross-Site Scripting via post_types
PATCHED IN VERSION: 2.1.16
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 2.1.16.

9. Super Socializer

PLUGIN: Social Share, Social Login and Social Comments Plugin Super Socializer
INSTALLATIONS: 50,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: 7.13.30
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 7.13.30.

10. Easy Smooth Scroll Links

PLUGIN: Easy Smooth Scroll Links Smooth Scrolling Anchor
INSTALLATIONS: 50,000+
VULNERABILITY: Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: 2.23.1
SEVERITY SCORE: Low

The vulnerability has been patched, so you should update to version 2.23.1.

11. FV Flowplayer Video Player

PLUGIN: FV Flowplayer Video Player
INSTALLATIONS: 40,000+
VULNERABILITY: Author+ SQLi
PATCHED IN VERSION: 7.5.18.727
SEVERITY SCORE: High

The vulnerability has been patched, so you should update to version 7.5.18.727.

12. Easy Social Icons

PLUGIN: Easy Social Icons
INSTALLATIONS: 40,000+
VULNERABILITY: Admin+ Stored Cross-Site Scripting; Admin+ Stored Cross-Site Scripting in add icon; Unauthenticated Arbitrary Icon Deletion
PATCHED IN VERSION: 3.2.1
SEVERITY SCORE: Low

The vulnerability has been patched, so you should update to version 3.2.1.

13. Export All URLs

PLUGIN: Export All URLs
INSTALLATIONS: 30,000+
VULNERABILITY: Private/Draft Post/Page Title Disclosure via CSRF; Reflected Cross-Site Scripting
PATCHED IN VERSION: 4.3
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 4.3.

14. iQ Block Country

PLUGIN: iQ Block Country
INSTALLATIONS: 30,000+
VULNERABILITY: Admin+ Arbitrary File Deletion via Zip Slip
PATCHED IN VERSION: 1.2.13
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 1.2.13.

15. GridKit Portfolio

PLUGIN: Portfolio Gallery, Product Catalog Grid KIT Portfolio
INSTALLATIONS: 10,000+
VULNERABILITY: Subscriber+ Stored Cross-Site Scripting
PATCHED IN VERSION: 2.1.0
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 2.1.0.

16. WP Block and Stop Bad Bots

PLUGIN: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
INSTALLATIONS: 10,000+
VULNERABILITY: Unauthenticated SQLi
PATCHED IN VERSION: 6.930
SEVERITY SCORE: High

The vulnerability has been patched, so you should update to version 6.930.

17. Salon booking system

PLUGIN: Salon booking system
INSTALLATIONS: 8,000+
VULNERABILITY: Customer+ Bookings/Customers Data Disclosure; Unauthenticated Sensitive Data Disclosure
PATCHED IN VERSION: 7.6.3
SEVERITY SCORE: High

The vulnerability has been patched, so you should update to version 7.6.3.

18. Podcast Importer SecondLine

PLUGIN: Podcast Importer SecondLine
INSTALLATIONS: 6,000+
VULNERABILITY: Admin+ SQLi
PATCHED IN VERSION: 1.3.8
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 1.3.8.

19. Advanced Booking Calendar

PLUGIN: Advanced Booking Calendar
INSTALLATIONS: 5,000+
VULNERABILITY: Reflected Cross-Site Scripting; Admin+ SQLi
PATCHED IN VERSION: 1.7.1
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 1.7.1.

WordPress Plugin Vulnerabilities with No Known Fix

Sassy Social Share

PLUGIN: Social Sharing Plugin Sassy Social Share
INSTALLATIONS: 100,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium

The vulnerability has not been patched. You should deactivate the plugin.

NS WooCommerce Watermark

PLUGIN: NS WooCommerce Watermark
VULNERABILITY: Abuse of Functionality
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

Good news! No new WordPress theme vulnerabilities were disclosed this week.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!