WordPress Vulnerability Report – February 2, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.

Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Read the 2021 Annual Report

Download the Infographic

WordPress 5.9: Core Major Version Update Now Available

WordPress 5.9 “Joséphine” was released on January 25, 2022, as the first major WordPress core release of the year. The biggest thing to know about WordPress 5.9 is simply this: Full Site Editing (FSE) using the WordPress block editor is here (well, if you want to use it or your theme supports it).

WordPress 5.9 represents the largest release of Gutenberg features since the initial Gutenberg launch in WordPress 5.0. In addition, WordPress 5.9 includes 99 enhancements and 100 bug fixes.

In this post, we unpack what’s new and noteworthy in WordPress 5.9 so you can get the most out of the latest version of WordPress.

You can update to WordPress 5.9 by downloading from WordPress.org or visiting your WordPress admin dashboard > Updates and clicking Update Now.

If you have sites that have enabled automatic background updates, they should have already updated successfully. Just be sure to verify that all your WordPress sites are on WordPress 5.9.

See what’s new in WordPress 5.9

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

Essential Addons for Elementor

Plugin: Essential Addons for Elementor

Use Any Font

Plugin: Use Any Font | Custom Font Uploader
Vulnerability: Unauthenticated Arbitrary CSS Appending

TI WooCommerce Wishlist

Vulnerability: Unauthenticated Blind SQL Injection

StatCounter

Plugin: StatCounter – Free Real Time Visitor Stats
Vulnerability: Admin+ Stored Cross-Site Scripting

WPvivid Backup and Migration Plugin

Plugin: Migration, Backup, Staging – WPvivid Backup and Migration Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting

LearnPress

Plugin: LearnPress – WordPress LMS Plugin

WP RSS Aggregator

Vulnerability: Reflected Cross-Site Scripting (XSS)

Simple Membership

Vulnerability: Arbitrary Member Deletion via CSRF

Better Notifications for WP

Plugin: Customize WordPress Emails and Alerts – Better Notifications for WP

Post Snippets

Vulnerability: CSRF to Stored Cross-Site Scripting

Blackhole for Bad Bots

Plugin: Blackhole for Bad Bots
Vulnerability: Arbitrary IP Address Blocking via IP Spoofing

WP Visitor Statistics (Real Time Traffic)

Plugin: WP Visitor Statistics (Real Time Traffic)
Vulnerability: Arbitrary IP Address Exclusion to Stored XSS

WP Accessibility Helper (WAH)

Plugin: WP Accessibility Helper (WAH)
Vulnerability: Reflected Cross-Site Scripting (XSS)

Asgaros Forum

WP Google Map

Plugin: Maps Plugin using Google Maps for WordPress – WP Google Map
Vulnerability: Arbitrary Post Deletion and Plugin’s Settings Update via CSRF

WHMCS Bridge

Vulnerability: Reflected Cross-Site Scripting (XSS)

WP Review Slider

WP Ultimate CSV Importer

Plugin: Easy Drag And drop All Import : WP Ultimate CSV Importer
Vulnerability: Admin+ Stored Cross-Site Scripting

AP Custom Testimonial

Plugin: Testimonial WordPress Plugin – AP Custom Testimonial
Vulnerability: Reflected Cross-Site Scripting; Admin+ SQL Injection

Logo Showcase with Slick Slider

Plugin: Logo Showcase with Slick Slider – Logo Carousel, Logo Slider & Logo Grid
Vulnerability: Arbitrary Media Title/Description/Alt Text/URL Update via CSRF

WP User

Plugin: WP User – Custom Registration Forms, Login and User Profile

WS Form

Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress
Vulnerability: Admin+ Stored Cross-Site Scripting; Unauthenticated Stored Cross-Site Scripting

Premium Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure

Super Forms

Plugin: Super Forms – Drag & Drop Form Builder

WordPress GDPR & CCPA

Vulnerability: Authenticated Reflected Cross-Site Scripting; Unauthenticated Reflected Cross-Site Scripting

Ti WooCommerce Wishlist Pro

Plugin: TI WooCommerce Wishlist Pro
Vulnerability: Unauthenticated Blind SQL Injection

AdSanity

Vulnerability: Contributor Arbitrary File Upload

WordPress Plugin Vulnerabilities – No Known Fix

Embed Swagger

Patched in Version: No Fix

Crazy Bone

Patched in Version: No Fix

WP Responsive Menu

Patched in Version: No Fix

WordPress Theme Vulnerabilities

No new theme vulnerabilities were disclosed this week.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

1. Install the iThemes Security Pro Plugin

The iThemes Security Pro plugin hardens your WordPress site against the most common ways that websites get hacked. With 30+ ways to secure your site in one easy to use plugin.

2. Enable the Site Scan to Check for Known Vulnerabilities

The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins and WordPress core versions will be automatically updated for you.

3. Activate File Change Detection

The key to quickly spotting a security breach is monitoring file changes on your website. The File Change Detection feature in iThemes Security Pro will scan your website’s files and alert you when changes occur on your website.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.