WordPress Vulnerability Report – February 9, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of LowMediumHigh, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.

Please share this post with your friends to help get the word out and make WordPress safer for everyone!

WordPress 5.9: Core Major Version Update Now Available

WordPress 5.9 “Joséphine” was released on January 25, 2022, as the first major WordPress core release of the year. The biggest thing to know about WordPress 5.9 is simply this: Full Site Editing (FSE) using the WordPress block editor is here (well, if you want to use it or your theme supports it).

WordPress 5.9 represents the largest release of Gutenberg features since the initial Gutenberg launch in WordPress 5.0. In addition, WordPress 5.9 includes 99 enhancements and 100 bug fixes.

In this post, we unpack what’s new and noteworthy in WordPress 5.9 so you can get the most out of the latest version of WordPress.

You can update to WordPress 5.9 by downloading from WordPress.org or visiting your WordPress admin dashboard > Updates and clicking Update Now.

If you have sites that have enabled automatic background updates, they should have already updated successfully. Just be sure to verify that all your WordPress sites are on WordPress 5.9.

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

All-in-One WP Migration

Plugin
All-in-One WP Migration
Vulnerability
Admin+ Arbitrary File Upload to RCE
Patched in Version
7.41
Severity Score
Medium
Plugin
Ad Inserter – Ad Manager & AdSense Ads
Installations
200,000+
Patched in Version
2.7.11
Severity Score
Medium
Installations
200,000+
Patched in Version
2.2.9
Severity Score
Medium
Patched in Version
3.2.35
Severity Score
High

Product Feed PRO for WooCommerce

Plugin
Product Feed PRO for WooCommerce
Installations
80,000+
Patched in Version
11.2.3
Severity Score
Medium
Patched in Version
2022
Severity Score
Medium

WordPress Real Cookie Banner

Plugin
WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent
Patched in Version
2.14.2
Severity Score
Medium
Installations
40,000+
Patched in Version
5.8.22
Severity Score
Medium
Plugin
Conversios.io – Google Analytics and Google Shopping plugin for WooCommerce
Patched in Version
4.6.2
Severity Score
High
Plugin
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor
Installations
30,000+
Patched in Version
2.3.9
Severity Score
High

Contact Form & Lead Form Elementor Builder Plugin

Plugin
Contact Form & Lead Form Elementor Builder
Installations
20,000+
Patched in Version
1.7.4
Severity Score
Medium
Plugin
Pricing Tables WordPress Plugin – Easy Pricing Tables
Vulnerability
Arbitrary Post Removal via CSRF
Patched in Version
3.1.3
Severity Score
Medium
Patched in Version
2.4.15
Severity Score
High
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
2.26.9
Severity Score
Low
Patched in Version
5.0.2.2
Severity Score
Medium

Catch Themes Demo Import

Patched in Version
2.1.1
Severity Score
Medium
Plugin
MasterStudy LMS – WordPress LMS Plugin
Installations
10,000+
Patched in Version
2.7.6
Severity Score
Critical
Installations
10,000+
Vulnerability
Unauthorised Arbitrary Post Metadata Access; Authenticated Arbitrary File Access / LFI; Authenticated Stored Cross-Site Scripting
Patched in Version
4.0.1
Severity Score
High
Installations
5,000+
Patched in Version
1.4.8
Severity Score
Medium

WP Time Slots Booking Form

Plugin
WP Time Slots Booking Form
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
1.1.63
Severity Score
Low
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
1.0.15
Severity Score
Low

Premium Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure

Multisite User Sync/Unsync

Plugin
WordPress Multisite User Sync/Unsync
Patched in Version
2.1.2
Severity Score
Medium

Multisite Content Copier/Updater Pro

Plugin
WordPress Multisite Content Copier/Updater
Installations
Unknown; Premium Plugin
Patched in Version
2.1.0
Severity Score
Medium

WordPress Plugin Vulnerabilities – No Known Fix

In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure

Cost Calculator

Vulnerability
Authenticated Local File Inclusion
Patched in Version
No Fix
Severity Score
Medium

WordPress Theme Vulnerabilities

No new theme vulnerabilities were disclosed this week.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.

This content was originally published here.