WordPress Vulnerability Report – March 16, 2022


Warning: getimagesize(https://ps.w.org/ameliabooking/assets/banner-1544x500.png?rev=1991943): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/google-pagespeed-insights/assets/banner-1544x500.jpg?rev=780690): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of LowMediumHigh, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

WordPress Core Vulnerabilities

WordPress 5.9.2 was released on March 11, 2022, as a security and maintenance release with 1 bug fixe and 3 security fixes. Because this is a security release, be sure to update to WordPress 5.9.2 as soon as possible!

WordPress Core

Vulnerability
Prototype Pollution in jQuery
The vulnerability has been patched, so you should update to version 5.9.2.

WordPress Core

Vulnerability
Contributor+ Stored Cross-Site Scripting
The vulnerability has been patched, so you should update to version 5.9.2.

WordPress Core

Vulnerability
Prototype Pollution via Gutenberg’s WordPress/url package
The vulnerability has been patched, so you should update to version 5.9.2.

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

WooCommerce

Product image for WooCommerce.

Vulnerability
Orders Marked as Paid (via PayPal Standard Gateway)
The vulnerability has been patched, so you should update to version 6.3.1.

UpdraftPlus

Product image for UpdraftPlus WordPress Backup Plugin.

Plugin
UpdraftPlus WordPress Backup Plugin
The vulnerability has been patched, so you should update to version 1.22.9.

Gutenberg

Product image for Gutenberg.

Vulnerability
Contributor+ Stored Cross-Site Scripting; Prototype Pollution via Gutenberg’s WordPress/url package
The vulnerability has been patched, so you should update to version 12.7.2.

Ad Inserter

Product image for Ad Inserter – Ad Manager & AdSense Ads.

Plugin
Ad Inserter – Ad Manager & AdSense Ads
The vulnerability has been patched, so you should update to version 2.7.12.

MapPress Maps for WordPress

Product image for MapPress Maps for WordPress.

Plugin
MapPress Maps for WordPress
Vulnerability
Admin+ File Upload to Remote Code Execution
The vulnerability has been patched, so you should update to version 2.73.13.

Profile Builder

Product image for Profile Builder – User Profile & User Registration Forms.

Plugin
Profile Builder – User Profile & User Registration Forms
Vulnerability
Admin+ Stored Cross-Site Scripting
The vulnerability has been patched, so you should update to version 3.6.8.

Amelia < 1.0.48 –

Product image for Amelia – Events & Appointments Booking Calendar.

Plugin
Amelia – Events & Appointments Booking Calendar
Vulnerability
Customer+ SMS Service Abuse and Sensitive Data Disclosure; Customer+ Arbitrary Appointments Status Update
The vulnerability has been patched, so you should update to version 1.0.49.

Easy Social Icons

The vulnerability has been patched, so you should update to version 3.1.4.

Google Pagespeed Insights

Product image for Insights from Google PageSpeed.

Plugin
Insights from Google PageSpeed
The vulnerability has been patched, so you should update to version 4.0.4.

WP Block and Stop Bad Bots

Product image for Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection.

Plugin
Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
The vulnerability has been patched, so you should update to version 6.88.

Booking Package

Product image for Booking Package – Appointment Booking Calendar System.

Plugin
Booking Package – Appointment Booking Calendar System
Vulnerability
Unauthenticated Sensitive Data Disclosure
The vulnerability has been patched, so you should update to version 1.5.29.

Ad Inserter

The vulnerability has been patched, so you should update to version 2.7.12.

Members List

The vulnerability has been patched, so you should update to version 4.3.7.

Ninja Forms File Uploads Extension

Plugin
Ninja Forms File Uploads Extension
Vulnerability
Unauthenticated Arbitrary File Upload
The vulnerability has been patched, so you should update to version 3.3.1.

Ninja Forms File Uploads Extension

Plugin
Ninja Forms File Uploads Extension
Vulnerability
Unauthenticated Stored Cross-Site Scripting
The vulnerability has been patched, so you should update to version 3.3.13.

Mark Posts

Vulnerability
Admin+ Stored Cross-Site Scripting
The vulnerability has been patched, so you should update to version 2.0.1.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

Dropdown Menu Widget

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Library File Manager

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

KingComposer

Plugin
Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

FormBuilder

Vulnerability
Stored Cross-Site Scripting via CSRF
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Material Design for Contact Form 7

Plugin
Material Design for Contact Form 7
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Updates Continue for 400+ Plugins, Themes Impacted by Insecure Freemius Version

Last week, it was discovered that many plugins and themes are using an insecure version of the Freemius Framework, which is used to power their upsell paths from free to Pro.

As of this report, over 400 plugins and 25 themes are impacted. Because the list is so large, we’re linking directly to the WPScan vulnerability disclosure for the latest information about patches.

Actions to take:

  • Update all your themes and plugins to the latest versions.
  • Be sure to turn on automatic updates for your plugins and themes as developers continue to release updates.

WordPress Theme Vulnerabilities

In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

  • Good news! No new WordPress theme vulnerabilities were disclosed this week.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Get iThemes Security Pro

wordpress vulnerability report

The post WordPress Vulnerability Report – March 16, 2022 appeared first on iThemes.

This content was originally published here.