WordPress Vulnerability Report – March 23, 2022


Warning: getimagesize(https://ps.w.org/one-click-demo-import/assets/banner-1544x500.png?rev=2506685): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/favicon-by-realfavicongenerator/assets/banner-1544x500.png?rev=1110918): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/learnpress/assets/banner-1544x500.png?rev=2395011): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/post-grid/assets/banner-1544x500.png?rev=2307499): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/portfolio-wp/assets/banner-1544x500.png?rev=2216364): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/salon-booking-system/assets/banner-1544x500.png?rev=2652612): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/advanced-booking-calendar/assets/banner-772x250.jpg?rev=1623528): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of LowMediumHigh, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

WordPress Core Vulnerabilities

WordPress 5.9.2 was released on March 11, 2022, as a security and maintenance release with 1 bug fix and 3 security fixes. Because this is a security release, be sure to update to WordPress 5.9.2 as soon as possible!

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

One Click Demo Import

Product image for One Click Demo Import.

Plugin
One Click Demo Import
Vulnerability
Admin+ Arbitrary File Upload
The vulnerability has been patched, so you should update to version 3.1.0.

Favicon by RealFaviconGenerator

Product image for Favicon by RealFaviconGenerator.

The vulnerability has been patched, so you should update to version 1.3.23.

Download Manager

Product image for Download Manager.

Vulnerability
Unauthenticated brute force of files master key
The vulnerability has been patched, so you should update to version 3.2.39.

WPvivid Backup and Migration Plugin

Product image for Migration, Backup, Staging – WPvivid.

Plugin
Migration, Backup, Staging – WPvivid
The vulnerability has been patched, so you should update to version 0.9.70.

Responsive Menu

Product image for Responsive Menu – Create Mobile-Friendly Menu.

Plugin
Responsive Menu – Create Mobile-Friendly Menu
The vulnerability has been patched, so you should update to version 4.1.8.

LearnPress

Product image for LearnPress – WordPress LMS Plugin.

Plugin
LearnPress – WordPress LMS Plugin
The vulnerability has been patched, so you should update to version 4.1.6.

Image optimization & Lazy Load

Product image for Image optimization & Lazy Load by Optimole.

Plugin
Image optimization & Lazy Load by Optimole
Vulnerability
Admin+ Stored Cross-Site Scripting
The vulnerability has been patched, so you should update to version 3.3.2.

Post Grid

Product image for Post Grid.

Vulnerability
Reflected Cross-Site Scripting via keyword; Reflected Cross-Site Scripting via post_types
The vulnerability has been patched, so you should update to version 2.1.16.

Super Socializer

Product image for Social Share, Social Login and Social Comments Plugin – Super Socializer.

The vulnerability has been patched, so you should update to version 7.13.30.

Easy Smooth Scroll Links

Product image for Easy Smooth Scroll Links  – Smooth Scrolling Anchor.

Plugin
Easy Smooth Scroll Links – Smooth Scrolling Anchor
Vulnerability
Admin+ Stored Cross-Site Scripting
The vulnerability has been patched, so you should update to version 2.23.1.

FV Flowplayer Video Player

Product image for FV Flowplayer Video Player.

Plugin
FV Flowplayer Video Player
The vulnerability has been patched, so you should update to version 7.5.18.727.

Easy Social Icons

Vulnerability
Admin+ Stored Cross-Site Scripting; Admin+ Stored Cross-Site Scripting in add icon; Unauthenticated Arbitrary Icon Deletion
The vulnerability has been patched, so you should update to version 3.2.1.

Export All URLs

Product image for Export All URLs.

Vulnerability
Private/Draft Post/Page Title Disclosure via CSRF; Reflected Cross-Site Scripting
The vulnerability has been patched, so you should update to version 4.3.

iQ Block Country

Product image for iQ Block Country.

Vulnerability
Admin+ Arbitrary File Deletion via Zip Slip
The vulnerability has been patched, so you should update to version 1.2.13.

GridKit Portfolio

Product image for Portfolio Gallery, Product Catalog – Grid KIT Portfolio.

Plugin
Portfolio Gallery, Product Catalog – Grid KIT Portfolio
The vulnerability has been patched, so you should update to version 2.1.0.

WP Block and Stop Bad Bots

Product image for Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection.

Plugin
Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
The vulnerability has been patched, so you should update to version 6.930.

Salon booking system

Product image for Salon booking system.

Vulnerability
Customer+ Bookings/Customers Data Disclosure; Unauthenticated Sensitive Data Disclosure
The vulnerability has been patched, so you should update to version 7.6.3.

Podcast Importer SecondLine

Product image for Podcast Importer SecondLine.

The vulnerability has been patched, so you should update to version 1.3.8.

Advanced Booking Calendar

Product image for Advanced Booking Calendar.

Vulnerability
Reflected Cross-Site Scripting; Admin+ SQLi
The vulnerability has been patched, so you should update to version 1.7.1.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

Sassy Social Share

Product image for Social Sharing Plugin – Sassy Social Share.

Plugin
Social Sharing Plugin – Sassy Social Share
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

NS WooCommerce Watermark

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

  • Good news! No new WordPress theme vulnerabilities were disclosed this week.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Get iThemes Security Pro

The post WordPress Vulnerability Report – March 23, 2022 appeared first on iThemes.

This content was originally published here.