WordPress Vulnerability Report: October 2021, Part 3

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of LowMediumHigh, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

Please share this post with your friends to help get the word out and make WordPress safer for everyone.

Contents of the October 20, 2021 Report

The latest version of WordPress core is 5.8.1 was released as a security and maintenance release. As a best practice, always be sure to run the latest version of WordPress core!

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.

1. WPSchoolPress

Plugin: WPSchoolPress
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in Version: 2.1.17
Severity Score: Low

The vulnerability is patched, so you should update to version 2.1.17.

Plugin: WPSchoolPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.1.10
Severity Score: High

The vulnerability is patched, so you should update to version 2.1.10.

Plugin: WPSchoolPress
Vulnerability: Multiple Authenticated SQL Injections
Patched in Version: 2.1.10
Severity Score: High

The vulnerability is patched, so you should update to version 2.1.10.

2. YITH WooCommerce Multi Vendor

Plugin: Squaretype MYITH WooCommerce Multi Vendor
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.8.1
Severity Score: High

The vulnerability is patched, so you should update to version 3.8.1.

3. Print-O-Matic

Plugin: Print-O-Matic
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.0.3
Severity Score: Low

The vulnerability is patched, so you should update to version 2.0.3.

4. Pie Register

Plugin: Pie Register
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 3.7.1.6
Severity Score: High

The vulnerability is patched, so you should update to version 3.7.1.6.

Plugin: Pie Register
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 3.7.1.6
Severity Score: Critical

The vulnerability is patched, so you should update to version 3.7.1.6.

5. Coupon Affiliates for WooCommerce

Plugin: Coupon Affiliates for WooCommerce
Vulnerability: Arbitrary Referral Visits Deletion via CSRF
Patched in Version: 4.11.3.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.11.3.4.

6. MAZ Loader

Plugin: MAZ Loader
Vulnerability: Contributor+ SQL Injection
Patched in Version: 1.3.3
Severity Score: High

The vulnerability is patched, so you should update to version 1.3.3.

7. Storefront Footer Text

Plugin: Storefront Footer Text
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of October 6, 2021. Uninstall and delete.

8. Quiz Tool Lite

Plugin: Quiz Tool Lite
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of September 28, 2021. Uninstall and delete.

9. Qwizcards

Plugin: Qwizcards
Vulnerability: Admin+ Stored Cross Site Scripting
Patched in Version: 3.62
Severity Score: Low

The vulnerability is patched, so you should update to version 3.62.

10. Loco Translate 

Plugin: Loco Translate  
Vulnerability:  Authenticated PHP Code Injection
Patched in Version: 2.5.4
Severity Score: High

The vulnerability is patched, so you should update to version 2.5.4.

11. iPanorama 360 WordPress Virtual Tour Builder

Plugin: iPanorama 360 WordPress Virtual Tour Builder
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: 1.6.22
Severity Score: High

The vulnerability is patched, so you should update to version 1.6.22.

12. Vision Interactive For WordPress

Plugin: Vision Interactive For WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: no known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

13. ImageLinks Interactive Image Builder for WordPress

Plugin: ImageLinks Interactive Image Builder for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: no known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

14. WordPress Easy Custom Js And Css Plugin

Plugin: WordPress Easy Custom Js And Css Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: no known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

15. iPages Flipbook For WordPress

Plugin: iPages Flipbook For WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.4.3
Severity Score: High

The vulnerability is patched, so you should update to version 1.4.3.

16. 404 to 301

Plugin: 404 to 301
Vulnerability: Logs Deletion via CSRF
Patched in Version: 3.0.9
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.0.9.

17. Post Expirator

Plugin: Post Expirator
Vulnerability: Contributor+ Arbitrary Post Schedule
Patched in Version: 2.6.0
Severity Score: High

The vulnerability is patched, so you should update to version 1.6.22.

18. WP Header Images

Plugin: WP Header Images
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.0.1
Severity Score: High

The vulnerability is patched, so you should update to version 2.0.1.

19. Subscriptions & Memberships for PayPal

Plugin: Subscriptions & Memberships for PayPal
Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched in Version: No known fix – plugin closed
Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of September 30, 2021. Uninstall and delete.

20. Accept Donations with PayPal

Plugin: Accept Donations with PayPal
Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched in Version: 1.3.1
Severity Score: High

The vulnerability is patched, so you should update to version 1.3.1.

21. PayPal Events 

Plugin: PayPal Events 
Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched in Version: No known fix – plugin closed
Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of September 30, 2021. Uninstall and delete.

22. Header Footer Code Manager

Plugin: Header Footer Code Manager
Vulnerability: Admin+ SQL Injections
Patched in Version: 1.1.14
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.1.14.

23. wpDiscuz 

Plugin: wpDiscuz 
Vulnerability: Arbitrary Comment Addition/Edition/Deletion via CSRF
Patched in Version: 7.3.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.3.4.

24. 3D Print Lite

Plugin: 3D Print Lite
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.9.1.6
Severity Score: High

The vulnerability is patched, so you should update to version 1.9.1.6.

25. Asgaros Forum

Plugin: Asgaros Forum
Vulnerability: Redirect Deletion via CSRF
Patched in Version: 1.15.13
Severity Score: High

The vulnerability is patched, so you should update to version 1.15.13.

26. WP SEO Redirect 301

Plugin: WP SEO Redirect 301
Vulnerability: Redirect Deletion via CSRF
Patched in Version: 2.3.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.3.2.

27. WCFM – Frontend Manager for WooCommerce

Plugin: WCFM – Frontend Manager for WooCommerce
Vulnerability: Customer/Subscriber+ SQL Injection
Patched in Version: 6.5.12
Severity Score: High

The vulnerability is patched, so you should update to version 6.5.12.

28. Affiliate Manager

Plugin: Affiliate Manager
Vulnerability: Admin+ SQL Injections
Patched in Version: 2.8.7
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.8.7.

29. Similar Posts

Plugin: Similar Posts
Vulnerability: Admin+ Arbitrary PHP Code Execution
Patched in Version: 3.1.6
Severity Score: High

The vulnerability is patched, so you should update to version 3.1.6.

30. WooCommerce Products Table

Plugin: WooCommerce Products Table
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.0.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.4.

31. Discounts Manager for Products

Plugin: Discounts Manager for Products
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.4.5
Severity Score: High

The vulnerability is patched, so you should update to version 3.4.5.

32. Testimonial Builder

Plugin: Testimonial Builder
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.6.0
Severity Score: Low

The vulnerability is patched, so you should update to version 1.6.0.

33. Brizy

Plugin: Brizy
Vulnerability: Incorrect Authorization to Post Modification
Patched in Version: 2.3.12
Severity Score: High

The vulnerability is patched, so you should update to version 2.3.12.

Plugin: Brizy
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 2.3.12
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.3.12.

Plugin: Brizy
Vulnerability: Authenticated File Upload and Path Traversal
Patched in Version: 2.3.12
Severity Score: High

The vulnerability is patched, so you should update to version 2.3.12.

34. Colorful Categories

Plugin: Colorful Categories
Vulnerability: Arbitrary Colors Update via CSRF
Patched in Version: 2.0.15
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.15.

35. WP Fastest Cache

Plugin: WP Fastest Cache
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 0.9.5
Severity Score: High

The vulnerability is patched, so you should update to version 0.9.5.

Plugin: WP Fastest Cache
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: 0.9.5
Severity Score: High

The vulnerability is patched, so you should update to version 0.9.5.

36. Business Manager

Plugin: Business Manager
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

37. Job Board Vanila

Plugin: Job Board Vanila
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

38. WpGenius Job Listing 

Plugin: WpGenius Job Listing 
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

39. Job Manager

Plugin: Job Manager
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

40. Job Portal

Plugin: Job Portal
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

41. MyBB Cross-Poster

Plugin: MyBB Cross-Poster
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

42. KJM Admin Notices

Plugin: KJM Admin Notices
Vulnerability: Incorrect Authorization to Post Modification
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

43. HAL

Plugin: HAL
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.2
Severity Score: Low

The vulnerability is patched, so you should update to version 2.2.

Plugin: Author Bio Box
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 3.4.0
Severity Score: Low

The vulnerability is patched, so you should update to version 3.4.0.

45. WordPress + Microsoft Office 365

Plugin: WordPress + Microsoft Office 365
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 15.4
Severity Score: Critical

The vulnerability is patched, so you should update to version 15.4.

46. YOP Poll 

Plugin: YOP Poll 
Vulnerability: Author+ Stored Cross-Site Scripting via Options Module
Patched in Version: 6.3.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 6.3.1.

Plugin: YOP Poll 
Vulnerability: Author+ Stored Cross-Site Scripting via Preview Module
Patched in Version: 6.3.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 6.3.1.

47. Indeed Job Importer

Plugin: Indeed Job Importer
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of October 14, 2021. Uninstall and delete.

48. MPL-Publisher – Self-publish your book & ebook

Plugin: MPL-Publisher – Self-publish your book & ebook
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

49. JobBoardWP

Plugin: JobBoardWP
Vulnerability: Incorrect Authorization to Post Modification
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 14, 2021. Uninstall and delete.

WordPress Theme Vulnerabilities

1. Squaretype Modern Blog

Theme: Squaretype Modern Blog
Vulnerability: Unauthenticated Private/Schedule Posts Disclosure
Patched in Version: 3.0.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.0.4.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin or WordPress core version with a known vulnerability.

Get iThemes Security Pro with 24/7 Website Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Get iThemes Security Pro

WordPress vulnerability report

The post WordPress Vulnerability Report: October 2021, Part 3 appeared first on iThemes.

This content was originally published here.