WordPress Vulnerability Report – December 21, 2022

WordPress Core News

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, it makes sense to ensure your site is backed up with BackupBuddy before updating.

VULNERABILITY: Unauthenticated Blind SSRF via DNS Rebinding
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched.

This vulnerability was reported by Thomas Chauchefoin, and at this time it affects all versions of WordPress. However, the probability of exploitation is very low, and to fully protect yourself, all you need to do is turn off XML-RPC or pingbacks on your WordPress site.

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.

Table of Contents Plus

PLUGIN SLUG: table-of-contents-plus
INSTALLATIONS: 300,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 2212
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 2212.

Download Manager

PLUGIN SLUG: download-manager
INSTALLATIONS: 100,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 3.2.62
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 3.2.62.

Smash Balloon Social Post Feed

PLUGIN SLUG: custom-facebook-feed
INSTALLATIONS: 100,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 4.1.6
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 4.1.6.

Mesmerize Companion

PLUGIN SLUG: mesmerize-companion
INSTALLATIONS: 100,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.6.135
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 1.6.135.

Starter Templates by Kadence WP

PLUGIN SLUG: kadence-starter-templates
INSTALLATIONS: 100,000+
VULNERABILITY: Admin+ PHP Object Injection
PATCHED IN VERSION: 1.2.17
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 1.2.17.

Slimstat Analytics

PLUGIN SLUG: wp-slimstat
INSTALLATIONS: 100,000+
VULNERABILITY: Unauthenticated Stored XSS
PATCHED IN VERSION: 4.9.3
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 4.9.3.

WPtouch

PLUGIN: WPtouch
PLUGIN SLUG: wptouch
INSTALLATIONS: 100,000+
VULNERABILITY: Admin+ PHP Object Injection; Admin+ Arbitrary File Upload
PATCHED IN VERSION: 4.3.45
SEVERITY SCORE: Medium
The vulnerabilities have been patched, so you should update to version 4.3.45.

Permalink Manager Lite

PLUGIN SLUG: permalink-manager
INSTALLATIONS: 70,000+
VULNERABILITY: Authenticated Stored XSS
PATCHED IN VERSION: 2.3.0
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 2.3.0.

WP Recipe Maker

PLUGIN SLUG: wp-recipe-maker
INSTALLATIONS: 50,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 8.6.1
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 8.6.1.

Metricool

PLUGIN: Metricool
PLUGIN SLUG: metricool
INSTALLATIONS: 40,000+
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: 1.18
SEVERITY SCORE: Low
The vulnerability has been patched, so you should update to version 1.18.

WP Custom Admin Interface

PLUGIN SLUG: wp-custom-admin-interface
INSTALLATIONS: 30,000+
VULNERABILITY: Admin+ PHP Object Injection
PATCHED IN VERSION: 7.29
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 7.29.

Multi Step Form

PLUGIN SLUG: multi-step-form
INSTALLATIONS: 10,000+
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: 1.7.8
SEVERITY SCORE: Low
The vulnerability has been patched, so you should update to version 1.7.8.

ActiveCampaign for WooCommerce

PLUGIN SLUG: activecampaign-for-woocommerce
INSTALLATIONS: 8,000+
VULNERABILITY: Subscriber+ Error Log Cleanup
PATCHED IN VERSION: 1.9.8
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 1.9.8.

Vision Interactive For WordPress

PLUGIN SLUG: vision
INSTALLATIONS: 3,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.5.4
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 1.5.4.

Sunshine Photo Cart

PLUGIN SLUG: sunshine-photo-cart
INSTALLATIONS: 1,000+
VULNERABILITY: Reflected XSS
PATCHED IN VERSION: 2.9.15
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 2.9.15.

Post Status Notifier Lite

PLUGIN SLUG: post-status-notifier-lite
INSTALLATIONS: 1,000+
VULNERABILITY: Reflected XSS
PATCHED IN VERSION: 1.10.1
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 1.10.1.

WordPress Events Calendar Plugin

PLUGIN SLUG: connect-daily-web-calendar
INSTALLATIONS: 200+
VULNERABILITY: Multiple Reflected XSS
PATCHED IN VERSION: 1.4.5
SEVERITY SCORE: High
The vulnerabilities have been patched, so you should update to version 1.4.5.

WPQA

PLUGIN: WPQA Builder
PLUGIN SLUG: wpqa
VULNERABILITY: Missing validation leads to functionality abuse
PATCHED IN VERSION: 5.9.3
SEVERITY SCORE: Low
The vulnerability has been patched, so you should update to version 5.9.3.

Mautic Integration For WooCommerce

PLUGIN: Mautic Integration for WooCommerce
PLUGIN SLUG: mautic-integration-for-woocommerce
VULNERABILITY: Arbitrary Options Update via CSRF
PATCHED IN VERSION: 1.0.3
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 1.0.3.

iPages Flipbook For WordPress

PLUGIN SLUG: ipages-flipbook
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.4.7
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 1.4.7.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

Mega Addons For WPBakery Page Builder

PLUGIN SLUG: mega-addons-for-visual-composer
INSTALLATIONS: 60,000+
VULNERABILITY: Subscriber+ Settings Update
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched. You should deactivate the plugin.

iPanorama 360 WordPress Virtual Tour Builder

PLUGIN SLUG: ipanorama-360-virtual-tour-builder-lite
INSTALLATIONS: 7,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
The vulnerability has not been patched. You should deactivate the plugin.

ImageLinks Interactive Image Builder for WordPress

PLUGIN SLUG: imagelinks-interactive-image-builder-lite
INSTALLATIONS: 3,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
The vulnerability has not been patched. You should deactivate the plugin.

WP CSV

PLUGIN: WP CSV
PLUGIN SLUG: wp-csv
VULNERABILITY: Reflected XSS via CSV Import
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Table Reloaded

PLUGIN SLUG: wp-table-reloaded
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Bg Bible References

PLUGIN SLUG: bg-biblie-references
VULNERABILITY: Reflected XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

404 to Start

PLUGIN: 404 to Start
PLUGIN SLUG: 404-to-start
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.

WPQA

THEME: Himer
THEME SLUG: himer
VULNERABILITY: Missing validation leads to functionality abuse
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Low
The vulnerability has not been patched. You should switch themes.