Plugin Vulnerabilities for January 2022

Is your site up to date?

Outdated plugins & themes are the #1 reason sites get hacked. Don’t leave your WooCommerce store vulnerable!

SVG Support

Plugin: SVG Support
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 800,000+
Patched in Version: 2.3.20
Severity Score: Low

Asset CleanUp

Plugin: Asset CleanUp
Vulnerability: Reflected Cross-Site Scripting via AJAX Action
Active Installation: 100,000+
Patched in Version: 1.3.8.5
Severity Score: High

Paid Memberships Pro

Plugin: Paid Memberships Pro
Vulnerability: Unauthenticated Blind SQL Injection
Active Installation: 100,000+
Patched in Version: 2.6.7
Severity Score: Critical

NextScripts: Social Networks Auto-Poster

Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Arbitrary Post Deletion via CSRF
Active Installation: 90,000+
Patched in Version: 4.3.25
Severity Score: Medium

Ivory Search

Plugin: Ivory Search
Vulnerability: Contributor+ Stored Cross-Site Scripting
Active Installation: 80,000+
Patched in Version: 5.4.1
Severity Score: High

Easy Social Feed

Plugin: Easy Social Feed
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 70,000+
Patched in Version: 6.2.7
Severity Score: High

Visual CSS Style Editor

Plugin: Visual CSS Style Editor
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 50,000+
Patched in Version: 7.5.4
Severity Score: High

Contact Form Entries

Plugin: Contact Form Entries
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 1.1.7
Severity Score: High

Advanced Cron Manager

Plugin: Advanced Cron Manager
Vulnerability: Subscriber+ Arbitrary Events/Schedules Creation/Deletion
Active Installation: 30,000+
Patched in Version: 2.4.2
Severity Score: Medium

WPLegalPages

Plugin: WPLegalPages
Vulnerability: Subscriber+ Arbitrary Settings Update to Stored XSS
Active Installation: 20,000+
Patched in Version: 2.7.1
Severity Score: Medium

WP Visitor Statistics (Real Time Traffic)

Plugin: WP Visitor Statistics (Real Time Traffic)
Vulnerability: Subscriber+ SQL Injection
Active Installation: 20,000+
Patched in Version: 4.8
Severity Score: High

Wicked Folders

Plugin: Wicked Folders
Vulnerability: Subscriber+ SQL Injection
Active Installation: 10,000+
Patched in Version: 2.8.10
Severity Score: High

LiteSpeed Cache

Plugin: LiteSpeed Cache
Vulnerability: IP Check Bypass to Unauthenticated Stored XSS
Patched in Version: 4.4.4

SupportCandy

Plugin: SupportCandy
Vulnerability: Contributor+ Stored Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 2.2.7
Severity Score: Medium

Rearrange Woocommerce Products

Plugin: Rearrange Woocommerce Products
Vulnerability: Subscriber+ SQL Injection
Active Installation: 10,000+
Patched in Version: 3.0.8
Severity Score: High

IP2Location Country Blocker

Plugin: IP2Location Country Blocker
Vulnerability: Arbitrary Country Ban via CSRF
Active Installation: 10,000+
Patched in Version: 2.26.6
Severity Score: Medium

Awesome Support – WordPress HelpDesk & Support Plugin

Plugin: Awesome Support – Titan Framework
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 10,000+
Patched in Version: 6.0.11
Severity Score: High

Ultimate Product Catalog

Plugin: Ultimate Product Catalog
Vulnerability: Subscriber+ Arbitrary Product Creation & Settings Update
Active Installation: 10,000
Patched in Version: 5.0.26
Severity Score: Medium

Document Embedder

Plugin: Document Embedder
Vulnerability: Subscriber+ Arbitrary Private/Draft Post Title Disclosure
Active Installation: 9,000+
Patched in Version: 1.7.9
Severity Score: Medium

RVM – Responsive Vector Maps

Plugin: RVM – Responsive Vector Maps
Vulnerability: Subscriber+ Arbitrary File Read
Active Installation: 6,000+
Patched in Version: 6.4.2
Severity Score: High

Mediamatic

Plugin: Mediamatic
Vulnerability: Subscriber+ SQL Injection
Active Installation: 3,000+
Patched in Version: 2.8.1
Severity Score: High

Woopra

Plugin: Woopra
Vulnerability: Unauthenticated Arbitrary File Upload
Active Installation: 2,000+
Patched in Version: 1.4.3.2
Severity Score: Critical

User Rights Access Manager

Plugin: User Rights Access Manager
Vulnerability: Access Restriction Bypass
Active Installation: 900+
Patched in Version: 1.0.8
Severity Score: Medium

YuMoney button

Plugin: YuMoney button – Titan Framework
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 900+
Patched in Version: 2.4.0
Severity Score: High

TrustMate.io integration for WooCommerce

Plugin: TrustMate.io integration for WooCommerce
Vulnerability: Subscriber+ Arbitrary Plugin’s Settings Update
Active Installation: 300+
Patched in Version: 1.8.12
Severity Score: High

True Ranker

Plugin: True Ranker
Vulnerability: Unauthenticated Arbitrary File Access via Path Traversal
Active Installation: 300+
Patched in Version: 2.2.4
Severity Score: High

WebHotelier for WordPress

Plugin: WebHotelier for WordPress – Titan Framework
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 200+
Patched in Version: 1.6.1
Severity Score: High

Advanced Cron Manager Pro

Plugin: Advanced Cron Manager Pro
Vulnerability: Subscriber+ Arbitrary Events/Schedules Creation/Deletion
Patched in Version: 2.5.3
Severity Score: Medium

Contact Form 7 Skins

Plugin: Contact Form 7 Skins
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 30,000+
Patched in Version: No known fix
Severity Score: Medium

WooRockets Nitro

Plugin: WooRockets Nitro
Vulnerability: Unauthenticated Arbitrary Plugin Installation
Patched in Version: No known fix
Severity Score: Critical

Amazon Affiliate

Plugin: Amazon Affiliate
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium

Need Security Help? Get WooSecured

We take security seriously. While security measures are built into WordPress and WooCommerce out of the box, there are things store owners should be doing to keep their customers, team, and data safe in the event of those worst-case scenarios. Our security services make your life easier by keeping your data and your customers’ data safe.
