Plugin Vulnerabilities for January 2022

Is your site up to date?

Outdated plugins & themes are the #1 reason sites get hacked. Don’t leave your WooCommerce store vulnerable!

SVG Support

Plugin: SVG Support
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 800,000+
Patched in Version: 2.3.20
Severity Score: Low

Asset CleanUp

Plugin: Asset CleanUp
Vulnerability: Reflected Cross-Site Scripting via AJAX Action
Active Installation: 100,000+
Patched in Version: 1.3.8.5
Severity Score: High

Paid Memberships Pro

Plugin: Paid Memberships Pro
Vulnerability: Unauthenticated Blind SQL Injection
Active Installation: 100,000+
Patched in Version: 2.6.7
Severity Score: Critical

NextScripts: Social Networks Auto-Poster

Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Arbitrary Post Deletion via CSRF
Active Installation: 90,000+
Patched in Version: 4.3.25
Severity Score: Medium

Ivory Search

Plugin: Ivory Search
Vulnerability: Contributor+ Stored Cross-Site Scripting
Active Installation: 80,000+
Patched in Version: 5.4.1
Severity Score: High

Easy Social Feed

Plugin: Easy Social Feed
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 70,000+
Patched in Version: 6.2.7
Severity Score: High

Visual CSS Style Editor

Plugin: Visual CSS Style Editor
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 50,000+
Patched in Version: 7.5.4
Severity Score: High

Contact Form Entries

Plugin: Contact Form Entries
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 1.1.7
Severity Score: High

Advanced Cron Manager

Plugin: Advanced Cron Manager
Vulnerability: Subscriber+ Arbitrary Events/Schedules Creation/Deletion
Active Installation: 30,000+
Patched in Version: 2.4.2
Severity Score: Medium

WPLegalPages

Plugin: WPLegalPages
Vulnerability: Subscriber+ Arbitrary Settings Update to Stored XSS
Active Installation: 20,000+
Patched in Version: 2.7.1
Severity Score: Medium

WP Visitor Statistics (Real Time Traffic)

Plugin: WP Visitor Statistics (Real Time Traffic)
Vulnerability: Subscriber+ SQL Injection
Active Installation: 20,000+
Patched in Version: 4.8
Severity Score: High

Wicked Folders

Plugin: Wicked Folders
Vulnerability: Subscriber+ SQL Injection
Active Installation: 10,000+
Patched in Version: 2.8.10
Severity Score: High

LiteSpeed Cache

Plugin: LiteSpeed Cache
Vulnerability: IP Check Bypass to Unauthenticated Stored XSS
Patched in Version: 4.4.4

SupportCandy

Plugin: SupportCandy
Vulnerability: Contributor+ Stored Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 2.2.7
Severity Score: Medium

Rearrange Woocommerce Products

Plugin: Rearrange Woocommerce Products
Vulnerability: Subscriber+ SQL Injection
Active Installation: 10,000+
Patched in Version: 3.0.8
Severity Score: High

IP2Location Country Blocker

Plugin: IP2Location Country Blocker
Vulnerability: Arbitrary Country Ban via CSRF
Active Installation: 10,000+
Patched in Version: 2.26.6
Severity Score: Medium

Awesome Support – WordPress HelpDesk & Support Plugin

Plugin: Awesome Support – Titan Framework
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 10,000+
Patched in Version: 6.0.11
Severity Score: High

Ultimate Product Catalog

Plugin: Ultimate Product Catalog
Vulnerability: Subscriber+ Arbitrary Product Creation & Settings Update
Active Installation: 10,000
Patched in Version: 5.0.26
Severity Score: Medium

Document Embedder

Plugin: Document Embedder
Vulnerability: Subscriber+ Arbitrary Private/Draft Post Title Disclosure
Active Installation: 9,000+
Patched in Version: 1.7.9
Severity Score: Medium

RVM – Responsive Vector Maps

Plugin: RVM – Responsive Vector Maps
Vulnerability: Subscriber+ Arbitrary File Read
Active Installation: 6,000+
Patched in Version: 6.4.2
Severity Score: High

Mediamatic

Plugin: Mediamatic
Vulnerability: Subscriber+ SQL Injection
Active Installation: 3,000+
Patched in Version: 2.8.1
Severity Score: High

Woopra

Plugin: Woopra
Vulnerability: Unauthenticated Arbitrary File Upload
Active Installation: 2,000+
Patched in Version: 1.4.3.2
Severity Score: Critical

User Rights Access Manager

Plugin: User Rights Access Manager
Vulnerability: Access Restriction Bypass
Active Installation: 900+
Patched in Version: 1.0.8
Severity Score: Medium

YuMoney button

Plugin: YuMoney button – Titan Framework
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 900+
Patched in Version: 2.4.0
Severity Score: High

TrustMate.io integration for WooCommerce

Plugin: TrustMate.io integration for WooCommerce
Vulnerability: Subscriber+ Arbitrary Plugin’s Settings Update
Active Installation: 300+
Patched in Version: 1.8.12
Severity Score: High

True Ranker

Plugin: True Ranker
Vulnerability: Unauthenticated Arbitrary File Access via Path Traversal
Active Installation: 300+
Patched in Version: 2.2.4
Severity Score: High

WebHotelier for WordPress

Plugin: WebHotelier for WordPress – Titan Framework
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 200+
Patched in Version: 1.6.1
Severity Score: High

Advanced Cron Manager Pro

Plugin: Advanced Cron Manager Pro
Vulnerability: Subscriber+ Arbitrary Events/Schedules Creation/Deletion
Patched in Version: 2.5.3
Severity Score: Medium

Contact Form 7 Skins

Plugin: Contact Form 7 Skins
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 30,000+
Patched in Version: No known fix
Severity Score: Medium

WooRockets Nitro

Plugin: WooRockets Nitro
Vulnerability: Unauthenticated Arbitrary Plugin Installation
Patched in Version: No known fix
Severity Score: Critical

Amazon Affiliate

Plugin: Amazon Affiliate
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium

Need Security Help? Get WooSecured

We take security seriously. While security measures are built into WordPress and WooCommerce out of the box, there are things store owners should be doing to keep their customers, team, and data safe in the event of those worst-case scenarios. Our security services make your life easier by keeping your data and your customers’ data safe.
