WordPress Vulnerability News, March 2021


Updated: March 9, 2021 by Agnes Talalaev

WordPress vulnerability news is a weekly digest of highlighted WordPress plugin security vulnerabilities or vulnerability disclosures that have been published (there are other, less critical vulnerabilities in smaller plugins that unfortunately don’t make it to the list).

This month we have listed 10 vulnerable plugins and themes that affect about 400 000 sites.

This year we have listed 66 vulnerable plugins and themes that affect more than 7.4 million sites.

Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we analyze WordPress plugins and newly disclosed vulnerabilities to make sure the sites using the mentioned plugins or themes are protected.

All the vulnerabilities you find in this article have received a virtual patch in the WebARX firewall. This means that if you use the WebARX web application firewall, your site is safe from these vulnerabilities, but it is always strongly advised to update or delete vulnerable plugins from your site.

You can find all the vulnerabilities mentioned in our WordPress vulnerability news in our vulnerability database.

Is your WordPress site secured? Take a look at how to secure your WordPress site here.

If you are a WordPress plugin developer, read how to secure plugins from an attacker’s perspective or contact support@webarxsecurity.com and ask for a plugin security audit.

What are the biggest challenges for freelancers and digital agencies in 2020? Read the Website Security Survey Report 2020 to find out.

WooCommerce Upload Files premium

Upload any file any size from the product, cart, checkout, thank you, and/or order details pages. Preview images, add additional costs, fees, and many more options.

Vulnerability: Unauthenticated arbitrary file upload
Fixed in version: 59.4
Number of sites affected: 5 000+

Unauthenticated Arbitrary File Upload vulnerability found by Wordfence in WordPress WooCommerce Upload Files premium plugin (versions <= 59.3).

Update the WordPress WooCommerce Upload Files premium plugin to the latest available version (at least 59.4).

User Profile Picture

Set or remove a custom profile image for a user using the standard WordPress media upload tool.

Vulnerability: Sensitive information disclosure
Fixed in version: 2.5.0
Number of sites affected: 60 000+

Sensitive Information Disclosure vulnerability found by Wordfence in WordPress User Profile Picture plugin (versions <= 2.4.0).

Update the WordPress User Profile Picture plugin to the latest available version (at least 2.5.0).

Forminator

WordPress form builder.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 1.14.8.1
Number of sites affected: 100 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Forminator plugin (versions <= 1.14.8).

Update the WordPress Forminator plugin to the latest available version (at least 1.14.8.1).

Dokan

Marketplace plugin for WordPress.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 3.2.1
Number of sites affected: 60 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Dokan plugin (versions <= 3.2.0).

Update the WordPress Dokan plugin to the latest available version (at least 3.2.1).

Defender Security – Malware Scanner, Login Security & Firewall

WordPress security plugin.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 2.4.6.1
Number of sites affected: 50 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Defender Security plugin (versions <= 2.4.6).

Update the WordPress Defender Security plugin to the latest available version (at least 2.4.6.1).

Abandoned Cart Lite for WooCommerce

Abandoned Cart Plugin helps you recover those carts from your WooCommerce shop.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 5.8.6
Number of sites affected: 30 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Abandoned Cart Lite for WooCommerce plugin (versions <= 5.8.5).

Update the WordPress Abandoned Cart Lite for WooCommerce plugin to the latest available version (at least 5.8.6).

Style Kits – Advanced Theme Styles for Elementor

Style Kits for Elementor adds meaningful UI controls to Theme Styles for the most important variables of your layout system in Elementor.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 1.8.1
Number of sites affected: 10 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Style Kits plugin (versions <= 1.8.0).

Update the WordPress Style Kits plugin to the latest available version (at least 1.8.1).

WP ERP

Company and business management solution for WordPress.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 1.7.5
Number of sites affected: 10 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress WP ERP plugin (versions <= 1.7.4).

Update the WordPress WP ERP plugin to the latest available version (at least 1.7.5).

WP Project Manager

A project management and task management tool for WordPress.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 2.4.10
Number of sites affected: 10 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress WP Project Manager plugin (versions <= 2.4.9).

Update the WordPress WP Project Manager plugin to the latest available version (at least 2.4.10).

WP Travel – Best Travel Booking WordPress Plugin, Tour Management Engine

WP Travel is a travel engine for making customized travel & tour agency websites on WordPress in minutes.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 4.4.7
Number of sites affected: 6 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress WP Travel plugin (versions <= 4.4.6).

Update the WordPress WP Travel plugin to the latest available version (at least 4.4.7).

February 2021 WordPress vulnerability list

YITH WooCommerce Gift Cards

Sell gift cards in your shop to increase your earnings and attract new customers.

Vulnerability: Arbitrary file upload to remote code execution (RCE)
Fixed in version: 3.3.1
Number of sites affected: 50 000+

Arbitrary file upload to remote code execution (RCE) vulnerability found by Guy Liu in WordPress YITH WooCommerce Gift Cards plugin (versions <= 3.3.0).

Update the WordPress YITH WooCommerce Gift Cards plugin to the latest available version (at least 3.3.1).

WordPress NextGEN Gallery Pro

A popular gallery plugin for WordPress.

Vulnerability: Cross-site scripting (XSS)
Fixed in version: 3.1.11
Number of sites affected: 1+ million

Reflected cross-site scripting (XSS) vulnerability found by Thura Moe Myint in WordPress NextGEN Gallery Pro premium plugin (versions <= 3.1.9).

Update the WordPress NextGEN Gallery Pro premium plugin to the latest available version (at least 3.1.11).

WordPress Mega Menu – QuadMenu

Mega Menu is designed for theme developers with customizable menu layouts and drag & drop fields.

Vulnerability: Remote code execution (RCE)
Fixed in version: 2.0.7
Number of sites affected: 20 000+

Remote Code Execution (RCE) vulnerability found by Mikel Gorraiz in WordPress QuadMenu plugin (versions <= 2.0.6).

Update the WordPress QuadMenu plugin to the latest available version (at least 2.0.7).

WP Private Content Plus

WP Private Content Plus simplifies the process for protecting your important WordPress site content from guests, members, specific user roles, or a group of selected users. 

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 3.2
Number of sites affected: 8 000+

Cross-Site Request Forgery (CSRF) vulnerability found in WordPress WP Private Content Plus plugin (versions <= 3.1).

Update the WordPress WP Private Content Plus plugin to the latest available version (at least 3.2).

Custom Banners

Custom Banners is a WordPress plugin that allows you to easily manage several banners (ads) and display them on the front end.

Vulnerability: Cross-site request forgery (CSRF) vulnerability
Fixed in version: 3.3
Number of sites affected: 7 000+

Cross-Site Request Forgery (CSRF) vulnerability found by WPScan Team in WordPress Custom Banners plugin (versions <= 3.2.2).

Update the WordPress Custom Banners plugin to the latest available version (at least 3.3).

WordPress Backup and Migrate Plugin – Backup Guard

Backup Guard is a WordPress backup plugin.

Vulnerability: Authenticated arbitrary file upload vulnerability
Fixed in version: 1.6.0
Number of sites affected: 70 000+

Authenticated Arbitrary File Upload vulnerability found by Nguyen Van Khanh in WordPress Backup Guard plugin (versions <= 1.5.9).

Update the WordPress Backup Guard plugin to the latest available version (at least 1.6.0).

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress

Use Ninja Forms to create WordPress forms.

Vulnerability: Authenticated SendWP plugin installation and client secret key disclosure vulnerability
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Vulnerability: Authenticated OAuth connection key disclosure vulnerability
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Vulnerability: Administrator open redirect vulnerability
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Vulnerability: Cross-site request forgery (CSRF) vulnerability
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Update the WordPress Ninja Forms Contact Form plugin to the latest available version (at least 3.4.34).

WP Ticket Customer Service Software & Support Ticket System

WP Ticket is a help desk software for WordPress.

Vulnerability: Cross-site scripting (XSS) 
Fixed in version: 5.6.0
Number of sites affected: 600+

Cross-Site Scripting (XSS) vulnerability found by WPScan security research team in WordPress WP Ticket Customer Service Software & Support Ticket System plugin (versions <= 5.5.1).

Update the WordPress WP Ticket Customer Service Software & Support Ticket System plugin to the latest available version (at least 5.6.0).

Teaser Maker

Teaser Maker is a WordPress plugin.

Vulnerability: Cross-site scripting (XSS) 
Fixed in version: no known fix – plugin closed
Number of sites affected: N/A

Cross-Site Scripting (XSS) vulnerability found by WPScan security research team in WordPress Teaser Maker plugin (versions <= 0.1.114).

2020-02-15 – we were unable to find a patched version of this plugin. Notice from WordPress plugin repository: “This plugin has been closed as of January 14, 2021, and is not available for download. This closure is temporary, pending a full review.”

Ad Swapper

Ad Swapper is a WordPress plugin.

Vulnerability: Cross-site scripting (XSS) 
Fixed in version: no known fix – plugin closed
Number of sites affected: N/A

Cross-Site Scripting (XSS) vulnerability found by WPScan security research team in WordPress Ad Swapper plugin (versions <= 1.0.3).

2020-02-15 – we were unable to find a patched version of this plugin. Notice from WordPress plugin repository: “This plugin has been closed as of January 14, 2021, and is not available for download. This closure is temporary, pending a full review.”

Drug Search

Drug Search is a WordPress plugin.

Vulnerability: Cross-site scripting (XSS) 
Fixed in version: no known fix – plugin closed
Number of sites affected: N/A

Cross-Site Scripting (XSS) vulnerability found by WPScan security research team in WordPress Drug Search plugin (versions <= 1.0.0).

2020-02-15 – we were unable to find a patched version of this plugin. Notice from WordPress plugin repository: “This plugin has been closed as of January 14, 2021, and is not available for download. This closure is temporary, pending a full review.”

WP Inimat

WP Inimat is a WordPress plugin.

Vulnerability: Cross-site scripting (XSS) 
Fixed in version: no known fix – plugin closed
Number of sites affected: N/A

Cross-Site Scripting (XSS) vulnerability found by WPScan security research team in WordPress WP Inimat plugin (versions <= 1.0).

2020-02-15 – we were unable to find a patched version of this plugin. Notice from WordPress plugin repository: “This plugin has been closed as of January 14, 2021, and is not available for download. This closure is temporary, pending a full review.”

Theme Editor

With Theme Editor you can edit theme, plugin files and more.

Vulnerability: Multiple authenticated arbitrary file download vulnerabilities
Fixed in version: 2.6
Number of sites affected: 50 000+

Multiple authenticated arbitrary file download vulnerabilities found by Nguyen Van Khanh and WPScan security research team in WordPress Theme Editor plugin (versions <= 2.5).

Update the WordPress Theme Editor plugin to the latest available version (at least 2.6).

ElasticPress

ElasticPress is a search and query engine for WordPress which enables WordPress to find or “query” relevant content through a variety of features.

Vulnerability: Nonce check bypass
Fixed in version: 3.5.4
Number of sites affected: 6 000+

Nonce check bypass vulnerability found by Felipe Elia in WordPress ElasticPress plugin (versions <= 3.5.3).

Update the WordPress ElasticPress plugin to the latest available version (at least 3.5.4).

All In One WP Security & Firewall

WordPress plugin for security.

Vulnerability: Authenticated cross-site scripting (XSS)
Fixed in version: 4.4.6
Number of sites affected: 900 000+

Authenticated Cross-Site Scripting (XSS) vulnerability found by WonTae Jang in WordPress All In One WP Security & Firewall plugin (versions <= 4.4.5).

Update the WordPress All In One WP Security & Firewall plugin to the latest available version (at least 4.4.6).

Responsive Menu – Create Mobile-Friendly Menu

Customisable Responsive Menu plugin for WordPress.

Vulnerability: Cross-site request forgery (CSRF) leading to arbitrary file upload, cross-site request forgery (CSRF) leading to setting modification, and authenticated arbitrary file upload vulnerability
Fixed in version: 4.0.4
Number of sites affected: 100 000+

Update the WordPress Responsive Menu plugin to the latest available version (at least 4.0.4).

Read more about the vulnerabilities on the Wordfence blog.

Map Block for Google Maps

Map Block for Google Maps adds a map block to your Gutenberg blocks.

Vulnerability: Google API key manipulation
Fixed in version: 1.32
Number of sites affected: 6 000+

Google API Key Manipulation vulnerability found in WordPress Map Block for Google Maps plugin (versions <= 1.31).

Update the WordPress Map Block for Google Maps plugin to the latest available version (at least 1.32).

Welcart e-Commerce

Welcart is a free e-commerce plugin for WordPress.

Vulnerability: SQL injection (SQLi)
Fixed in version: 2.0.1
Number of sites affected: 20 000+

SQL injection (SQLi) vulnerability found by Erik David Martin in WordPress Welcart e-Commerce plugin (versions <= 2.0.0).

Update the WordPress Welcart e-Commerce plugin to the latest available version (at least 2.0.1).

NextGEN Gallery

NextGEN Gallery is a WordPress gallery plugin.

Vulnerability: Cross-site request forgery (CSRF) leading to XSS and RCE via file upload and LFI
Fixed in version: 3.5.0
Number of sites affected: 800 000+

The Wordfence threat intelligence team found two cross-site request forgery (CSRF) vulnerabilities and a critical severity vulnerability that could lead to remote code execution (RCE) and stored cross-site scripting (XSS) in NextGEN Gallery.

These vulnerabilities have been fully patched in version 3.5.0, and users with WebARX installed are safe from the vulnerabilities mentioned.

Read more about the vulnerabilities on the Wordfence blog.

Backup by Supsystic

Back up your WordPress website to FTP, Dropbox, Google Drive or a local computer and restore it in two clicks.

Vulnerability: Local file inclusion (LFI)
Fixed in version: no known fix – plugin closed
Number of sites affected: 1 000+

Local File Inclusion (LFI) vulnerability found by Erik David Martin in WordPress Backup by Supsystic plugin (versions <= 2.3.12).

2021-02-08 – we were unable to find a patched version of this plugin. Notice from WordPress plugin repository: “This plugin has been closed as of December 1, 2020, and is not available for download. Reason: Security Issue.”

Contact Form by Supsystic

Contact Form Builder by Supsystic with drag-and-drop editor. 

Vulnerability: Stored cross-site scripting (XSS) and SQL injection (SQLi)
Fixed in version: 1.7.7
Number of sites affected: 20 000+

Stored cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities found by Erik David Martin in WordPress Contact Form by Supsystic plugin (versions <= 1.7.5).

Update the WordPress Contact Form by Supsystic plugin to the latest available version (at least 1.7.7).

Data Tables Generator by Supsystic

Create responsive data tables with sorting, searching, pagination, filtering and more.

Vulnerability: Stored cross-site scripting (XSS) and SQL injection (SQLi)
Fixed in version: 1.9.97
Number of sites affected: 30 000+

Stored cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities found by Erik David Martin in WordPress Data Tables Generator by Supsystic plugin (versions <= 1.9.96).

Update the WordPress Data Tables Generator by Supsystic plugin to the latest available version (at least 1.9.97).

Digital Publications by Supsystic

Digital publishing plugin for creating a magazine, catalog or any other publication.

Vulnerability: Stored cross-site scripting (XSS) and path traversal and DoS vulnerability
Fixed in version: no known fix – plugin closed
Number of sites affected: 3 000+

Stored Cross-Site Scripting (XSS), Path Traversal and DoS vulnerabilities found by Erik David Martin in WordPress Digital Publications by Supsystic plugin (versions <= 1.6.11).

2021-02-08 – we were unable to find a patched version of this plugin. WordPress plugin repository notice: “This plugin has been closed as of February 8, 2021, and is not available for download. This closure is temporary, pending a full review.”

Membership by Supsystic

Membership by Supsystic is a plugin to build online communities and membership sites with custom user profile, front-end registration, login, and more.

Vulnerability: SQL injection (SQLi)
Fixed in version: no known fix – plugin closed
Number of sites affected: 900+

SQL injection (SQLi) vulnerability found by Erik David Martin in WordPress Membership by Supsystic plugin (versions <= 1.5.0).

2021-02-08 – we were unable to find a patched version of this plugin. WordPress plugin repository notice: “This plugin has been closed as of February 8, 2021, and is not available for download. This closure is temporary, pending a full review.”

Newsletter by Supsystic

Newsletter by Supsystic is a plugin for mail list building and newsletter creation.

Vulnerability: SQL injection (SQLi)
Fixed in version: no known fix – plugin closed
Number of sites affected: 1 000+

SQL injection (SQLi) vulnerability found by Erik David Martin in WordPress Newsletter by Supsystic plugin (versions <= 1.5.6).

2021-02-08 – we were unable to find a patched version of this plugin. WordPress plugin repository notice: “This plugin has been closed as of December 1, 2020, and is not available for download. Reason: Security Issue.”

Like Button Rating ♥ LikeBtn

The Like Button Rating plugin allows you to add a fully customisable like button to posts, pages, comments and more.

Vulnerability: Unauthenticated server-side request forgery (SSRF)
Fixed in version: 2.6.32
Number of sites affected: 8 000+

Unauthenticated Server-Side Request Forgery (SSRF) vulnerability found by Lauritz Holme in WordPress Like Button Rating plugin (versions <= 2.6.31).

Update the WordPress Like Button Rating plugin to the latest available version (at least 2.6.32).

Wyzi Premium

Wyzi Service Business Finder WordPress theme is a social business & service multi-store directory theme.

Vulnerability: Cross-site scripting (XSS)
Fixed in version: 2.4.3
Number of sites affected: 2 000+

Cross-Site Scripting (XSS) vulnerability found by Daniel Ruf in WordPress Wyzi premium theme (versions <= 2.4.2).

Update the WordPress Wyzi premium theme to the latest available version (at least 2.4.3).

Paid Memberships Pro

Paid Memberships Pro gives the tools to manage a membership site.

Vulnerability: Insecure direct object reference & sensitive information disclosure
Fixed in version: 2.5.3
Number of sites affected: 100 000+

Insecure Direct Object Reference & sensitive information disclosure vulnerability found in WordPress Paid Memberships Pro plugin (versions <= 2.5.2).

Update the WordPress Paid Memberships Pro plugin to the latest available version (at least 2.5.3).

Ultimate GDPR & CCPA Compliance Toolkit for WordPress

A GDPR and CCPA compliance toolkit plugin for WordPress.

Vulnerability: Unauthenticated settings import & export vulnerability
Fixed in version: 2.5
Number of sites affected: 6 000+

Unauthenticated Settings Import & Export vulnerability found by Jerome Bruandet in WordPress Ultimate GDPR & CCPA Compliance Toolkit premium plugin (versions <= 2.4).

Update the WordPress Ultimate GDPR & CCPA Compliance Toolkit premium plugin to the latest available version (at least 2.5).

Contact Form 7 Style

Contact Form 7 Style plugin is an add-on for Contact Form 7 which enables custom styling.

Vulnerability: Cross-site request forgery (CSRF) leading to stored cross-site scripting (XSS)
Fixed in version: no known fix
Number of sites affected: 50 000+

Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) vulnerability found by Wordfence Threat Intelligence team in WordPress Contact Form 7 Style plugin (versions <= 3.1.9).

2021-02-05 – We were unable to find a fixed version of this plugin. WordPress.org notice: “This plugin has been closed as of February 1, 2021, and is not available for download. This closure is temporary, pending a full review.”

MStore API

The plugin is used to configure the MStore/FluxStore mobile app and provides a REST API for the app to connect to.

Vulnerability: Bypass vulnerability in Apple login authentication method
Fixed in version: 3.2.0
Number of sites affected: 4 000+

Bypass vulnerability in Apple login authentication method found by Vincent Datrier in WordPress MStore API plugin (versions <= 3.1.9).

Update the WordPress MStore API plugin to the latest available version (at least 3.2.0).

Photo Gallery by 10Web

Photo Gallery is a plugin to build galleries.

Vulnerability: Cross-site scripting (XSS)
Fixed in version: 1.5.68
Number of sites affected: 300 000+

Cross-site scripting (XSS) vulnerability found in WordPress Photo Gallery by 10Web plugin (versions <= 1.5.67).

Update the WordPress Photo Gallery by 10Web plugin to the latest available version (at least 1.5.68).

WP Editor

WP Editor is a plugin for WordPress that replaces the default plugin and theme editors as well as the page/post editor.

Vulnerability: SQL injection (SQLi)
Fixed in version: 1.2.7
Number of sites affected: 60 000+

SQL injection (SQLi) vulnerability found by Nguyen Van Khanh in WordPress WP Editor plugin (versions <= 1.2.6.3).

Update the WordPress WP Editor plugin to the latest available version (at least 1.2.7).

January 2021 WordPress vulnerability list

uListing

Design and display listings for any niche – such as potential apartments for rent or sale, job, event, property, real estate, and course listing.

Vulnerabilities: Unauthenticated arbitrary account creation/change, unauthenticated arbitrary post/page deletion, unauthenticated arbitrary roles and capabilities creation/deletion, multiple unauthenticated SQL injection (SQLi), unauthenticated information disclosure
Fixed in version: 1.7
Number of sites affected: 3 000+

There are multiple vulnerabilities in the uListing WordPress plugin. The vulnerabilities are fixed in version 1.7. Update the WordPress uListing plugin to the latest available version.

Contact Form 7 Database Addon – CFDB7

The “CFDB7” plugin saves contact form 7 submissions to your WordPress database. Export the data to a CSV file.

Vulnerability: Insufficient input sanitization leading to authenticated SQL injection (SQLi)
Fixed in version: 1.2.5.4
Number of sites affected: 300 000+

Insufficient input sanitization leading to authenticated SQL injection (SQLi) vulnerability found in WordPress Contact Form 7 Database Addon – CFDB7 plugin (versions <= 1.2.5.3).

Update the WordPress Contact Form 7 Database Addon – CFDB7 plugin to the latest available version (at least 1.2.5.4).

Doneren met Mollie

A charity donation plugin supporting one-time donations and periodic payments through several payment methods.

Vulnerability: Authenticated information disclosure vulnerability
Fixed in version: 2.8.5
Number of sites affected: 4 000+

Authenticated Information Disclosure vulnerability found in WordPress Doneren met Mollie plugin (versions <= 2.8.4).

Update the WordPress Doneren met Mollie plugin to the latest available version (at least 2.8.5).

Digital Climate Strike WP

A WordPress plugin to spread the word about the #ClimateStrike.

Vulnerability: Redirect to malicious websites
Fixed in version: no known fix
Number of sites affected: N/A

Redirect to malicious websites vulnerability found in WordPress Digital Climate Strike WP plugin (versions <= 1.0.0).

We were unable to find a patched version of this plugin. WordPress.org notification: “This plugin has been closed as of January 20, 2021, and is not available for download. This closure is temporary, pending a full review.”

Under Construction

Create an under construction page, maintenance mode page, coming soon page or a landing page.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 3.86
Number of sites affected: 400 000+

Authenticated stored cross-site scripting (XSS) vulnerability found by Julien (atmon3r) in WordPress Under Construction plugin (versions <= 3.85).

Update the WordPress Under Construction plugin to the latest available version (at least 3.86).

123ContactForm

123 Form Builder makes it easy to build any form for any purpose without having to write a single line of code.

Vulnerability: Arbitrary file upload, arbitrary post creation, and validation bypass via plugin verification
Fixed in version: no known fix – plugin closed
Number of sites affected: 35 000+

Arbitrary file upload vulnerability, arbitrary post creation vulnerability, and validation bypass via plugin verification vulnerability found in WordPress 123ContactForm plugin (versions <= 1.5.6).

We were unable to find a patched version of this plugin. Notification from WordPress plugin repository: “This plugin has been closed as of October 27, 2020, and is not available for download. Reason: Security Issue.”

301 Redirects – Easy Redirect Manager

301 Redirects helps you manage and create 301, 302, 307 redirects for your WordPress site to improve SEO and visitor experience.

Vulnerability: Authenticated SQL injection (SQLi)
Fixed in version: 2.5.1
Number of sites affected: 100 000+

Authenticated SQL Injection (SQLi) vulnerability found in WordPress 301 Redirects – Easy Redirect Manager plugin (versions <= 2.50).

Update the WordPress 301 Redirects – Easy Redirect Manager plugin to the latest available version (at least 2.5.1).

Stockdio Historical Chart

Stockdio Historical Chart contains a plugin and a widget that provide the means to display a live chart with intraday and historical prices and information for stock, index, currencies or commodities.

Vulnerability: Cross-site scripting (XSS)
Fixed in version: 2.8.1
Number of sites affected: 1 000+

Cross-Site Scripting (XSS) vulnerability found in WordPress Stockdio Historical Chart plugin (versions <= 2.7.2).

Update the WordPress Stockdio Historical Chart plugin to the latest available version (at least 2.8.1).

FV Flowplayer Video Player

FV Player is a solution for embedding FLV or MP4 videos into your posts or pages. 

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 7.4.38.727
Number of sites affected: 40 000+

Authenticated stored cross-site scripting (XSS) vulnerability found in WordPress FV Flowplayer Video Player plugin (versions <= 7.4.37.727).

Update the WordPress FV Flowplayer Video Player plugin to the latest available version (at least 7.4.38.727).

Simple Job Board

Simple Job Board by PressTigers is an easy, lightweight plugin that adds a job board to your WordPress website.

Vulnerability: Authenticated directory traversal
Fixed in version: 2.9.4
Number of sites affected: 20 000+

The issue was quickly resolved by the developer (on 19 January 2021); update the Simple Job Board plugin to 2.9.4.

Orbit Fox by ThemeIsle

Extend your theme functionality with Orbit Fox with various modules like social media share buttons & icons, uptime monitoring, Google Analytics, custom menu-icons and more.

Vulnerability: Authenticated stored cross-site scripting (XSS) & authenticated privilege escalation
Fixed in version: 2.10.3
Number of sites affected: 400 000+

Update the WordPress Orbit Fox by ThemeIsle plugin to the latest available version (at least 2.10.3).

Elementor Contact Form DB

A simple plugin to store Elementor Pro Form submissions.

Vulnerability: Cross-site request forgery (CSRF) via backend admin pages
Fixed in version: 1.6
Number of sites affected: 40 000+

There is a cross-site request forgery (CSRF) via backend admin pages vulnerability found in the WordPress Elementor Contact Form DB plugin (versions <= 1.5).

Update the WordPress Elementor Contact Form DB plugin to the latest available version (at least 1.6).

Custom Global Variables

Create your own custom variables to manage information on your website.

Vulnerability: Stored cross-site scripting (XSS)
Fixed in version: no known fix
Number of sites affected: N/A

Stored cross-site scripting (XSS) vulnerability found by Swapnil Subhash Bodekar in WordPress Custom Global Variables plugin (versions <= 1.0.5).

We couldn’t find a patched version of this plugin. The last version was released two years ago and the plugin is poorly maintained, so we recommend you deactivate and uninstall it until a patched version is available.

WP24 Domain Check

WP24 Domain Check allows users to check whether domains are available for registration.

Vulnerability: Stored cross-site scripting (XSS)
Fixed in version: no known fix
Number of sites affected: N/A

Stored cross-site scripting (XSS) vulnerability found by Mehmet Kelepçe in WordPress WP24 Domain Check plugin (versions <= 1.6.2).

We were unable to find a patched version of this plugin.

Stripe Payments

The Stripe Payments plugin allows you to accept credit card payments via Stripe payment gateway on your WordPress site easily.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 2.0.40
Number of sites affected: 40 000+

Authenticated Stored Cross-Site Scripting (XSS) vulnerability found by Park Won Seok in WordPress Stripe Payments plugin (versions <= 2.0.39).

Update the WordPress Stripe Payments plugin to the latest available version (at least 2.0.40).

WP-Paginate

WP-Paginate is a simple and flexible pagination plugin which provides users with better navigation on your WordPress site.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 2.1.4
Number of sites affected: 40 000+

Authenticated stored cross-site scripting (XSS) vulnerability found by Park Won Seok in WordPress WP Paginate plugin (versions <= 2.1.3).

Update the WordPress WP Paginate plugin to the latest available version (at least 2.1.4).

Contact Form Submissions

Once activated, all Contact Form 7 submissions are saved so you can view them in wp-admin.

Vulnerability: Authenticated double query SQL injection (SQLi) vulnerability
Fixed in version: no known fix
Number of sites affected: 50 000+

Vulnerability: Authenticated SQL injection (SQLi) vulnerability
Fixed in version: no known fix
Number of sites affected: 50 000+

Authenticated double query SQL injection and authenticated SQL injection (SQLi) vulnerabilities found in WordPress Contact Form Submissions plugin (versions <= 1.6.4).

We could not find a patched version of this plugin (last updated 10 months ago). The plugin is poorly maintained, so we recommend deactivating and deleting it, at least until a patched version is available.

Site Offline Or Coming Soon Or Maintenance Mode

Site Offline provides a retina-ready template with a countdown.

Vulnerability: Multiple cross-site request forgery (CSRF) vulnerabilities
Fixed in version: 1.4.4
Number of sites affected: 40 000+

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities found in the WordPress Site Offline plugin (versions <= 1.4.2). Update the WordPress Site Offline plugin to the latest available version (at least 1.4.4).

Newsletter Manager

Newsletter management plugin for WordPress.

Vulnerability: Unauthenticated insecure deserialization vulnerability
Fixed in version: no known fix – plugin closed
Number of sites affected: 5000+

Unauthenticated insecure deserialization vulnerability found in WordPress Newsletter Manager plugin (versions <= 1.5.1).

We were unable to find a patched version of this plugin. WordPress.org notification: “This plugin has been closed as of October 28, 2020 and is not available for download. Reason: Security Issue.”

Read more about the WordPress vulnerability here.

Internal Links Manager

A WordPress plugin to manage internal links.

Vulnerability: Stored cross-site scripting (XSS) and cross-site request forgery (CSRF), and authenticated shell upload
Fixed in version: no known fix – plugin closed
Number of sites affected: N/A

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities found by Chevon Phillip in WordPress Internal Links Manager plugin (versions <= 2.1.0).

We were unable to find a patched version of this plugin. Notification from WordPress.org – “This plugin has been closed as of December 28, 2020, and is not available for download. This closure is temporary, pending a full review.”

Thumbnail carousel slider

A responsive thumbnail slider for WordPress sites.

Vulnerability: Stored cross-site scripting (XSS) and cross-site request forgery (CSRF), and authenticated shell upload
Fixed in version: 1.0.1
Number of sites affected: 5000+

There are multiple vulnerabilities found by Arash Khazaei in the WordPress Thumbnail carousel slider plugin (versions <= 1.0). Update the WordPress Thumbnail carousel slider plugin to the latest available version (at least 1.0.1).

Read more about the WordPress vulnerability here.

LiteSpeed Cache

LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features.

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 3.6.1
Number of sites affected: 1+ million

Authenticated Stored Cross-Site Scripting (XSS) vulnerability found by WonTae Jang in WordPress LiteSpeed Cache plugin (versions <= 3.6). Update the WordPress LiteSpeed Cache plugin to the latest available version (at least 3.6.1).

Adning Advertising – Professional, All In One Ad Manager for WordPress

The “Adning” (formerly WP PRO Advertising System) WordPress plugin focuses on easy banner management for any WordPress site.

Vulnerability: Arbitrary File Upload vulnerability
Fixed in version: 1.5.6
Number of sites affected: 9000+

Arbitrary File Upload vulnerability found by Spacehen in WordPress Adning Advertising premium plugin (versions <= 1.5.5). Update the WordPress Adning Advertising premium plugin to the latest available version (at least 1.5.6).

WordPress Vulnerability News – Conclusion

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet and therefore a target: as soon as your website is available to the public, it immediately becomes one.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated. To be able to fight back, you have a small time window in which to take action. In such cases, web application firewalls are of critical importance.

Always keep your plugins updated. If possible, enable automatic updates. If you are using any of the mentioned plugins, you need to update them to the latest version as soon as possible.

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with the WebARX firewall installed are protected from the security issues mentioned in this article. If you are not protecting your WordPress site against plugin vulnerabilities yet, go and start for free here.

Frequently asked questions about WordPress vulnerability

How do I know if I have a vulnerable WordPress plugin on my site?

The best way to know is to monitor your site for vulnerabilities. WebARX gives you an overview and monitoring panel where you have the opportunity to gain a full overview of what is going on with your sites. You can also enable auto-updates for vulnerable plugins and receive notifications if any of the sites you manage are outdated or at risk.

How to choose a WordPress security tool?

This will require some critical thinking, as many providers offer 100% security. This can never be promised. When choosing, make sure the security provider offers a managed web application firewall with virtual patches and active support.

Where can I find out if I have vulnerable plugins on my site?

WebARX shows all the software and plugin vulnerabilities once you have installed it on your site. It helps you to always be on top of vulnerabilities, with protection and updates.

Does installing many WordPress plugins negatively affect security?

There is no rule of thumb on how many plugins you should have on your site, but if you choose to add functionality to your site using plugins, you should closely monitor available updates.

As said – hundreds of WordPress sites get hacked every day. Statistics say that 98% of hacking incidents happen because of outdated plugins and themes. We recommend using the auto-update feature on vulnerable plugins and installing a managed web application firewall that sends automatic virtual patches to your sites.

If you have a lot of plugins you should strongly consider using WebARX to protect your sites.

How many websites are hacked every day?

On average, 30 000 new websites are hacked every day. These 30 000 sites are usually legitimate small business sites that are unwittingly distributing malware.
