Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report, powered by WPScan, covers recently disclosed vulnerabilities in WordPress plugins, themes and core, and what to do if you are running one of the vulnerable plugins or themes on your website. Each vulnerability is rated Low, Medium, High or Critical. Transparency and responsible disclosure are an essential part of keeping the WordPress community safe.

What's new in this report: vulnerabilities are now listed by number of active installations rather than by disclosure date.
Please share this post with your friends to help everyone use WordPress more safely!

In this report (January 12, 2022):
WordPress core vulnerabilities
WordPress plugin vulnerabilities
1. SVG Support
2. Asset CleanUp
3. Paid Memberships Pro
4. NextScripts: Social Networks Auto-Poster
5. Ivory Search
6. Simple Social Seeds
7. Visual CSS Style Editor
8. Contact Form Entries
9. Advanced Cron Manager
10. WP Legal Pages
11. WP Visitor Statistics (Real Time Traffic)
12. Wicked Folders
13. Sponsor Candy
14. Ukmouth Product Reordering
15. IP2Location Country Blocker
16. Awesome Support – WordPress HelpDesk & Support Plugin
17. Ultimate Product Catalogue
18. Document Embedder
19. RVM – Responsive Vector Maps
20. Mediamatic
21. Woopra
22. User Rights Access Manager
23. YuMoney Button
24. TrustMate for WooCommerce.io Integration
25. TrueRanker
26. WebHotelier Titan Framework for WordPress
WordPress premium plugin vulnerabilities
27. Advanced Cron Manager Pro
WordPress plugin vulnerabilities with no known fix
28. Contact Form 7 Skins
29. WooRockets Nitro
30. Amazon community

Protect your WordPress website from vulnerable plugins and themes with iThemes Security Pro's year-round site security monitoring. Want this report delivered to your inbox every week? Subscribe to the weekly email.

WordPress core vulnerabilities

The latest version of WordPress core, 5.8.3, was released on January 6, 2022 as a short-cycle security release. All sites should update immediately. You can download it from WordPress.org, or go to Dashboard > Updates in your WordPress admin and click "Update Now" to update to WordPress 5.8.3. If your site has automatic background updates enabled, it may already have been updated.

WordPress 5.8.3 fixes four vulnerabilities:

Vulnerability: SQL injection via WP_Query
Patched in: 5.8.3
Description: WP_Query does not properly sanitize some of its input, so blind SQL injection may be possible through plugins or themes that use it in certain ways.
The vulnerability is patched; make sure your site is running WordPress 5.8.3.

Vulnerability: Author+ stored XSS via post slugs
Patched in: 5.8.3
Description: Low-privileged authenticated users (such as Authors) can run JavaScript, i.e. a stored XSS attack, via the post slug, which can affect higher-privileged users who view the affected page.
The vulnerability is patched; make sure your site is running WordPress 5.8.3.

Vulnerability: Multisite super admin object injection
Patched in: 5.8.3
Description: In multisite installations, users with the Super Admin role can bypass explicit/additional hardening under certain conditions via object injection.
The vulnerability is patched; make sure your site is running WordPress 5.8.3.

Vulnerability: SQL injection via WP_Meta_Query
Patched in: 5.8.3
Description: WP_Meta_Query does not properly sanitize its input, so blind SQL injection may be possible.
The vulnerability is patched; make sure your site is running WordPress 5.8.3.

WordPress plugin vulnerabilities

This section lists the latest WordPress plugin vulnerabilities. Each entry gives the vulnerability type, number of active installations, patched version and severity rating.

1. SVG Support
Plugin: SVG Support
Vulnerability: Admin+ stored cross-site scripting
Active installations: 800,000+
Patched in: 2.3.20
Severity: Low
The vulnerability is patched; update to version 2.3.20.

2. Asset CleanUp
Plugin: Asset CleanUp
Vulnerability: Reflected cross-site scripting via AJAX action
Active installations: 100,000+
Patched in: 1.3.8.5
Severity: High
The vulnerability is patched; update to version 1.3.8.5.

Plugin: Asset CleanUp
Vulnerability: Reflected cross-site scripting
Active installations: 100,000+
Patched in: 1.3.8.5
Severity: Medium
The vulnerability is patched; update to version 1.3.8.5.

3. Paid Memberships Pro
Plugin: Paid Memberships Pro
Vulnerability: Unauthenticated blind SQL injection
Active installations: 100,000+
Patched in: 2.6.7
Severity: Critical
The vulnerability is patched; update to version 2.6.7.

4. NextScripts: Social Networks Auto-Poster
Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Arbitrary post deletion via CSRF
Active installations: 90,000+
Patched in: 4.3.25
Severity: Medium
The vulnerability is patched; update to version 4.3.25.

Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Unauthenticated stored XSS
Active installations: 90,000+
Patched in: 4.3.25
Severity: High
The vulnerability is patched; update to version 4.3.25.

5. Ivory Search
Plugin: Ivory Search
Vulnerability: Contributor+ stored cross-site scripting
Active installations: 80,000+
Patched in: 5.4.1
Severity: High
The vulnerability is patched; update to version 5.4.1.

6. Simple Social Seeds
Plugin: Simple Social Seeds
Vulnerability: Reflected cross-site scripting (XSS)
Active installations: 70,000+
Patched in: 6.2.7
Severity: High
The vulnerability is patched; update to version 6.2.7.

7. Visual CSS Style Editor
Plugin: Visual CSS Style Editor
Vulnerability: Reflected cross-site scripting
Active installations: 50,000+
Patched in: 7.5.4
Severity: High
The vulnerability is patched; update to version 7.5.4.

8. Contact Form Entries
Plugin: Contact Form Entries
Vulnerability: Unauthenticated stored cross-site scripting
Active installations: 40,000+
Patched in: 1.1.7
Severity: High
The vulnerability is patched; update to version 1.1.7.

9. Advanced Cron Manager
Plugin: Advanced Cron Manager
Vulnerability: Subscriber+ arbitrary event/schedule creation/deletion
Active installations: 30,000+
Patched in: 2.4.2
Severity: Medium
The vulnerability is patched; update to version 2.4.2.

10. WP Legal Pages
Plugin: WP Legal Pages
Vulnerability: Subscriber+ arbitrary settings update and stored XSS
Active installations: 20,000+
Patched in: 2.7.1
Severity: Medium
The vulnerability is patched; update to version 2.7.1.

11. WP Visitor Statistics (Real Time Traffic)
Plugin: WP Visitor Statistics (Real Time Traffic)
Vulnerability: Subscriber+ SQL injection

19. RVM – Responsive Vector Maps
Plugin: RVM – Responsive Vector Maps
Vulnerability: User+ arbitrary file read
Active installations: 6,000+
Patched in: 6.4.2
Severity: High
The vulnerability is patched; update to version 6.4.2.

20. Mediamatic
Plugin: Mediamatic
Vulnerability: Subscriber+ SQL injection
Active installations: 3,000+
Patched in: 2.8.1
Severity: High
The vulnerability is patched; update to version 2.8.1.

21. Woopra
Plugin: Woopra
Vulnerability: Unauthenticated arbitrary file upload
Active installations: 2,000+
Patched in: 1.4.3.2
Severity: Critical
The vulnerability is patched; update to version 1.4.3.2.

22. User Rights Access Manager
Plugin: User Rights Access Manager
Vulnerability: Access restriction bypass
Active installations: 900+
Patched in: 1.0.8
Severity: Medium
The vulnerability is patched; update to version 1.0.8.

23. YuMoney Button
Plugin: YuMoney Button (Titan Framework)
Vulnerability: Reflected cross-site scripting (XSS)
Active installations: 900+
Patched in: 2.4.0
Severity: High
The vulnerability is patched; update to version 2.4.0.

24. TrustMate for WooCommerce.io Integration
Plugin: TrustMate for WooCommerce.io Integration
Vulnerability: Subscriber+ arbitrary plugin settings update
Active installations: 300+
Patched in: 1.8.12
Severity: High
The vulnerability is patched; update to version 1.8.12.

Plugin: TrustMate for WooCommerce.io Integration
Vulnerability: Subscriber+ arbitrary blog option update
Active installations: 300+
Patched in: 1.7.1
Severity: High
The vulnerability is patched; update to version 1.8.12.

25. TrueRanker
Plugin: TrueRanker
Vulnerability: Unauthenticated arbitrary file access via path traversal
Active installations: 300+
Patched in: 2.2.4
Severity: High
The vulnerability is patched; update to version 2.2.4.

26. WebHotelier Titan Framework for WordPress
Plugin: WebHotelier Titan Framework for WordPress
Vulnerability: Reflected cross-site scripting (XSS)
Active installations: 200+
Patched in: 1.6.1
Severity: High
The vulnerability is patched; update to version 1.6.1.

WordPress premium plugin vulnerabilities

This section lists the latest vulnerabilities in premium WordPress plugins. Each entry gives the vulnerability type, patched version and severity rating.

27. Advanced Cron Manager Pro
Plugin: Advanced Cron Manager Pro
Vulnerability: Subscriber+ arbitrary event/schedule creation/deletion
Patched in: 2.5.3
Severity: Medium
The vulnerability is patched; update to version 2.5.3.

WordPress plugin vulnerabilities with no known fix

This section lists the latest vulnerabilities in plugins that have been closed (removed from the WordPress.org directory). Each entry gives the vulnerability type, severity rating and closure date.

28. Contact Form 7 Skins
Plugin: Contact Form 7 Skins
Vulnerability: Reflected cross-site scripting (XSS)
Active installations: 30,000+
Patched in: No known fix
Severity: Medium
The vulnerability is not patched. Uninstall and delete the plugin until a patch is released.

29. WooRockets Nitro
Plugin: WooRockets Nitro
Vulnerability: Unauthenticated arbitrary plugin installation
Patched in: No known fix
Severity: Critical
The vulnerability is not patched. Uninstall and delete the plugin until a patch is released.

30. Amazon community
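Acting on a report like this across more than one site means comparing each installed version with the patched version, and the trap is comparing version strings lexically: "1.3.10" sorts below "1.3.8.5" as text, which would flag an already-patched Asset CleanUp as vulnerable. The script below is an added example, not code from iThemes, WPScan or any plugin vendor. It assumes an inventory in the JSON shape that `wp plugin list --fields=title,version --format=json` prints (a list of objects with `title` and `version`), the inventory it ships with is constructed rather than taken from a real site, and its advisory table transcribes a subset of the entries above; plugins the report gives no fix for are mapped to a "remove" action, matching the report's advice.

```python
"""Cross-check a site's installed WordPress versions against this report.

Added example, not part of the iThemes/WPScan report. The inventory is a
constructed stand-in for `wp plugin list --fields=title,version
--format=json`; the patched versions are transcribed from the report.
"""
import json
import re

# Patched version per plugin as the report lists it (subset of the report).
# None means no known fix; the report's advice is to deactivate and delete.
ADVISORIES = {
    "SVG Support": ("2.3.20", "low"),
    "Asset CleanUp": ("1.3.8.5", "high"),
    "Paid Memberships Pro": ("2.6.7", "critical"),
    "NextScripts: Social Networks Auto-Poster": ("4.3.25", "high"),
    "Ivory Search": ("5.4.1", "high"),
    "Contact Form Entries": ("1.1.7", "high"),
    "Advanced Cron Manager": ("2.4.2", "medium"),
    "WP Legal Pages": ("2.7.1", "medium"),
    "Contact Form 7 Skins": (None, "medium"),
}
CORE_PATCHED = "5.8.3"


def parse_version(text: str) -> tuple:
    """Turn '1.3.8.5' into (1, 3, 8, 5) so components compare numerically.

    Trailing non-numeric suffixes such as '-beta1' are dropped; everything
    up to the first non-numeric component is kept.
    """
    nums = []
    for part in re.split(r"[.\-]", text.strip()):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def needs_update(installed: str, patched: str) -> bool:
    """True when the installed version is older than the patched release.

    Both tuples are zero-padded to the same length so '2.6' equals '2.6.0'.
    """
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def assess_core(version: str) -> str:
    """Action for WordPress core: 'ok' or the release to update to."""
    if needs_update(version, CORE_PATCHED):
        return f"update to {CORE_PATCHED}"
    return "ok"


def assess_plugins(inventory_json: str, advisories=ADVISORIES) -> list:
    """One finding per installed plugin the advisory table covers.

    Plugins not in the table are skipped: this script only knows about the
    vulnerabilities in this report, so 'not listed' is not 'safe'.
    """
    findings = []
    for plugin in json.loads(inventory_json):
        title, version = plugin["title"], plugin["version"]
        if title not in advisories:
            continue
        patched, severity = advisories[title]
        if patched is None:
            action = "remove"  # closed plugin, no fix available
        elif needs_update(version, patched):
            action = f"update to {patched}"
        else:
            action = "ok"
        findings.append({"title": title, "installed": version,
                         "severity": severity, "action": action})
    return findings


# Constructed inventory (not a real site); versions chosen to exercise each
# branch, including the '1.3.10' > '1.3.8.5' numeric-vs-lexical case.
SAMPLE_INVENTORY = json.dumps([
    {"title": "Asset CleanUp", "version": "1.3.10"},
    {"title": "Paid Memberships Pro", "version": "2.6.6"},
    {"title": "Contact Form 7 Skins", "version": "1.9.0"},
    {"title": "Akismet Anti-Spam", "version": "4.2.2"},
])

if __name__ == "__main__":
    print("core:", assess_core("5.8.2"))
    for finding in assess_plugins(SAMPLE_INVENTORY):
        print(finding)
```

Run it against real data by replacing `SAMPLE_INVENTORY` with the output of `wp plugin list --fields=title,version --format=json` for each site; because the script matches on display title, a renamed or forked plugin will be skipped, so treat "not listed" as "not checked" rather than "clean".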