WordPress vulnerability report: November 2021, Part 4

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress vulnerability report, powered by WPScan, covers recent WordPress plugin, theme and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website. Each vulnerability is given a severity rating of low, medium, high or critical. Transparency and reporting of vulnerabilities is an essential part of keeping the WordPress community safe. Please share this post with your friends, spread the word and help everyone keep WordPress safer.
Report for November 24, 2021

In this report:
GoDaddy WordPress Hosting Breach
WordPress Core Vulnerabilities
WordPress Plugin Vulnerabilities
1. Pixel Cat Lite
2. Multifunctional Gallery
3. Stop Bad Bots
4. Temporary Login Without Password
5. ProfilePress
6. Modern Events Calendar
7. Auto Featured Image
8. Ultimate Nofollow
9. NEX-Forms
10. SEO Booster
11. WP System Log
12. Inspirational Quote Rotator
13. Single Post Exporter
14. Flex Local Fonts
15. WP Admin Logo Link
16. Contact Form Advanced Database
17. Flashing Button
18. Filterable Portfolio Gallery
19. WP Limits
20. Page/Post Content Shortcode
21. Include Page Improved
22. Mediamatic
23. Display Post Meta
24. ToTop Link
25. User Meta Shortcodes
26. Quotes Collection
27. WordPress Push Notifications (Lite)
28. SportsPress
29. Login/Signup Popup
30. WooCommerce Email Preview
31. WP User Frontend
32. Directorist – Business Directory Plugin
33. Simple Registration Form
34. WP Reset Pro
35. WordPress + Microsoft Office 365
36. Duplicate Post
37. Backup Migration
How to Protect Your Website from Vulnerable WordPress Plugins and Themes

GoDaddy WordPress Hosting Breach
In a security disclosure released on November 21, 2021, GoDaddy said that an attacker exposed the data of up to 1.2 million active and inactive customers after gaining access to its Managed WordPress hosting platform.
We recently published a post covering the details of the GoDaddy breach, its impact on customers, and what GoDaddy's WordPress hosting customers should do now.

WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.2. As a best practice, always run the latest version of WordPress core.

WordPress Plugin Vulnerabilities
This section discloses the latest WordPress plugin vulnerabilities. Each plugin entry lists the vulnerability type, the version in which it was patched, and the severity score. Where a plugin has been closed with no known fix, the advice is to deactivate and delete it: deactivating alone leaves the plugin's files on disk, where standalone PHP files can still be requested directly.
1. Pixel Cat Lite
Plugin: Pixel Cat Lite
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.6.3
Severity score: Low
The vulnerability is patched, so you should update to version 2.6.3.

Plugin: Pixel Cat Lite
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in version: 2.6.2
Severity score: High
The vulnerability is patched, so you should update to version 2.6.2.

2. Multifunctional Gallery
Plugin: Multifunctional Gallery
Vulnerability: Admin+ Local File Inclusion
Patched in version: 2.5.0
Severity score: Low
The vulnerability is patched, so you should update to version 2.5.0.

3. Stop Bad Bots
Plugin: Stop Bad Bots
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 6.67
Severity score: Critical
The vulnerability is patched, so you should update to version 6.67.

4. Temporary Login Without Password
Plugin: Temporary Login Without Password
Vulnerability: Subscriber+ Plugin Settings Update
Patched in version: 1.7.1
Severity score: Medium
The vulnerability is patched, so you should update to version 1.7.1.

5. ProfilePress
Plugin: ProfilePress
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.2.3
Severity score: Medium
The vulnerability is patched, so you should update to version 3.2.3.

Plugin: ProfilePress
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.2.3
Severity score: High
The vulnerability is patched, so you should update to version 3.2.3.

6. Modern Events Calendar
Plugin: Modern Events Calendar
Vulnerability: Unauthenticated Blind SQL Injection
Patched in version: 6.1.5
Severity score: High
The vulnerability is patched, so you should update to version 6.1.5.

Plugin: Modern Events Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 6.1.5
Severity score: High
The vulnerability is patched, so you should update to version 6.1.5.

7. Auto Featured Image
Plugin: Auto Featured Image
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.9.3
Severity score: Medium
The vulnerability is patched, so you should update to version 3.9.3.

8. Ultimate Nofollow
Plugin: Ultimate Nofollow
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: No known fix – plugin closed
Severity score: Medium
The vulnerability is unpatched. The plugin was closed on September 28, 2021. Deactivate and delete.

9. NEX-Forms
Plugin: NEX-Forms
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in version: No known fix – plugin closed
Severity score: Low
The vulnerability is unpatched. The plugin was closed on October 4, 2021. Deactivate and delete.

10. SEO Booster
Plugin: SEO Booster
Vulnerability: Admin+ SQL Injection
Patched in version: No known fix – plugin closed
Severity score: Medium
The vulnerability is unpatched. The plugin was closed on October 5, 2021. Deactivate and delete.

11. WP System Log
Plugin: WP System Log
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in version: 1.0.21
Severity score: Critical
The vulnerability is patched, so you should update to version 1.0.21.

12. Inspirational Quote Rotator
Plugin: Inspirational Quote Rotator
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No known fix – plugin closed
Severity score: Low
The vulnerability is unpatched. The plugin was closed on September 23, 2021. Deactivate and delete.

13. Single Post Exporter
Plugin: Single Post Exporter
Vulnerability: Plugin Settings Update via CSRF
Patched in version: No known fix – plugin closed
Severity score: Medium
The vulnerability is unpatched. The plugin was closed on September 23, 2021. Deactivate and delete.

14. Flex Local Fonts
Plugin: Flex Local Fonts
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No known fix – plugin closed
Severity score: Low
The vulnerability is unpatched. The plugin was closed on September 23, 2021. Deactivate and delete.

15. WP Admin Logo Link
Plugin: WP Admin Logo Link
Vulnerability: Plugin Settings Update via CSRF
Patched in version: No known fix – plugin closed
Severity score: Medium
The vulnerability is unpatched. The plugin was closed on October 4, 2021. Deactivate and delete.

16. Contact Form Advanced Database
Plugin: Contact Form Advanced Database
Vulnerability: Unauthorized AJAX Calls
Patched in version: No known fix
Severity score: Medium
The plugin was closed on September 27, 2021 and cannot be downloaded. This closure is temporary, pending a full review. Deactivate and delete until a fix is available.

17. Flashing Button
Plugin: Flashing Button
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in version: No known fix
Severity score: High
The plugin was closed on September 27, 2021 and cannot be downloaded. This closure is temporary, pending a full review. Deactivate and delete until a fix is available.

18. Filterable Portfolio Gallery
Plugin: Filterable Portfolio Gallery
Vulnerability: Arbitrary Gallery Deletion via CSRF
Patched in version: No known fix
Severity score: Medium
The plugin was closed on September 27, 2021 and cannot be downloaded. This closure is temporary, pending a full review. Deactivate and delete until a fix is available.

19. WP Limits
Plugin: WP Limits
Vulnerability: Plugin Settings Update via CSRF
Patched in version: No known fix
Severity score: Medium
The plugin was closed on October 4, 2021 and cannot be downloaded. This closure is temporary, pending a full review. Deactivate and delete until a fix is available.

20. Page/Post Content Shortcode
Plugin: Page/Post Content Shortcode
Vulnerability: Contributor+ Arbitrary Post/Page Access
Patched in version: No known fix
Severity score: Medium
The plugin was closed on October 4, 2021 and cannot be downloaded. This closure is temporary, pending a full review. Deactivate and delete until a fix is available.

21. Include Page Improved
Plugin: Include Page Improved
Vulnerability: Contributor+ Arbitrary Post/Page Access
Patched in version: No known fix
Severity score: Medium
The plugin was closed on October 8, 2021 and cannot be downloaded. This closure is temporary, pending a full review. Deactivate and delete until a fix is available.

22. Mediamatic
Plugin: Mediamatic
Vulnerability: Subscriber+ SQL Injection
Patched in version: No known fix
Severity score: High
The plugin was closed on October 11, 2021 and cannot be downloaded. This closure is temporary, pending a full review. Deactivate and delete until a fix is available.

23. Display Post Meta
Plugin: Display Post Meta
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: No known fix
The plugin was closed on October 21, 2021 and cannot be downloaded. This closure is temporary, pending a full review. Deactivate and delete until a fix is available.

24. ToTop Link
Plugin: ToTop Link
Vulnerability: Unauthenticated PHP Object Injection
Patched in version: No known fix
Severity score: Medium
The plugin was closed on October 21, 2021 and cannot be downloaded. This closure is temporary, pending a full review. Deactivate and delete until a fix is available.

25. User Meta Shortcodes
Plugin: User Meta Shortcodes
Vulnerability: Contributor+ Unauthorized User Meta Access
Patched in version: No known fix
Severity score: High
The plugin was closed on October 12, 2021 and cannot be downloaded. This closure is temporary, pending a full review. Deactivate and delete until a fix is available.

26. Quotes Collection
Plugin: Quotes Collection
Vulnerability: Admin+ SQL Injection
Patched in version: No known fix
Severity score: Medium
The plugin was closed on October 13, 2021 and cannot be downloaded. This closure is temporary, pending a full review. Deactivate and delete until a fix is available.

27. WordPress Push Notifications (Lite)
Plugin: WordPress Push Notifications (Lite)
Vulnerability: Settings Update via CSRF
Patched in version: 6.0.1
Severity score: Medium
The vulnerability is patched, so you should update to version 6.0.1.

28. SportsPress
Plugin: SportsPress
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.7.9
Severity score: High
The vulnerability is patched, so you should update to version 2.7.9.

29. Login/Signup Popup
Plugin: Login/Signup Popup
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.2
Severity score: High
The vulnerability is patched, so you should update to version 2.2.

30. WooCommerce Email Preview
Plugin: WooCommerce Email Preview
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.0.0
Severity score: Medium
The vulnerability is patched, so you should update to version 2.0.0.

31. WP User Frontend
Plugin: WP User Frontend (membership, profile, registration and post submission plugin)
Patched in version: 3.5.25
Severity score: Medium
The vulnerability is patched, so you should update to version 3.5.25.

32. Directorist – Business Directory Plugin
Plugin: Directorist – Business Directory Plugin
Vulnerability: Remote file upload
The vulnerability is patched, so you should update to the latest version.

33. Simple Registration Form
Plugin: Simple Registration Form
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: No known fix
Severity score: High
The plugin was closed on November 12, 2021 and cannot be downloaded. This closure is temporary, pending a full review. Deactivate and delete until a fix is available.

34. WP Reset Pro
Plugin: WP Reset Pro
Vulnerability: User+ Database Reset
Patched in version: 5.99
Severity score: Critical
The vulnerability is patched, so you should update to version 5.99.

Plugin: WP Reset Pro
Vulnerability: Database Reset via CSRF
Patched in version: 5.99
Severity score: Critical
The vulnerability is patched, so you should update to version 5.99.

35. WordPress + Microsoft Office 365
Plugin: WordPress + Microsoft Office 365
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in version: 15.4
Severity score: Critical
The vulnerability is patched, so you should update to version 15.4.

36. Duplicate Post
Plugin: Duplicate Post
Vulnerability: Authenticated SQL Injection
Patched in version: 1.2.0
Severity score: Medium
The vulnerability is patched, so you should update to version 1.2.0.

37. Backup Migration
Plugin: Backup Migration
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.1.6
Severity score: Medium
The vulnerability is patched, so you should update to version 1.1.6.

How to Protect Your Website from Vulnerable WordPress Plugins and Themes
As you can see, many new WordPress plugin and theme vulnerabilities are disclosed every week. Because it is hard to keep up with every disclosed vulnerability, the iThemes Security Pro plugin makes it easy to find out whether your site is running a theme, plugin or WordPress core version with a known vulnerability.
1. Install the iThemes Security Pro plugin. iThemes Security Pro hardens a WordPress site against the most common ways websites get hacked, with more than 30 ways to protect your site in one easy-to-use plugin.
2. Enable Site Scan to identify known vulnerabilities. The Version Management feature of iThemes Security Pro integrates with Site Scan and can automatically update vulnerable themes, plugins and WordPress core versions.
3. Monitor file changes to detect a compromise quickly. The File Change Detection feature of iThemes Security Pro scans the files on your site and notifies you when they change.
iThemes Security Pro adds further layers of protection, including two-factor authentication, brute force protection, strong password enforcement, a site scanner for plugin and theme vulnerabilities, file change detection, a real-time security dashboard and WordPress security logging.
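If you would rather run the version check yourself, here is an added example (written for this article, not code from iThemes or WPScan) that audits a site against the entries above. It reads the JSON that `wp plugin list --format=json` prints, compares installed versions numerically against the patched versions from this report, and flags closed plugins for removal. The plugin slugs in the tables and the sample plugin list are assumptions constructed for the example; use the real directory names under wp-content/plugins on your site.

```python
"""Audit installed WordPress plugins against this vulnerability report.

Added example for this article, not code from iThemes or WPScan.
Input is the JSON printed by `wp plugin list --format=json`
(fields: name, status, update, version).
"""
import json
import re
from typing import Dict, List, Set

# Patched versions taken from the entries in the report above. The slugs
# (directory names under wp-content/plugins) are ASSUMED for illustration.
PATCHED_IN: Dict[str, str] = {
    "pixelcat-lite": "2.6.3",
    "stopbadbots": "6.67",
    "temporary-login-without-password": "1.7.1",
    "modern-events-calendar": "6.1.5",
    "wp-system-log": "1.0.21",
    "wp-reset-pro": "5.99",
    "backup-migration": "1.1.6",
}

# Plugins the report lists as closed with no known fix: deactivate AND delete.
# Slugs again assumed for illustration.
CLOSED_NO_FIX: Set[str] = {
    "ultimate-nofollow",
    "nex-forms",
    "seo-booster",
    "mediamatic",
    "simple-registration-form",
}


def parse_version(version: str) -> List[int]:
    """Turn '6.67' into [6, 67] so each component compares numerically.

    Plain string comparison would rank '6.67' below '6.7', which is wrong,
    and would treat '2.0' and '2.0.0' as different versions.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:  # trailing zeros do not change the version
        parts.pop()
    return parts


def is_vulnerable(installed: str, patched_in: str) -> bool:
    """True when the installed version is older than the patched version."""
    return parse_version(installed) < parse_version(patched_in)


def audit(plugin_list_json: str) -> List[Dict[str, str]]:
    """Return one finding per plugin that needs action.

    Inactive plugins are checked too: deactivation only stops WordPress from
    loading the plugin; its files stay on disk and can still be requested
    directly, which is why the report says delete, not just deactivate.
    """
    findings: List[Dict[str, str]] = []
    for plugin in json.loads(plugin_list_json):
        slug = plugin["name"]
        version = plugin.get("version", "0")
        status = plugin.get("status", "unknown")
        if slug in CLOSED_NO_FIX:
            findings.append({"plugin": slug, "installed": version, "status": status,
                             "action": "closed with no fix: deactivate and delete"})
        elif slug in PATCHED_IN and is_vulnerable(version, PATCHED_IN[slug]):
            findings.append({"plugin": slug, "installed": version, "status": status,
                             "action": f"update to {PATCHED_IN[slug]}"})
    return findings


# Constructed sample in the shape of `wp plugin list --format=json`; not real data.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "pixelcat-lite", "status": "active", "update": "available", "version": "2.6.2"},
    {"name": "stopbadbots", "status": "active", "update": "none", "version": "6.67"},
    {"name": "nex-forms", "status": "inactive", "update": "none", "version": "7.9.7"},
    {"name": "wp-reset-pro", "status": "active", "update": "none", "version": "5.98"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.2.1"},
])

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLUGIN_LIST):
        print(f"{finding['plugin']} {finding['installed']} ({finding['status']}): {finding['action']}")
```

On a real site, pipe the output of `wp plugin list --format=json` into `audit()` and extend the two tables from each week's report; the numeric comparison matters because several entries above (6.67, 5.99, 1.0.21) would sort incorrectly as strings.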
