WordPress vulnerability report: November 2021, Part 3

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress vulnerability report, powered by WPScan, covers recent WordPress plugin, theme and core vulnerabilities, along with what to do if you are running one of the vulnerable plugins or themes on your website. Each vulnerability is rated with a severity of low, medium, high or critical. Disclosing and reporting vulnerabilities openly is an essential part of keeping the WordPress community safe. Please share this post with your friends, spread the word and help everyone keep WordPress safer.

Contents of the report for November 17, 2021

WordPress core vulnerabilities
1. WordPress core: expired DST Root CA X3 certificate

WordPress plugin vulnerabilities
1. Event Calendar Registration
2. LoginWP
3. WooCommerce Call Converter
4. Secure Copy Content Protection and Content Locking
5. Bookly
6. Email Log
7. Tawk.To Live Chat
8. WP Data Access
9. PDF.js Viewer
10. Backup and Restore
11. LearnPress
12. Import Custom Field Value
13. Reservation Package
14. Like Button Rating
15. Caldera Forms
16. Starter Templates
17. Contact Form Email
18. Video Gallery – Vimeo and YouTube Gallery
19. WordPress Popular Posts

How to protect a WordPress website from vulnerable plugins and themes

Want this report delivered to your inbox every week by iThemes Security Pro? Subscribe to the weekly email.

WordPress core vulnerabilities

The latest version of WordPress core is 5.8.2. As a best practice, always run the latest version of WordPress core!
1. WordPress vulnerability: expired DST Root CA X3 certificate
Patched in version: 5.8.2
Description: the wp-includes/certificates/ca-bundle.crt file contained the DST Root CA X3 certificate, which expired on September 30, 2021, so security warnings appeared in some situations. Make sure you are running WordPress 5.8.2, where this has been fixed.

WordPress plugin vulnerabilities

This section discloses the latest WordPress plugin vulnerabilities. Each plugin entry lists the vulnerability type, the patched version number and the severity score.

1. Event Calendar Registration
Plugin: Event Calendar Registration
Vulnerability: unauthenticated SQL injection
Patched in version: 2.7.6
Severity score: High
The vulnerability is patched, so update to version 2.7.6.

2. LoginWP
Plugin: LoginWP
Vulnerability: reflected cross-site scripting
Patched in version: 3.0.0.5
Severity score: High
The vulnerability is patched, so update to version 3.0.0.5.

3. WooCommerce Call Converter
Plugin: WooCommerce Call Converter
Vulnerability: reflected cross-site scripting
Patched in version: 1.3.7.1
Severity score: Medium
The vulnerability is patched, so update to version 1.3.7.1.

4. Secure Copy Content Protection and Content Locking
Plugin: Secure Copy Content Protection and Content Locking
Vulnerability: Subscriber+ email address exposure
Patched in version: 2.8.2
Severity score: High
The vulnerability is patched, so update to version 2.8.2.

5. Bookly
Plugin: Bookly
Vulnerability: staff stored cross-site scripting
Patched in version: 20.3.1
Severity score: Medium
The vulnerability is patched, so update to version 20.3.1.

6. Email Log
Plugin: Email Log
Vulnerability: reflected cross-site scripting
Patched in version: 2.4.8
Severity score: High
The vulnerability is patched, so update to version 2.4.8.

7. Tawk.To Live Chat
Plugin: Tawk.To Live Chat
Vulnerability: Subscriber+ visitor monitoring and chat deletion
Patched in version: 0.6.0
Severity score: High
The vulnerability is patched, so update to version 0.6.0.

8. WP Data Access
Plugin: WP Data Access
Vulnerability: Admin+ SQL injection
Patched in version: 5.00
Severity score: High
The vulnerability is patched, so update to version 5.00.

9. PDF.js Viewer
Plugin: PDF.js Viewer
Vulnerability: Contributor+ stored cross-site scripting
Patched in version: 2.0.2
Severity score: Medium
The vulnerability is patched, so update to version 2.0.2.

10. Backup and Restore
Plugin: Backup and Restore
Vulnerability: Admin+ arbitrary file deletion
Patched in version: no known fix
Severity score: Medium
The vulnerability is not patched. Uninstall and remove the plugin until a patch is released.

11. LearnPress
Plugin: LearnPress
Vulnerability: Admin+ SQL injection
Patched in version: 4.1.4
Severity score: Medium
The vulnerability is patched, so update to version 4.1.4.

12. Import Custom Field Value
Plugin: Import Custom Field Value
Vulnerability: Contributor+ stored cross-site scripting
Patched in version: 4.0.1
Severity score: Medium
The vulnerability is patched, so update to version 4.0.1.

13. Reservation Package
Plugin: Reservation Package
Vulnerability: reflected cross-site scripting
Patched in version: 1.5.11
Severity score: Medium
The vulnerability is patched, so update to version 1.5.11.

14. Like Button Rating
Plugin: Like Button Rating
Vulnerability: unauthorised export of email and IP addresses
Patched in version: 2.6.38
Severity score: High
The vulnerability is patched, so update to version 2.6.38.

15. Caldera Forms
Plugin: Caldera Forms
Vulnerability: Admin+ stored cross-site scripting
Patched in version: 1.9.5
Severity score: Low
The vulnerability is patched, so update to version 1.9.5.

16. Starter Templates
Plugin: Starter Templates
Vulnerability: Contributor+ stored cross-site scripting via block import
Patched in version: 2.7.1
Severity score: High
The vulnerability is patched, so update to version 2.7.1.

17. Contact Form Email
Plugin: Contact Form Email
Vulnerability: Admin+ stored cross-site scripting
Patched in version: 1.3.25
Severity score: Low
The vulnerability is patched, so update to version 1.3.25.

18. Video Gallery – Vimeo and YouTube Gallery
Plugin: Video Gallery – Vimeo and YouTube Gallery
Vulnerability: Admin+ stored cross-site scripting
Patched in version: 1.1.5
Severity score: Low
The vulnerability is patched, so update to version 1.1.5.

19. WordPress Popular Posts
Plugin: WordPress Popular Posts
Vulnerability: Admin+ stored cross-site scripting
Patched in version: 5.3.4
Severity score: Low
The vulnerability is patched, so update to version 5.3.4.

How to protect a WordPress website from vulnerable plugins and themes

New WordPress plugin and theme vulnerabilities are disclosed every week. Because we know it is hard to keep up with every reported disclosure, the iThemes Security Pro plugin makes it easy to find out whether your site is running a theme, plugin or WordPress core version with a known vulnerability.
1. Install the iThemes Security Pro plugin. Harden your WordPress site and learn about the most common ways sites get hacked; the easy-to-use plugin gives you more than 30 ways to secure your site.
2. Enable Site Scan to identify known vulnerabilities. The Version Management feature of iThemes Security Pro integrates with Site Scan to protect the site by automatically updating vulnerable themes, plugins and WordPress core versions.
3. Monitor file changes to detect security breaches quickly. The key to spotting a breach early is monitoring file changes on the website. The File Change Detection feature of iThemes Security Pro scans the files on your website and notifies you when something changes.

Get iThemes Security Pro, the WordPress security plugin with round-the-clock website security monitoring. iThemes Security Pro provides more than 50 ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement and more, you can add layers of security to your website. Features include plugin and theme vulnerability detection, Site Scan, file change detection, a real-time website security dashboard, WordPress security logs, trusted devices, reCAPTCHA, brute force protection, two-factor authentication, passwordless login links, user permission reporting, and password requirement and refusal settings.
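The report boils down to one check per plugin: is the installed version below the patched version, or is there no fix at all? The following added example (not part of the original post or of iThemes Security Pro) performs that comparison over a few entries transcribed from the report. Plugin slugs and the `wp plugin list --format=json` sample are assumed, not taken from the page.

```python
import json
from typing import Dict, Optional, Tuple

# Hypothetical plugin slugs paired with the vulnerability, patched version and
# severity stated in the report above. None means "no known fix" (Backup and
# Restore), where the report's advice is to uninstall the plugin.
ADVISORIES: Dict[str, Tuple[str, Optional[str], str]] = {
    "event-calendar-registration": ("Unauthenticated SQL injection", "2.7.6", "High"),
    "loginwp": ("Reflected cross-site scripting", "3.0.0.5", "High"),
    "wp-data-access": ("Admin+ SQL injection", "5.00", "High"),
    "backup-and-restore": ("Admin+ arbitrary file deletion", None, "Medium"),
    "caldera-forms": ("Admin+ stored cross-site scripting", "1.9.5", "Low"),
}

def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '3.0.0.5' into (3, 0, 0, 5); trailing zeros are dropped so 5.00 == 5."""
    parts = [int(p) for p in version.strip().split(".") if p.isdigit()]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_vulnerable(installed: str, patched: Optional[str]) -> bool:
    """Vulnerable if no fix exists or the installed version is below the patched one."""
    if patched is None:
        return True
    return version_tuple(installed) < version_tuple(patched)

def check_site(plugin_list_json: str) -> Dict[str, str]:
    """Map each affected plugin slug to the action the report prescribes."""
    actions: Dict[str, str] = {}
    for plugin in json.loads(plugin_list_json):
        slug, version = plugin["name"], plugin["version"]
        if slug not in ADVISORIES:
            continue
        vuln, patched, severity = ADVISORIES[slug]
        if not is_vulnerable(version, patched):
            continue
        if patched is None:
            actions[slug] = f"{severity}: {vuln}; no fix available, uninstall"
        else:
            actions[slug] = f"{severity}: {vuln}; update {version} -> {patched}"
    return actions

# Constructed sample in the shape of `wp plugin list --format=json` output.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "event-calendar-registration", "status": "active", "version": "2.7.5"},
    {"name": "loginwp", "status": "active", "version": "3.0.0.5"},
    {"name": "wp-data-access", "status": "active", "version": "4.3.10"},
    {"name": "backup-and-restore", "status": "inactive", "version": "1.0"},
    {"name": "caldera-forms", "status": "active", "version": "1.10.0"},
])

if __name__ == "__main__":
    for slug, action in check_site(SAMPLE_PLUGIN_LIST).items():
        print(f"{slug}: {action}")
```

Note that an inactive plugin (Backup and Restore in the sample) is still flagged: its files remain on disk, which is why the report says to remove it rather than just deactivate it.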
