Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress vulnerability report, powered by WPScan, covers recently disclosed WordPress plugin, theme and core vulnerabilities, and what to do if you are running one of the vulnerable plugins or themes on your website. Each vulnerability is rated by severity: low, medium, high or critical. Responsible disclosure and reporting of vulnerabilities is an essential part of keeping the WordPress community safe. Please share this post with your friends, spread the word, and help everyone make WordPress safer.
In this report (November 3, 2021):

WordPress core vulnerabilities

WordPress plugin vulnerabilities
1. Comments Plus
2. Slideshow Gallery
3. MainWP Child
4. eCommerce Product Catalog for WordPress
5. Falang multilanguage for WordPress
6. Video Course Manager
7. WP Spell Check
8. E-commerce – phase 2 certification
9. Maz Loader
10. Eliot gate
11. Repeat post notice
12. Connector business directory
14. Media label
15. Author box information
16. PayPal subscriptions and memberships
17. PayPal accept donations
18. PayPal
19. Easy activity. Whatever it is, pop up
20. JS Job Manager
21. Batch date/time change
22. Ninja Forms
23. Export WP attachment
24. Post Content Text Slider
25. HashThemes Demo Importer
26. Event Calendar registration
27. Mang Board WP
28. OptinMonster
29. NextScripts: Social Networks Auto-Poster
30. Smash Balloon Social Post Feed
31. WP Pro Quiz
32. Contact Form by Supsystic
33. WP Statistics

How to protect your WordPress website from vulnerable plugins and themes with iThemes Security Pro

Want this report delivered to your inbox every week? Subscribe to the weekly email.

WordPress core vulnerabilities
The latest version of WordPress core is 5.8.1. As a best practice, always run the latest version of WordPress core!
WordPress plugin vulnerabilities
This section discloses the latest WordPress plugin vulnerabilities. Each plugin entry includes the vulnerability type, the patched version number and the severity rating.

1. Comments Plus
Plugin: Comments Plus
Vulnerability: Subscriber+ review DoS
Patched in version: 1.2.14
Severity: low
The vulnerability is patched, so update to version 1.2.14.

2. Slideshow Gallery
Plugin: Slideshow Gallery
Vulnerability: Admin+ stored cross-site scripting
Patched in version: 1.7.4
Severity: low
The vulnerability is patched, so update to version 1.7.4.

3. MainWP Child
Plugin: MainWP Child
Vulnerability: Admin+ SQL injection
Patched in version: 4.1.8
Severity: medium
The vulnerability is patched, so update to version 4.1.8.

4. eCommerce Product Catalog for WordPress
Plugin: eCommerce Product Catalog for WordPress
Vulnerability: Reflected cross-site scripting
Patched in version: 3.0.39
Severity: high
The vulnerability is patched, so update to version 3.0.39.

5. Falang multilanguage for WordPress
Plugin: Falang multilanguage for WordPress
Vulnerability: Reflected cross-site scripting
Patched in version: 1.3.18
Severity: high
The vulnerability is patched, so update to version 1.3.18.

6. Video Course Manager
Plugin: Video Course Manager
Vulnerability: Admin+ stored cross-site scripting
Patched in version: 1.7.2
Severity: low
The vulnerability is patched, so update to version 1.7.2.
Severity: medium
The vulnerability is patched, so update to version 3.6.4.

23. Export WP attachment
Plugin: Export WP attachment
Vulnerability: Unauthenticated post
Patched in version: 0.2.4
Severity: high
The vulnerability is patched, so update to version 0.2.4.

24. Post Content Text Slider
Plugin: Post Content Text Slider
Vulnerability: Authenticated stored cross-site scripting (XSS)
Patched in version: 6.9
Severity: medium
The vulnerability is patched, so update to version 6.9.

25. HashThemes Demo Importer
Plugin: HashThemes Demo Importer
Vulnerability: Blog reset via improper access control
Patched in version: 1.1.2
Severity: critical
The vulnerability is patched, so update to version 1.1.2.

26. Event Calendar registration
Plugin: Event Calendar registration
Vulnerability: Reflected cross-site scripting
Patched in version: 2.7.5
Severity: high
The vulnerability is patched, so update to version 2.7.5.

27. Mang Board WP
Plugin: Mang Board WP
Vulnerability: SQL injection
Patched in version: 1.6.9
Severity: high
The vulnerability is patched, so update to version 1.6.9.

28. OptinMonster
Plugin: OptinMonster
Vulnerability: Unprotected REST API endpoint
Patched in version: 2.6.5
Severity: high
The vulnerability is patched, so update to version 2.6.5.

29. NextScripts: Social Networks Auto-Poster
Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Reflected cross-site scripting
Patched in version: 4.3.21
Severity: high
The vulnerability is patched, so update to version 4.3.21.

30. Smash Balloon Social Post Feed
Plugin: Smash Balloon Social Post Feed
Vulnerability: Subscriber+ arbitrary plugin settings update with stored XSS
Patched in version: 4.0.1
Severity: high
The vulnerability is patched, so update to version 4.0.1.

31. WP Pro Quiz
Plugin: WP Pro Quiz
Vulnerability: Arbitrary quiz deletion via CSRF
Patched in version: no known fix – plugin closed
Severity: medium
The vulnerability is not patched. The plugin was closed on July 17, 2020. Uninstall and remove it.

32. Contact Form by Supsystic
Plugin: Contact Form by Supsystic
Vulnerability: Admin+ stored cross-site scripting
Patched in version: no known fix
Severity: low
The vulnerability is not patched. Uninstall and remove the plugin until a patch is released.

33. WP Statistics
Plugin: WP Statistics
Vulnerability: CSRF to stored cross-site scripting (XSS)
Patched in version: 2.52
Severity: high
The plugin has not been tested with the latest three major releases of WordPress. It may no longer be maintained or supported, and there may be compatibility issues when it is used with the latest version of WordPress. This vulnerability is not patched. Uninstall and remove the plugin until a patch is released.

How to protect your WordPress website from vulnerable plugins and themes
New WordPress plugin and theme vulnerabilities are disclosed every week. Because we know it is hard to keep track of every reported vulnerability disclosure, the iThemes Security Pro plugin makes it easy to find out whether your site is running a theme, plugin or version of WordPress core with a known vulnerability.
1. Install the iThemes Security Pro plugin
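The practical check behind this report is a version comparison: for each plugin in the advisory, is the installed version older than the patched version, or is there no fix at all? The script below is an added example, not code from the report or from iThemes or WPScan. It takes a plugin inventory in the shape that `wp plugin list --format=json` prints (the inventory here is constructed sample data), compares it against the patched versions from the entries above, and reports what to do. The plugin slugs are assumed placeholder identifiers, not verified wordpress.org slugs; the version numbers and the "no known fix" statuses are the ones the report states.

```python
"""Flag installed WordPress plugins that fall below an advisory's patched version.

Added example, not part of the original report or of iThemes/WPScan tooling.
Plugin slugs and the inventory below are constructed sample data; the patched
versions and fix status are taken from the report entries above.
"""
import json
import re
from typing import Optional

# slug -> patched version, or None when the report lists no known fix.
# Slugs are hypothetical placeholders, not verified wordpress.org slugs.
ADVISORY = {
    "comments-plus": "1.2.14",
    "slideshow-gallery": "1.7.4",
    "mainwp-child": "4.1.8",
    "ecommerce-product-catalog": "3.0.39",
    "falang": "1.3.18",
    "export-wp-attachment": "0.2.4",
    "hashthemes-demo-importer": "1.1.2",
    "optinmonster": "2.6.5",
    "wp-pro-quiz": None,                # plugin closed, no known fix
    "contact-form-by-supsystic": None,  # no known fix
}

# Constructed sample in the shape of `wp plugin list --format=json` output.
SAMPLE_INVENTORY = json.dumps([
    {"name": "optinmonster", "status": "active", "version": "2.6.4"},
    {"name": "mainwp-child", "status": "active", "version": "4.1.8"},
    {"name": "falang", "status": "inactive", "version": "1.3.17"},
    {"name": "wp-pro-quiz", "status": "active", "version": "0.37"},
    {"name": "akismet", "status": "active", "version": "4.2.1"},
    {"name": "hashthemes-demo-importer", "status": "active", "version": "1.1.2-beta1"},
])


def version_key(version: str) -> tuple:
    """Turn '1.2.14' into a comparable tuple.

    Numeric parts are padded to four components so '1.7' equals '1.7.0', and a
    pre-release suffix such as '-beta1' sorts below the final release so that a
    beta of the patched version is still treated as unpatched.
    """
    core, _, suffix = version.partition("-")
    nums = [int(p) for p in re.findall(r"\d+", core)]
    nums += [0] * (4 - len(nums))
    return (*nums[:4], 0 if suffix else 1)


def is_vulnerable(installed: str, patched: Optional[str]) -> bool:
    """True when no fix exists or the installed version predates the fix."""
    if patched is None:
        return True
    return version_key(installed) < version_key(patched)


def find_vulnerable(inventory_json: str, advisory: dict = ADVISORY) -> list:
    """Return one finding per installed plugin that the advisory still covers."""
    findings = []
    for plugin in json.loads(inventory_json):
        slug = plugin["name"]
        if slug not in advisory:
            continue  # not mentioned in this report
        patched = advisory[slug]
        if is_vulnerable(plugin["version"], patched):
            findings.append({
                "plugin": slug,
                "installed": plugin["version"],
                "status": plugin["status"],
                "action": f"update to {patched}" if patched else "remove: no known fix",
            })
    return sorted(findings, key=lambda f: f["plugin"])


if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{finding['plugin']} {finding['installed']} "
              f"({finding['status']}): {finding['action']}")
```

Two details matter for a real check. Inactive plugins are still flagged on purpose: a deactivated plugin's files remain on disk and reachable, which is why the report says to uninstall and remove unpatched plugins rather than merely deactivate them. And a pre-release build of the patched version is not counted as patched, so "1.1.2-beta1" is still reported against a fix in 1.1.2.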