WordPress vulnerability report: October 2021, Part 3

Vulnerable plug-ins and themes are the number one reason WordPress websites get hacked. The weekly WordPress vulnerability report, powered by WPScan, covers recent WordPress plug-in, theme and core vulnerabilities, and what to do if you are running one of the vulnerable plug-ins or themes on your website. Each vulnerability has a severity rating of Low, Medium, High or Critical. Responsible disclosure and reporting of vulnerabilities is an essential part of keeping the WordPress community safe. Please share this post with your friends, spread the word and help everyone make WordPress safer.
WordPress core vulnerabilities

The latest version of WordPress core is 5.8.1, a security and maintenance release. As a best practice, always run the latest version of WordPress core.

WordPress plug-in vulnerabilities

This section lists the latest WordPress plug-in vulnerabilities. Each entry gives the vulnerability type, the version the fix was released in (if any) and the severity rating.

1. WPSchoolPress
 - Multiple Admin+ stored cross-site scripting. Patched in: 2.1.17. Severity: Low. The vulnerability is patched, so update to version 2.1.17.
 - Reflected cross-site scripting. Patched in: 2.1.10. Severity: High. The vulnerability is patched, so update to version 2.1.10.
 - Multiple authenticated SQL injection. Patched in: 2.1.10. Severity: High. The vulnerability is patched, so update to version 2.1.10.
2. YITH WooCommerce Multi Vendor – Reflected cross-site scripting. Patched in: 3.8.1. Severity: High. The vulnerability is patched, so update to version 3.8.1.
3. Print-o-Matic – Admin+ stored cross-site scripting. Patched in: 2.0.3. Severity: Low. The vulnerability is patched, so update to version 2.0.3.
4. Fire Register
 - Unauthenticated SQL injection. Patched in: 3.7.1.6. Severity: High. The vulnerability is patched, so update to version 3.7.1.6.
 - Unauthenticated SQL injection. Patched in: 3.7.1.6. Severity: Critical. The vulnerability is patched, so update to version 3.7.1.6.
5. WooCommerce Coupon Partner – Arbitrary referral access and deletion via CSRF. Patched in: 4.11.3.4. Severity: Medium. The vulnerability is patched, so update to version 4.11.3.4.
6. Maz Loader – Contributor+ SQL injection. Patched in: 1.3.3. Severity: High. The vulnerability is patched, so update to version 1.3.3.
7. Store Footnote Text – Admin+ stored cross-site scripting. Patched in: no known fix, plug-in closed. Severity: Medium. This vulnerability is not patched. The plug-in was closed on October 6, 2021. Remove and delete the plug-in.
8. Q&A Tool Lite – Multiple Admin+ stored cross-site scripting. Patched in: no known fix, plug-in closed. Severity: Low. This vulnerability is not patched. The plug-in was closed on September 28, 2021. Remove and delete the plug-in.
9. Qwizcards – Admin+ stored cross-site scripting. Patched in: 3.62. Severity: Low. The vulnerability is patched, so update to version 3.62.
10. Loco Translate – Authenticated PHP code injection. Patched in: 2.5.4. Severity: High. The vulnerability is patched, so update to version 2.5.4.
11. iPanorama 360 WordPress Virtual Tour Builder – Stored cross-site scripting via CSRF. Patched in: 1.6.22. Severity: High. The vulnerability is patched, so update to version 1.6.22.
12. Vision Interactive for WordPress – Reflected cross-site scripting. Patched in: no known fix. Severity: High. This vulnerability is not patched. Uninstall and remove the plug-in until a patch is released.
13. ImageLinks Interactive Image Builder for WordPress – Reflected cross-site scripting. Patched in: no known fix. Severity: High. This vulnerability is not patched. Uninstall and remove the plug-in until a patch is released.
14. WordPress Easy Custom JS and CSS – Reflected cross-site scripting. Patched in: no known fix. Severity: High. This vulnerability is not patched. Uninstall and remove the plug-in until a patch is released.
15. iPages Flipbook for WordPress – Reflected cross-site scripting. Patched in: 1.4.3. Severity: High. The vulnerability is patched, so update to version 1.4.3.
16. 404 to 301 – Log deletion via CSRF. Patched in: 3.0.9. Severity: Medium. The vulnerability is patched, so update to version 3.0.9.
17. Post Expirator – Contributor+ arbitrary post scheduling. Patched in: 2.6.0. Severity: High. The vulnerability is patched, so update to version 2.6.0.
18. WP Header Image – Reflected cross-site scripting. Patched in: 2.0.1. Severity: High. The vulnerability is patched, so update to version 2.0.1.
19. PayPal Subscription and Membership – Reflected cross-site scripting via the page parameter. Patched in: no known fix, plug-in closed. Severity: High. This vulnerability is not patched. The plug-in was closed on September 30, 2021. Remove and delete the plug-in.
20. Accept Donation with PayPal – Reflected cross-site scripting via the page parameter. Patched in: 1.3.1. Severity: High. The vulnerability is patched, so update to version 1.3.1.
21. PayPal Event – Reflected cross-site scripting via the page parameter. Patched in: no known fix, plug-in closed. Severity: High. This vulnerability is not patched. The plug-in was closed on September 30, 2021. Remove and delete the plug-in.
22. Header and Footer Code Manager – Admin+ SQL injection. Patched in: 1.1.14. Severity: Medium. The vulnerability is patched, so update to version 1.1.14.
23. wpDiscuz – Add/edit/delete arbitrary comments via CSRF. Patched in: 7.3.4. Severity: Medium. The vulnerability is patched, so update to version 7.3.4.
24. 3DPrint Lite – Reflected cross-site scripting. Patched in: 1.9.1.6. Severity: High. The vulnerability is patched, so update to version 1.9.1.6.
25. Asgaros Forum – Deletion via CSRF redirect. Patched in: 1.15.13. Severity: High. The vulnerability is patched, so update to version 1.15.13.
26. WP SEO Redirect 301 – Redirect deletion via CSRF. Patched in: 2.3.2. Severity: Medium. The vulnerability is patched, so update to version 2.3.2.
27. WCFM – WooCommerce Frontend Manager – Customer/Subscriber+ SQL injection. Patched in: 6.5.12. Severity: High. The vulnerability is patched, so update to version 6.5.12.
28. Affiliates Manager – Admin+ SQL injection. Patched in: 2.8.7. Severity: Medium. The vulnerability is patched, so update to version 2.8.7.
29. Similar Posts – Admin+ arbitrary PHP code execution. Patched in: 3.1.6. Severity: High. The vulnerability is patched, so update to version 3.1.6.
30. WooCommerce Product Table – Reflected cross-site scripting. Patched in: 1.0.4. Severity: Medium. The vulnerability is patched, so update to version 1.0.4.
31. Product Discount Manager – Reflected cross-site scripting. Patched in: 3.4.5. Severity: High. The vulnerability is patched, so update to version 3.4.5.
32. Post Writer – Admin+ stored cross-site scripting. Patched in: 1.6.0. Severity: Low. The vulnerability is patched, so update to version 1.6.0.
33. Bridge
 - Improper authorization. Patched in: 2.3.12. Severity: High. The vulnerability is patched, so update to version 2.3.12.
 - Authenticated stored cross-site scripting. Patched in: 2.3.12. Severity: Medium. The vulnerability is patched, so update to version 2.3.12.
 - Authenticated file upload and path traversal. Patched in: 2.3.12. Severity: High. The vulnerability is patched, so update to version 2.3.12.
34. Colorful Categories – Arbitrary color update via CSRF. Patched in: 2.0.15. Severity: Medium. The vulnerability is patched, so update to version 2.0.15.
35. WP Fastest Cache
 - Subscriber+ SQL injection. Patched in: 0.9.5. Severity: High. The vulnerability is patched, so update to version 0.9.5.
 - Stored cross-site scripting via CSRF. Patched in: 0.9.5. Severity: High. The vulnerability is patched, so update to version 0.9.5.
36. Business Manager – Admin+ stored cross-site scripting. Patched in: no known fix. Severity: Low. This vulnerability is not patched. Uninstall and remove the plug-in until a patch is released.
37. Job Board Vanilla – Admin+ stored cross-site scripting. Patched in: no known fix, plug-in closed. Severity: Low. This vulnerability is not patched. The plug-in was closed on October 13, 2021. Remove and delete the plug-in.
38. WPGenius Task List – Admin+ stored cross-site scripting. Patched in: no known fix, plug-in closed. Severity: Low. This vulnerability is not patched. The plug-in was closed on October 13, 2021. Remove and delete the plug-in.
39. Task Manager – Admin+ stored cross-site scripting. Patched in: no known fix, plug-in closed. Severity: Low. This vulnerability is not patched. The plug-in was closed on October 13, 2021. Remove and delete the plug-in.
40. Job Portal – Admin+ stored cross-site scripting. Patched in: no known fix, plug-in closed. Severity: Low. This vulnerability is not patched. The plug-in was closed on October 13, 2021. Remove and delete the plug-in.
41. MyBB Cross Poster – Admin+ stored cross-site scripting. Patched in: no known fix, plug-in closed. Severity: Low. This vulnerability is not patched. The plug-in was closed on October 13, 2021. Remove and delete the plug-in.
42. KJM Admin Notices – Improper authorization. Patched in: no known fix, plug-in closed. Severity: Low. This vulnerability is not patched. The plug-in was closed on October 13, 2021. Remove and delete the plug-in.
43. Hal – Admin+ stored cross-site scripting. Patched in: 2.2. Severity: Low. The vulnerability is patched, so update to version 2.2.
44. Author Bio Box – Admin+ stored cross-site scripting. Patched in: 3.4.0. Severity: Low. The vulnerability is patched, so update to version 3.4.0.
45. WordPress + Microsoft Office 365 – Unauthenticated stored cross-site scripting. Patched in: 15.4. Severity: Critical. The vulnerability is patched, so update to version 15.4.
46. YOP Poll
 - Author+ stored cross-site scripting via the options module. Patched in: 6.3.1. Severity: Medium. The vulnerability is patched, so update to version 6.3.1.
 - Author+ stored cross-site scripting via the preview module. Patched in: 6.3.1. Severity: Medium. The vulnerability is patched, so update to version 6.3.1.
47. Independent Professional Importer – Admin+ stored cross-site scripting. Patched in: no known fix, plug-in closed. Severity: High. This vulnerability is not patched. The plug-in was closed on October 14, 2021. Remove and delete the plug-in.
48. MPL Publisher – Self Publishing of Books and E-books – Admin+ stored cross-site scripting. Patched in: no known fix. Severity: Low. This vulnerability is not patched. Uninstall and remove the plug-in until a patch is released.
49. JobBoardWP – Improper authorization. Patched in: no known fix, plug-in closed. Severity: Low. This vulnerability is not patched. The plug-in was closed on October 14, 2021. Remove and delete the plug-in.

WordPress theme vulnerabilities

1. Squaretype Modern Blog – Unauthenticated disclosure of non-public/scheduled posts. Patched in: 3.0.4. Severity: Medium. The vulnerability is patched, so update to version 3.0.4.

How to protect your WordPress website from vulnerable plug-ins and themes

New WordPress plug-in and theme vulnerabilities are disclosed every week. Because it is hard to keep track of every disclosed vulnerability, the iThemes Security Pro plug-in makes it easy to find out whether your site is running a theme, plug-in or WordPress core version with a known vulnerability.

1. Scan for known vulnerabilities. The daily site scan in iThemes Security Pro checks your WordPress website for outdated plug-ins and themes with known vulnerabilities, the number one reason sites get hacked.
2. Automatically update to the secure version. The version management feature of iThemes Security Pro integrates with the site scan to protect your site: vulnerable themes, plug-ins and WordPress core versions are updated automatically.
3. Monitor file changes. Detecting file changes on your website is central to quickly detecting a security breach. The file change detection feature of iThemes Security Pro scans the files on your website and notifies you when something changes.

iThemes Security Pro provides more than 50 ways to secure and protect your website from common WordPress security vulnerabilities. You can add layers of security with WordPress two-factor authentication, brute-force protection, strong password enforcement and more. Features include plug-in and theme vulnerability detection, site scanning, file change detection, a real-time website security dashboard, WordPress security logging, trusted devices, reCAPTCHA, brute-force protection, two-factor authentication, passwordless login links, permission reports and password requirements.
