WordPress vulnerability report: January 2022, Part 1

Vulnerable plug-ins and themes are the number one reason WordPress websites are hacked. The weekly WordPress vulnerability report, powered by WPScan, covers recently disclosed WordPress plug-in, theme and core vulnerabilities, together with what to do if one of the vulnerable plug-ins or themes is running on your website. Each vulnerability is rated with a severity of low, medium, high or critical. Transparency and disclosure of vulnerabilities are an essential part of keeping the WordPress community safe.

What's new in this report: vulnerabilities are now listed by number of active installations rather than by publication date.

Please share this post with your friends to help everyone use WordPress more safely!

Report published January 5, 2022.

In this report

2021 WordPress vulnerability report summary: 1263 vulnerabilities disclosed, 98% of them in plug-ins
WordPress core vulnerabilities
WordPress plug-in vulnerabilities
1. UpdraftPlus
2. WebP Converter for Media
3. WOOF – WooCommerce Products Filter
4. LearnPress
5. Copy WP Post Page
6. WP Extra File Types
7. Teacher LMS
8. Custom Dashboard & Login Page
9. Ultimate FAQ
10. WP User Frontend
11. myCred
12. Image Hover Effects Ultimate
13. Cute
14. RegistrationMagic
15. WooCommerce Order Tracking
16. Link Library
17. AF Companion
18. KNR Creator List Component
19. WP Cookie User Info
WordPress plug-in vulnerabilities: closed plug-ins
20. Laboratory Tools
21. Authentication Domain
22. Error Log Viewer
23. Countries Visiting WP
24. Study Course
25. Complete Questionnaire
WordPress plug-in vulnerabilities: no known fix
26. Mediamatic
How to protect your WordPress site from vulnerable plug-ins and themes

Do you want this report delivered to your inbox every week, to help protect your WordPress website from vulnerable plug-ins and themes with year-round security monitoring? Subscribe to the weekly email.

2021 WordPress vulnerability report summary: 1263 vulnerabilities disclosed, 98% of them in plug-ins

In 2021, 1263 plug-in and theme vulnerabilities were disclosed. WordPress plug-in vulnerabilities accounted for 98% of all reported vulnerabilities. The most vulnerabilities were reported in September 2021, when 323 vulnerabilities were disclosed in that month alone. The most common types of plug-in vulnerability disclosed in 2021 were XSS (cross-site scripting) and SQL injection. Most plug-in authors have released patches, but some plug-ins remain closed. As the number of disclosures grew, the report moved from twice a month to once a week. Thanks to your feedback, we began listing plug-in disclosures by active installations rather than in sequential order. We also began grouping plug-ins into free and Pro, with separate sections for closed plug-ins and for plug-ins with no known fix.

WordPress core vulnerabilities

The latest version of WordPress core is 5.8.2. As a best practice, always run the latest version of WordPress core!

WordPress plug-in vulnerabilities

This section covers the latest WordPress plug-in vulnerabilities. Each plug-in entry lists the vulnerability type, active installations, patched version and severity.

1. UpdraftPlus
Free plug-in: UpdraftPlus
Vulnerability: Reflected cross-site scripting. Active installations: 3,000,000+. Patched in: 1.16.569. Severity: High. The vulnerability is patched, so update to version 1.16.59.
Vulnerability: Admin+ stored cross-site scripting. Active installations: 3,000,000+. Patched in: 1.6.59. Severity: Low. The vulnerability is patched, so update to version 1.6.59.
Vulnerability: Admin+ local file inclusion. Active installations: 3,000,000+. Patched in: 1.16.59. Severity: Medium. The vulnerability is patched, so update to version 1.16.59.

2. WebP Converter for Media
Free plug-in: WebP Converter for Media
Vulnerability: Unauthenticated open. Active installations: 100,000+. Patched in: 4.0.3. Severity: Medium. The vulnerability is patched, so update to version 4.0.3.

3. WOOF – WooCommerce Products Filter
Free plug-in: WOOF – WooCommerce Products Filter
Vulnerability: Reflected cross-site scripting. Active installations: 100,000+. Patched in: 1.2.63. Severity: High. The vulnerability is patched, so update to version 1.2.6.3.

4. LearnPress
Plug-in: LearnPress
Vulnerability: Admin+ stored cross-site scripting. Active installations: 100,000+. Patched in: 4.1.3.2. Severity: Medium. The vulnerability is patched, so update to version 4.1.3.2.

5. Copy WP Post Page
Plug-in: Copy WP Post Page
Vulnerability: Unauthorized post/page copying. Active installations: 80,000+. Patched in: 1.8. The vulnerability is patched, so update to version 1.8.

6. WP Extra File Types
Plug-in: WP Extra File Types
Vulnerability: CSRF to stored cross-site scripting. Active installations: 50,000+. Patched in: 0.5.1. Severity: High. The vulnerability is patched, so update to version 0.5.1.

7. Teacher LMS
Plug-in: Teacher LMS
Vulnerability: Subscriber+ stored cross-site scripting. Active installations: 40,000+. Patched in: 1.9.12. Severity: High. The vulnerability is patched, so update to version 1.9.12.
Vulnerability: Reflected cross-site scripting. Active installations: 40,000+. Patched in: 1.9.12. Severity: High. The vulnerability is patched, so update to version 1.9.12.

8. Custom Dashboard & Login Page
Plug-in: Custom Dashboard & Login Page
Active installations: 40,000+. Patched in: 7.0. Severity: Medium. The vulnerability is patched, so update to version 7.0.

9. Ultimate FAQ
Plug-in: Ultimate FAQ
Vulnerability: Subscriber+ arbitrary FAQ creation. Active installations: 30,000+. Patched in: 2.1.2. Severity: Medium. The vulnerability is patched, so update to version 2.1.2.

10. WP User Frontend
Plug-in: WP User Frontend
Vulnerability: SQL injection and reflected cross-site scripting. Active installations: 30,000+. Patched in: 3.5.26. Severity: High. The vulnerability is patched, so update to version 3.5.26.

11. myCred
Plug-in: myCred
Vulnerability: Reflected cross-site scripting. Active installations: 20,000+. Patched in: 2.4. Severity: High. The vulnerability is patched, so update to version 2.4.

12. Image Hover Effects Ultimate
Free plug-in: Image Hover Effects Ultimate
Vulnerability: Reflected cross-site scripting. Active installations: 20,000+. Patched in: 9.7.1. Severity: High. The vulnerability is patched, so update to version 9.7.1.

13. Cute
Free plug-in: Cute
Vulnerability: Subscriber+ arbitrary FAQ creation. Active installations: 10,000+. Patched in: 1.7.8. Severity: Medium. The vulnerability is patched, so update to version 1.7.8.

14. RegistrationMagic
Free plug-in: RegistrationMagic

WordPress plug-in vulnerabilities: closed plug-ins

This section covers the latest WordPress plug-in vulnerabilities in closed plug-ins. Each plug-in entry lists the vulnerability type, severity and closure date.

25. Complete Questionnaire
Plug-in: Complete Questionnaire
Vulnerability: Unauthorized AJAX call / survey settings update. Patched in: 1.5.2 – plug-in closed. Severity: High. The vulnerability is patched. The plug-in was closed on October 5, 2021. Uninstall and remove.
Vulnerability: Unauthenticated SQL injection. Patched in: 1.5.2 – plug-in closed. Severity: High. The vulnerability is patched. The plug-in was closed on October 5, 2021. Uninstall and remove.
Vulnerability: Reflected cross-site scripting. Patched in: 1.5.2 – plug-in closed. Severity: High. The vulnerability is patched. The plug-in was closed on October 5, 2021. Uninstall and remove.
Vulnerability: Unauthenticated stored cross-site scripting. Patched in: no known fix – plug-in closed. Severity: High. The plug-in was closed on October 5, 2021. Uninstall and remove.

WordPress plug-in vulnerabilities: no known fix

26. Mediamatic
Plug-in: Mediamatic
Vulnerability: Subscriber+ SQL injection. Active installations: 3,000+. Patched in: no known fix. Severity: High. The vulnerability is not patched. Uninstall and remove the plug-in until a patch is released.

How to protect your WordPress site from vulnerable plug-ins and themes

New WordPress plug-in and theme vulnerabilities are disclosed every week. Because we know it is hard to keep track of every reported disclosure, the iThemes Security Pro plug-in makes it easy to tell whether your site is running a theme, plug-in or WordPress core version with a known vulnerability.

1. Install the iThemes Security Pro plug-in. iThemes Security Pro hardens your WordPress site against the most common ways websites get hacked, with more than 30 ways to protect your site in one easy-to-use plug-in.

2. Enable Site Scan to identify known vulnerabilities. The Version Management feature of iThemes Security Pro integrates with Site Scan to protect your site: vulnerable themes, plug-ins and WordPress core versions are updated automatically.

3. Enable File Change Detection. Monitoring file changes on your website is central to detecting a security breach quickly. The File Change Detection feature of iThemes Security Pro scans the files on your website and notifies you when something changes.

Get iThemes Security Pro, the WordPress security plug-in with 24x7 website security monitoring. iThemes Security Pro offers more than 50 ways to secure and protect your website from common WordPress security vulnerabilities. Add extra layers of security with two-factor authentication, brute-force protection, strong password enforcement and more: site scanner, plug-in and theme vulnerability detection, file change detection, real-time security dashboard, WordPress security logs, trusted devices and reCAPTCHA.
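To turn the patched-version figures above into an actual check of a site, here is an added example (not iThemes Security Pro code and not part of the original report) that reads the Version: header of each plug-in under wp-content/plugins and flags any that are below the fixed version this report lists, or that have no known fix. The plug-in directory slugs in the table are assumptions, and the sample plug-in tree is constructed in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Fixed versions as stated in the report, keyed by an assumed plug-in directory
# slug; None marks a plug-in listed with no known fix, so every version is flagged.
PATCHED = {
    "updraftplus": "1.16.59",
    "woocommerce-products-filter": "1.2.6.3",
    "mycred": "2.4",
    "mediamatic": None,
}
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.M | re.I)

def parse_version(text):
    """'1.2.6.3' -> (1, 2, 6, 3); tuple comparison orders dotted-numeric versions."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_vulnerable(slug, installed):
    """True if installed is below the fixed version, None if the plug-in is not in the report."""
    if slug not in PATCHED:
        return None
    fixed = PATCHED[slug]
    return True if fixed is None else parse_version(installed) < parse_version(fixed)

def read_plugin_version(plugin_dir):
    """Return the Version: header from the first PHP file in the plug-in directory that has one."""
    for php in sorted(plugin_dir.glob("*.php")):
        match = HEADER_RE.search(php.read_text(errors="ignore")[:8192])
        if match:
            return match.group(1)
    return None

def scan_plugins(plugins_root):
    """Map slug -> (installed version, vulnerable flag) for every report-listed plug-in found."""
    found = {}
    for d in sorted(p for p in Path(plugins_root).iterdir() if p.is_dir()):
        version = read_plugin_version(d)
        if version is not None and d.name in PATCHED:
            found[d.name] = (version, is_vulnerable(d.name, version))
    return found

def demo():
    """Build a constructed wp-content/plugins tree in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    samples = {"updraftplus": "1.16.58", "mycred": "2.4", "mediamatic": "1.5", "hello-dolly": "1.7"}
    for slug, ver in samples.items():
        (root / slug).mkdir(parents=True)
        (root / slug / f"{slug}.php").write_text(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {ver}\n*/\n")
    return scan_plugins(root)
```

Point scan_plugins at a real wp-content/plugins directory to get the same slug -> (version, flag) mapping for an actual site.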
