Vulnerable plugins and themes are the number one reason WordPress websites get hacked. The weekly WordPress Vulnerability Report, powered by WPScan, covers recently disclosed WordPress plugin, theme and core vulnerabilities, together with what to do if you run one of the vulnerable plugins or themes on your website. Each vulnerability is rated low, medium, high or critical. Openness and vulnerability reporting are an essential part of keeping the WordPress community secure. Please share this post with your friends, spread the word, and help everyone make WordPress safer.
In the December 8, 2021 report:

WordPress news: Gravatar data disclosure
WordPress core vulnerabilities
WordPress plugin vulnerabilities
1. Events Manager
2. Starfish Reviews
3. Typebot
4. Contact Form & Lead Form Elementor Builder
5. Manager
6. WP RSS Aggregator
7. Buttonizer – Smart Floating Action Button
8. WP Mail Logging
9. Motion
10. Query Form with Captcha
11. Awesome Support
12. Asgaros Forum
13. LiteSpeed Cache
14. Video Conferencing with Zoom
15. Booster for WooCommerce
16. Speed Booster Pack
17. OMGF
18. CAOS
19. WP Travel Engine
20. Monitor
21. Mortgage Calculator / Loan Calculator
22. WooCommerce Variation Swatches
23. ClickBank Affiliate Ads
24. Advanced Custom Fields
25. Canto
26. All-in-One Gallery
How to protect your WordPress website from vulnerable plugins and themes

Want iThemes Security Pro to deliver this report to your inbox every week? Subscribe to the weekly email.

WordPress news: the Gravatar data disclosure. Gravatar, the globally recognized avatar service, was scraped this week, but Gravatar is adamant that it was not hacked.
"Hello everyone, I want to confirm that Gravatar has not been hacked and no security protocol has been breached. For more information, visit https://t.co/hhIQQ5WWKt" (Gravatar.com, @gravatar, December 7, 2021)

The data was scraped on December 7, 2021. No passwords or other private information were disclosed, so there was no breach. Instead, the scraper collected public information in a way that is normally not easy to do. In theory, someone would need to know a Gravatar user's username in order to access that user's email address; with a script, an attacker can obtain usernames and email addresses at the same time.
WordPress core vulnerabilities: the latest version of WordPress core is 5.8.2. As a best practice, always run the latest version of WordPress core!

WordPress plugin vulnerabilities: this section lists the latest WordPress plugin vulnerabilities. Each plugin entry gives the vulnerability type, the patched version number and the severity rating.

1. Events Manager
Plugin: Events Manager
Vulnerability: Admin+ SQL injection
Patched in: 5.9.8
Severity: medium
The vulnerability has been patched, so update to version 5.9.8.
Plugin: Events Manager
Vulnerability: XSS (cross-site scripting)
Patched in: 5.9.8
Severity: low
The vulnerability has been patched, so update to version 5.9.8.

2. Starfish Reviews
Plugin: Starfish Reviews
Vulnerability: Admin+ SQL injection
Patched in: 1.9.6
Severity: medium
The vulnerability has been patched, so update to version 1.9.6.

3. Typebot
Plugin: Typebot
Vulnerability: Admin+ stored cross-site scripting
Patched in: 1.4.3
Severity: low
The vulnerability has been patched, so update to version 1.4.3.

4. Contact Form & Lead Form Elementor Builder
Plugin: Contact Form & Lead Form Elementor Builder
Vulnerability: unauthenticated stored cross-site scripting
Patched in: 1.6.4
Severity: high
The vulnerability has been patched, so update to version 1.6.4.

5. Manager
Plugin: Manager
Vulnerability: Subscriber+ stored cross-site scripting
Patched in: 3.2.22
Severity: high
The vulnerability has been patched, so update to version 3.2.22.

6. WP RSS Aggregator
Plugin: WP RSS Aggregator
Vulnerability: Admin+ SQL injection
Patched in: 4.19.3
Severity: high
The vulnerability has been patched, so update to version 4.19.3.

7. Buttonizer – Smart Floating Action Button
Plugin: Buttonizer – Smart Floating Action Button
Vulnerability: Admin+ stored cross-site scripting
Patched in: 2.5.5
Severity: low
The vulnerability has been patched, so update to version 2.5.5.

8. WP Mail Logging
Plugin: WP Mail Logging
Vulnerability: outdated Redux Framework
Patched in: 1.10.0
Severity: medium
The vulnerability has been patched, so update to version 1.10.0.

9. Motion
Plugin: Motion
Vulnerability: CSRF to stored cross-site scripting
Patched in: no known fix; plugin closed
Severity: high
The vulnerability is not patched. The plugin was closed on November 20, 2021. Uninstall and remove it.

10. Query Form with Captcha
Plugin: Query Form with Captcha
Vulnerability: CSRF to stored cross-site scripting
Patched in: no known fix; plugin closed
Severity: high
The vulnerability is not patched. The plugin was closed on November 26, 2021. Uninstall and remove it.

11. Awesome Support
Plugin: Awesome Support
Vulnerability: reflected cross-site scripting
Patched in: 6.07.7
Severity: high
The vulnerability has been patched, so update to version 6.07.7.

12. Asgaros Forum
Plugin: Asgaros Forum
Vulnerability: Admin+ stored cross-site scripting
Patched in: 1.15.14
Severity: low
The vulnerability has been patched, so update to version 1.15.14.

13. LiteSpeed Cache
Plugin: LiteSpeed Cache
Vulnerability: unauthenticated stored XSS via IP validation bypass
Patched in: 4.4.4
Severity: high
The vulnerability has been patched, so update to version 4.4.4.
Plugin: LiteSpeed Cache
Vulnerability: Admin+ reflected cross-site scripting
Patched in: 4.4.4
Severity: high
The vulnerability has been patched, so update to version 4.4.4.

14. Video Conferencing with Zoom
Plugin: Video Conferencing with Zoom
Vulnerability: reflected cross-site scripting
Patched in: 3.8.16
Severity: high
The vulnerability has been patched, so update to version 3.8.16.

15. Booster for WooCommerce
Plugin: Booster for WooCommerce
Vulnerability: reflected cross-site scripting in the PDF Invoicing module
Patched in: 5.4.9
Severity: high
The vulnerability has been patched, so update to version 5.4.9.
Plugin: Booster for WooCommerce
Vulnerability: reflected cross-site scripting in the General module
Patched in: 5.4.9
Severity: high
The vulnerability has been patched, so update to version 5.4.9.
Plugin: Booster for WooCommerce
Vulnerability: reflected cross-site scripting in the Product XML Feeds module
Patched in: 5.4.9
Severity: high
The vulnerability has been patched, so update to version 5.4.9.

16. Speed Booster Pack
Plugin: Speed Booster Pack
Vulnerability: Admin+ SQL injection
Patched in: 4.3.3.1
Severity: medium
The vulnerability has been patched, so update to version 4.3.3.1.

17. OMGF
Plugin: OMGF
Vulnerability: path traversal
The vulnerability has been patched, so update to the patched version.

18. CAOS
Plugin: CAOS
Vulnerability: Admin+ arbitrary folder deletion via path traversal
Patched in: 4.1.9
The vulnerability has been patched, so update to version 4.1.9.

19. WP Travel Engine
Plugin: WP Travel Engine
Vulnerability: Editor+ stored cross-site scripting
Patched in: 5.3.1
Severity: low
The vulnerability has been patched, so update to version 5.3.1.

20. Monitor
Plugin: Monitor
Vulnerability: Admin+ SQL injection
Patched in: 4.4.5
Severity: medium
The vulnerability has been patched, so update to version 4.4.5.

21. Mortgage Calculator / Loan Calculator
Plugin: Mortgage Calculator / Loan Calculator
Vulnerability: Contributor+ stored cross-site scripting
Patched in: 1.5.17
Severity: medium
The vulnerability has been patched, so update to version 1.5.17.

22. WooCommerce Variation Swatches
Plugin: WooCommerce Variation Swatches
Vulnerability: Subscriber+ stored cross-site scripting
Patched in: 2.1.2
Severity: high
The vulnerability has been patched, so update to version 2.1.2.

23. ClickBank Affiliate Ads
Plugin: ClickBank Affiliate Ads
Vulnerability: CSRF to stored cross-site scripting
Patched in: no known fix; plugin closed
Severity: high
The vulnerability is not patched. The plugin was closed on December 1, 2021. Uninstall and remove it.
Plugin: ClickBank Affiliate Ads
Vulnerability: Admin+ stored cross-site scripting
Patched in: no known fix; plugin closed
Severity: low
The vulnerability is not patched. The plugin was closed on December 1, 2021. Uninstall and remove it.

24. Advanced Custom Fields
Plugin: Advanced Custom Fields
Vulnerability: User+ arbitrary ACF data / field group viewing and field moving
Patched in: 5.11
Severity: medium
The vulnerability has been patched, so update to version 5.11.

25. Canto
Plugin: Canto
Vulnerability: unauthenticated blind SSRF
Patched in: no known fix
Severity: medium
The vulnerability is not patched. Uninstall and remove the plugin until a patch is released.

26. All-in-One Gallery
Plugin: All-in-One Gallery
Vulnerability: Admin+ local file inclusion
Patched in: 2.5.0
Severity: low
The vulnerability has been patched, so update to version 2.5.0.

How to protect your WordPress website from vulnerable plugins and themes: new WordPress plugin and theme vulnerabilities are disclosed every week. I know it is hard to keep up with every disclosed vulnerability, so I use the iThemes Security Pro plugin to check whether the website is running a theme, plugin or WordPress core version with a known vulnerability.
It is easy to confirm whether one exists.

1. Install the iThemes Security Pro plugin. iThemes Security Pro hardens your WordPress site against the most common ways websites get hacked, with more than 30 ways to protect your site in one easy-to-use plugin.

2. Enable site scanning to identify known vulnerabilities. The version management feature of iThemes Security Pro integrates with the site scan to protect the site: vulnerable themes, plugins and WordPress core versions are updated automatically.

3. Enable file change detection. Monitoring file changes on the website is key to detecting a security breach quickly. The file change detection feature of iThemes Security Pro scans the files on the website and notifies you when they change.

Get iThemes Security Pro, the WordPress security plugin, for 24x7 website security monitoring. iThemes Security Pro provides more than 50 ways to secure and protect your website from common WordPress security vulnerabilities. You can add layers of security to your WordPress site with two-factor authentication, brute force protection, strong password enforcement and more. Features include: site scanner for plugin and theme vulnerabilities, file change detection, real-time website security dashboard, WordPress security logs, trusted devices, reCAPTCHA, brute force protection, two-factor authentication, magic login links, and permission grants and denials in the iThemes Security workflow.
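Step 2 above relies on the site scanner, but the same check can be done by hand from a plugin inventory. The following script is an added example, not iThemes or WPScan code: it compares the JSON produced by WP-CLI's `wp plugin list --format=json` against the fixed versions listed in this report and reports what to update or remove. The plugin slugs in the table and the sample inventory are assumed and constructed for the example.

```python
import json
# Added example, not iThemes code. Minimum fixed version per plugin slug, taken
# from the report above; None means no fix exists (closed/unpatched): remove it.
# Slugs are assumed; check them against your own wp-content/plugins directory.
FIXED_IN = {
    "events-manager": "5.9.8",
    "litespeed-cache": "4.4.4",
    "speed-booster-pack": "4.3.3.1",
    "advanced-custom-fields": "5.11",
    "canto": None,
}
# Constructed sample of `wp plugin list --format=json` output.
SAMPLE_INVENTORY = json.loads("""[
  {"name": "events-manager", "status": "active", "update": "none", "version": "5.9.8"},
  {"name": "litespeed-cache", "status": "active", "update": "available", "version": "4.4.3"},
  {"name": "speed-booster-pack", "status": "inactive", "update": "available", "version": "4.3.3"},
  {"name": "canto", "status": "active", "update": "none", "version": "1.2.0"},
  {"name": "akismet", "status": "active", "update": "none", "version": "4.2.1"}
]""")

def parse_version(text):
    """'4.3.3.1' or '6.07.7' -> tuple of ints; non-digit suffixes are ignored."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_fixed(installed, fixed):
    """True when installed >= fixed; shorter tuples are zero-padded (5.11 == 5.11.0)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def assess(inventory):
    """Return {slug: verdict} for each installed plugin that appears in the report."""
    verdicts = {}
    for plugin in inventory:
        slug = plugin["name"]
        if slug not in FIXED_IN:
            continue  # not covered by this week's report
        fixed = FIXED_IN[slug]
        if fixed is None:
            verdicts[slug] = "remove (no fix available)"
        elif is_fixed(plugin["version"], fixed):
            verdicts[slug] = "ok"
        else:
            verdicts[slug] = f"update to {fixed} or later"
    return verdicts
print(assess(SAMPLE_INVENTORY))
```

Inactive plugins are assessed too, because a closed or unpatched plugin left on disk is still a risk and should be removed rather than merely deactivated.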