Vulnerable plug-ins and themes are the #1 reason WordPress websites are hacked. The weekly WordPress vulnerability report, based on data provided by WPScan, covers the latest WordPress plug-in, theme and core vulnerabilities, together with the action to take if one of the vulnerable plug-ins or themes is running on your website. Each vulnerability is rated low, medium, high or fatal. Openness and vulnerability reporting are an essential part of keeping the WordPress community safe. Please share this post with your friends, spread the word and help everyone make WordPress safer.
WordPress vulnerability report, October 27, 2021

In this report:
1. Shared file
2. 2D controller
3. Mousewheel smooth scrolling
4. Insert page
5. SEO redirection
6. PayPal donation
7. Impress for IDX agent
8. Simple JWT login
9. My ticket
10. Client invoice by sprout invoice
11. Email log
12. WP performance score booster
13. Active Directory integration / LDAP integration
14. Tableon
15. Reactive image slider, image library and carousel
16. WP website map page
17. Stream
18. Helpful
19. LearnPress
20. Content dump
21. Leaky paywall
22. Teacher LMS
23. Logo showcase with smooth slider
24. Powerful form builder
25. Plug in
26. Webp image
27. MS store API
28. Easy digital
29. Advanced access manager
30. Yop voting
31. Export WP attachment
32. Post content text slider
33. Bingke
34. Better links
35. LearnDash
36. ImageBoss
37. 4minuter
38. MPL publisher
39. Element
40. Sassy social share
41. Pie register
42. Advanced forms
43. Catch theme demo import
44. Simple task bulletin board
45. Ivory search
46. Proxy gateway

To protect your WordPress website from vulnerable plug-ins and themes, get iThemes Security Pro, or sign up for the weekly e-mail subscription to receive this report in your inbox every week.

WordPress core vulnerabilities

The latest version of WordPress core is 5.8.1, a security and maintenance release. As a best practice, always run the latest version of WordPress core!
WordPress plug-in vulnerabilities

This section discloses the latest WordPress plug-in vulnerabilities. Each plug-in entry lists the vulnerability type, the patched version number and the severity level.

1. Shared file: Admin+ stored cross-site scripting. Patched in 1.6.61. Severity: low. The vulnerability is patched, so update to version 1.6.61.
2. 2D controller: Contributor+ stored cross-site scripting. Patched in 1.6.1. Severity: medium. The vulnerability is patched, so update to version 1.6.1.
   Also: Subscriber+ arbitrary 2D redirect response status update. Patched in 1.6. Severity: medium. The vulnerability is patched, so update to version 1.6.
3. Mousewheel smooth scrolling: Plug-in settings update via CSRF. Patched in 5.7. Severity: medium. The vulnerability is patched, so update to version 5.7.
4. Insert page: Contributor+ arbitrary post/page access. Patched in 3.7.0. Severity: medium. The vulnerability is patched, so update to version 3.7.0.
   Also: Contributor+ stored cross-site scripting. Patched in 3.7.0. Severity: medium. The vulnerability is patched, so update to version 3.7.0.
5. SEO redirection: Subscriber+ SQL injection. Patched in 8.2. Severity: high. The vulnerability is patched, so update to version 8.2.
6. PayPal donation: Admin+ stored cross-site scripting. Patched in 1.3.2. Severity: low. The vulnerability is patched, so update to version 1.3.2.
7. Impress for IDX agent: Reflected cross-site scripting. Patched in 3.0.6. Severity: high. The vulnerability is patched, so update to version 3.0.6.
8. Simple JWT login: Arbitrary site settings update via CSRF. Patched in 3.2.1. Severity: high. The vulnerability is patched, so update to version 3.2.1.
9. My ticket: Subscriber+ SQL injection. Patched in 1.8.31. Severity: high. The vulnerability is patched, so update to version 1.8.31.
10. Client invoice by sprout invoice: Admin+ stored cross-site scripting. Patched in 19.9.7. Severity: low. The vulnerability is patched, so update to version 19.9.7.
11. Email log: Admin+ SQL injection. Patched in 2.4.7. Severity: medium. The vulnerability is patched, so update to version 2.4.7.
12. WP performance score booster: Settings change via CSRF. Patched in 2.1. Severity: medium. The vulnerability is patched, so update to version 2.1.
13. Active Directory integration / LDAP integration: Subscriber+ SQL injection. Patched in 3.6.95. Severity: high. The vulnerability is patched, so update to version 3.6.95.
14. Tableon: Reflected cross-site scripting. Patched in 1.0.1. Severity: medium. The vulnerability is patched, so update to version 1.0.1.
15. Reactive image slider, image library and carousel: Copy/store/delete slider via CSRF. Patched in 1.3.2. Severity: medium. The vulnerability is patched, so update to version 1.3.2.
   Also: Subscriber+ arbitrary post access. Patched in 1.3.6. Severity: medium. The vulnerability is patched, so update to version 1.3.6.
16. WP website map page: Admin+ stored cross-site scripting. Patched in 1.7.0. Severity: low. The vulnerability is patched, so update to version 1.7.0.
17. Stream: Admin+ SQL injection. Patched in 3.8.2. Severity: medium. The vulnerability is patched, so update to version 3.8.2.
18. Helpful: Admin+ stored cross-site scripting. Patched in 4.4.59. Severity: low. The vulnerability is patched, so update to version 4.4.59.
19. LearnPress: Admin+ stored cross-site scripting. Patched in 4.1.3.2. Severity: low. The vulnerability is patched, so update to version 4.1.3.2.
20. Content dump: Admin+ stored cross-site scripting. Patched in: no known fix, plug-in closed. Severity: low. This vulnerability is not patched. The plug-in was closed on October 15, 2021. Uninstall and remove it.
21. Leaky paywall: Admin+ stored cross-site scripting. Patched in: no known fix. Severity: low. This vulnerability is not patched. Uninstall and remove the plug-in until a patch is released.
22. Teacher LMS: Reflected cross-site scripting. Patched in 1.9.11. Severity: medium. The vulnerability is patched, so update to version 1.9.11.
23. Logo showcase with smooth slider: Author+ stored cross-site scripting. Patched in 1.2.4. Severity: medium. The vulnerability is patched, so update to version 1.2.4.
24. Powerful form builder: Unauthenticated stored cross-site scripting. Patched in 4.09.05. Severity: low. The vulnerability is patched, so update to version 4.09.05.
25. Plug in: User+ arbitrary plug-in activation. Patched in 1.6.1. Severity: medium. The vulnerability is patched, so update to version 1.6.1.
26. Webp image: Multiple cross-site request forgery (CSRF). Patched in 1.9. Severity: medium. The vulnerability is patched, so update to version 1.9.
   Also: Authenticated local file inclusion. Patched in 1.9. Severity: low. The vulnerability is patched, so update to version 1.9.
27. MS store API: Unauthenticated PHP file upload. Patched in 3.4.5. Severity: fatal. The vulnerability is patched, so update to version 3.4.5.
28. Easy digital: Reflected cross-site scripting. Patched in 2.11.2.1. Severity: high. The vulnerability is patched, so update to version 2.11.2.1.
29. Advanced access manager: Admin+ stored cross-site scripting. Patched in 6.8.0. Severity: low. The vulnerability is patched, so update to version 6.8.0.
30. Yop voting: Reflected cross-site scripting. Patched in 6.1.2. Severity: medium. The vulnerability is patched, so update to version 6.1.2.
31. Export WP attachment: Unauthenticated post. Patched in 0.2.4. Severity: high. The vulnerability is patched, so update to version 1.2.4.
32. Post content text slider: Authenticated stored cross-site scripting (XSS). Patched in 6.9. Severity: medium. The vulnerability is patched, so update to version 6.9.
33. Bingke: Admin+ stored cross-site scripting. Patched in 2.0.3. Severity: low. The vulnerability is patched, so update to version 2.0.3.
34. Better links: Admin+ stored cross-site scripting. Patched in 1.2.6. Severity: low. The vulnerability is patched, so update to version 1.2.6.
35. LearnDash: Unauthenticated arbitrary file upload. Patched in 2.5.4. Severity: fatal. The vulnerability is patched, so update to version 2.5.4.
36. ImageBoss: Admin+ stored cross-site scripting. Patched in 3.0.6. Severity: low. The vulnerability is patched, so update to version 3.0.6.
37. 4minuter: Admin+ stored cross-site scripting. Patched in 1.2.4. Severity: low. The vulnerability is patched, so update to version 1.2.4.
38. MPL publisher: Admin+ stored cross-site scripting. Patched in 1.30.4. Severity: low. The vulnerability is patched, so update to version 1.30.4.
39. Element: DOM cross-site scripting. Patched in 3.1.4. Severity: medium. The vulnerability is patched, so update to version 3.1.4.
40. Sassy social share: PHP object injection due to missing access control. Patched in 3.3.24. Severity: medium. The vulnerability is patched, so update to version 3.3.24.
41. Pie register: Open. Patched in 3.7.2.4. Severity: medium. The vulnerability is patched, so update to version 3.7.2.4.
42. Advanced forms: User+ IDOR arbitrary user email address update. Patched in 1.6.9. Severity: high. The vulnerability is patched, so update to version 1.6.9.
   Also, Advanced forms Pro: User+ IDOR arbitrary user email address update. Patched in 1.6.9. Severity: high. The vulnerability is patched, so update to version 1.6.9.
43. Catch theme demo import: Admin+ arbitrary file upload. Patched in 1.8. Severity: fatal. The vulnerability is patched, so update to version 1.8.
44. Simple task bulletin board: Admin+ stored cross-site scripting. Patched in 2.9.5. Severity: low. The vulnerability is patched, so update to version 2.9.5.
45. Ivory search: Reflected cross-site scripting. Patched in 4.7. Severity: high. The vulnerability is patched, so update to version 4.7.
46. Proxy gateway: Authenticated stored cross-site scripting. Patched in 2.16.4. Severity: fatal. The vulnerability is patched, so update to version 2.16.4.

How to protect your WordPress website from vulnerable plug-ins and themes

New WordPress plug-in and theme vulnerabilities are disclosed every week. Because it is hard to keep track of every disclosed vulnerability, the iThemes Security Pro plug-in makes it easy to determine whether your site is running a theme, plug-in or WordPress core version with known vulnerabilities.
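The action the report asks for is the same for every entry: compare the installed version of each listed plug-in with the patched version, update anything older, and remove anything with no known fix. The following script, added here as an illustration and not part of the report or of iThemes Security Pro, does exactly that check over a constructed sample. The plug-in slugs (for example `shared-files`), the sample WP-CLI output and the site's installed versions are all assumptions made up for the example; only the patched versions and severities are taken from the entries above.

```python
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Severity scale used by the report; lower rank = act first.
SEVERITY_RANK = {"fatal": 0, "high": 1, "medium": 2, "low": 3}

# Latest WordPress core release named in the report.
LATEST_CORE = "5.8.1"


@dataclass(frozen=True)
class Advisory:
    plugin: str               # plug-in slug as installed on the site (assumed)
    vuln_type: str
    fixed_in: Optional[str]   # None = no known fix (closed or unpatched plug-in)
    severity: str


# Constructed subset of this week's entries; slugs are assumptions, not from the report.
ADVISORIES = [
    Advisory("shared-files", "Admin+ stored XSS", "1.6.61", "low"),
    Advisory("seo-redirection", "Subscriber+ SQL injection", "8.2", "high"),
    Advisory("powerful-form-builder", "Unauthenticated stored XSS", "4.09.05", "low"),
    Advisory("content-dump", "Admin+ stored XSS", None, "low"),
    Advisory("learndash", "Unauthenticated arbitrary file upload", "2.5.4", "fatal"),
]

# Constructed sample in the shape of `wp plugin list --format=csv` (assumed layout).
SAMPLE_WP_CLI_CSV = """name,status,update,version
shared-files,active,available,1.6.60
seo-redirection,active,none,8.2
content-dump,inactive,none,1.0
learndash,active,none,2.5.3
"""


def parse_version(version: str) -> tuple:
    """Split a dotted version into integers so '4.09.05' == '4.9.5' and
    '1.6' == '1.6.0' < '1.6.1'. Non-numeric pieces count as 0."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while parts and parts[-1] == 0:      # drop trailing zeros: 1.6.0 == 1.6
        parts.pop()
    return tuple(parts)


def version_lt(installed: str, fixed: str) -> bool:
    """True when the installed version is older than the patched version."""
    return parse_version(installed) < parse_version(fixed)


def installed_from_csv(text: str) -> dict:
    """Turn WP-CLI style CSV output into {slug: version}."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["name"]: row["version"] for row in reader}


def assess(installed: dict, advisories=ADVISORIES) -> list:
    """Return (slug, action, advisory) for every installed plug-in that is
    still exposed, most severe first. Plug-ins already at or above the
    patched version produce no finding; plug-ins with no fix are flagged
    for removal regardless of version."""
    by_slug = {}
    for adv in advisories:
        by_slug.setdefault(adv.plugin, []).append(adv)
    findings = []
    for slug, version in installed.items():
        for adv in by_slug.get(slug, []):
            if adv.fixed_in is None:
                findings.append((slug, "remove", adv))
            elif version_lt(version, adv.fixed_in):
                findings.append((slug, f"update to {adv.fixed_in}", adv))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[2].severity], f[0]))
    return findings


def core_outdated(core_version: str, latest: str = LATEST_CORE) -> bool:
    """True when the site's WordPress core is older than the latest release."""
    return version_lt(core_version, latest)


if __name__ == "__main__":
    for slug, action, adv in assess(installed_from_csv(SAMPLE_WP_CLI_CSV)):
        print(f"[{adv.severity}] {slug}: {adv.vuln_type} -> {action}")
    print("core outdated:", core_outdated("5.8"))
```

Version strings are compared numerically rather than as text because a plain string comparison would treat `1.6.60` as newer than `1.6.61`'s shorter cousin `1.6.7`; the trailing-zero rule also keeps `1.6` equal to `1.6.0`, which matters for entries patched in a two-part version such as 1.6 or 8.2.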
1. Scan for known website vulnerabilities. The iThemes Security Pro site scan looks for the #1 reason WordPress websites are hacked: outdated plug-ins and themes with known vulnerabilities.
2. Automatically update to the secure version. The version management feature of iThemes Security Pro integrates with the site scan to protect the site: vulnerable themes, plug-ins and WordPress core versions are updated automatically.
3. Monitor file changes to detect a breach quickly. Monitoring file changes on the website is key to detecting a security breach quickly. The file change detection feature of iThemes Security Pro scans the website's files and notifies you when they change.

Get iThemes Security Pro, the WordPress security plug-in with year-round website monitoring. iThemes Security Pro provides more than 50 ways to secure and protect your website from common WordPress security vulnerabilities. You can add layers of security to the website with WordPress brute force protection, two-factor authentication, strong password enforcement and more: plug-in and theme vulnerability detection, site scanner, file change detection, real-time website security dashboard, WordPress security logs, trusted devices, reCAPTCHA, brute force protection, two-factor authentication, passwordless login links, permission reports, password confirmation and the rest of the iThemes Security Pro feature set.