Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report, powered by WPScan, covers recent WordPress plugin, theme, and core vulnerabilities, along with what to do if you are running one of the vulnerable plugins or themes on your website. Each vulnerability is rated with a severity of Low, Medium, High, or Critical. Disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends and help spread the word to make WordPress safer for everyone.
Want the contents of this October 13, 2021 report delivered to your inbox every week? Subscribe to the weekly email.

WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.1, a security and maintenance release. As a best practice, always run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

This section discloses the latest WordPress plugin vulnerabilities. Each plugin listing includes the vulnerability type, the patched version number, and the severity level.

1. Simple PayPal Buy Now Button
Plugin: Simple PayPal Buy Now Button
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: 1.7.3
Severity: High
The vulnerability is patched, so update to version 1.7.3.

2. Simple Activity
Plugin: Simple Activity
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.2.24
Severity: Low
The vulnerability is patched, so update to version 2.2.24.

3. BP Better Messages
Plugin: BP Better Messages
Vulnerability: Multiple CSRF
Patched in version: 1.9.9.41
Severity: Medium
The vulnerability is patched, so update to version 1.9.9.41.

4. Themify Builder
Plugin: Themify Builder
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 5.3.2
Severity: High
The vulnerability is patched, so update to version 5.3.2.

5. Far Future Expiration Header
Plugin: Far Future Expiration Header
Vulnerability: Plugin Settings Update via CSRF
Patched in version: 1.5
Severity: Medium
The vulnerability is patched, so update to version 1.5.

6. (plugin name missing from the source)
Vulnerability: (garbled in the source: "medium version of plug-in + severity of image after patching: 1.3")
The vulnerability is patched, so update to version 2.3.1.

7. Flag Slider and Showcase
Plugin: Flag Slider and Showcase
Vulnerability: Plugin Settings Edit/Update
Patched in version: 1.3.37
Severity: Low
The vulnerability is patched, so update to version 1.3.37.

8. Cardity Payment Gateway for WooCommerce
Plugin: Cardity Payment Gateway for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.0.7
Severity: High
The vulnerability is patched, so update to version 3.0.7.

9. Sonaar MP3 Audio Player for Music, Broadcasting and Podcasting
Plugin: Sonaar MP3 Audio Player for Music, Broadcasting and Podcasting
Vulnerability: Multiple Admin+ Cross-Site Scripting
Patched in version: 2.4.2
Severity: Low
The vulnerability is patched, so update to version 2.4.2.

10. PayPal Donation
Plugin: PayPal Donation
(the remainder of this entry, and the entries that follow it up to the JobSearch WP entry, are missing from the source)

(entry details missing from the source)
Severity: Medium
The vulnerability is patched, so update to version 1.8.2.

Plugin: JobSearch WP Job Board
Vulnerability: Joiner+ Schedule Call Add/Update
Patched in version: 1.8.2
Severity: Medium
The vulnerability is patched, so update to version 1.8.2.

19. TheCartPress eCommerce Shopping Cart
Plugin: TheCartPress eCommerce Shopping Cart
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: No known fix – plugin closed
Severity: High
The vulnerability is not patched. The plugin was closed on October 5, 2021. Delete and remove it.

20. MStore API
Plugin: MStore API
Vulnerability: Unauthenticated PHP File Upload
Patched in version: No known fix – plugin closed
Severity: Critical
The vulnerability is not patched. The plugin was closed on October 5, 2021. Delete and remove it.

21. Media File Renaming – Automatic and Manual Renaming
Plugin: Media File Renaming – Automatic and Manual Renaming
Vulnerability: Media Title / File Name / Lock Status Update via CSRF
Patched in version: 5.2.7
Severity: Medium
The vulnerability is patched, so update to version 5.2.7.

22. Deploy Cat
Plugin: Deploy Cat
Vulnerability: Subscriber+ Add/Set/Delete Posts of Any Category
Patched in version: No known fix – plugin closed
Severity: Medium
The vulnerability is not patched. The plugin was closed on September 24, 2021. Delete and remove it.

23. qTranslate X
Plugin: qTranslate X
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in version: No known fix – plugin closed
Severity: Low
The vulnerability is not patched. The plugin was closed on August 31, 2021. Delete and remove it.

24. World Tourism Information
Plugin: World Tourism Information
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No known fix – plugin closed
Severity: High
The vulnerability is not patched. The plugin was closed on September 23, 2021. Delete and remove it.

25. WP ServerPlus
Plugin: WP ServerPlus
Vulnerability: User+ AJAX Calls
Patched in version: No known fix – plugin closed
Severity: High
The vulnerability is not patched. The plugin was closed on September 30, 2021. Delete and remove it.

26. WP Sitemap Page
Plugin: WP Sitemap Page
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No known fix
Severity: Low
The vulnerability is not patched. Uninstall and remove the plugin until a patch is released.

27. WP Banner Ad 2.0.0
Plugin: WP Banner Ad 2.0.0
Vulnerability: Authenticated SQL Injection
Patched in version: No known fix – plugin closed
Severity: High
The vulnerability is not patched. The plugin was closed on July 19, 2021. Delete and remove it.

28. Genie WP Favicon
Plugin: Genie WP Favicon
Vulnerability: Arbitrary Favicon Change via CSRF
Patched in version: No known fix – plugin closed
Severity: Medium
The vulnerability is not patched. The plugin was closed on August 27, 2021. Delete and remove it.

29. Phoenix Contact Media Renaming
Plugin: Phoenix Contact Media Renaming
Vulnerability: Author+ Arbitrary Media File Rename
Patched in version: 3.4.4
Severity: Medium
The vulnerability is patched, so update to version 3.4.4.

30. Visitor Traffic Real-Time Statistics
Plugin: Visitor Traffic Real-Time Statistics
Vulnerability: Subscriber+ SQL Injection
Patched in version: 3.9
Severity: High
The vulnerability is patched, so update to version 3.9.

31. AddToAny Sharing Buttons
Plugin: AddToAny Sharing Buttons
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.7.48
Severity: Low
The vulnerability is patched, so update to version 1.7.48.

32. Powerful Form Builder
Plugin: Powerful Form Builder
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 5.0.7
Severity: Low
The vulnerability is patched, so update to version 5.0.7.

33. BulletProof Security
Plugin: BulletProof Security
Vulnerability: Sensitive Information Disclosure
Patched in version: 5.2
Severity: Medium
The vulnerability is patched, so update to version 5.2.

34. WP All Export
Plugin: WP All Export
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.3.1
Severity: Low
The vulnerability is patched, so update to version 1.3.1.

35. 404 Error Page Redirection to the Home Page or Custom Page with Logs
Plugin: 404 Error Page Redirection to the Home Page or Custom Page with Logs
Vulnerability: Log Deletion via CSRF
Patched in version: 1.7.9
Severity: Medium
The vulnerability is patched, so update to version 1.7.9.

36. Access Demo Importer
Plugin: Access Demo Importer
Vulnerability: Accessor+ Arbitrary File Upload
Patched in version: 1.0.7
Severity: High
The vulnerability is patched, so update to version 1.0.7.

37. Monitor
Plugin: Monitor
Vulnerability: Unauthenticated Log
Patched in version: 1.9.7
Severity: Medium
The vulnerability is patched, so update to version 1.9.7.

Plugin: Monitor
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in version: 1.7.1
Severity: Medium
The vulnerability is patched, so update to version 1.7.1.

Plugin: Monitor
Vulnerability: Authenticated Directory Listing
Patched in version: 1.6.4
Severity: Medium
The vulnerability is patched, so update to version 1.6.4.

Plugin: Monitor
Vulnerability: Multiple Reflected Cross-Site Scripting
Patched in version: 3.3.6.2
Severity: Medium
The vulnerability is patched, so update to version 3.3.6.

38. Unrestricted Pop-up
Plugin: Unrestricted Pop-up
Vulnerability: Author+ SQL Injection
Patched in version: No known fix – plugin closed
Severity: High
The vulnerability is not patched. The plugin was closed on June 22, 2021. Delete and remove it.

39. Schleikasten
Plugin: Schleikasten
Vulnerability: Author+ SQL Injection
Patched in version: No known fix – plugin closed
Severity: High
The vulnerability is not patched. The plugin was closed on June 21, 2021. Delete and remove it.

40. Post Content XMLRPC
Plugin: Post Content XMLRPC
Vulnerability: Author+ SQL Injection
Patched in version: No known fix – plugin closed
Severity: High
The vulnerability is not patched. The plugin was closed on June 21, 2021. Delete and remove it.

41. Wow + Form
Plugin: Wow + Form
Vulnerability: (missing from the source)
Patched in version: No known fix – plugin closed
Severity: (missing from the source)
The vulnerability is not patched. The plugin was closed on June 18, 2021. Delete and remove it.

42. Automatic Hyperlink
Plugin: G Automatic Hyperlink
Vulnerability: Author+ SQL Injection
Patched in version: No known fix – plugin closed
Severity: Medium
The vulnerability is not patched. The plugin was closed on June 18, 2021. Delete and remove it.

43. Chameleon CSS
Plugin: Chameleon CSS
Vulnerability: Subscriber+ SQL Injection
Patched in version: No known fix – plugin closed
Severity: Critical
The vulnerability is not patched. The plugin was closed on June 18, 2021. Delete and remove it.

44. Spider Directory
Plugin: Spider Directory
Vulnerability: Author+ SQL Injection
Patched in version: No known fix – plugin closed
Severity: Medium
The vulnerability is not patched. The plugin was closed on June 18, 2021. Delete and remove it.

45. Support Board
Plugin: Support Board
Vulnerability: Agent+ Stored Cross-Site Scripting
Patched in version: 3.3.5
Severity: Medium
The vulnerability is patched, so update to version 3.3.5.

46. Proxy Gateway
Plugin: Proxy Gateway
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in version: 2.16.4
Severity: Medium
The vulnerability is patched, so update to version 2.16.4.

47. Inline Post
Plugin: Inline Post
Vulnerability: Admin+ Cross-Site Scripting
Patched in version: 3.0.5
Severity: Low
The vulnerability is patched, so update to version 3.0.5.

How to Protect Your WordPress Website from Vulnerable Plugins and Themes

New WordPress plugin and theme vulnerabilities are disclosed every week. We know it is hard to keep up with every disclosed vulnerability, but the iThemes Security Pro plugin makes it easy to find out whether your site is running a theme, plugin, or version of WordPress core with a known vulnerability.

1. Scan your site for known vulnerabilities. The iThemes Security Pro plugin scans for the #1 reason WordPress websites get hacked: outdated plugins and themes with known vulnerabilities.

2. Automatically update to a secure version. The Version Management feature of iThemes Security Pro integrates with the Site Scan to protect your site: vulnerable themes, plugins, and versions of WordPress core are updated automatically.

3. Monitor file changes to quickly detect security breaches. Monitoring the files on your website for changes is central to quickly detecting a breach. The File Change Detection feature of iThemes Security Pro scans your website's files and notifies you when they change.

Get iThemes Security Pro, the WordPress security plugin with year-round website monitoring. iThemes Security Pro offers more than 50 ways to secure and protect your website from common WordPress security vulnerabilities. You can add layers of security to your website with WordPress two-factor authentication, brute-force protection, strong password enforcement, and more. Get iThemes Security Pro for plugin and theme vulnerability detection, site scanning, file change detection, a real-time website security dashboard, WordPress security logs, trusted devices, reCAPTCHA, brute-force protection, two-factor authentication, direct login links, permission reports, password confirmation and denial.