WordPress Vulnerability Report: November 2021, Part 1

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

Please share this post with your friends to help get the word out and make WordPress safer for everyone.

Get SolidWP tips direct in your inbox

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Get started with confidence � risk free, guaranteed

WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.1. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.

1. Reviews Plus

Plugin: Reviews Plus
Vulnerability: Subscriber+ Reviews DoS
Patched in Version: 1.2.14
Severity Score: Low

The vulnerability is patched, so you should update to version 1.2.14.

2. Slideshow Gallery

Plugin: Slideshow Gallery
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.7.4
Severity Score: Low

The vulnerability is patched, so you should update to version 1.7.4.

3. MainWP Child

Plugin: MainWP Child
Vulnerability: Admin+ SQL Injection
Patched in Version: 4.1.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.1.8.

4. eCommerce Product Catalog for WordPress

Plugin: eCommerce Product Catalog for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.0.39
Severity Score: High

The vulnerability is patched, so you should update to version 3.0.39.

5. Falang multilanguage for WordPress

Plugin: Falang multilanguage for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.3.18
Severity Score: High

The vulnerability is patched, so you should update to version 1.3.18.

6. Video Lessons Manager

Plugin: Video Lessons Manager
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.7.2
Severity Score: Low

The vulnerability is patched, so you should update to version 1.7.2.

7. WP Spell Check

Plugin: WP Spell Check
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 9.3
Severity Score: High

The vulnerability is patched, so you should update to version 9.3.

8. Ecommerce – Two Factor Authentication

Plugin: Ecommerce – Two Factor Authentication
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.0.5
Severity Score: High

The vulnerability is patched, so you should update to version 1.0.5.

9. MAZ Loader

Plugin: MAZ Loader
Vulnerability: Arbitrary Loader Deletion via CSRF
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

10. Age Gate

Plugin: Age Gate
Vulnerability: Unauthenticated Import Settings
Patched in Version: 2.17.1
Severity Score: Critical

The vulnerability is patched, so you should update to version 2.17.1.

11. Duplicate Post

Plugin: Duplicate Post
Vulnerability: Authenticated SQL Injection
Patched in Version: 1.2.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.0.

12. Notification

Plugin: Notification
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 8.0.0
Severity Score: Low

The vulnerability is patched, so you should update to version 8.0.0.

13. Connections Business Directory

Plugin: Connections Business Directory
Vulnerability: Admin+ CSV Injection
Patched in Version: 9.7
Severity Score: Medium

The vulnerability is patched, so you should update to version 9.7.

14. Media-Tags

Plugin: Media-Tags
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of September 28, 2021. Uninstall and delete.

15. About Author Box

Plugin: About Author Box
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 1.0.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.2.

16. Subscriptions & Memberships for PayPal

Plugin: Subscriptions & Memberships for PayPal
Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched in Version: 1.1.3
Severity Score: High

The vulnerability is patched, so you should update to version 1.1.3.

17. Accept Donations with PayPal

Plugin: Accept Donations with PayPal
Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched in Version: 1.3.1
Severity Score: High

The vulnerability is patched, so you should update to version 1.3.1.

18. Easy PayPal Events

Plugin: Easy PayPal Events
Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched in Version: 1.1.2
Severity Score: High

The vulnerability is patched, so you should update to version 1.1.2.

Plugin: Popup Anything
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 2.0.4
Severity Score: High

The vulnerability is patched, so you should update to version 2.0.4.

20. JS Job Manager

Plugin: JS Job Manager
Vulnerability: Unauthenticated Arbitrary Plugin Installation/Activation
Patched in Version: 1.1.9
Severity Score: Critical

The vulnerability is patched, so you should update to version 1.1.9.

21. Bulk Datetime Change

Plugin: Bulk Datetime Change
Vulnerability: Missing Authorisation
Patched in Version: 1.12
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.12.

22. Ninja Forms

Plugin: Ninja Forms
Vulnerability: Admin+ SQL Injection
Patched in Version: 3.6.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.6.4.

23. WP Attachment Export

Plugin: WP Attachment Export
Vulnerability: Unauthenticated Posts Download
Patched in Version: 0.2.4
Severity Score: High

The vulnerability is patched, so you should update to version 0.2.4.

24. Content text slider on post

Plugin: Content text slider on post
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 6.9
Severity Score: Medium

The vulnerability is patched, so you should update to version 6.9.

25. HashThemes Demo Importer

Plugin: HashThemes Demo Importer
Vulnerability: Improper Access Control to Blog Reset
Patched in Version: 1.1.2
Severity Score: Critical

The vulnerability is patched, so you should update to version 1.1.2.

26. Registrations for The Events Calendar

Plugin: Registrations for The Events Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.7.5
Severity Score: High

The vulnerability is patched, so you should update to version 2.7.5.

27. Mang Board WP

Plugin: Mang Board WP
Vulnerability: SQL Injection
Patched in Version: 1.6.9
Severity Score: High

The vulnerability is patched, so you should update to version 1.6.9.

28. OptinMonster

Plugin: OptinMonster
Vulnerability: Unprotected REST-API Endpoints
Patched in Version: 2.6.5
Severity Score: High

The vulnerability is patched, so you should update to version 2.6.5.

Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.3.21
Severity Score: High

The vulnerability is patched, so you should update to version 4.3.21.

Plugin: Smash Balloon Social Post Feed
Vulnerability: Subscriber+ Arbitrary Plugin Settings Update to Stored XSS
Patched in Version: 4.0.1
Severity Score: High

The vulnerability is patched, so you should update to version 4.0.1.

31. WP-Pro-Quiz

Plugin: WP-Pro-Quiz
Vulnerability: Arbitrary Quiz Deletion via CSRF
Patched in Version: No known fix – plugin closed
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of July 17, 2020. Uninstall and delete.

32. Contact Form by Supsystic

Plugin: Contact Form by Supsystic
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: no known fix
Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

33. WP-Stats

Plugin: WP-Stats
Vulnerability: CSRF to Stored Cross-Site Scripting (XSS)
Patched in Version: 2.52
Severity Score: High

This plugin hasn�t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin or WordPress core version with a known vulnerability.

1. Install the iThemes Security Pro Plugin

The iThemes Security Pro plugin hardens your WordPress site against the most common ways that websites get hacked. With 30+ ways to secure your site in one easy to use plugin.

2. Enable the Site Scan to Check for Known Vulnerabilities

The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins and WordPress core versions will be automatically updated for you.

3. Monitor File Changes

The key to quickly spotting a security breach is monitoring file changes on your website. The File Change Detection feature in iThemes Security Pro will scan your website�s files and alert you when changes occur on your website.

Get iThemes Security Pro with 24/7 Website Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

WordPress Vulnerability Report: November 2021, Part 1

Get SolidWP tips direct in your inbox

WordPress Core Vulnerabilities

WordPress Plugin Vulnerabilities

1. Reviews Plus

2. Slideshow Gallery

3. MainWP Child

4. eCommerce Product Catalog for WordPress

5. Falang multilanguage for WordPress

6. Video Lessons Manager

7. WP Spell Check

8. Ecommerce – Two Factor Authentication

9. MAZ Loader

10. Age Gate

11. Duplicate Post

12. Notification

13. Connections Business Directory

14. Media-Tags

15. About Author Box

16. Subscriptions & Memberships for PayPal

17. Accept Donations with PayPal

18. Easy PayPal Events

19. Popup Anything

20. JS Job Manager

21. Bulk Datetime Change

22. Ninja Forms

23. WP Attachment Export

24. Content text slider on post

25. HashThemes Demo Importer

26. Registrations for The Events Calendar

27. Mang Board WP

28. OptinMonster

29. NextScripts: Social Networks Auto-Poster

30. Smash Balloon Social Post Feed

31. WP-Pro-Quiz

32. Contact Form by Supsystic

33. WP-Stats

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

1. Install the iThemes Security Pro Plugin

2. Enable the Site Scan to Check for Known Vulnerabilities

3. Monitor File Changes

Get iThemes Security Pro with 24/7 Website Monitoring

Get iThemes Security Pro

Related articles

Wait! Get exclusive hosting insights