WP Plugins

Vulnerabilities

Keeping up to date with security vulnerabilities in WordPress plugins is an important part of keeping a site secure.

Elementor

Apr 13, 2022

Elementor is one of the most popular WordPress plugins and is installed on over 5 million websites.

A critical vulnerability in the Elementor plugin allowed any authenticated user, down to the Subscriber role, to upload arbitrary PHP code to the site and have it executed on the server.

The Elementor plugin for WordPress introduced an Onboarding module in version 3.6.0, designed to simplify the initial setup of the plugin. The module uses an unusual method to register AJAX actions: it adds an admin_init listener in its constructor that checks whether the request was made to the AJAX endpoint and carries a valid nonce, and then calls the maybe_handle_ajax function. That nonce was the only gate. A WordPress nonce is a CSRF token: it shows that the request was assembled from a page served to a logged-in user, not that the user is allowed to perform the action. Because the handlers ran without any capability check, every authenticated user who could obtain the nonce could reach the module's file-upload functionality.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to a complete site takeover.

Description: Insufficient Access Control leading to Subscriber+ Remote Code Execution
Affected Plugin: Elementor
Plugin Slug: elementor
Plugin Developer: Elementor
Affected Versions: 3.6.0 – 3.6.2
CVE ID: CVE-2022-1329
CVSS Score: 9.9 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 3.6.3
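The pattern described above, as an added example that is not Elementor's code: a hypothetical Demo_Onboarding class wired the same way (an admin_init listener that dispatches AJAX sub-actions). The method kept for contrast stops at the nonce check, which is the gap the advisory describes; the hooked method adds the authorization check, an allowlist of sub-actions and an upload type allowlist. The class, action, nonce and sub-action names are assumptions, as is the detail that the nonce is localized into admin scripts that a Subscriber can load from their profile page.

```php
<?php
/**
 * Added example, not Elementor's code. A hypothetical onboarding module that
 * dispatches AJAX sub-actions from an admin_init listener. The class, action,
 * nonce and sub-action names are assumptions made for this illustration.
 */
class Demo_Onboarding {

	const NONCE_ACTION = 'demo_onboarding_nonce';

	public function __construct() {
		// Only the FIXED handler is hooked; the vulnerable one is kept for contrast.
		add_action( 'admin_init', array( $this, 'maybe_handle_ajax' ) );
	}

	/**
	 * VULNERABLE shape: the nonce is the only gate. The nonce is localized into
	 * admin scripts (assumption), so a Subscriber can read it from their own
	 * profile page and replay it; nothing asks what that user may do.
	 */
	public function maybe_handle_ajax_vulnerable() {
		if ( ! wp_doing_ajax() || ! isset( $_POST['action'] ) || 'demo_onboarding' !== $_POST['action'] ) {
			return;
		}
		if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( $_POST['_nonce'], self::NONCE_ACTION ) ) {
			wp_send_json_error( 'Invalid nonce', 403 );
		}
		$this->handle_upload_logo(); // reachable by any authenticated user
	}

	/**
	 * FIXED shape: anti-CSRF (nonce), authorization (capability) and an
	 * allowlist of sub-actions, in that order.
	 */
	public function maybe_handle_ajax() {
		if ( ! wp_doing_ajax() || ! isset( $_POST['action'] ) || 'demo_onboarding' !== $_POST['action'] ) {
			return;
		}
		check_ajax_referer( self::NONCE_ACTION, '_nonce' ); // dies with HTTP 403 on failure
		if ( ! current_user_can( 'manage_options' ) ) {
			wp_send_json_error( 'Insufficient permissions', 403 );
		}
		$sub_action = isset( $_POST['sub_action'] ) ? sanitize_key( wp_unslash( $_POST['sub_action'] ) ) : '';
		$handlers   = array(
			'upload_logo' => array( $this, 'handle_upload_logo' ),
		);
		if ( ! isset( $handlers[ $sub_action ] ) ) {
			wp_send_json_error( 'Unknown action', 400 );
		}
		call_user_func( $handlers[ $sub_action ] );
	}

	private function handle_upload_logo() {
		if ( empty( $_FILES['logo'] ) ) {
			wp_send_json_error( 'No file', 400 );
		}
		// Only these extension/MIME pairs are accepted; wp_handle_upload() checks
		// the real file type against the list, so a .php upload is rejected.
		$overrides = array(
			'test_form' => false,
			'mimes'     => array(
				'png'      => 'image/png',
				'jpg|jpeg' => 'image/jpeg',
				'gif'      => 'image/gif',
			),
		);
		$result = wp_handle_upload( $_FILES['logo'], $overrides );
		if ( isset( $result['error'] ) ) {
			wp_send_json_error( $result['error'], 400 );
		}
		wp_send_json_success( array( 'url' => $result['url'] ) );
	}
}

new Demo_Onboarding();
```

check_ajax_referer() and current_user_can() answer different questions (was this request forged? may this user do this?), and a handler that performs a privileged action needs both; neither replaces the other.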
				
			

Booking Calendar

Apr 27, 2022

A PHP Object Injection vulnerability was found in the Booking Calendar plugin for WordPress, which has over 60,000 installations.

The Booking Calendar plugin allows site owners to add a booking system to their site, which includes the ability to publish a flexible timeline showing existing bookings and openings using a shortcode, [bookingflextimeline].

If you’re a customer of PrettyWP and have installed this plugin on your site, then you don’t have to worry about it! Our team has already updated the plugin safely to the patched version.

Description: Insecure Deserialization/PHP Object Injection
Affected Plugin: Booking Calendar
Plugin Slug: booking
Plugin Developer: wpdevelop, oplugins
Affected Versions: <= 9.1
CVE ID: CVE-2022-1463
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 9.1.1
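PHP Object Injection happens when unserialize() runs on data the attacker controls: the serialized string names a class and its property values, PHP instantiates that class, and its magic methods (__wakeup, __destruct, __toString) later run with the attacker's values. The following is an added example, not the Booking Calendar plugin's code; the Demo_Cache_Writer gadget class, the demo_timeline shortcode and its options attribute are hypothetical.

```php
<?php
/**
 * Added example, not the Booking Calendar plugin's code. Shows why an
 * attacker-controlled string must never reach unserialize() and two safe
 * alternatives. Demo_Cache_Writer, demo_timeline and 'options' are assumptions.
 */

// A harmless-looking class that happens to be loaded on the site: it flushes a
// buffer to a file when the object is destroyed. Classes like this are the
// "gadgets" an object injection attack reuses; they need not live in the
// vulnerable plugin.
class Demo_Cache_Writer {
	public $path = '';
	public $data = '';

	public function __destruct() {
		if ( '' !== $this->path ) {
			file_put_contents( $this->path, $this->data );
		}
	}
}

// VULNERABLE: a shortcode attribute is handed straight to unserialize(), so the
// caller chooses which class is instantiated and with which property values.
function demo_timeline_vulnerable( $atts ) {
	$atts    = shortcode_atts( array( 'options' => '' ), $atts, 'demo_timeline' );
	$options = unserialize( $atts['options'] );
	return is_array( $options ) ? count( $options ) . ' options' : '';
}

// What an attacker would supply: a serialized Demo_Cache_Writer whose
// __destruct() writes a PHP file. Constructed by hand so that no real object is
// created here, and pointed at /tmp so running this example cannot touch a web root.
function demo_object_injection_payload() {
	$class = 'Demo_Cache_Writer';
	$path  = '/tmp/demo-shell.php';
	$data  = '<?php echo "object injection"; ?>';
	return sprintf(
		'O:%d:"%s":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
		strlen( $class ), $class,
		strlen( $path ), $path,
		strlen( $data ), $data
	);
}

// FIXED (option 1): forbid every class. Objects in the payload become
// __PHP_Incomplete_Class and no __wakeup()/__destruct() of a real class runs.
function demo_timeline_fixed( $atts ) {
	$atts    = shortcode_atts( array( 'options' => '' ), $atts, 'demo_timeline' );
	$options = unserialize( $atts['options'], array( 'allowed_classes' => false ) );
	if ( ! is_array( $options ) ) {
		return '';
	}
	return count( $options ) . ' options';
}

// FIXED (option 2, preferable for new code): use a format with no object
// semantics at all.
function demo_timeline_json( $atts ) {
	$atts    = shortcode_atts( array( 'options' => '' ), $atts, 'demo_timeline' );
	$options = json_decode( $atts['options'], true );
	if ( ! is_array( $options ) ) {
		return '';
	}
	return count( $options ) . ' options';
}
```

Two caveats a practitioner should keep in mind: WordPress's own maybe_unserialize() passes the data straight to unserialize() without restricting classes, so it is no safer than a bare call on untrusted input, and the gadget class can come from core, the theme or any other plugin loaded on the site, so "we have no dangerous classes in our plugin" is not a defence.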
				
			

Spam protection, AntiSpam, FireWall by CleanTalk

Mar 30, 2022

CleanTalk is a WordPress plugin designed to protect websites from spam comments and registrations. One of the features it includes is the ability to check comments for spam and present the spammy comments for deletion.

The plugin contained a reflected Cross-Site Scripting vulnerability that could be used for site takeover if an attacker could trick a site administrator into performing an action, such as clicking a link.

The vulnerability can be used to execute JavaScript in the browser of a logged-in administrator, for instance by tricking them into visiting a page with a self-submitting form that sends a POST request to wp-admin/edit-comments.php?page=ct_check_spam with the $_POST['page'] parameter set to malicious JavaScript. The value of that parameter was written back into the response without escaping, and because the payload travels in the POST body rather than the URL, a third-party page can deliver it without the administrator seeing anything suspicious in the address bar.

If an administrator can be tricked into performing the action, the JavaScript running in their browser can be used to take over the site, for example by creating a new administrator account or editing a plugin file.

Description: Reflected Cross-Site Scripting
Affected Plugin: Spam protection, AntiSpam, FireWall by CleanTalk
Plugin Slug: cleantalk-spam-protect
Plugin Developer: CleanTalk
Affected Versions: <= 5.173
CVE ID: CVE-2022-28221
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Fully Patched Version: 5.174.1
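The CleanTalk entry above is a textbook reflected XSS: a request parameter (here $_POST['page']) is written back into the page without escaping, and because the payload rides in a POST body a third-party page can deliver it with a self-submitting form. The following is an added example, not CleanTalk's code: a hypothetical admin sub-page showing the unescaped rendering, the context-correct escaping, the input-side filter that the stored XSS entries further down this page (Variation Swatches, Starter Templates) call for, and the nonce check that stops the cross-site form before escaping is even considered. All function, nonce and capability names are assumptions.

```php
<?php
/**
 * Added example, not CleanTalk's code. A hypothetical admin sub-page under
 * Comments that renders a request value back into the page.
 */

// VULNERABLE: request data goes into the HTML unescaped. A cross-site form that
// POSTs page=<script>...</script> to edit-comments.php?page=demo_check_spam
// runs the script in the administrator's browser.
function demo_render_vulnerable() {
	$page = isset( $_POST['page'] ) ? $_POST['page'] : 'demo_check_spam';
	echo '<h1>Checking spam</h1>';
	echo '<input type="hidden" name="page" value="' . $page . '">';
	echo '<a href="?page=' . $page . '">Reload</a>';
}

// FIXED: validate the value, then escape for the exact context it lands in
// (attribute, text, URL). Returns the markup so it can be inspected directly.
function demo_render_fixed( array $request ) {
	$page  = isset( $request['page'] ) ? sanitize_key( wp_unslash( $request['page'] ) ) : 'demo_check_spam';
	$html  = '<h1>' . esc_html__( 'Checking spam', 'demo' ) . '</h1>';
	$html .= '<input type="hidden" name="page" value="' . esc_attr( $page ) . '">';
	$html .= '<a href="' . esc_url( add_query_arg( 'page', $page, admin_url( 'edit-comments.php' ) ) ) . '">Reload</a>';
	return $html;
}

// Stored XSS from low-privileged users (the Variation Swatches and Starter
// Templates entries on this page): content they save must be filtered on the
// way in as well as escaped on the way out, because Contributors and
// Subscribers do not hold the unfiltered_html capability.
function demo_sanitize_user_html( $html ) {
	if ( current_user_can( 'unfiltered_html' ) ) {
		return $html;
	}
	return wp_kses_post( $html ); // strips <script>, on* handlers, javascript: URLs
}

// Any admin page that acts on POST data should verify a nonce first. A
// self-submitting form on an attacker's site cannot supply a valid nonce, so
// the delivery mechanism described in the advisory fails at this line.
function demo_handle_post() {
	if ( ! isset( $_SERVER['REQUEST_METHOD'] ) || 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
		return;
	}
	check_admin_referer( 'demo_check_spam_action', 'demo_nonce' );
	if ( ! current_user_can( 'moderate_comments' ) ) {
		wp_die( esc_html__( 'Not allowed', 'demo' ), 403 );
	}
	echo demo_render_fixed( $_POST );
}
```

The escaping function has to match the output context: esc_attr() inside an attribute, esc_html() in text, esc_url() in href/src. Using one of them everywhere is a common way to leave a hole open.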
				
			

SiteGround Security

Apr 7, 2022

SiteGround Security is a plugin designed to enhance the security of WordPress installations via several features like login security including 2FA, general WordPress hardening, activity monitoring, and more.

A vulnerability in the plugin makes it possible for attackers to gain administrative user access on vulnerable sites when two-factor authentication (2FA) is enabled but not yet configured for an administrator.

We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6.

If you’re a customer of PrettyWP and have installed this plugin on your site, then you don’t have to worry about it! Our team has already updated the plugin safely to the patched version.

Description: Authentication Bypass via 2-Factor Authentication Setup
Affected Plugin: SiteGround Security
Plugin Slug: sg-security
Plugin Developer: SiteGround
Affected Versions: <= 1.2.5
CVE ID: CVE-2022-0992
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 1.2.6

WP Statistics

Feb 10, 2022

A vulnerability in the WP Statistics plugin made it possible for unauthenticated attackers to inject arbitrary SQL into an existing query. The injection was blind, meaning the query's results were never returned to the attacker, but by making the database answer yes/no questions (for example through conditional delays) an attacker could still extract sensitive information such as password hashes and secret keys one character at a time.

This vulnerability was exploitable only when the "Record Exclusions" feature was enabled. That feature records when a visit, or "hit", is excluded from the site's statistics, such as visits by users with specific roles, login page access, and anything else the site owner has explicitly chosen to exclude.

Description: Unauthenticated Blind SQL Injection
Affected Plugin: WP Statistics
Plugin Slug: wp-statistics
Plugin Developer: VeronaLabs
Affected Versions: <= 13.1.4
CVE ID: CVE-2022-0513
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 13.1.5
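An added example, not WP Statistics' code, of how a query that splices attacker input into an existing statement becomes injectable even when its result is never displayed, and what the fix looks like with $wpdb. The hypothetical plugin logs excluded hits into a demo_exclusions table; the table, column and reason names are assumptions, and the payload in the comment is constructed for illustration.

```php
<?php
/**
 * Added example, not WP Statistics' code. A hypothetical logger for excluded
 * hits; the demo_exclusions table and column names are assumptions.
 */

/**
 * VULNERABLE: request-derived strings are spliced into the statement. The
 * query returns nothing to the visitor, yet it is exploitable blind. A value
 * for $page_uri such as
 *   ', (SELECT IF(SUBSTRING(user_pass,1,1)='$', SLEEP(5), NOW()) FROM wp_users WHERE ID=1)) -- -
 * closes the string, supplies the last column with a subquery that delays the
 * response only when the guess is right, and comments out the rest of the
 * original statement. Repeating it per position leaks the password hash.
 */
function demo_record_exclusion_vulnerable( $reason, $page_uri ) {
	global $wpdb;
	$table = $wpdb->prefix . 'demo_exclusions';
	$sql   = "INSERT INTO $table (reason, page_uri, hit_date) VALUES ('" . $reason . "', '" . $page_uri . "', NOW())";
	return $wpdb->query( $sql );
}

/**
 * FIXED: every value goes through a placeholder. Identifiers (the table name)
 * cannot be placeholders, so they come from $wpdb->prefix plus a constant, and
 * the reason is reduced to a fixed vocabulary before it is stored.
 */
function demo_record_exclusion_fixed( $reason, $page_uri ) {
	global $wpdb;
	$allowed_reasons = array( 'login_page', 'excluded_role', 'robot', 'ip_match' );
	$reason          = in_array( $reason, $allowed_reasons, true ) ? $reason : 'other';
	$page_uri        = substr( sanitize_text_field( wp_unslash( $page_uri ) ), 0, 255 );
	$table           = $wpdb->prefix . 'demo_exclusions';

	return $wpdb->query(
		$wpdb->prepare(
			"INSERT INTO {$table} (reason, page_uri, hit_date) VALUES (%s, %s, NOW())",
			$reason,
			$page_uri
		)
	);
}

/**
 * Equivalent using $wpdb->insert(), which builds the prepared statement itself;
 * the format array pins each value's type so a string can never be treated as SQL.
 */
function demo_record_exclusion_insert( $reason, $page_uri ) {
	global $wpdb;
	return $wpdb->insert(
		$wpdb->prefix . 'demo_exclusions',
		array(
			'reason'   => $reason,
			'page_uri' => $page_uri,
			'hit_date' => current_time( 'mysql' ),
		),
		array( '%s', '%s', '%s' )
	);
}
```

The detection angle follows from the payload: excluded-hit logging runs for unauthenticated visitors, so a sudden series of slow requests to otherwise cheap pages, or database logs showing SLEEP()/BENCHMARK() in INSERT statements, is the signal to look for.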
				
			

Profile Builder – User Profile & User Registration Forms

Feb 17, 2022

A vulnerability in the plugin makes it possible for an unauthenticated attacker to craft a request that contains malicious JavaScript. If the attacker is able to trick a site administrator or user into performing an action, the malicious JavaScript executes, making it possible for the attacker to create new admin users, redirect victims, or engage in other harmful attacks.

We strongly recommend ensuring that your site has been updated to the latest version of "Profile Builder – User Profile & User Registration Forms", which at the time of writing is 3.6.5; the vulnerability itself was fixed in version 3.6.2.

Description: Reflected Cross-Site Scripting
Affected Plugin: Profile Builder – User Profile & User Registration Forms
Plugin Slug: profile-builder
Plugin Developer: Cozmoslabs
Affected Versions: <= 3.6.1
CVE ID: CVE-2022-0653
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Fully Patched Version: 3.6.2

WordPress Email Template Designer – WP HTML Mail

Jan 19, 2022

A flaw in the plugin's REST API endpoint, which was exposed without an authorization check, made it possible for an unauthenticated attacker to inject malicious JavaScript into the email template that would then execute whenever a site administrator accessed the template editor.

This vulnerability would also allow them to modify the email template to contain arbitrary data that could be used to perform a phishing attack against anyone who received emails from the compromised site.

We strongly recommend ensuring that your site has been updated to the latest patched version of “WordPress Email Template Designer – WP HTML Mail”, which is version 3.1.

If you’re a customer of PrettyWP and have installed this plugin on your site, then you don’t have to worry about it! Our team has already updated the plugin safely to the patched version.

Description: Unprotected REST-API Endpoint to Unauthenticated Stored Cross-Site Scripting and Data Modification
Affected Plugin: WordPress Email Template Designer – WP HTML Mail
Plugin Slug: wp-html-mail
Plugin Developer: codemiq
Affected Versions: <= 3.0.9
CVE ID: CVE-2022-0218
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 3.1

PHP Everywhere

Feb 8, 2022

PHP Everywhere is a WordPress plugin that is intended to allow site owners to execute PHP code anywhere on their site.

The plugin contained several vulnerabilities that allowed authenticated users of any level, even subscribers and customers, to execute arbitrary PHP code on a site with the plugin installed; the advisory below covers the Contributor-level metabox vector. As the vulnerabilities were of critical severity, we contacted the WordPress plugin repository with our disclosure in addition to initiating outreach to the plugin author.

If you’re using the PHP everywhere plugin, it is imperative that you upgrade to the newest version, which is 3.0.0, in order to prevent your site from being exploited.

Our team is currently working on PrettyWP users' sites to update the plugin safely to the new version.

Description: Remote Code Execution by Contributor+ users via metabox
Affected Plugin: PHP Everywhere
Plugin Slug: php-everywhere
Plugin Developer: Alexander Fuchs
Affected Versions: <= 2.0.3
CVE ID: CVE-2022-24664
CVSS Score: 9.9 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 3.0.0

Registration Magic

Dec 8, 2021

A vulnerability in the plugin made it possible for unauthenticated attackers to log in as any user, including administrative users, on an affected site as long as a valid username or email address was known to the attacker and a login form created with the plugin existed on the site.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Registration Magic – Custom Registration Forms, User Registration and User Login Plugin,” which is version 5.0.1.8.

If you’re a customer of PrettyWP and have installed this plugin on your site, our team has already taken a step to secure your site!

Description: Authentication Bypass
Affected Plugin: RegistrationMagic – Custom Registration Forms, User Registration and User Login Plugin
Plugin Slug: custom-registration-form-builder-with-submission-manager
Affected Versions: <= 5.0.1.7
CVE ID: CVE-2021-4073
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 5.0.1.8

Side Cart WooCommerce, Login/Signup Popup, Waitlist WooCommerce

Jan 13, 2022

The same vulnerability in three different plugins by the same developer made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site's administrator into performing an action, such as clicking on a link. Arbitrary option updates amount to a full takeover: setting users_can_register to 1 and default_role to administrator, for example, lets the attacker simply register a new administrator account.

We strongly recommend ensuring that your site has been updated to the latest patched version of any of these plugins: version 2.3 for "Login/Signup Popup", version 2.5.2 for "Waitlist WooCommerce", and version 2.1 for "Side Cart WooCommerce". Our team has already secured the sites of PrettyWP's customers! Cool 🙂

Description: Cross-Site Request Forgery to Arbitrary Options Update
Affected Plugins: Login/Signup Popup | Waitlist Woocommerce | Side Cart Woocommerce (Ajax)
Plugin Slugs: easy-login-woocommerce | waitlist-woocommerce | side-cart-woocommerce
Plugin Developer: XootiX
Affected Versions: <= 2.2 | <= 2.5.1 | <= 2.0
CVE ID: CVE-2022-0215
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Fully Patched Versions: 2.3 | 2.5.2 | 2.1
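Cross-Site Request Forgery to arbitrary option update, as an added example that is not XootiX's code. The hypothetical handler below first shows the shape that lets a lured administrator's browser write any option, then the fixed version with the three checks a settings handler needs: a nonce, a capability check and an allowlist of writable option names, each with its own sanitizer. Option, nonce and function names are assumptions.

```php
<?php
/**
 * Added example, not XootiX's code. A hypothetical settings handler for a
 * plugin whose own options live under the demo_ prefix.
 */

// VULNERABLE: writes whatever option names and values arrive in the POST.
// A page the administrator is lured to can auto-submit a form containing
// options[users_can_register]=1 and options[default_role]=administrator,
// after which the attacker registers an administrator account.
function demo_save_settings_vulnerable() {
	if ( empty( $_POST['demo_save'] ) || empty( $_POST['options'] ) ) {
		return;
	}
	foreach ( $_POST['options'] as $name => $value ) {
		update_option( $name, $value );
	}
}

// The allowlist: the only option names this handler may ever write, each with
// the function that reduces the submitted value to something valid.
function demo_option_schema() {
	return array(
		'demo_cart_position' => function ( $v ) {
			return in_array( $v, array( 'left', 'right' ), true ) ? $v : 'right';
		},
		'demo_cart_title'    => 'sanitize_text_field',
		'demo_auto_open'     => function ( $v ) {
			return '1' === (string) $v ? '1' : '0';
		},
	);
}

// FIXED: (1) the nonce proves the form was rendered by this site's admin page,
// (2) the capability check proves the user may change settings, (3) iterating
// the schema instead of the request means default_role and friends are never
// even looked at. Returns what was saved so the result can be inspected.
function demo_save_settings_fixed( array $post ) {
	if ( empty( $post['demo_save'] ) ) {
		return array();
	}
	check_admin_referer( 'demo_save_settings', 'demo_settings_nonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Not allowed', 'demo' ), 403 );
	}
	$incoming = isset( $post['options'] ) && is_array( $post['options'] ) ? $post['options'] : array();
	$saved    = array();
	foreach ( demo_option_schema() as $name => $sanitize ) {
		if ( ! array_key_exists( $name, $incoming ) ) {
			continue; // field not submitted; leave the stored value alone
		}
		$clean = call_user_func( $sanitize, wp_unslash( $incoming[ $name ] ) );
		update_option( $name, $clean );
		$saved[ $name ] = $clean;
	}
	return $saved;
}

// The form that pairs with the handler: wp_nonce_field() emits the hidden
// input that check_admin_referer() looks for.
function demo_render_settings_form() {
	echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=demo' ) ) . '">';
	wp_nonce_field( 'demo_save_settings', 'demo_settings_nonce' );
	echo '<input type="text" name="options[demo_cart_title]" value="' . esc_attr( get_option( 'demo_cart_title', '' ) ) . '">';
	echo '<button name="demo_save" value="1">' . esc_html__( 'Save', 'demo' ) . '</button>';
	echo '</form>';
}
```

WordPress's Settings API (register_setting() with a form that posts to options.php) performs the nonce and allowlist checks for you; a hand-rolled handler has to replicate both, which is what the fixed function does.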
				
			

Starter Templates

Nov 11, 2021

Versions of the plugin up to and including 2.7.0 contain a vulnerability that allows Contributor-level users to completely overwrite any page on the site with an imported block containing malicious JavaScript.

Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitors to that page.

The developers of the plugin have released a patched version, 2.7.1.

Description: Authenticated Block Import to Stored XSS
Affected Plugin: Starter Templates — Elementor, Gutenberg & Beaver Builder Templates
Plugin Slug: astra-sites
Affected Versions: <= 2.7.0
CVE ID: CVE-2021-42360
CVSS Score: 7.6 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Fully Patched Version: 2.7.1

Variation Swatches for WooCommerce

Dec 01, 2021

A vulnerability made it possible for an attacker with low-level permissions, such as a subscriber or a customer, to inject malicious JavaScript that would execute when a site administrator accessed the settings area of the plugin.

Malicious web scripts can be crafted to inject new administrative user accounts, or even to modify a plugin or theme file to include a backdoor, which in turn would grant the attacker the ability to completely take over a site.

The developers of the plugin have released the patched version 2.1.2. If you have this plugin installed on your site, don't forget to update it.

Description: Stored Cross-Site Scripting
Affected Plugin: Variation Swatches for WooCommerce
Plugin Slug: variation-swatches-for-woocommerce
Plugin Developer: Woosuite
Affected Versions: <= 2.1.1
CVE ID: CVE-2021-42367
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 2.1.2

OptinMonster

Oct 27, 2021

A vulnerability was found in the OptinMonster plugin, which is installed on over 1,000,000 WordPress sites. Because the plugin's REST API endpoints did not check that the caller was authorized, any unauthenticated site visitor could export sensitive information and add malicious JavaScript to a WordPress site.

We strongly recommend validating that your site has been updated to the latest patched version of OptinMonster which is 2.6.5.

For the users who have installed OptinMonster on their sites, our team has updated the plugin safely to the patched version!

Description: Unprotected REST-API to Sensitive Information Disclosure and Unauthorized app.optinmonster.com API access
Affected Plugin: OptinMonster
Plugin Slug: optinmonster
Affected Versions: <= 2.6.4
CVE ID: CVE-2021-39341
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 2.6.5
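Both the WP HTML Mail and the OptinMonster entries on this page are the same mistake: a REST route whose permission_callback always returns true, so unauthenticated visitors can read and write whatever the endpoint exposes. The following is an added example, not either plugin's code; the demo/v1 namespace, the route names and the demo_mail_template option are hypothetical.

```php
<?php
/**
 * Added example, not WP HTML Mail's or OptinMonster's code. Two ways to register
 * the same REST route; namespace, routes and option name are assumptions.
 */
add_action( 'rest_api_init', function () {

	// VULNERABLE: __return_true makes both methods public. Anyone on the
	// internet can read the template (information disclosure) and replace it
	// with content containing <script> (stored XSS against the administrator
	// who opens the editor, phishing against everyone who receives mail).
	register_rest_route( 'demo/v1', '/template', array(
		array(
			'methods'             => WP_REST_Server::READABLE,
			'callback'            => 'demo_get_template',
			'permission_callback' => '__return_true',
		),
		array(
			'methods'             => WP_REST_Server::EDITABLE,
			'callback'            => 'demo_set_template_vulnerable',
			'permission_callback' => '__return_true',
		),
	) );

	// FIXED: a real permission callback on every method, plus an args schema
	// that validates and sanitizes the body before the callback sees it.
	register_rest_route( 'demo/v1', '/template-secure', array(
		array(
			'methods'             => WP_REST_Server::READABLE,
			'callback'            => 'demo_get_template',
			'permission_callback' => 'demo_can_manage_templates',
		),
		array(
			'methods'             => WP_REST_Server::EDITABLE,
			'callback'            => 'demo_set_template_fixed',
			'permission_callback' => 'demo_can_manage_templates',
			'args'                => array(
				'html' => array(
					'type'              => 'string',
					'required'          => true,
					'sanitize_callback' => 'wp_kses_post',
				),
			),
		),
	) );
} );

function demo_can_manage_templates( WP_REST_Request $request ) {
	// Cookie-authenticated REST calls must also carry a valid X-WP-Nonce;
	// without it WordPress treats the caller as logged out, so this single
	// capability check covers both the anonymous and the CSRF case.
	if ( ! current_user_can( 'manage_options' ) ) {
		return new WP_Error(
			'rest_forbidden',
			__( 'Not allowed', 'demo' ),
			array( 'status' => rest_authorization_required_code() )
		);
	}
	return true;
}

function demo_get_template( WP_REST_Request $request ) {
	return rest_ensure_response( array( 'html' => get_option( 'demo_mail_template', '' ) ) );
}

function demo_set_template_vulnerable( WP_REST_Request $request ) {
	update_option( 'demo_mail_template', $request->get_param( 'html' ) ); // raw, unfiltered
	return rest_ensure_response( array( 'saved' => true ) );
}

function demo_set_template_fixed( WP_REST_Request $request ) {
	// 'html' has already passed through wp_kses_post() via the args schema.
	update_option( 'demo_mail_template', $request->get_param( 'html' ) );
	return rest_ensure_response( array( 'saved' => true ) );
}
```

Since WordPress 5.5 omitting permission_callback triggers a _doing_it_wrong notice, but the route is still served as public, so "missing" and '__return_true' are equivalent in effect. '__return_true' is defensible only for genuinely public, read-only data; it is never right for an endpoint that writes, or that reads site configuration or API keys.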
				
			

NextScripts: Social Networks Auto-Poster

Oct 29, 2021

A reflected Cross-Site Scripting vulnerability was found in NextScripts: Social Networks Auto-Poster, a popular social auto-posting plugin installed on over 100,000 sites.

This vulnerability could be used to take over a site by hijacking an administrator session.

As with all XSS attacks, malicious JavaScript running in an administrator’s session could be used to add malicious administrative users or insert backdoors into a site, and thus be used for site takeover.

The developers of the plugin have released patched version 4.3.21.

Description: Reflected Cross-Site Scripting (XSS)
Affected Plugin: NextScripts: Social Networks Auto-Poster
Plugin Slug: social-networks-auto-poster-facebook-twitter-g
Affected Versions: <= 4.3.20
CVE ID: CVE-2021-38356
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Fully Patched Version: 4.3.21