WordPress Vulnerability Report

March 16, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

List of Vulnerabilities

WordPress Core Vulnerabilities
WordPress Core / Prototype Pollution in jQuery
WordPress Core / Contributor+ Stored Cross-Site Scripting
WordPress Core / Prototype Pollution via Gutenberg’s WordPress/url package

WordPress Plugin Vulnerabilities
WooCommerce / Orders Marked as Paid (via PayPal Standard Gateway)
UpdraftPlus / Reflected Cross-Site Scripting
Gutenberg / Contributor+ Stored Cross-Site Scripting; Prototype Pollution via Gutenberg’s WordPress/url package
Ad Inserter / Reflected Cross-Site Scripting
MapPress Maps for WordPress / Admin+ File Upload to Remote Code Execution
Profile Builder / Admin+ Stored Cross-Site Scripting
Amelia < 1.0.48 / Customer+ SMS Service Abuse and Sensitive Data Disclosure; Customer+ Arbitrary Appointments Status Update
Easy Social Icons / Admin+ SQL Injection
Google Pagespeed Insights / Reflected Cross-Site Scripting
WP Block and Stop Bad Bots / Unauthenticated SQL Injection
Booking Package / Unauthenticated Sensitive Data Disclosure
Members List / Reflected Cross-Site Scripting
Ninja Forms File Uploads Extension / Unauthenticated Arbitrary File Upload
Ninja Forms File Uploads Extension / Unauthenticated Stored Cross-Site Scripting
Mark Posts / Admin+ Stored Cross-Site Scripting

WordPress Plugin Vulnerabilities – No Known Fix
Dropdown Menu Widget / Subscriber+ Arbitrary Settings Update to Stored XSS
Library File Manager / Subscriber+ Arbitrary File Creation/Upload/Deletion
KingComposer / Subscriber+ Stored Cross-Site Scripting
FormBuilder / Stored Cross-Site Scripting via CSRF
Material Design for Contact Form 7 / Subscriber+ Arbitrary Settings Update leading to DoS

The full report is published on iThemes.com.


Last Updated on March 16, 2022