The Wordfence Threat Intelligence team has released their 2022 State of WordPress Security report. In the report, they look at changes in the threat landscape, analyze impactful trends, and provide recommendations based on their findings.
833a6664e11b54321c4268553ac08e81c3b99e65165b4e44d62207f09cc2fb5c
WordPress Royal Elementor add-ons versions 1.3.59 and below suffer from cross site request forgery, insufficient access control, and cross site scripting vulnerabilities.
5d3c94aa12c0662cecfc95164895acace4553b37a6d627727e5abb15210b1aba
WordPress Elementor plugin versions 3.6.0 through 3.6.2 suffer from a remote shell upload vulnerability. This is achieved by sending a request to install Elementor Pro from a user supplied zip file. Any user with Subscriber or more permissions is able to execute this.
0537a61d8c7e168ee93f25ae88cc62b13741cb186c02291ebc2f946f834cd81f
The Wordfence Threat Intelligence team uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection. This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present. This flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.
e25d000d7a2df2172a646831088ba3e0f1083e02893c12d290f821c392cde8a3
Jupiter Theme versions 6.10.1 and below as well as JupiterX Core plugin versions 2.0.7 and below suffer from privilege escalation and post deletion vulnerabilities. JupiterX Theme versions 2.0.6 and below as well as JupiterX Core versions 2.0.6 and below suffer from plugin deactivation and setting modification flaws. JupiterX Theme versions 2.0.6 and below as well as Jupiter Theme versions 6.10.1 and below suffer from path traversal and local file inclusion vulnerabilities. Jupiter Theme versions 6.10.1 and below suffer from an arbitrary plugin deletion vulnerability. JupiterX Core plugin versions 2.0.6 and below suffer from information disclosure, modification, and denial of service vulnerabilities.
99977b76ad75b06f3f800ae91ea38ee20b0d9091a394d12146ce6e1c875bc515
WordPress Booking Calendar plugin versions 9.1 and below suffer from PHP object injection and insecure deserialization vulnerabilities.
ca383548169d539c9e3c7a8fb2058f0828391d09365e432f7376f20ec13cc507
WordPress Elementor versions 3.6.0 through 3.6.2 suffer from a remote code execution vulnerability.
6eaed5370d47ef1831e0129aff2a7f1d6e7a9d7ab393c20f0bed1962b0cecff2
WordPress CleanTalk plugin versions 5.173 and below suffer from multiple cross site scripting vulnerabilities.
4136278cd0e53a4bc876e08a79e68f309bd0ea7712eb64d14cfca18b9f7d6147
WordPress 99robots Header Footer Code Manager plugin versions 1.1.16 and below suffer from a cross site scripting vulnerability.
989d395c3d66b15fe519bc0c80e99d2eaaa476e1800da8e837d7674b16acc7fd
PHP Everywhere versions 2.0.3 and below suffer from multiple remote code execution vulnerabilities.
6a2dcc3898ac3a1b90915521a41f2d6e5e9592121ab91ccecbf993baae2e11e2
WordPress NextScripts: Social Networks Auto-Poster plugin versions 4.3.20 and below suffer from a cross site scripting vulnerability.
3b243357482f55615e13c6f86d3c5f7e5661b3bdb1e7d084a3489717be01ceda
This Metasploit module exploits an unauthenticated directory traversal vulnerability in WordPress Duplicator plugin versions 1.3.24 through 1.3.26, allowing arbitrary file read with the web server privileges. This vulnerability was being actively exploited when it was discovered.
4ea50cf867ab79c361dd72e12949f0f0d61e20bd60dd59c1e49252679fd3c7a8