XSS MAY 2021 - Cross-Site Scripting MAY 2021
Managed WordPress Security Report
Stay informed about the latest Cross-Site Scripting MAY 2022 vulnerabilities, identified and reported publicly. Because these XSS MAY 2021 vulnerabilities have a severe negative impact on any WordPress site's security, consider our FREE security AUDIT.
An estimated, jaw-dropping 2.176.000+ active WordPress installations are susceptible to this attack type, counting only the publicly available numbers. The estimate can grow by 20-25% once premium versions are included, as those are private purchases and are not publicly counted.
Furthermore, the initial estimate can triple if we consider (1) versions that have already been patched BUT NOT UPDATED by their owners, so the vulnerability remains active on their domains; and (2) closed, "uncounted" plugin versions that remain active on domains already running them, with nobody maintaining their security. As these owners start changing their hosting provider (often due to constant unexplained issues), they actively migrate these vulnerabilities behind new, protected areas, possibly exposing other clean WordPress installations to different attack types.
This is a 109% increase compared to December 2020; we compare last month against the previous winter holiday season, which has the biggest shopping traffic and attack spike of the year. Read more about our previous reports here: ALERT: 52 XSS APR 2021 – Cross-Site Scripting APR 2021 Blast and 11 XSS – Cross-Site Scripting – WordPress Security DEC. The following cases made headlines PUBLICLY just last month in the XSS MAY 2021 category:
- gallery-from-files <= 1.6.0 - Reflected Cross-Site Scripting (XSS)
  - This plugin has been closed as of May 24, 2022 and is not available for download. This closure is temporary, pending a full review.
- Hana Flv Player <= 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS)
  - Now you can easily embed FLV Flash videos in your WordPress blog. The plugin packages three FLV Flash players (OS FLV, FlowPlayer v2, v3 and v5) and MediaElement.js (for HTML5 player support), so you can use them freely, even for commercial purposes, unlike the JW player. Active installations: 4,000+
- hotjar-connecticator <= 1.1.1 - Authenticated Stored Cross-Site Scripting (XSS)
  - This plugin has been closed as of May 5, 2022 and is not available for download. This closure is temporary, pending a full review. Active installations: not public info
- iflychat <= 4.6.4 - Authenticated Stored Cross-Site Scripting (XSS)
  - This plugin has been closed as of May 10, 2022 and is not available for download. This closure is temporary, pending a full review.
- Instant Images – One Click Unsplash Uploads < 4.4.0.1 - Authenticated Stored XSS & XFS
  - Instantly upload photos from Unsplash to your website without leaving WordPress! Active installations: 70,000+
- LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress < 4.21.1 - Authenticated Stored XSS in Edit Profile
- LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress < 4.21.1 - Reflected Cross-Site Scripting (XSS) via Coupon Code in Checkout
  - LifterLMS is a powerful WordPress LMS plugin that makes it easy to create, sell, and protect engaging online courses and training-based membership websites. Active installations: 10,000+
- Photo Gallery by 10Web – Mobile-Friendly Image Gallery < 1.5.67 - Authenticated Stored Cross-Site Scripting via Gallery Title
  - Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes. Active installations: 300,000+
- PickPlugins Product Slider for WooCommerce < 1.13.22 - Reflected Cross-Site Scripting (XSS)
  - PickPlugins Product Slider is an easy and user-friendly carousel slider for WooCommerce products. You can create unlimited product sliders with this plugin and display them anywhere via shortcodes. A layout builder lets you build the product slider as you want; it is easy to customize, and by adding your own CSS via the layout editor you can build fancy and unique layouts. No coding is required to build a custom layout and add elements to it. Tons of options control slider functionality, such as slide speed and showing or hiding navigation and dots. Active installations: 20,000+
- ReDi Restaurant Reservation < 21.0426 - Unauthenticated Stored Cross-Site Scripting (XSS)
  - The one and only fully automated reservation system. Real-time available-seat checks with instant reservation confirmation for your guests. Don't spend any more time manually reviewing and confirming reservations. Turn your website visitors into restaurant guests. Don't let your guests wait; surprise them with instant confirmation. Active installations: 1,000+
- Simple Giveaways – Grow your business, email lists and traffic with contests < 2.36.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
  - Simple Giveaways helps you host giveaways, which is entirely what this plugin is about. You can host them on a separate page and also drive people to it through widgets & shortcodes. Active installations: 1,000+
- Smooth Scroll Page Up/Down Buttons < 1.4 - Authenticated Stored XSS
  - The Smooth Page Scroll Up/Down Buttons plugin for WordPress adds buttons to every page of your site that can be used to (smoothly) scroll up or down exactly one screen/page at a time. This can be particularly handy for pages with a lot of text/content, or wherever a browser's scrollbar is just not good enough (or not present at all, as on tablets) to enable one-click, one-screen scrolling. Active installations: 5,000+
- stock-in <= 1.0.4 - Reflected Cross-Site Scripting (XSS)
  - This plugin has been closed as of April 29, 2022 and is not available for download. This closure is temporary, pending a full review.
- Target First Plugin 2.0 - Unauthenticated Stored XSS via Licence Key
  - The Target First WordPress plugin, previously known as Watcheezy, suffered from a critical unauthenticated stored XSS vulnerability. Active installations: not public info