Threat Alerts / Apr 07, 2021

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes. Each vulnerability includes information on which version you should be running, so be sure to update!

 

WordPress Core Vulnerabilities

Great news! No new WordPress core vulnerabilities have been disclosed this month.

The latest version of WordPress is currently 5.7. Make sure all your websites are running the latest version of WordPress core.

WordPress Plugin Vulnerabilities

1. Controlled Admin Access

Vulnerability: Improper Access Control to Privilege Escalation Patched in Version: 1.5.6 Severity: High

The vulnerability is patched, so you should update to version 1.5.6+.

2. Advanced Booking Calendar

Vulnerability: Authenticated Reflected Cross-Site Scripting Patched in Version: 1.6.8 Severity: High

The vulnerability is patched, so you should update to version 1.6.8+.

3. Cooked Pro

Vulnerability: Unauthenticated Reflected Cross-Site Scripting Patched in Version: 1.7.5.6 Severity: Medium

The vulnerability is patched, so you should update to version 1.7.5.6+.

4. SecuPress Free & Pro

Vulnerability: Unauthenticated Arbitrary IP Ban Patched in Version: 2.0 Severity: Medium

The vulnerability is patched, so you should update to version 2.0+.

5. Ivory Search

Vulnerability: Reflected Cross-Site Scripting Patched in Version: 4.6.1 Severity: Medium

The vulnerability is patched, so you should update to version 4.6.1+.

6. Goto – Tour & Travel

Vulnerability: Unauthenticated Reflected Cross-Site Scripting Patched in Version: 2.0 Severity: Medium 

The vulnerability is patched, so you should update to version 2.0+.

7. Virtual Robots.txt

Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 1.10 Severity: Medium

The vulnerability is patched, so you should update to version 1.10+.

8. Realteo

Vulnerability: Unauthenticated Reflected Cross-Site Scripting Patched in Version: 1.2.4 Severity: High

Vulnerability: Arbitrary Property Deletion via IDOR Patched in Version: 1.2.4 Severity: High

The vulnerability is patched, so you should update to version 1.2.4+.

9. Business Hours Pro

Vulnerability: Unauthenticated Arbitrary File Upload to RCE Patched in Version: No known fix Severity: Critical 

The vulnerability HAS NOT been patched, so you should remove this plugin immediately.

10. Erident Custom Login and Dashboard

Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 3.5.9 Severity: Medium

The vulnerability is patched, so you should update to version 3.5.9+.

11. Pie Register

Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.7.0.1 Severity: High

The vulnerability is patched, so you should update to version 3.7.0.1+.

12. Tutor LMS

Vulnerability: Authenticated Local File Inclusion Patched in Version: 1.8.8 Severity: Medium

The vulnerability is patched, so you should update to version 1.8.8+.

WordPress Themes Vulnerabilities

No new theme vulnerabilities have been disclosed this month.

 

If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay! 

The information for this blog post was taken from iThemes Vulnerability Roundup

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!