Threat Alerts / Apr 21, 2021

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.


WordPress Core Vulnerabilities

WordPress 5.7.1 was released on April 15, 2021. This security and maintenance release features 26 bug fixes in addition to two security fixes. Because this is a security release of WordPress core, it is recommended that you update your sites immediately.

1. WordPress 5.6 – 5.7

Vulnerability: Authenticated XXE Within the Media Library Affecting PHP 8
Patched in Version: 5.7
Severity: High

The vulnerability is patched, so you should update WordPress core to 5.7.1+.

2. WordPress 4.7-5.7

Vulnerability: Authenticated Password Protected Pages Exposure
Patched in Version: 5.7
Severity: Medium

The vulnerability is patched, so you should update WordPress core to 5.7.1+.

WordPress Plugin Vulnerabilities

1. Livemesh Addons for Elementor

Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 6.8
Severity: Medium

The vulnerability is patched, so you should update to version 6.8+.

2. HT Mega – Absolute Addons for Elementor

Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 1.5.7
Severity: Medium

The vulnerability is patched, so you should update to version 1.5.7+.

3. WooLentor – WooCommerce Elementor Addons

Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 1.8.6
Severity: Medium

The vulnerability is patched, so you should update to version 1.8.6+.

4. BuddyPress

Vulnerability: Multiple Authenticated REST API Vulnerabilities
Patched in Version: 7.3.0
Severity: Medium

The vulnerability is patched, so you should update to version 7.3.0+.

5. PowerPack Addons for Elementor

Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 2.3.2
Severity: Medium

The vulnerability is patched, so you should update to version 2.3.2+.

6. Image Hover Effects – Elementor Addon

Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 1.3.4
Severity: Medium

The vulnerability is patched, so you should update to version 1.3.4+.

7. Rife Elementor Extensions & Templates

Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 1.1.6
Severity: Medium

The vulnerability is patched, so you should update to version 1.1.6+.

8. The Plus Addons for Elementor

Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 2.0.6
Severity: Medium

The vulnerability is patched, so you should update to version 2.0.6+.

9. All-in-One Addons for Elementor

Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 2.3.10
Severity: Medium

The vulnerability is patched, so you should update to version 2.3.10+.

10. JetWidgets For Elementor

Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version:
Severity: Medium

The vulnerability is patched, so you should update to version 6.8+.

11. Sina Extension for Elementor

Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 3.3.12
Severity: Medium

The vulnerability is patched, so you should update to version 3.3.12+.

12. Ultimate Addons for Elementor

Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 1.30.0
Severity: Medium

The vulnerability is patched, so you should update to version 1.30.0+.

13. Fitness Calculators

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched in Version: 1.9.6
Severity: High

The vulnerability is patched, so you should update to version 1.9.6+.

14. User Rights Access Manager

Vulnerability: Improper Access Controls
Patched in Version: 1.0.4
Severity: Medium

The vulnerability is patched, so you should update to version 1.0.4+.

15. Clever Addons for Elementor

Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 2.1.0
Severity: Medium

The vulnerability is patched, so you should update to version 2.1.0+.

16. Easy Digital Downloads

Vulnerability: Unauthorized Stripe Disconnect via CSRF
Patched in Version: 2.10.3
Severity: Medium

The vulnerability is patched, so you should update to version 2.10.3+.

17. Edwiser Bridge

Vulnerability: CSRF Nonce Bypass
Patched in Version: 2.0.7
Severity: Medium

The vulnerability is patched, so you should update to version 2.0.7+.

18. WordPress Download Manager

Vulnerability: Unauthorized Download Duplication
Patched in Version: 3.1.18
Severity: Medium

The vulnerability is patched, so you should update to version 3.1.18+.

19. Ultimate Maps by Supsystic

Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.2.5
Severity: High

The vulnerability is patched, so you should update to version 1.2.5+.

20. Popup by Supsystic

Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.10.5
Severity: High

The vulnerability is patched, so you should update to version 1.10.5+.

21. Photo Gallery by 10Web

Vulnerability: Multiple Reflected Cross-Site Scripting
Patched in Version: 1.5.69
Severity: High

The vulnerability is patched, so you should update to version 1.5.69+.

22. Redirection for Contact Form 7

Vulnerability: Unauthenticated Arbitrary Nonce Generation
Patched in Version: 2.3.4
Severity: Medium

Vulnerability: Authenticated Arbitrary Plugin Installation
Patched in Version: 2.3.4
Severity: Medium

Vulnerability: Authenticated PHP Object Injection
Patched in Version: 2.3.4
Severity: High

Vulnerability: Authenticated Arbitrary Post Deletion
Patched in Version: 2.3.4
Severity: Medium

Vulnerability: Unprotected AJAX Actions
Patched in Version: 2.3.4
Severity: Medium

The vulnerabilities are patched, so you should update to version 2.3.4+.

WordPress Theme Vulnerabilities

No new theme vulnerabilities have been disclosed this week.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!