WordPress Vulnerabilities Digest - April 2021 Part 3
The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.
WordPress Core Vulnerabilities
WordPress 5.7.1 was released on April 15, 2021. This security and maintenance release features 26 bug fixes in addition to two security fixes. Because this is a security release of WordPress core, it is recommended that you update your sites immediately.
1. WordPress 5.6-5.7
Vulnerability: Authenticated XXE Within the Media Library Affecting PHP 8 Patched in Version: 5.7 Severity: High
The vulnerability is patched, so you should update WordPress core to 5.7.1+.
2. WordPress 4.7-5.7
Vulnerability: Authenticated Password Protected Pages Exposure Patched in Version: 5.7 Severity: Medium
The vulnerability is patched, so you should update WordPress core to 5.7.1+.
WordPress Plugin Vulnerabilities
1. Livemesh Addons for Elementor
Vulnerability: Stored Cross-Site Scripting (XSS) Patched in Version: 6.8 Severity: Medium
The vulnerability is patched, so you should update to version 6.8+.
2. HT Mega Absolute Addons for Elementor
Vulnerability: Stored Cross-Site Scripting (XSS) Patched in Version: 1.5.7 Severity: Medium
The vulnerability is patched, so you should update to version 1.5.7+.
3. WooLentor WooCommerce Elementor Addons
Vulnerability: Stored Cross-Site Scripting (XSS) Patched in Version: 1.8.6 Severity: Medium
The vulnerability is patched, so you should update to version 1.8.6+.
4. BuddyPress
Vulnerability: Multiple Authenticated REST API Vulnerabilities Patched in Version: 7.3.0 Severity: Medium
The vulnerability is patched, so you should update to version 7.3.0+.
5. PowerPack Addons for Elementor
Vulnerability: Stored Cross-Site Scripting (XSS) Patched in Version: 2.3.2 Severity: Medium
The vulnerability is patched, so you should update to version 2.3.2+.
6. Image Hover Effects Elementor Addon
Vulnerability: Stored Cross-Site Scripting (XSS) Patched in Version: 1.3.4 Severity: Medium
The vulnerability is patched, so you should update to version 1.3.4+.
7. Rife Elementor Extensions & Templates
Vulnerability: Stored Cross-Site Scripting (XSS) Patched in Version: 1.1.6 Severity: Medium
The vulnerability is patched, so you should update to version 1.1.6+.
8. The Plus Addons for Elementor
Vulnerability: Stored Cross-Site Scripting (XSS) Patched in Version: 2.0.6 Severity: Medium
The vulnerability is patched, so you should update to version 2.0.6+.
9. All-in-One Addons for Elementor
Vulnerability: Stored Cross-Site Scripting (XSS) Patched in Version: 2.3.10 Severity: Medium
The vulnerability is patched, so you should update to version 2.3.10+.
10. JetWidgets For Elementor
Vulnerability: Stored Cross-Site Scripting (XSS) Patched in Version: Severity: Medium
The vulnerability is patched, so you should update to version 6.8+.
11. Sina Extension for Elementor
Vulnerability: Stored Cross-Site Scripting (XSS) Patched in Version: 3.3.12 Severity: Medium
The vulnerability is patched, so you should update to version 3.3.12+.
12. Ultimate Addons for Elementor
Vulnerability: Stored Cross-Site Scripting (XSS) Patched in Version: 1.30.0 Severity: Medium
The vulnerability is patched, so you should update to version 1.30.0+.
13. Fitness Calculators
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting Patched in Version: 1.9.6 Severity: High
The vulnerability is patched, so you should update to version 1.9.6+.
14. User Rights Access Manager
Vulnerability: Improper Access Controls Patched in Version: 1.0.4 Severity: Medium
The vulnerability is patched, so you should update to version 1.0.4+.
15. Clever Addons for Elementor
Vulnerability: Stored Cross-Site Scripting (XSS) Patched in Version: 2.1.0 Severity: Medium
The vulnerability is patched, so you should update to version 2.1.0+.
16. Easy Digital Downloads
Vulnerability: Unauthorized Stripe Disconnect via CSRF Patched in Version: 2.10.3 Severity: Medium
The vulnerability is patched, so you should update to version 2.10.3+.
17. Edwiser Bridge
Vulnerability: CSRF Nonce Bypass Patched in Version: 2.0.7 Severity: Medium
The vulnerability is patched, so you should update to version 2.0.7+.
18. WordPress Download Manager
Vulnerability: Unauthorized Download Duplication Patched in Version: 3.1.18 Severity: Medium
The vulnerability is patched, so you should update to version 3.1.18+.
19. Ultimate Maps by Supsystic
Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.2.5 Severity: High
The vulnerability is patched, so you should update to version 1.2.5+.
20. Popup by Supsystic
Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.10.5 Severity: High
The vulnerability is patched, so you should update to version 1.10.5+.
21. Photo Gallery by 10Web
Vulnerability: Multiple Reflected Cross-Site Scripting Patched in Version: 1.5.69 Severity: High
The vulnerability is patched, so you should update to version 1.5.69+.
22. Redirection for Contact Form 7
Vulnerability: Unauthenticated Arbitrary Nonce Generation Patched in Version: 2.3.4 Severity: Medium
Vulnerability: Authenticated Arbitrary Plugin Installation Patched in Version: 2.3.4 Severity: Medium
Vulnerability: Authenticated PHP Object Injection Patched in Version: 2.3.4 Severity: High
Vulnerability: Authenticated Arbitrary Post Deletion Patched in Version: 2.3.4 Severity: Medium
Vulnerability: Unprotected AJAX Actions Patched in Version: 2.3.4 Severity: Medium
The vulnerabilities are patched, so you should update to version 2.3.4+.
WordPress Theme Vulnerabilities
No new theme vulnerabilities have been disclosed this week.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!