NEWS
WordPress Vulnerabilities Digest - April 2021 Part 4
The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.
WordPress Core Vulnerabilities
WordPress 5.7.1was released on April 15, 2021. This security and maintenance release features26 bug fixesin addition to two security fixes. Because this is a security release ofWordPress core, it is recommended that you update your sites immediately!
WordPress Plugin Vulnerabilities
1. Accordion
Vulnerability: Authenticated Reflected Cross-Site Scripting Patched in Version: 2.2.30 Severity: High
The vulnerability is patched, so you should update to version 2.2.30+.
2. RSS for Yandex Turbo
Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 1.30 Severity: Medium
The vulnerability is patched, so you should update to version 1.30+.
3. Kaswara Modern VC Addons
Vulnerability: Unauthenticated Arbitrary File Upload Patched in Version: No known fix Severity: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
4. WP Content Copy Protection & No Right Click
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF Patched in Version: 3.4 Severity: Critical
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User Patched in Version: 3.5.1 Severity: Critical
The vulnerability is patched, so you should update to version 3.5.1+.
5. Conditional Marketing Mailer for WooCommerce
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF Patched in Version: 1.6 Severity: Critical
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User Patched in Version: 1.5.2 Severity: Critical
The vulnerability is patched, so you should update to version 1.6+.
6. Captchinoo, Google recaptcha for admin login page
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF Patched in Version: No known fix Severity: Critical
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User Patched in Version: No known fix Severity: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
7. WP Maintenance Mode & Site Under Construction
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF Patched in Version: No known fix Severity: Critical
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User Patched in Version: No known fix Severity: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
8. Tree Sitemap
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF Patched in Version: No known fix Severity: Critical
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User Patched in Version: No known fix Severity: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
9. Login Protection Limit Failed Login Attempts
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF Patched in Version: No known fix Severity: Critical
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User Patched in Version: No known fix Severity: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
10. Visitor Traffic Real Time Statistics
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF Patched in Version: 2.13 Severity: Critical
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User Patched in Version: 2.12 Severity: Critical
The vulnerability is patched, so you should update to version 2.13+.
11. Login as User or Customer
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF Patched in Version: 2.1 Severity: Critical
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User Patched in Version: 1.8 Severity: Critical
The vulnerability is patched, so you should update to version 2.1+.
12. Redirect 404 to Parent
Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.3.1 Severity: High
The vulnerability is patched, so you should update to version 1.3.1+.
13. Select All Categories and Taxonomies
Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.3.2 Severity: High
The vulnerability is patched, so you should update to version 1.3.2+..
14. Software License Manager
Vulnerability: CSRF to Stored XSS Patched in Version: 4.4.6 Severity: High
The vulnerability is patched, so you should update to version 4.4.6+.
15. Car Seller Auto Classifieds Script
Vulnerability: Unauthenticated SQL Injection Patched in Version: No known fix Severity: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
16. Store Locator Plus
Vulnerability: Unauthenticated Stored Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
17. Happy Addons for Elementor Free & Pro
Vulnerability: Stored Cross-Site Scripting Free Patched in Version: 2.24.0 Pro Patched in Version: 1.17.0 Severity: Medium
The vulnerability is patched, so you should update to version 2.24.0+ (Free) / 1.17.0+ (Pro).
18. WP Fastest Cache
Vulnerability: Authenticated Arbitrary File Deletion via Path Traversal Patched in Version: 0.9.1.7 Severity: Low
The vulnerability is patched, so you should update to version 0.9.1.7+.
19. WPGraphQL
Vulnerability: Denial of Service Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
20. WooCommerce
Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 5.2.0 Severity: Medium
The vulnerability is patched, so you should update to version 5.2.0+.
WordPress Themes Vulnerabilities
No new theme vulnerabilities have been disclosed this week.
If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from iThemes Vulnerability Roundup
If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!