NEWS
WordPress Vulnerabilities Digest - August 2021 Part 1
Each entry lists the plugin, the type of vulnerability, the version that fixes it (or "No known fix" when no patched release exists yet), and a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
No new WordPress core vulnerabilities have been disclosed this month.
WordPress Plugin Vulnerabilities
1. Simple Banner
Plugin: Simple Banner Vulnerability: Authenticated Stored XSS Patched in Version: 2.10.4 Severity Score: Low
The vulnerability is patched, so you should update to version 2.10.4.
2. HD Quiz
Plugin: HD Quiz Vulnerability: Authenticated Stored XSS Patched in Version: 1.8.4 Severity Score: Low
The vulnerability is patched, so you should update to version 1.8.4.
3. Contact Form 7 Captcha
Plugin: Contact Form 7 Captcha Vulnerability: CSRF to Stored XSS Patched in Version: 0.0.9 Severity Score: High
The vulnerability is patched, so you should update to version 0.0.9.
4. WPFront Scroll Top
Plugin: WPFront Scroll Top Vulnerability: Authenticated Stored XSS Patched in Version: 2.0.6.07225 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.6.07225.
5. WP SMS
Plugin: WP SMS Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 5.4.13 Severity Score: Low
The vulnerability is patched, so you should update to version 5.4.13.
6. Qyrr
Plugin: Qyrr Vulnerability: Authenticated (contributor+) Stored XSS Patched in Version: 0.7 Severity Score: Medium
The vulnerability is patched, so you should update to version 0.7.
7. Paid Member Subscriptions
Plugin: Paid Member Subscriptions Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 2.4.2 Severity Score: High
The vulnerability is patched, so you should update to version 2.4.2.
Plugin: Paid Member Subscriptions Vulnerability: Authenticated SQL Injection Patched in Version: 2.4.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.4.2.
8. GiveWP
Plugin: GiveWP Vulnerability: Authenticated Stored XSS Patched in Version: 2.12.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.12.0.
9. Slider Hero
Plugin: Slider Hero Vulnerability: CSRF to Stored XSS Patched in Version: 8.2.7 Severity Score: Critical
The vulnerability is patched, so you should update to version 8.2.7.
10. Simple Social Media Share Buttons
Plugin: Simple Social Media Share Buttons Vulnerability: Contributor+ Stored XSS Patched in Version: 3.2.3 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.2.3.
11. Advanced Shipment Tracking for WooCommerce
Plugin: Advanced Shipment Tracking for WooCommerce Vulnerability: Authenticated Options Change Patched in Version: 3.2.7 Severity Score: Critical
The vulnerability is patched, so you should update to version 3.2.7.
12. WP LMS
Plugin: WP LMS Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS) Patched in Version: 1.1.3 Severity Score: High
The vulnerability is patched, so you should update to version 1.1.3.
13. Blue Admin
Plugin: Blue Admin Vulnerability: CSRF to Stored Cross-Site Scripting (XSS) Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
14. Favicon by RealFaviconGenerator
Plugin: Favicon by RealFaviconGenerator Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
15. uListing
Plugin: uListing Vulnerability: Unauthenticated SQL Injection Patched in Version: 2.0.4 Severity Score: High
The vulnerability is patched, so you should update to version 2.0.4.
Plugin: uListing Vulnerability: Authenticated IDOR Patched in Version: 2.0.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.6.
Plugin: uListing Vulnerability: Authenticated Reflected XSS Patched in Version: 2.0.6 Severity Score: Low
The vulnerability is patched, so you should update to version 2.0.6.
Plugin: uListing Vulnerability: Multiple CSRF Patched in Version: 2.0.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.6.
Plugin: uListing Vulnerability: Modify User Roles via CSRF Patched in Version: 2.0.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.6.
Plugin: uListing Vulnerability: Settings Update via CSRF Patched in Version: 2.0.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.6.
Plugin: uListing Vulnerability: Unauthenticated Privilege Escalation Patched in Version: 2.0.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.6.
16. WooCommerce Blocks (versions 2.5 to 5.5 affected)
Plugin: WooCommerce Blocks (2.5 to 5.5 affected) Vulnerability: Unauthenticated SQL Injection Patched in Version: 5.5.1 Severity Score: Critical
The vulnerability is patched, so you should update to version 5.5.1.
17. WooCommerce (versions 3.3 to 5.5 affected)
Plugin: WooCommerce (3.3 to 5.5 affected) Vulnerability: Authenticated Blind SQL Injection Patched in Version: 5.5.1 Severity Score: High
The vulnerability is patched, so you should update to version 5.5.1.
18. Admin Custom Login
Plugin: Admin Custom Login Vulnerability: CSRF to Stored XSS Patched in Version: 3.2.8 Severity Score: High
The vulnerability is patched, so you should update to version 3.2.8.
19. SEO Backlinks
Plugin: SEO Backlinks Vulnerability: CSRF to Stored XSS Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
20. Poll Maker
Plugin: Poll Maker Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.2.9 Severity Score: High
The vulnerability is patched, so you should update to version 3.2.9.
21. Post Index
Plugin: Post Index Vulnerability: CSRF to Stored XSS Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
22. Side Menu Lite
Plugin: Side Menu Lite Vulnerability: Authenticated SQL Injection Patched in Version: 2.2.6 Severity Score: High
The vulnerability is patched, so you should update to version 2.2.6.
23. WordPress Download Manager
Plugin: WordPress Download Manager Vulnerability: Authenticated Directory Traversal Patched in Version: 3.1.25 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.1.25.
Plugin: WordPress Download Manager Vulnerability: Authenticated File Upload Patched in Version: 3.1.25 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.1.25.
24. FluentSMTP
Plugin: FluentSMTP Vulnerability: Authenticated Stored XSS Patched in Version: 2.0.1 Severity Score: Low
The vulnerability is patched, so you should update to version 2.0.1.
25. Youtube Feeder
Plugin: Youtube Feeder Vulnerability: CSRF to Stored XSS Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
26. Nifty Newsletters
Plugin: Nifty Newsletters Vulnerability: CSRF to Stored XSS Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
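The digest above boils down to one check per plugin: is the installed version below the patched one, or is there no patch at all? The following Python script is an added example (not part of the original post and not iThemes' or the plan's own tooling) that runs that check over the JSON printed by `wp plugin list --format=json --fields=title,version`. It matches on the plugin's display title as written in the digest, which is an assumption you should verify against your own `wp plugin list` output (for example, the digest writes "Woocommerce" where the plugin reports "WooCommerce"). The sample plugin list embedded at the bottom is constructed for the demo; its versions are made up.

```python
"""Added example, not part of the original digest or of iThemes' tooling:
triage installed plugins against the patched versions listed in the digest.

Input is the JSON printed by:
    wp plugin list --format=json --fields=title,version
Matching is by plugin display title (an assumption: confirm the titles your
site reports match the names used in the digest).
"""
import json
import re

# Plugin title -> version that fixes the listed vulnerabilities.
# None means "No known fix": the digest's advice is to uninstall and delete.
# Where a plugin has several entries, the highest patched version is used.
DIGEST = {
    "Simple Banner": "2.10.4",
    "HD Quiz": "1.8.4",
    "Contact Form 7 Captcha": "0.0.9",
    "WPFront Scroll Top": "2.0.6.07225",
    "WP SMS": "5.4.13",
    "Qyrr": "0.7",
    "Paid Member Subscriptions": "2.4.2",
    "GiveWP": "2.12.0",
    "Slider Hero": "8.2.7",
    "Simple Social Media Share Buttons": "3.2.3",
    "Advanced Shipment Tracking for WooCommerce": "3.2.7",
    "WP LMS": "1.1.3",
    "Blue Admin": None,
    "Favicon by RealFaviconGenerator": None,
    "uListing": "2.0.6",
    "WooCommerce Blocks": "5.5.1",
    "WooCommerce": "5.5.1",
    "Admin Custom Login": "3.2.8",
    "SEO Backlinks": None,
    "Poll Maker": "3.2.9",
    "Post Index": None,
    "Side Menu Lite": "2.2.6",
    "WordPress Download Manager": "3.1.25",
    "FluentSMTP": "2.0.1",
    "Youtube Feeder": None,
    "Nifty Newsletters": None,
}


def parse_version(v):
    """'2.0.6.07225' -> (2, 0, 6, 7225). Leading zeros and any non-numeric
    suffix on a component are ignored; purely non-numeric parts are dropped."""
    parts = []
    for piece in re.split(r"[.\-]", v.strip()):
        m = re.match(r"\d+", piece)
        if m:
            parts.append(int(m.group()))
    return tuple(parts)


def version_lt(installed, fixed):
    """True if `installed` is older than `fixed`. Shorter tuples are
    zero-padded, so '2.0' compares as 2.0.0.0 against '2.0.6.07225'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def triage(plugins):
    """plugins: list of {'title': ..., 'version': ...} dicts as emitted by
    wp-cli. Returns {title: action} for each installed plugin in the digest."""
    actions = {}
    for p in plugins:
        title = p["title"]
        if title not in DIGEST:
            continue  # not mentioned in this digest
        fixed = DIGEST[title]
        if fixed is None:
            actions[title] = "uninstall and delete (no known fix)"
        elif version_lt(p["version"], fixed):
            actions[title] = f"update {p['version']} -> {fixed}"
        else:
            actions[title] = "ok (at or above patched version)"
    return actions


# Constructed sample of `wp plugin list` output; the versions are made up.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"title": "WooCommerce", "version": "5.4.1"},
    {"title": "WPFront Scroll Top", "version": "2.0.6.07224"},
    {"title": "uListing", "version": "2.0.6"},
    {"title": "Blue Admin", "version": "1.2"},
    {"title": "Akismet Anti-Spam", "version": "4.1.10"},
])


def triage_sample():
    """Run the triage over the constructed sample."""
    return triage(json.loads(SAMPLE_PLUGIN_LIST))


if __name__ == "__main__":
    for title, action in triage_sample().items():
        print(f"{title}: {action}")
```

Two points worth noting about the comparison. Versions are compared component by component as integers, not as strings, so "2.0.6.07224" correctly sorts below "2.0.6.07225" and "2.10.4" above "2.9". And the script flags anything below the patched version, so a WooCommerce install older than the 3.3 lower bound given in the digest is still reported as needing an update; for an install that old the upgrade is overdue anyway.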
WordPress Themes Vulnerabilities
No new WordPress theme vulnerabilities have been disclosed this month.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we have already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!