Threat Alerts / Aug 04, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. Simple Banner

Plugin: Simple Banner
Vulnerability: Authenticated Stored XSS
Patched in Version: 2.10.4
Severity Score: Low

The vulnerability is patched, so you should update to version 2.10.4.

2. HD Quiz

Plugin: HD Quiz
Vulnerability: Authenticated Stored XSS
Patched in Version: 1.8.4
Severity Score: Low

The vulnerability is patched, so you should update to version 1.8.4.

3. Contact Form 7 Captcha

Plugin: Contact Form 7 Captcha
Vulnerability: CSRF to Stored XSS
Patched in Version: 0.0.9
Severity Score: High

The vulnerability is patched, so you should update to version 0.0.9.

4. WPFront Scroll Top

Plugin: WPFront Scroll Top
Vulnerability: Authenticated Stored XSS
Patched in Version: 2.0.6.07225
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.6.07225.

5. WP SMS

Plugin: WP SMS
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 5.4.13
Severity Score: Low

The vulnerability is patched, so you should update to version 5.4.13.

6. Qyrr

Plugin: Qyrr
Vulnerability: Authenticated (contributor+) Stored XSS
Patched in Version: 0.7
Severity Score: Medium

The vulnerability is patched, so you should update to version 0.7.

7. Paid Member Subscriptions

Plugin: Paid Member Subscriptions
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 2.4.2
Severity Score: High

The vulnerability is patched, so you should update to version 2.4.2.

Plugin: Paid Member Subscriptions
Vulnerability: Authenticated SQL Injection
Patched in Version: 2.4.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.4.2.

8. GiveWP

Plugin: GiveWP
Vulnerability: Authenticated Stored XSS
Patched in Version: 2.12.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.12.0.

9. Slider Hero

Plugin: Slider Hero
Vulnerability: CSRF to Stored XSS
Patched in Version: 8.2.7
Severity Score: Critical

The vulnerability is patched, so you should update to version 8.2.7.

10. Simple Social Media Share Buttons

Plugin: Simple Social Media Share Buttons
Vulnerability: Contributor+ Stored XSS
Patched in Version: 3.2.3
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.2.3.

11. Advanced Shipment Tracking for WooCommerce

Plugin: Advanced Shipment Tracking for WooCommerce
Vulnerability: Authenticated Options Change
Patched in Version: 3.2.7
Severity Score: Critical

The vulnerability is patched, so you should update to version 3.2.7.

12. WP LMS

Plugin: WP LMS
Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 1.1.3
Severity Score: High

The vulnerability is patched, so you should update to version 1.1.3.

13. Blue Admin

Plugin: Blue Admin
Vulnerability: CSRF to Stored Cross-Site Scripting (XSS)
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

14. Favicon by RealFaviconGenerator

Plugin: Favicon by RealFaviconGenerator
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

15. uListing

Plugin: uListing
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 2.0.4
Severity Score: High

The vulnerability is patched, so you should update to version 2.0.4.

Plugin: uListing
Vulnerability: Authenticated IDOR
Patched in Version: 2.0.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.6.

Plugin: uListing
Vulnerability: Authenticated Reflected XSS
Patched in Version: 2.0.6
Severity Score: Low

The vulnerability is patched, so you should update to version 2.0.6.

Plugin: uListing
Vulnerability: Multiple CSRF
Patched in Version: 2.0.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.6.

Plugin: uListing
Vulnerability: Modify User Roles via CSRF
Patched in Version: 2.0.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.6.

Plugin: uListing
Vulnerability: Settings Update via CSRF
Patched in Version: 2.0.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.6.

Plugin: uListing
Vulnerability: Unauthenticated Privilege Escalation
Patched in Version: 2.0.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.6.

16. WooCommerce Blocks 2.5 to 5.5

Plugin: WooCommerce Blocks 2.5 to 5.5
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 5.5.1
Severity Score: Critical

The vulnerability is patched, so you should update to version 5.5.1.

17. WooCommerce 3.3 to 5.5

Plugin: WooCommerce 3.3 to 5.5
Vulnerability: Authenticated Blind SQL Injection
Patched in Version: 5.5.1
Severity Score: High

The vulnerability is patched, so you should update to version 5.5.1.

18. Admin Custom Login

Plugin: Admin Custom Login
Vulnerability: CSRF to Stored XSS
Patched in Version: 3.2.8
Severity Score: High

The vulnerability is patched, so you should update to version 3.2.8.

19. SEO Backlinks

Plugin: SEO Backlinks
Vulnerability: CSRF to Stored XSS
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

20. Poll Maker

Plugin: Poll Maker
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.2.9
Severity Score: High

The vulnerability is patched, so you should update to version 3.2.9.

21. Post Index

Plugin: Post Index
Vulnerability: CSRF to Stored XSS
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

22. Side Menu Lite

Plugin: Side Menu Lite
Vulnerability: Authenticated SQL Injection
Patched in Version: 2.2.6
Severity Score: High

The vulnerability is patched, so you should update to version 2.2.6.

23. WordPress Download Manager

Plugin: WordPress Download Manager
Vulnerability: Authenticated Directory Traversal
Patched in Version: 3.1.25
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.1.25.

Plugin: WordPress Download Manager
Vulnerability: Authenticated File Upload
Patched in Version: 3.1.25
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.1.25.

24. FluentSMTP

Plugin: FluentSMTP
Vulnerability: Authenticated Stored XSS
Patched in Version: 2.0.1
Severity Score: Low

The vulnerability is patched, so you should update to version 2.0.1.

25. Youtube Feeder

Plugin: Youtube Feeder
Vulnerability: CSRF to Stored XSS
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

26. Nifty Newsletters

Plugin: Nifty Newsletters
Vulnerability: CSRF to Stored XSS
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

WordPress Theme Vulnerabilities

No new WordPress theme vulnerabilities have been disclosed this month.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we have already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!