Threat Alerts / Aug 11, 2021

Each vulnerability is given a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. Sitewide Notice WP

Plugin: Sitewide Notice WP
Vulnerability: Authenticated Stored XSS
Patched in Version: 2.3
Severity Score: Low

The vulnerability is patched, so you should update to version 2.3.

2. Business Hours Indicator

Plugin: Business Hours Indicator
Vulnerability: Authenticated Stored XSS
Patched in Version: 2.3.5
Severity Score: Low

The vulnerability is patched, so you should update to version 2.3.5.

3. Bold Page Builder

Plugin: Bold Page Builder
Vulnerability: PHP Object Injection
Patched in Version: 3.1.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.1.6.

4. ShareThis Dashboard for Google Analytics

Plugin: ShareThis Dashboard for Google Analytics
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 2.5.2
Severity Score: High

The vulnerability is patched, so you should update to version 2.5.2.

5. StoryChief

Plugin: StoryChief
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 1.0.31
Severity Score: High

The vulnerability is patched, so you should update to version 1.0.31.

Plugin: StoryChief
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 1.0.31
Severity Score: Low

The vulnerability is patched, so you should update to version 1.0.31.

6. WP LMS

Plugin: WP LMS
Vulnerability: Unauthenticated Arbitrary User Field Edition/Creation
Patched in Version: 1.1.5
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.1.5.

7. VDZ Google Analytics or Google Tag Manager / GTM

Plugin: VDZ Google Analytics or Google Tag Manager / GTM
Vulnerability: Authenticated Stored XSS
Patched in Version: 1.6.0
Severity Score: Low

The vulnerability is patched, so you should update to version 1.6.0.

Plugin: VDZ Google Analytics or Google Tag Manager / GTM
Vulnerability: Authenticated Stored XSS
Patched in Version: 1.4.9
Severity Score: Low

This second issue was patched in version 1.4.9. Updating to version 1.6.0 covers both issues in this plugin.

8. Cooked

Plugin: Cooked
Vulnerability: Unauthenticated Reflected Cross-Site Scripting (XSS)
Patched in Version: 1.7.9.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.9.1.

9. Email Encoder – Protect Email Addresses

Plugin: Email Encoder – Protect Email Addresses
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 2.1.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.1.2.

10. SMS Alert Order Notifications – WooCommerce

Plugin: SMS Alert Order Notifications – WooCommerce
Vulnerability: Authenticated Cross-Site Scripting (XSS)
Patched in Version: 3.4.7
Severity Score: Low

The vulnerability is patched, so you should update to version 3.4.7.

11. HM Multiple Roles

Plugin: HM Multiple Roles
Vulnerability: Arbitrary Role Change
Patched in Version: 1.3
Severity Score: Critical

The vulnerability is patched, so you should update to version 1.3.

12. WP Customize Login

Plugin: WP Customize Login
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: No known fix
Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

13. User Rights Access Manager

Plugin: User Rights Access Manager
Vulnerability: Access Restriction Bypass
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

14. JiangQie Official Website Mini Program

Plugin: JiangQie Official Website Mini Program
Vulnerability: Authenticated SQL Injection
Patched in Version: 1.1.1
Severity Score: Critical

The vulnerability is patched, so you should update to version 1.1.1.

15. Welcart e-Commerce

Plugin: Welcart e-Commerce
Vulnerability: Unauthenticated Information Disclosure
Patched in Version: 2.2.8
Severity Score: High

The vulnerability is patched, so you should update to version 2.2.8.

Plugin: Welcart e-Commerce
Vulnerability: Authenticated System Information Disclosure
Patched in Version: 2.2.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.2.8.

16. Highlight

Plugin: Highlight
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 0.9.3
Severity Score: Low

The vulnerability is patched, so you should update to version 0.9.3.

17. Cookie Notice & Consent Banner for GDPR & CCPA Compliance

Plugin: Cookie Notice & Consent Banner for GDPR & CCPA Compliance
Vulnerability: Authenticated Stored XSS
Patched in Version: 1.7.2
Severity Score: Low

The vulnerability is patched, so you should update to version 1.7.2.

18. Pods

Plugin: Pods
Vulnerability: Multiple Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 2.7.29
Severity Score: Low

The vulnerability is patched, so you should update to version 2.7.29.
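If you manage more than a handful of sites, checking each one against this list by hand is error-prone, so here is a small audit script added for this post (it is not code from iThemes or from any of the plugins above). It takes the JSON that WP-CLI prints for `wp plugin list --fields=name,title,version --format=json`, matches installed plugins against the advisories listed above by plugin title, and reports whether each one needs an update (and to which version) or, where no fix exists, should be removed. The version comparison follows the dotted-numeric scheme WordPress plugins use, so 1.7.9 is correctly flagged as older than 1.7.9.1. The plugin slugs and versions in the embedded sample are constructed for the demo, not taken from a real site; matching on the `title` field assumes the plugin header title equals the name used in the roundup.

```python
"""Audit a site's installed plugins against this month's WordPress roundup.

Input: the JSON from `wp plugin list --fields=name,title,version --format=json`.
A constructed sample is embedded so the script runs offline.
"""
import json
import re

# (plugin title as listed in the roundup, vulnerability, fixing version; None = no known fix)
ADVISORIES = [
    ("Sitewide Notice WP", "Authenticated Stored XSS", "2.3"),
    ("Business Hours Indicator", "Authenticated Stored XSS", "2.3.5"),
    ("Bold Page Builder", "PHP Object Injection", "3.1.6"),
    ("ShareThis Dashboard for Google Analytics", "Reflected XSS", "2.5.2"),
    ("StoryChief", "Reflected XSS", "1.0.31"),
    ("StoryChief", "Authenticated Stored XSS", "1.0.31"),
    ("WP LMS", "Unauthenticated Arbitrary User Field Edition/Creation", "1.1.5"),
    ("VDZ Google Analytics or Google Tag Manager / GTM", "Authenticated Stored XSS", "1.6.0"),
    ("VDZ Google Analytics or Google Tag Manager / GTM", "Authenticated Stored XSS", "1.4.9"),
    ("Cooked", "Unauthenticated Reflected XSS", "1.7.9.1"),
    ("Email Encoder – Protect Email Addresses", "Reflected XSS", "2.1.2"),
    ("SMS Alert Order Notifications – WooCommerce", "Authenticated XSS", "3.4.7"),
    ("HM Multiple Roles", "Arbitrary Role Change", "1.3"),
    ("WP Customize Login", "Authenticated Stored XSS", None),
    ("User Rights Access Manager", "Access Restriction Bypass", None),
    ("JiangQie Official Website Mini Program", "Authenticated SQL Injection", "1.1.1"),
    ("Welcart e-Commerce", "Unauthenticated Information Disclosure", "2.2.8"),
    ("Welcart e-Commerce", "Authenticated System Information Disclosure", "2.2.8"),
    ("Highlight", "Authenticated Stored XSS", "0.9.3"),
    ("Cookie Notice & Consent Banner for GDPR & CCPA Compliance", "Authenticated Stored XSS", "1.7.2"),
    ("Pods", "Multiple Authenticated Stored XSS", "2.7.29"),
]


def version_key(version: str) -> tuple:
    """Numeric components of a dotted version, so '1.7.9' < '1.7.9.1'.
    Trailing zeros are dropped so '2.3' == '2.3.0'. Pre-release suffixes such
    as '-beta' are ignored, which is fine for released plugin versions."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def audit(plugin_list_json: str) -> dict:
    """Map each installed plugin that appears in the roundup to
    {"action": "ok" | "update" | "remove", "target": version or None, "issues": [...]}."""
    by_title = {}
    for title, issue, fixed in ADVISORIES:
        by_title.setdefault(title.lower(), []).append((issue, fixed))

    findings = {}
    for plugin in json.loads(plugin_list_json):
        advisories = by_title.get(plugin["title"].strip().lower())
        if not advisories:
            continue  # plugin not mentioned in this roundup
        installed = version_key(plugin["version"])
        action, target, open_issues = "ok", None, []
        for issue, fixed in advisories:
            if fixed is None:
                # No patch exists: the only safe option is to uninstall and delete it.
                action = "remove"
                open_issues.append(f"{issue} (no known fix)")
            elif installed < version_key(fixed):
                open_issues.append(f"{issue} (fixed in {fixed})")
                if action != "remove":
                    action = "update"
                # Update to the highest fixing version so every listed issue is covered.
                if target is None or version_key(fixed) > version_key(target):
                    target = fixed
        findings[plugin["name"]] = {"action": action, "target": target, "issues": open_issues}
    return findings


# Constructed sample of WP-CLI output; slugs and versions are invented for the demo.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "cooked", "title": "Cooked", "version": "1.7.9"},
    {"name": "pods", "title": "Pods", "version": "2.7.29"},
    {"name": "wp-customize-login", "title": "WP Customize Login", "version": "1.0"},
    {"name": "vdz-google-analytics", "title": "VDZ Google Analytics or Google Tag Manager / GTM", "version": "1.5.2"},
    {"name": "akismet", "title": "Akismet Anti-Spam", "version": "4.1.10"},
])

if __name__ == "__main__":
    for slug, result in audit(SAMPLE_PLUGIN_LIST).items():
        target = f" to {result['target']}" if result["target"] else ""
        print(f"{slug}: {result['action']}{target}")
        for issue in result["issues"]:
            print(f"    - {issue}")
```

On a real site, pipe the WP-CLI output into the script instead of the embedded sample. Note that for the VDZ plugin at the sample version 1.5.2 only the issue fixed in 1.6.0 is reported, since the 1.4.9 fix is already present; and Pods at exactly 2.7.29 reports as fine, because the fixing version itself is safe.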

WordPress Themes Vulnerabilities

No new WordPress theme vulnerabilities have been disclosed this month.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we've already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!