WordPress Vulnerabilities Digest - August 2021 Part 2

Threat Alerts / August 12, 2021
Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. Sitewide Notice WP

Plugin: Sitewide Notice WP
Vulnerability: Authenticated Stored XSS
Patched in Version: 2.3
Severity Score: Low

The vulnerability is patched, so you should update to version 2.3.

2. Business Hours Indicator

Plugin: Business Hours Indicator
Vulnerability: Authenticated Stored XSS
Patched in Version: 2.3.5
Severity Score: Low

The vulnerability is patched, so you should update to version 2.3.5.

3. Bold Page Builder

Plugin: Bold Page Builder
Vulnerability: PHP Object Injection
Patched in Version: 3.1.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.1.6.

4. ShareThis Dashboard for Google Analytics

Plugin: ShareThis Dashboard for Google Analytics
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 2.5.2
Severity Score: High

The vulnerability is patched, so you should update to version 2.5.2.

5. StoryChief

Plugin: StoryChief
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 1.0.31
Severity Score: High

The vulnerability is patched, so you should update to version 1.0.31.

Plugin: StoryChief
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 1.0.31
Severity Score: Low

The vulnerability is patched, so you should update to version 1.0.31.

6. WP LMS

Plugin: WP LMS
Vulnerability: Unauthenticated Arbitrary User Field Edition/Creation
Patched in Version: 1.1.5
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.1.5.

7. VDZ Google Analytics or Google Tag Manager / GTM

Plugin: VDZ Google Analytics or Google Tag Manager / GTM
Vulnerability: Authenticated Stored XSS
Patched in Version: 1.6.0
Severity Score: Low

The vulnerability is patched, so you should update to version 1.6.0.

Plugin: VDZ Google Analytics or Google Tag Manager / GTM
Vulnerability: Authenticated Stored XSS
Patched in Version: 1.4.9
Severity Score: Low

The vulnerability is patched, so you should update to version 1.4.9 or later; version 1.6.0 covers both of the issues listed for this plugin.

8. Cooked

Plugin: Cooked
Vulnerability: Unauthenticated Reflected Cross-Site Scripting (XSS)
Patched in Version: 1.7.9.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.9.1.

9. Email Encoder Protect Email Addresses

Plugin: Email Encoder Protect Email Addresses
Vulnerability: Reflected Cross Site Scripting
Patched in Version: 2.1.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.1.2.

10. SMS Alert Order Notifications WooCommerce

Plugin: SMS Alert Order Notifications WooCommerce
Vulnerability: Authenticated Cross Site Scripting
Patched in Version: 3.4.7
Severity Score: Low

The vulnerability is patched, so you should update to version 3.4.7.

11. HM Multiple Roles

Plugin: HM Multiple Roles
Vulnerability: Arbitrary Role Change
Patched in Version: 1.3
Severity Score: Critical

The vulnerability is patched, so you should update to version 1.3.

12. WP Customize Login

Plugin: WP Customize Login
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: No known fix
Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

13. User Rights Access Manager

Plugin: User Rights Access Manager
Vulnerability: Access Restriction Bypass
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

14. JiangQie Official Website Mini Program

Plugin: JiangQie Official Website Mini Program
Vulnerability: Authenticated SQL Injection
Patched in Version: 1.1.1
Severity Score: Critical

The vulnerability is patched, so you should update to version 1.1.1.

15. Welcart e-Commerce

Plugin: Welcart e-Commerce
Vulnerability: Unauthenticated Information Disclosure
Patched in Version: 2.2.8
Severity Score: High

The vulnerability is patched, so you should update to version 2.2.8.

Plugin: Welcart e-Commerce
Vulnerability: Authenticated System Information Disclosure
Patched in Version: 2.2.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.2.8.

16. Highlight

Plugin: Highlight
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 0.9.3
Severity Score: Low

The vulnerability is patched, so you should update to version 0.9.3.

17. Cookie Notice & Consent Banner for GDPR & CCPA Compliance

Plugin: Cookie Notice & Consent Banner for GDPR & CCPA Compliance
Vulnerability: Authenticated Stored XSS
Patched in Version: 1.7.2
Severity Score: Low

The vulnerability is patched, so you should update to version 1.7.2.

18. Pods

Plugin: Pods
Vulnerability: Multiple Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 2.7.29
Severity Score: Low

The vulnerability is patched, so you should update to version 2.7.29.

WordPress Themes Vulnerabilities

No new WordPress theme vulnerabilities have been disclosed this month.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!