Threat Alerts / Aug 18, 2021

Each vulnerability is given a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. Clean Login

Plugin: Clean Login
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.12.6.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.12.6.4.

2. SliceWP

Plugin: SliceWP
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 1.0.46
Severity Score: High

The vulnerability is patched, so you should update to version 1.0.46.

3. WordPress Download Manager

Plugin: WordPress Download Manager
Vulnerability: Email Template Setting Update via CSRF
Patched in Version: 3.2.13
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.2.13.

4. SpeakOut! Email Petitions

Plugin: SpeakOut! Email Petitions
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.13.3
Severity Score: High

The vulnerability is patched, so you should update to version 2.13.3.

5. Site Reviews

Plugin: Site Reviews
Vulnerability: Authenticated Stored XSS
Patched in Version: 5.13.1
Severity Score: Low

The vulnerability is patched, so you should update to version 5.13.1.

6. Tutor LMS

Plugin: Tutor LMS
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.9.6
Severity Score: High

The vulnerability is patched, so you should update to version 1.9.6.

7. WPFront Notification Bar

Plugin: WPFront Notification Bar
Vulnerability: Authenticated Stored XSS
Patched in Version: 2.1.08087
Severity Score: Low

The vulnerability is patched, so you should update to version 2.1.08087.

8. Form Builder

Plugin: Form Builder
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 1.9.8.5
Severity Score: High

The vulnerability is patched, so you should update to version 1.9.8.5.

Plugin: Form Builder
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 1.9.8.4
Severity Score: Low

The vulnerability is patched, so you should update to version 1.9.8.4.

9. WPvivid Backup

Plugin: WPvivid Backup
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 0.9.56
Severity Score: High

The vulnerability is patched, so you should update to version 0.9.56.

10. AddToAny

Plugin: AddToAny
Vulnerability: Authenticated Stored XSS
Patched in Version: 1.7.46
Severity Score: Low

The vulnerability is patched, so you should update to version 1.7.46.

11. Stop Spammers Security

Plugin: Stop Spammers Security
Vulnerability: Authenticated Stored XSS
Patched in Version: 2021.18
Severity Score: Low

The vulnerability is patched, so you should update to version 2021.18.

12. Keywords & Meta

Plugin: Keywords & Meta
Vulnerability: CSRF to Stored Cross-Site Scripting (XSS)
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

13. Titan Framework 

Plugin: Titan Framework
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

Affects Plugins:

- 4k-icon-fonts-for-visual-composer – No known fix – plugin closed

- adblock-notify-by-bweb – No known fix

- affiliate-pro – No known fix – plugin closed

- amp-extensions – No known fix

- aoi-tori – No known fix

- awesome-support – No known fix

- betteroptin – No known fix – plugin closed

- border-loading-bar – No known fix

- catchers-helpdesk – No known fix

- categories-gallery – No known fix

- categories-gallery-woocommerce – No known fix

- cf7-customizer – No known fix

- clinicalwp-core – No known fix

- cool-facebook-page-feed-timeline – No known fix – plugin closed

- custom-scroll-bar-designer – No known fix

- custom-text-selection-colors – No known fix

- disable-image-right-click – No known fix

- easy-gallery-slideshow – No known fix

- easy-google-map – No known fix

- easy-justified-gallery – No known fix

- email-my-posts – No known fix

- exit-popup-show – No known fix

- flight-search-widget-blocks – No known fix

- icons-with-links-widget – No known fix – plugin closed

- icustomizer – No known fix

- live-chat-facebook-fanpage – No known fix

- media-mirror – No known fix

- mobile-menu – No known fix

- popup-modal-for-youtube – No known fix

- project-app – No known fix

- seatgeek-affiliate-tickets – No known fix

- seo-dashboard-by-gutewebsites-de – No known fix

- share-woocommerce-email – No known fix

- simple-behace-portfolio – No known fix

- stars-menu – No known fix – plugin closed

- station-pro – No known fix

- sticky-related-posts – No known fix – plugin closed

- tcs3 – No known fix

- template-events-calendar – No known fix

- total-sales-for-woocommerce – No known fix

- tr-easy-google-analytics – No known fix – plugin closed

- venture-event-manager – No known fix

- w3s-cf7-zoho – No known fix

- webhotelier – No known fix

- woo-availability-date – No known fix

- woo-whatsapp-request-quote – No known fix – plugin closed

- woosaleskit-bar – No known fix – plugin closed

- yandex-money-button – No known fix

14. WP Fusion Lite

Plugin: WP Fusion Lite
Vulnerability: CSRF to Data Deletion
Patched in Version: 3.37.30
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.37.30.

Plugin: WP Fusion Lite
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 3.37.30
Severity Score: High

The vulnerability is patched, so you should update to version 3.37.30.

Plugin: WP Fusion Lite
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 3.37.31
Severity Score: High

The vulnerability is patched, so you should update to version 3.37.31.

15. Block and Stop Bad Bots

Plugin: Block and Stop Bad Bots
Vulnerability: Authenticated SQL Injections
Patched in Version: 6.60
Severity Score: Medium

The vulnerability is patched, so you should update to version 6.60.

16. WP Simple Booking Calendar

Plugin: WP Simple Booking Calendar
Vulnerability: Authenticated SQL Injections
Patched in Version: 2.0.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.6.

17. Paid Member Subscriptions

Plugin: Paid Member Subscriptions
Vulnerability: Authenticated SQL Injections
Patched in Version: 2.4.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.4.2.

18. Favicon by RealFaviconGenerator

Plugin: Favicon by RealFaviconGenerator
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 1.3.22
Severity Score: High

The vulnerability is patched, so you should update to version 1.3.22.

19. Alipay 

Plugin: Alipay
Vulnerability: Authenticated SQL Injection
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

20. Cashtomer 

Plugin: Cashtomer
Vulnerability: Authenticated SQL Injection
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

21. WordPress Membership SwiftCloud.io

Plugin: WordPress Membership SwiftCloud.io
Vulnerability: Authenticated SQL Injection
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

22. Comment Highlighter

Plugin: Comment Highlighter
Vulnerability: Authenticated SQL Injection
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

23. Easy Testimonial Manager

Plugin: Easy Testimonial Manager
Vulnerability: Authenticated SQL Injection
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

24. Embed Youtube Video 

Plugin: Embed Youtube Video
Vulnerability: Authenticated SQL Injection
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

25. Quiz And Survey Master 

Plugin: Quiz And Survey Master
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 7.1.14
Severity Score: High

The vulnerability is patched, so you should update to version 7.1.14.

26. Book appointment Online

Plugin: Book appointment Online
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 1.39
Severity Score: Low

The vulnerability is patched, so you should update to version 1.39.

27. miniOrange’s Google Authenticator

Plugin: miniOrange’s Google Authenticator
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 5.4.40
Severity Score: High

The vulnerability is patched, so you should update to version 5.4.40.

28. Two Factor Authentication

Plugin: Two Factor Authentication
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.0.8
Severity Score: High

The vulnerability is patched, so you should update to version 1.0.8.

29. Daily Prayer Time

Plugin: Daily Prayer Time
Vulnerability: Authenticated Stored XSS
Patched in Version: 2021.08.10
Severity Score: Low

The vulnerability is patched, so you should update to version 2021.08.10.

30. Custom Post View Generator 

Plugin: Custom Post View Generator
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

31. FV Flowplayer Video Player

Plugin: FV Flowplayer Video Player
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 7.5.3.727
Severity Score: High

The vulnerability is patched, so you should update to version 7.5.3.727.

32. Picture Gallery

Plugin: Picture Gallery
Vulnerability: Authenticated Stored XSS
Patched in Version: No known fix
Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

33. Software License Manager

Plugin: Software License Manager
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.4.8 (Plugin Closed)
Severity Score: High

The vulnerability is patched, so you should update to version 4.4.8.

34. Per Page Add to Head 

Plugin: Per Page Add to Head
Vulnerability: Authenticated Stored XSS
Patched in Version: No known fix
Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

Plugin: Per Page Add to Head
Vulnerability: CSRF to Stored XSS
Patched in Version: 1.4.4 (Plugin Closed)
Severity Score: High

The vulnerability is patched, so you should update to version 1.4.4.

35. Securimage-WP-Fixed

Plugin: Securimage-WP-Fixed
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

36. Image Export

Plugin: Image Export
Vulnerability: Directory Traversal
Patched in Version: No known fix
Severity Score: Critical

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

37. Content text slider on post 

Plugin: Content text slider on post
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 6.9
Severity Score: Medium

The vulnerability is patched, so you should update to version 6.9.

38. Contact Form Generator 

Plugin: Contact Form Generator
Vulnerability: Multiple Cross-Site Request Forgery (CSRF)
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

39. Calendar_plugin

Plugin: Calendar_plugin
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

40. Add Sidebar

Plugin: Add Sidebar
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

41. WP SEO Tags 

Plugin: WP SEO Tags
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

42. Moova for WooCommerce

Plugin: Moova for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

43. jQuery Tagline Rotator

Plugin: jQuery Tagline Rotator
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

44. Plugmatter Pricing Table Lite

Plugin: Plugmatter Pricing Table Lite
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

45. Simple Popup Newsletter

Plugin: Simple Popup Newsletter
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

46. TypoFR 

Plugin: TypoFR
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

47. WP Songbook 

Plugin: WP Songbook
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

48. Custom Post Type Relations 

Plugin: Custom Post Type Relations
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

49. 2Way VideoCalls and Random Chat

Plugin: 2Way VideoCalls and Random Chat
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

50. WP Fountain 

Plugin: WP Fountain
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

51. Media Usage

Plugin: Media Usage
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

52. Scribble Maps 

Plugin: Scribble Maps
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

53. Multiplayer Games

Plugin: Multiplayer Games
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

54. Skaut bazar

Plugin: Skaut bazar
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

55. Smart Email Alerts

Plugin: Smart Email Alerts
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

56. Simple Behance Portfolio

Plugin: Simple Behance Portfolio
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

WordPress Themes Vulnerabilities


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we have already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!