WordPress Vulnerabilities Digest - August 2021 Part 3
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
No new WordPress core vulnerabilities have been disclosed this month.
WordPress Plugin Vulnerabilities
1. Clean Login
Plugin: Clean Login Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.12.6.4 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.12.6.4.
2. SliceWP
Plugin: SliceWP Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 1.0.46 Severity Score: High
The vulnerability is patched, so you should update to version 1.0.46.
3. WordPress Download Manager
Plugin: WordPress Download Manager Vulnerability: Email Template Setting Update via CSRF Patched in Version: 3.2.13 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.2.13.
4. SpeakOut! Email Petitions
Plugin: SpeakOut! Email Petitions Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.13.3 Severity Score: High
The vulnerability is patched, so you should update to version 2.13.3.
5. Site Reviews
Plugin: Site Reviews Vulnerability: Authenticated Stored XSS Patched in Version: 5.13.1 Severity Score: Low
The vulnerability is patched, so you should update to version 5.13.1.
6. Tutor LMS
Plugin: Tutor LMS Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.9.6 Severity Score: High
The vulnerability is patched, so you should update to version 1.9.6.
7. WPFront Notification Bar
Plugin: WPFront Notification Bar Vulnerability: Authenticated Stored XSS Patched in Version: 2.1.08087 Severity Score: Low
The vulnerability is patched, so you should update to version 2.1.08087.
8. Form Builder
Plugin: Form Builder Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 1.9.8.5 Severity Score: High
The vulnerability is patched, so you should update to version 1.9.8.5.
Plugin: Form Builder Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 1.9.8.4 Severity Score: Low
The vulnerability is patched, so you should update to version 1.9.8.4.
9. WPvivid Backup
Plugin: WPvivid Backup Vulnerability: Reflected Cross-Site Scripting Patched in Version: 0.9.56 Severity Score: High
The vulnerability is patched, so you should update to version 0.9.56.
10. AddToAny
Plugin: AddToAny Vulnerability: Authenticated Stored XSS Patched in Version: 1.7.46 Severity Score: Low
The vulnerability is patched, so you should update to version 1.7.46.
11. Stop Spammers Security
Plugin: Stop Spammers Security Vulnerability: Authenticated Stored XSS Patched in Version: 2021.18 Severity Score: Low
The vulnerability is patched, so you should update to version 2021.18.
12. Keywords & Meta
Plugin: Keywords & Meta Vulnerability: CSRF to Stored Cross-Site Scripting (XSS) Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
13. Titan Framework
Plugin: Titan Framework Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Affects Plugins:
- 4k-icon-fonts-for-visual-composer: No known fix (plugin closed)
- adblock-notify-by-bweb: No known fix
- affiliate-pro: No known fix (plugin closed)
- amp-extensions: No known fix
- aoi-tori: No known fix
- awesome-support: No known fix
- betteroptin: No known fix (plugin closed)
- border-loading-bar: No known fix
- catchers-helpdesk: No known fix
- categories-gallery: No known fix
- categories-gallery-woocommerce: No known fix
- cf7-customizer: No known fix
- clinicalwp-core: No known fix
- cool-facebook-page-feed-timeline: No known fix (plugin closed)
- custom-scroll-bar-designer: No known fix
- custom-text-selection-colors: No known fix
- disable-image-right-click: No known fix
- easy-gallery-slideshow: No known fix
- easy-google-map: No known fix
- easy-justified-gallery: No known fix
- email-my-posts: No known fix
- exit-popup-show: No known fix
- flight-search-widget-blocks: No known fix
- icons-with-links-widget: No known fix (plugin closed)
- icustomizer: No known fix
- live-chat-facebook-fanpage: No known fix
- media-mirror: No known fix
- mobile-menu: No known fix
- popup-modal-for-youtube: No known fix
- project-app: No known fix
- seatgeek-affiliate-tickets: No known fix
- seo-dashboard-by-gutewebsites-de: No known fix
- share-woocommerce-email: No known fix
- simple-behace-portfolio: No known fix
- stars-menu: No known fix (plugin closed)
- station-pro: No known fix
- sticky-related-posts: No known fix (plugin closed)
- tcs3: No known fix
- template-events-calendar: No known fix
- total-sales-for-woocommerce: No known fix
- tr-easy-google-analytics: No known fix (plugin closed)
- venture-event-manager: No known fix
- w3s-cf7-zoho: No known fix
- webhotelier: No known fix
- woo-availability-date: No known fix
- woo-whatsapp-request-quote: No known fix (plugin closed)
- woosaleskit-bar: No known fix (plugin closed)
- yandex-money-button: No known fix
14. WP Fusion Lite
Plugin: WP Fusion Lite Vulnerability: CSRF to Data Deletion Patched in Version: 3.37.30 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.37.30.
Plugin: WP Fusion Lite Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 3.37.30 Severity Score: High
The vulnerability is patched, so you should update to version 3.37.30.
Plugin: WP Fusion Lite Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 3.37.31 Severity Score: High
The vulnerability is patched, so you should update to version 3.37.31.
15. Block and Stop Bad Bots
Plugin: Block and Stop Bad Bots Vulnerability: Authenticated SQL Injections Patched in Version: 6.60 Severity Score: Medium
The vulnerability is patched, so you should update to version 6.60.
16. WP Simple Booking Calendar
Plugin: WP Simple Booking Calendar Vulnerability: Authenticated SQL Injections Patched in Version: 2.0.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.6.
17. Paid Member Subscriptions
Plugin: Paid Member Subscriptions Vulnerability: Authenticated SQL Injections Patched in Version: 2.4.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.4.2.
18. Favicon by RealFaviconGenerator
Plugin: Favicon by RealFaviconGenerator Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 1.3.22 Severity Score: High
The vulnerability is patched, so you should update to version 1.3.22.
19. Alipay
Plugin: Alipay Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
20. Cashtomer
Plugin: Cashtomer Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
21. WordPress Membership SwiftCloud.io
Plugin: WordPress Membership SwiftCloud.io Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
22. Comment Highlighter
Plugin: Comment Highlighter Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
23. Easy Testimonial Manager
Plugin: Easy Testimonial Manager Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
24. Embed Youtube Video
Plugin: Embed Youtube Video Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
25. Quiz And Survey Master
Plugin: Quiz And Survey Master Vulnerability: Reflected Cross-Site Scripting Patched in Version: 7.1.14 Severity Score: High
The vulnerability is patched, so you should update to version 7.1.14.
26. Book appointment Online
Plugin: Book appointment Online Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 1.39 Severity Score: Low
The vulnerability is patched, so you should update to version 1.39.
27. miniOranges Google Authenticator
Plugin: miniOranges Google Authenticator Vulnerability: Reflected Cross-Site Scripting Patched in Version: 5.4.40 Severity Score: High
The vulnerability is patched, so you should update to version 5.4.40.
28. Two Factor Authentication
Plugin: Two Factor Authentication Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.0.8 Severity Score: High
The vulnerability is patched, so you should update to version 1.0.8.
29. Daily Prayer Time
Plugin: Daily Prayer Time Vulnerability: Authenticated Stored XSS Patched in Version: 2021.08.10 Severity Score: Low
The vulnerability is patched, so you should update to version 2021.08.10.
30. Custom Post View Generator
Plugin: Custom Post View Generator Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
31. FV Flowplayer Video Player
Plugin: FV Flowplayer Video Player Vulnerability: Reflected Cross-Site Scripting Patched in Version: 7.5.3.727 Severity Score: High
The vulnerability is patched, so you should update to version 7.5.3.727.
32. Picture Gallery
Plugin: Picture Gallery Vulnerability: Authenticated Stored XSS Patched in Version: No known fix Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
33. Software License Manager
Plugin: Software License Manager Vulnerability: Reflected Cross-Site Scripting Patched in Version: 4.4.8 (Plugin Closed) Severity Score: High
The vulnerability is patched, so you should update to version 4.4.8.
34. Per Page Add to Head
Plugin: Per Page Add to Head Vulnerability: Authenticated Stored XSS Patched in Version: No known fix Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: Per Page Add to Head Vulnerability: CSRF to Stored XSS Patched in Version: 1.4.4 (Plugin Closed) Severity Score: High
The vulnerability is patched, so you should update to version 1.4.4.
35. Securimage-WP-Fixed
Plugin: Securimage-WP-Fixed Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
36. Image Export
Plugin: Image Export Vulnerability: Directory Traversal Patched in Version: No known fix Severity Score: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
37. Content text slider on post
Plugin: Content text slider on post Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 6.9 Severity Score: Medium
The vulnerability is patched, so you should update to version 6.9.
38. Contact Form Generator
Plugin: Contact Form Generator Vulnerability: Multiple Cross-Site Request Forgery (CSRF) Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
39. Calendar_plugin
Plugin: Calendar_plugin Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
40. Add Sidebar
Plugin: Add Sidebar Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
41. WP SEO Tags
Plugin: WP SEO Tags Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
42. Moova for WooCommerce
Plugin: Moova for WooCommerce Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
43. jQuery Tagline Rotator
Plugin: jQuery Tagline Rotator Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
44. Plugmatter Pricing Table Lite
Plugin: Plugmatter Pricing Table Lite Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
45. Simple Popup Newsletter
Plugin: Simple Popup Newsletter Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
46. TypoFR
Plugin: TypoFR Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
47. WP Songbook
Plugin: WP Songbook Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
48. Custom Post Type Relations
Plugin: Custom Post Type Relations Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
49. 2Way VideoCalls and Random Chat
Plugin: 2Way VideoCalls and Random Chat Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
50. WP Fountain
Plugin: WP Fountain Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
51. Media Usage
Plugin: Media Usage Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
52. Scribble Maps
Plugin: Scribble Maps Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
53. Multiplayer Games
Plugin: Multiplayer Games Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
54. Skaut bazar
Plugin: Skaut bazar Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
55. Smart Email Alerts
Plugin: Smart Email Alerts Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
56. Simple Behance Portfolio
Plugin: Simple Behance Portfolio Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
WordPress Theme Vulnerabilities
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!