Threat Alerts / Aug 25, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities are an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. rucy

Plugin: rucy Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

2. WP-Backgrounds Lite

Plugin: WP-Backgrounds Lite Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

3. WP Security Question

Plugin: WP Security Question Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

4. Event Espresso 4 Decaf – Event Registration Event Ticketing  

Plugin: Event Espresso 4 Decaf – Event Registration Event Ticketing Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

5. WordPress Photo Gallery – Image Gallery 

Plugin: WordPress Photo Gallery – Image Gallery Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

6. Opal Estate

Plugin: Opal Estate Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

7. Sync to Etsy Marketplace from WooCommerce

Plugin: Sync to Etsy Marketplace from WooCommerce Vulnerability: CSRF Bypass Patched in Version: 3.3.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.3.2.

8. RAYS Grid

Plugin: RAYS Grid Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

9. Sell Media

Plugin: Sell Media Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

10. Simple eCommerce

Plugin: Simple eCommerce Vulnerability: Arbitrary File Upload Patched in Version: No known fix Severity Score: Critical

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

11. WP Courses LMS

Plugin: WP Courses LMS Vulnerability: Authenticated Stored XSS via Video Embed Code Patched in Version: 2.0.44 Severity Score: Low

The vulnerability is patched, so you should update to version 2.0.44.

Plugin: WP Courses LMS Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.0.44 Severity Score: High

The vulnerability is patched, so you should update to version 2.0.44.

12. CBX Bookmark & Favorite

Plugin: CBX Bookmark & Favorite Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.6.9 Severity Score: High

The vulnerability is patched, so you should update to version 1.6.9.

13. Afterpay Gateway for WooCommerce

Plugin: Afterpay Gateway for WooCommerce Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.2.1 Severity Score: High

The vulnerability is patched, so you should update to version 3.2.1.

14. Amazon Auto Links

Plugin: Amazon Auto Links Vulnerability: Reflected Cross-Site Scripting Patched in Version: 4.6.20 Severity Score: High

The vulnerability is patched, so you should update to version 4.6.20.

15. Post Carousel

Plugin: Post Carousel Vulnerability: Unauthorised AJAX Calls Patched in Version: 2.3.5 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.3.5.

16. Smash Balloon Social Post Feed

Plugin: Smash Balloon Social Post Feed Vulnerability: Unauthenticated Stored XSS Patched in Version: 2.19.2 Severity Score: Critical

The vulnerability is patched, so you should update to version 2.19.2.

17. Stop User Enumeration

Plugin: Stop User Enumeration Vulnerability: REST API Bypass Patched in Version: 1.3.9 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.3.9.

18. Language Bar Flags

Plugin: Language Bar Flags Vulnerability: CSRF to Stored XSS Patched in Version: No known fix Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

19. Email Artillery

Plugin: Email Artillery Vulnerability: CSRF to Stored XSS Patched in Version: No known fix Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

Plugin: Email Artillery Vulnerability: Multiple Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

Plugin: Email Artillery Vulnerability: Multiple Authenticated SQL Injections Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

Plugin: Email Artillery Vulnerability: Arbitrary File Upload Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

20. SEOPress 5.0.0  

Plugin: SEOPress 5.0.0 Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 5.0.4 Severity Score: Medium

The vulnerability is patched, so you should update to version 5.0.4.

21. SP Project & Document Manager

Plugin: SP Project & Document Manager Vulnerability: Reflected Cross-Site Scripting Patched in Version: 4.26 Severity Score: High

The vulnerability is patched, so you should update to version 4.26.

Plugin: SP Project & Document Manager Vulnerability: Authenticated Shell Upload Patched in Version: 4.22 Severity Score: Medium

The vulnerability is patched, so you should update to version 4.22.

22. WordPress Advanced Ticket System

Plugin: WordPress Advanced Ticket System Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 1.0.64 Severity Score: Low

The vulnerability is patched, so you should update to version 1.0.64.

23. WPHEKA Request For Quote

Plugin: WPHEKA Request For Quote Vulnerability: CSRF Bypass Patched in Version: 1.3 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.3.

24. All 404 Redirect to Homepage

Plugin: All 404 Redirect to Homepage Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 2.1 Severity Score: Low

The vulnerability is patched, so you should update to version 2.1.

25. Fileviewer 

Plugin: Fileviewer Vulnerability: Arbitrary File Upload/Deletion via CSRF Patched in Version: No known fix Severity Score: Critical

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

26. Shopp eCommerce

Plugin: Shopp eCommerce Vulnerability: Unauthenticated Arbitrary File Upload Patched in Version: No known fix Severity Score: Critical

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

27. MF Gig Calendar

Plugin: MF Gig Calendar Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: No known fix Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

28. BuddyPress

Plugin: BuddyPress Vulnerability: Activation Key Disclosure Patched in Version: 9.1.1 Severity Score: Medium

The vulnerability is patched, so you should update to version 9.1.1.

Plugin: BuddyPress Vulnerability: SQL Injections Patched in Version: 9.1.1 Severity Score: High

The vulnerability is patched, so you should update to version 9.1.1.

29. Jock on air now

Plugin: Jock on air now Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 5.6.3 Severity Score: Low

The vulnerability is patched, so you should update to version 5.6.3.

Plugin: Jock on air now Vulnerability: Arbitrary Plugin’s Settings Update via CSRF Patched in Version: 5.6.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 5.6.2.

Plugin: Jock on air now Vulnerability: Reflected Cross-Site Scripting Patched in Version: 5.6.2 Severity Score: High

The vulnerability is patched, so you should update to version 5.6.2.

30. ThinkTwit

Plugin: ThinkTwit Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 1.7.1 Severity Score: Low

The vulnerability is patched, so you should update to version 1.7.1.

31. Shopping Cart & eCommerce Store

Plugin: Shopping Cart & eCommerce Store Vulnerability: CSRF to Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

32. Gutenslider

Plugin: Gutenslider Vulnerability: Contributor+ Stored XSS Patched in Version: 5.2.0 Severity Score: Medium

The vulnerability is patched, so you should update to version 5.2.0.

33. Visual Link Preview

Plugin: Visual Link Preview Vulnerability: Unauthorised AJAX Calls Patched in Version: 2.2.3 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.2.3.

34. Print My Blog 

Plugin: Print My Blog Vulnerability: Plugin Deactivation via CSRF Patched in Version: 3.4.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.4.2.

35. Splash Header 

Plugin: Splash Header Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 1.20.8 Severity Score: Low

The vulnerability is patched, so you should update to version 1.20.8.

36. youForms for WordPress

Plugin: youForms for WordPress Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

37. Availability Calendar

Plugin: Availability Calendar Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

Plugin: Availability Calendar Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

38. WP Mapa Politico Espana 

Plugin: WP Mapa Politico Espana Vulnerability: Authenticated Stored XSS Patched in Version: No known fix Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

39. Alojapro Widget

Plugin: Alojapro Widget Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: No known fix Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

40. You Shang

Plugin: You Shang Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

41. WP Dialog

Plugin: WP Dialog Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

42. Donate With QRCode

Plugin: Donate With QRCode Vulnerability: Subscriber+ Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

43. WP Mobile Menu

Plugin: Titan Framework – WP Mobile Menu Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 2.8.2.3 Severity Score: High

The vulnerability is patched, so you should update to version 2.8.2.3.

44. W3SCloud Contact Form 7 to Zoho CRM

Plugin: Titan Framework – W3SCloud Contact Form 7 to Zoho CRM Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 2.1.0 Severity Score: High

The vulnerability is patched, so you should update to version 2.1.0.

45. Erident Custom Login and Dashboard

Plugin: Erident Custom Login and Dashboard Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 3.5.9 Severity Score: Low

The vulnerability is patched, so you should update to version 3.5.9.

46. WP Cerber Security

Plugin: WP Cerber Security Vulnerability: Rest-API Protection Bypass Patched in Version: 8.9.3 Severity Score: Medium

The vulnerability is patched, so you should update to version 8.9.3.

Plugin: WP Cerber Security Vulnerability: 2FA Authentication Bypass Patched in Version: 8.9.3 Severity Score: Medium

The vulnerability is patched, so you should update to version 8.9.3.

47. Flagallery Photo Portfolio 

Plugin: Flagallery Photo Portfolio Vulnerability: Full Path Disclosure Patched in Version: 4.25 Severity Score: Medium

The vulnerability is patched, so you should update to version 4.25.

48. GRAND Flash Album Gallery 

Plugin: GRAND Flash Album Gallery Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.67 Severity Score: High

The vulnerability is patched, so you should update to version 1.67.

Plugin: GRAND Flash Album Gallery 0.55 Vulnerability: lib/hitcounter.php pid Parameter SQL Injection Patched in Version: 0.60 Severity Score:

The vulnerability is patched, so you should update to version 0.60.

Plugin: GRAND Flash Album Gallery Vulnerability: Reflected Cross-Site Scripting via wp-admin/admin.php skin parameter Patched in Version: 1.76 Severity Score: High

The vulnerability is patched, so you should update to version 1.76.

Plugin: GRAND Flash Album Gallery 1.9.0 & 2.0.0 Vulnerability: Multiple Vulnerabilities Patched in Version: 2.10 Severity Score:

The vulnerability is patched, so you should update to version 2.10.

49. 2Way VideoCalls and Random Chat 

Plugin: 2Way VideoCalls and Random Chat Vulnerability: Reflected Cross-Site Scripting Patched in Version: 5.2.8 Severity Score: High

The vulnerability is patched, so you should update to version 5.2.8.

WordPress Themes Vulnerabilities

No new WordPress theme vulnerabilities have been disclosed this month.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!