WordPress Vulnerabilities Digest - August 2021 Part 4
Each vulnerability has a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
No new WordPress core vulnerabilities have been disclosed this month.
WordPress Plugin Vulnerabilities
1. rucy
Plugin: rucy Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
2. WP-Backgrounds Lite
Plugin: WP-Backgrounds Lite Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
3. WP Security Question
Plugin: WP Security Question Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
4. Event Espresso 4 Decaf Event Registration Event Ticketing
Plugin: Event Espresso 4 Decaf Event Registration Event Ticketing Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
5. WordPress Photo Gallery Image Gallery
Plugin: WordPress Photo Gallery Image Gallery Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
6. Opal Estate
Plugin: Opal Estate Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
7. Sync to Etsy Marketplace from WooCommerce
Plugin: Sync to Etsy Marketplace from WooCommerce Vulnerability: CSRF Bypass Patched in Version: 3.3.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.3.2.
8. RAYS Grid
Plugin: RAYS Grid Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
9. Sell Media
Plugin: Sell Media Vulnerability: CSRF Bypass Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
10. Simple eCommerce
Plugin: Simple eCommerce Vulnerability: Arbitrary File Upload Patched in Version: No known fix Severity Score: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
11. WP Courses LMS
Plugin: WP Courses LMS Vulnerability: Authenticated Stored XSS via Video Embed Code Patched in Version: 2.0.44 Severity Score: Low
The vulnerability is patched, so you should update to version 2.0.44.
Plugin: WP Courses LMS Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.0.44 Severity Score: High
The vulnerability is patched, so you should update to version 2.0.44.
12. CBX Bookmark & Favorite
Plugin: CBX Bookmark & Favorite Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.6.9 Severity Score: High
The vulnerability is patched, so you should update to version 1.6.9.
13. Afterpay Gateway for WooCommerce
Plugin: Afterpay Gateway for WooCommerce Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.2.1 Severity Score: High
The vulnerability is patched, so you should update to version 3.2.1.
14. Amazon Auto Links
Plugin: Amazon Auto Links Vulnerability: Reflected Cross-Site Scripting Patched in Version: 4.6.20 Severity Score: High
The vulnerability is patched, so you should update to version 4.6.20.
15. Post Carousel
Plugin: Post Carousel Vulnerability: Unauthorised AJAX Calls Patched in Version: 2.3.5 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.3.5.
16. Smash Balloon Social Post Feed
Plugin: Smash Balloon Social Post Feed Vulnerability: Unauthenticated Stored XSS Patched in Version: 2.19.2 Severity Score: Critical
The vulnerability is patched, so you should update to version 2.19.2.
17. Stop User Enumeration
Plugin: Stop User Enumeration Vulnerability: REST API Bypass Patched in Version: 1.3.9 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.3.9.
18. Language Bar Flags
Plugin: Language Bar Flags Vulnerability: CSRF to Stored XSS Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
19. Email Artillery
Plugin: Email Artillery Vulnerability: CSRF to Stored XSS Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: Email Artillery Vulnerability: Multiple Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: Email Artillery Vulnerability: Multiple Authenticated SQL Injections Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: Email Artillery Vulnerability: Arbitrary File Upload Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
20. SEOPress 5.0.0
Plugin: SEOPress 5.0.0 Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 5.0.4 Severity Score: Medium
The vulnerability is patched, so you should update to version 5.0.4.
21. SP Project & Document Manager
Plugin: SP Project & Document Manager Vulnerability: Reflected Cross-Site Scripting Patched in Version: 4.26 Severity Score: High
The vulnerability is patched, so you should update to version 4.26.
Plugin: SP Project & Document Manager Vulnerability: Authenticated Shell Upload Patched in Version: 4.22 Severity Score: Medium
The vulnerability is patched, so you should update to version 4.22.
22. WordPress Advanced Ticket System
Plugin: WordPress Advanced Ticket System Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 1.0.64 Severity Score: Low
The vulnerability is patched, so you should update to version 1.0.64.
23. WPHEKA Request For Quote
Plugin: WPHEKA Request For Quote Vulnerability: CSRF Bypass Patched in Version: 1.3 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.3.
24. All 404 Redirect to Homepage
Plugin: All 404 Redirect to Homepage Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 2.1 Severity Score: Low
The vulnerability is patched, so you should update to version 2.1.
25. Fileviewer
Plugin: Fileviewer Vulnerability: Arbitrary File Upload/Deletion via CSRF Patched in Version: No known fix Severity Score: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
26. Shopp eCommerce
Plugin: Shopp eCommerce Vulnerability: Unauthenticated Arbitrary File Upload Patched in Version: No known fix Severity Score: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
27. MF Gig Calendar
Plugin: MF Gig Calendar Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
28. BuddyPress
Plugin: BuddyPress Vulnerability: Activation Key Disclosure Patched in Version: 9.1.1 Severity Score: Medium
The vulnerability is patched, so you should update to version 9.1.1.
Plugin: BuddyPress Vulnerability: SQL Injections Patched in Version: 9.1.1 Severity Score: High
The vulnerability is patched, so you should update to version 9.1.1.
29. Jock on air now
Plugin: Jock on air now Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 5.6.3 Severity Score: Low
The vulnerability is patched, so you should update to version 5.6.3.
Plugin: Jock on air now Vulnerability: Arbitrary Plugins Settings Update via CSRF Patched in Version: 5.6.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 5.6.2.
Plugin: Jock on air now Vulnerability: Reflected Cross-Site Scripting Patched in Version: 5.6.2 Severity Score: High
The vulnerability is patched, so you should update to version 5.6.2.
30. ThinkTwit
Plugin: ThinkTwit Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 1.7.1 Severity Score: Low
The vulnerability is patched, so you should update to version 1.7.1.
31. Shopping Cart & eCommerce Store
Plugin: Shopping Cart & eCommerce Store Vulnerability: CSRF to Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
32. Gutenslider
Plugin: Gutenslider Vulnerability: Contributor+ Stored XSS Patched in Version: 5.2.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 5.2.0.
33. Visual Link Preview
Plugin: Visual Link Preview Vulnerability: Unauthorised AJAX Calls Patched in Version: 2.2.3 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.2.3.
34. Print My Blog
Plugin: Print My Blog Vulnerability: Plugin Deactivation via CSRF Patched in Version: 3.4.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.4.2.
35. Splash Header
Plugin: Splash Header Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 1.20.8 Severity Score: Low
The vulnerability is patched, so you should update to version 1.20.8.
36. youForms for WordPress
Plugin: youForms for WordPress Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
37. Availability Calendar
Plugin: Availability Calendar Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: Availability Calendar Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
38. WP Mapa Politico Espana
Plugin: WP Mapa Politico Espana Vulnerability: Authenticated Stored XSS Patched in Version: No known fix Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
39. Alojapro Widget
Plugin: Alojapro Widget Vulnerability: Authenticated Stored Cross-Site Scripting(XSS) Patched in Version: No known fix Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
40. You Shang
Plugin: You Shang Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
41. WP Dialog
Plugin: WP Dialog Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
42. Donate With QRCode
Plugin: Donate With QRCode Vulnerability: Subscriber+ Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
43. WP Mobile Menu
Plugin: WP Mobile Menu (Titan Framework) Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 2.8.2.3 Severity Score: High
The vulnerability is patched, so you should update to version 2.8.2.3.
44. W3SCloud Contact Form 7 to Zoho CRM
Plugin: W3SCloud Contact Form 7 to Zoho CRM (Titan Framework) Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 2.1.0 Severity Score: High
The vulnerability is patched, so you should update to version 2.1.0.
45. Erident Custom Login and Dashboard
Plugin: Erident Custom Login and Dashboard Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 3.5.9 Severity Score: Low
The vulnerability is patched, so you should update to version 3.5.9.
46. WP Cerber Security
Plugin: WP Cerber Security Vulnerability: Rest-API Protection Bypass Patched in Version: 8.9.3 Severity Score: Medium
The vulnerability is patched, so you should update to version 8.9.3.
Plugin: WP Cerber Security Vulnerability: 2FA Authentication Bypass Patched in Version: 8.9.3 Severity Score: Medium
The vulnerability is patched, so you should update to version 8.9.3.
47. Flagallery Photo Portfolio
Plugin: Flagallery Photo Portfolio Vulnerability: Full Path Disclosure Patched in Version: 4.25 Severity Score: Medium
The vulnerability is patched, so you should update to version 4.25.
48. GRAND Flash Album Gallery
Plugin: GRAND Flash Album Gallery Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.67 Severity Score: High
The vulnerability is patched, so you should update to version 1.67.
Plugin: GRAND Flash Album Gallery 0.55 Vulnerability: lib/hitcounter.php pid Parameter SQL Injection Patched in Version: 0.60 Severity Score:
The vulnerability is patched, so you should update to version 0.60.
Plugin: GRAND Flash Album Gallery Vulnerability: Reflected Cross-Site Scripting via wp-admin/admin.php skin parameter Patched in Version: 1.76 Severity Score: High
The vulnerability is patched, so you should update to version 1.76.
Plugin: GRAND Flash Album Gallery 1.9.0 & 2.0.0 Vulnerability: Multiple Vulnerabilities Patched in Version: 2.10 Severity Score:
The vulnerability is patched, so you should update to version 2.10.
49. 2Way VideoCalls and Random Chat
Plugin: 2Way VideoCalls and Random Chat Vulnerability: Reflected Cross-Site Scripting Patched in Version: 5.2.8 Severity Score: High
The vulnerability is patched, so you should update to version 5.2.8.
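The advice throughout this digest is one of two actions: update to the patched version, or uninstall and delete a plugin that has no fix. The script below is an added example, not code from the original post or from iThemes: it reads the JSON that `wp plugin list --format=json` prints, compares each installed plugin against a table built from the entries above, and prints the action plus the WP-CLI commands that carry it out. The plugin slugs in ADVISORIES and the sample WP-CLI output are assumptions constructed for this example; confirm each slug against the plugin's wordpress.org page before relying on it.

```python
"""Triage installed WordPress plugins against a vulnerability digest.

Added example, not code from the original post or from iThemes. Input is
the JSON printed by `wp plugin list --format=json`; output is one action
per listed plugin: update, remove, or ok. Slugs in ADVISORIES and the
sample WP-CLI output are assumptions constructed for this example.
"""
import json
import re
import sys

# Lowest patched version per plugin slug, or None where the digest says
# "No known fix". Where a plugin has several entries, the highest fix
# version is kept, so one update covers every listed issue.
# Slugs are assumed; confirm them against the plugin's wordpress.org URL.
ADVISORIES = {
    "wp-courses": "2.0.44",
    "afterpay-gateway-for-woocommerce": "3.2.1",
    "stop-user-enumeration": "1.3.9",
    "wp-cerber": "8.9.3",
    "mobile-menu": "2.8.2.3",
    "sp-client-document-manager": "4.26",
    "buddypress": "9.1.1",
    "fileviewer": None,
    "shopp": None,
}

# Constructed sample of `wp plugin list --format=json` output.
SAMPLE_WP_CLI = json.dumps([
    {"name": "wp-courses", "status": "active", "update": "available", "version": "2.0.43"},
    {"name": "afterpay-gateway-for-woocommerce", "status": "active", "update": "none", "version": "3.2.1"},
    {"name": "mobile-menu", "status": "active", "update": "none", "version": "2.8.2.10"},
    {"name": "fileviewer", "status": "inactive", "update": "none", "version": "1.2"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.10"},
])


def parse_version(version):
    """'2.8.2.10' -> (2, 8, 2, 10): parts compare numerically, so 2.8.2.10
    sorts after 2.8.2.3 (a plain string compare would get that wrong)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_lt(installed, fixed):
    """True when installed is strictly older than fixed; 4.26 equals 4.26.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def triage(wp_cli_json, advisories):
    """Return one finding per installed plugin that appears in advisories."""
    findings = []
    for plugin in json.loads(wp_cli_json):
        slug = plugin["name"]
        if slug not in advisories:
            continue
        fixed = advisories[slug]
        if fixed is None:
            # No fix exists. Deactivating is not enough: the plugin's PHP files
            # stay on disk and may be reachable by direct request, so the
            # digest's advice (uninstall and delete) is the only safe action.
            action = "remove"
        elif version_lt(plugin["version"], fixed):
            action = "update"
        else:
            action = "ok"
        findings.append({"slug": slug, "installed": plugin["version"],
                         "status": plugin["status"], "fixed": fixed, "action": action})
    return findings


def wp_cli_commands(findings):
    """WP-CLI commands that carry out the findings. `wp plugin uninstall
    --deactivate` deactivates first, then removes the plugin's files."""
    commands = []
    for f in findings:
        if f["action"] == "update":
            commands.append(f"wp plugin update {f['slug']}")
        elif f["action"] == "remove":
            commands.append(f"wp plugin uninstall {f['slug']} --deactivate")
    return commands


if __name__ == "__main__":
    # Usage: wp plugin list --format=json > plugins.json; python3 triage.py plugins.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WP_CLI
    results = triage(raw, ADVISORIES)
    for f in results:
        target = f" (fixed in {f['fixed']})" if f["action"] == "update" else ""
        print(f"{f['slug']:40} {f['installed']:>10} {f['status']:>9}  {f['action']}{target}")
    print("\n".join(wp_cli_commands(results)))
```

Two details matter in practice. Version strings are compared as numeric tuples, because WP Mobile Menu's 2.8.2.10 is newer than the 2.8.2.3 fix even though it sorts earlier as text. And a plugin with no fix is flagged for removal whether it is active or not: an inactive plugin's files are still present under wp-content/plugins, which is why the digest says uninstall and delete rather than deactivate.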
WordPress Themes Vulnerabilities
No new WordPress theme vulnerabilities have been disclosed this month.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we have already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!