NEWS
WordPress Vulnerabilities Digest - August 2022 Part 2
Each vulnerability will have a severity rating oflow, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
WordPress 6.0.1 was released on July 12, 2022, as a short-cycle maintenance release with 31 bug fixes. Because this is a core update, be sure to update to WordPress 6.0.1 as soon as possible.
No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
1. MailChimp for Woocommerce
PLUGIN Mailchimp for WooCommerce INSTALLATIONS 700,000+ VULNERABILITY Subscriber+ SSRF; Admin+ SSRF PATCHED IN VERSION 2.7.1 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 2.7.1.
2. WooCommerce PDF Invoices & Packing Slips
PLUGIN WooCommerce PDF Invoices & Packing Slips INSTALLATIONS 300,000+ VULNERABILITY Reflected Cross-Site Scripting PATCHED IN VERSION 3.0.1 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 3.0.1.
3. Anti-Malware Security and Brute-Force Firewall
PLUGIN Anti-Malware Security and Brute-Force Firewall INSTALLATIONS 200,000+ VULNERABILITY Reflected Cross-Site Scripting PATCHED IN VERSION 4.21.83 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 4.21.83.
4. Download Manager
PLUGIN Download Manager INSTALLATIONS 100,000+ VULNERABILITY Contributor+ Arbitrary File Deletion; Unauthenticated Reflected Cross-Site Scripting PATCHED IN VERSION 3.2.51 SEVERITY SCORE High
The vulnerability has been patched, so you should update to version 3.2.51.
5. String Locator
PLUGIN String locator INSTALLATIONS 100,000+ VULNERABILITY Authenticated PHAR Deserialization PATCHED IN VERSION 2.6.0 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 2.6.0.
6. Social Slider Feed
PLUGIN Social Slider Feed INSTALLATIONS 80,000+ VULNERABILITY Admin+ Stored XSS via API Key PATCHED IN VERSION 2.0.6 SEVERITY SCORE Low
The vulnerability has been patched, so you should update to version 2.0.6.
7. WP Hide & Security Enhancer
PLUGIN WP Hide & Security Enhancer INSTALLATIONS 80,000+ VULNERABILITY Reflected Cross-Site Scripting PATCHED IN VERSION 1.8 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 1.8.
8. Export All URLs
PLUGIN Export All URLs INSTALLATIONS 30,000+ VULNERABILITY Admin+ Arbitrary System File Removal PATCHED IN VERSION 4.4 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 4.4.
9. Ecwid Ecommerce Shopping Cart
PLUGIN Ecwid Ecommerce Shopping Cart INSTALLATIONS 30,000+ VULNERABILITY Settings Update via CSRF PATCHED IN VERSION 6.10.24 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 6.10.24.
10. WPide
PLUGIN WPIDE File Manager & Code Editor INSTALLATIONS 30,000+ VULNERABILITY Admin+ Local File Inclusion PATCHED IN VERSION 3.0 SEVERITY SCORE Low
The vulnerability has been patched, so you should update to version 3.0.
11. Leaflet Maps Marker
PLUGIN Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) INSTALLATIONS 20,000+ VULNERABILITY Admin+ SQLi PATCHED IN VERSION 3.12.5 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 3.12.5.
12. Sensei LMS
PLUGIN Sensei LMS Online Courses, Quizzes, & Learning INSTALLATIONS 10,000+ VULNERABILITY Arbitrary Private Message Sending via IDOR; Unauthenticated Private Messages Disclosure via Rest API PATCHED IN VERSION 4.5.2 SEVERITY SCORE Low
The vulnerability has been patched, so you should update to version 4.5.2.
13. Simply Schedule Appointments
PLUGIN Simply Schedule Appointments WordPress Booking Plugin INSTALLATIONS 10,000+ VULNERABILITY Admin+ Stored Cross-Site Scripting; Unauthenticated Email Address Disclosure PATCHED IN VERSION 1.5.7.7 SEVERITY SCORE Low
The vulnerability has been patched, so you should update to version 1.5.7.7.
14. Fluent Support
PLUGIN Fluent Support WordPress Helpdesk and Customer Support Ticket Plugin INSTALLATIONS 3,000+ VULNERABILITY Admin+ SQLi PATCHED IN VERSION 1.5.8 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 1.5.8.
15. Affiliate For WooCommerce
PLUGIN Affiliate For WooCommerce VULNERABILITY Subscriber+ Paypal Email Update via IDOR PATCHED IN VERSION 4.8.0 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 4.8.0.
WordPress Plugin Vulnerabilities No Known Fix
Until a patch is available, immediately uninstall and delete the plugin.
uContext for Amazon
PLUGIN uContext for Amazon VULNERABILITY Stored Cross-Site Scripting via CSRF PATCHED IN VERSION No Fix SEVERITY SCORE High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Banner Cycler
PLUGIN Banner Cycler VULNERABILITY Stored Cross-Site Scripting via CSRF PATCHED IN VERSION No Fix SEVERITY SCORE High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Link Optimizer Lite
PLUGIN Link Optimizer Lite VULNERABILITY Stored Cross-Site Scripting via CSRF PATCHED IN VERSION No Fix SEVERITY SCORE High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
uContext for Clickbank
PLUGIN uContext for Clickbank VULNERABILITY Stored Cross-Site Scripting via CSRF PATCHED IN VERSION No Fix SEVERITY SCORE High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
ActiveDEMAND plugin
PLUGIN ActiveDEMAND VULNERABILITY Unauthenticated Post Creation/Update/Deletion PATCHED IN VERSION No Fix SEVERITY SCORE High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Stop Spam Comments
PLUGIN Stop Spam Comments VULNERABILITY Access Token Bypass PATCHED IN VERSION No Fix SEVERITY SCORE Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Theme Vulnerabilities
Good news! No new WordPress theme vulnerabilities were disclosed this week.
If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from iThemes Vulnerability Roundup
If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!