NEWS
WordPress Vulnerabilities Digest - August 2022 Part 4
Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
WordPress 6.0.1 was released on July 12, 2022, as a short-cycle maintenance release with 31 bug fixes. Because this is a core update, be sure to update to WordPress 6.0.1 as soon as possible.
No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
1. Autoptimize
Plugin: Autoptimize
Installations: 1,000,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 3.1.1
Severity score: Low
The vulnerability has been patched, so you should update to version 3.1.1.
2. Broken Link Checker
Plugin: Broken Link Checker
Installations: 700,000+
Vulnerability: Admin+ PHAR Deserialization
Patched in version: 1.11.17
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.11.17.
3. Post SMTP
Plugin: Post SMTP Mailer/Email Log
Installations: 300,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.1.4
Severity score: Low
The vulnerability has been patched, so you should update to version 2.1.4.
4. WPvivid Backup
Plugin: Migration, Backup, Staging (WPvivid)
Installations: 200,000+
Vulnerability: Admin+ PHAR Deserialization
Patched in version: 0.9.75
Severity score: Medium
The vulnerability has been patched, so you should update to version 0.9.75.
5. Titan Anti-spam & Security
Plugin: Titan Anti-spam & Security
Installations: 100,000+
Vulnerability: Protection Bypass due to IP Spoofing
Patched in version: 7.3.1
Severity score: Medium
The vulnerability has been patched, so you should update to version 7.3.1.
6. Download Manager
Plugin: Download Manager
Installations: 100,000+
Vulnerability: Contributor+ PHAR Deserialization
Patched in version: 3.2.50
Severity score: High
The vulnerability has been patched, so you should update to version 3.2.50.
7. Login No Captcha reCAPTCHA
Plugin: Login No Captcha reCAPTCHA
Installations: 90,000+
Vulnerability: IP Check Bypass
Patched in version: 1.7
Severity score: Low
The vulnerability has been patched, so you should update to version 1.7.
8. WP STAGING
Plugin: WP STAGING Backup Duplicator & Migration
Installations: 60,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.9.18
Severity score: Low
The vulnerability has been patched, so you should update to version 2.9.18.
9. Tutor LMS
Plugin: Tutor LMS eLearning and online course solution
Installations: 50,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.0.9
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.0.9.
10. Ajax Load More
Plugin: WordPress Infinite Scroll Ajax Load More
Installations: 50,000+
Vulnerabilities: PHAR Deserialization via CSRF; Admin+ Arbitrary File Read
Patched in version: 5.5.4
Severity score: High
These vulnerabilities have been patched, so you should update to version 5.5.4.
11. WP-UserOnline
Plugin: WP-UserOnline
Installations: 20,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.88.1
Severity score: Low
The vulnerability has been patched, so you should update to version 2.88.1.
12. All-in-One Video Gallery
Plugin: All-in-One Video Gallery
Installations: 20,000+
Vulnerabilities: Unauthenticated Arbitrary File Download; Server-Side Request Forgery (SSRF)
Patched in version: 2.6.1
Severity score: High
These vulnerabilities have been patched, so you should update to version 2.6.1.
13. WP Server Health Stats
Plugin: WP Server Health Stats
Installations: 10,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.7.0
Severity score: Low
The vulnerability has been patched, so you should update to version 1.7.0.
14. Affiliates Manager
Plugin: Affiliates Manager
Installations: 10,000+
Vulnerabilities: Reflected Cross-Site Scripting; Admin+ Stored Cross-Site Scripting; Arbitrary Affiliates & Creatives Deletion via CSRF; Affiliate CSV Injection
Patched in version: 2.9.14
Severity score: Medium
These vulnerabilities have been patched, so you should update to version 2.9.14.
15. Classima
Plugin: Classified Listing Classified ads & Business Directory Plugin
Installations: 6,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.2.14
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.2.14.
16. WBW Currency Switcher for WooCommerce
Plugin: WBW Currency Switcher for WooCommerce
Installations: 3,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.6.6
Severity score: Low
The vulnerability has been patched, so you should update to version 1.6.6.
17. Mobile Events Manager
Plugin: Mobile Events Manager
Installations: 20+
Vulnerability: Admin+ CSV Injection
Patched in version: 1.4.8
Severity score: Low
The vulnerability has been patched, so you should update to version 1.4.8.
WordPress Plugin Vulnerabilities No Known Fix
Until a patch is available, immediately uninstall and delete the plugin.
Calendar Event Multi View
Plugin: Calendar Event Multi View
Vulnerabilities: Unauthenticated Arbitrary Event Deletion; Unauthenticated Arbitrary Event Creation leading to Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Medium
These vulnerabilities have not been patched and the plugin is closed. You should uninstall and delete the plugin.
Craw Data
Plugin: Craw Data
Vulnerability: Server-Side Request Forgery
Patched in version: No fix
Severity score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WP Hotel Booking
Plugin: WP Hotel Booking
Vulnerability: Unauthenticated Arbitrary Settings Update
Patched in version: No fix
Severity score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WP Taxonomy Import
Plugin: WP Taxonomy Import
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No fix
Severity score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Theme Vulnerabilities
1. Classima
Theme: Classima
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.1.11
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.1.11.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!