
WordPress Vulnerabilities Digest - August 2022 Part 5

Threat Alerts / September 07, 2022
WordPress 6.0.2 is now available! This security and maintenance release features 12 bug fixes on Core, 5 bug fixes for the Block Editor, and 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately.

Each vulnerability is given a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities


1. WordPress Core

VULNERABILITY: Authenticated Stored Cross-Site Scripting; SQLi via Link API; Reflected Cross-Site Scripting
PATCHED IN VERSION: 6.0.2
SEVERITY SCORE: Low

These vulnerabilities have been patched, so you should update to version 6.0.2.

WordPress Plugin Vulnerabilities

1. All-in-One WP Migration

PLUGIN: All-in-One WP Migration
INSTALLATIONS: 4,000,000+
VULNERABILITY: Unauthenticated Reflected XSS
PATCHED IN VERSION: 7.63
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 7.63.

2. Beaver Builder

PLUGIN: Beaver Builder WordPress Page Builder
INSTALLATIONS: 200,000+
VULNERABILITY: Authenticated Stored XSS via Text Editor; Authenticated Stored XSS via Caption On Hover; Authenticated Stored XSS via Caption; Authenticated Stored XSS via Image URL
PATCHED IN VERSION: 2.5.5.3
SEVERITY SCORE: Medium

These vulnerabilities have been patched, so you should update to version 2.5.5.3.

3. WPvivid Backup

PLUGIN: Migration, Backup, Staging WPvivid
INSTALLATIONS: 200,000+
VULNERABILITY: Admin+ Arbitrary File Deletion
PATCHED IN VERSION: 0.9.77
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 0.9.77.

4. WPtouch

PLUGIN: WPtouch
INSTALLATIONS: 100,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: 4.3.44
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 4.3.44.

5. WordPress Ping Optimizer

PLUGIN: WordPress Ping Optimizer
INSTALLATIONS: 70,000+
VULNERABILITY: Arbitrary Settings Update via CSRF
PATCHED IN VERSION: 2.35.1.3.0
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 2.35.1.3.0.

6. Ajax Load More

PLUGIN: WordPress Infinite Scroll Ajax Load More
INSTALLATIONS: 50,000+
VULNERABILITY: Admin+ Arbitrary File Read
PATCHED IN VERSION: 5.5.4.1
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 5.5.4.1.

7. Site Offline

PLUGIN: Site Offline Or Coming Soon Or Maintenance Mode
INSTALLATIONS: 40,000+
VULNERABILITY: Access Bypass
PATCHED IN VERSION: 1.5.3
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 1.5.3.

8. Scroll To Top

PLUGIN: Scroll To Top
INSTALLATIONS: 10,000+
VULNERABILITY: Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: 1.4.1
SEVERITY SCORE: Low

The vulnerability has been patched, so you should update to version 1.4.1.

9. Simple File List

PLUGIN: Simple File List
INSTALLATIONS: 5,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: 4.4.12
SEVERITY SCORE: Medium

The vulnerability has been patched, so you should update to version 4.4.12.

10. Zephyr Project Manager

PLUGIN: Zephyr Project Manager
INSTALLATIONS: 1,000+
VULNERABILITY: Multiple Unauthenticated SQLi; Reflected Cross-Site Scripting; Unauthorised REST Calls to Stored XSS
PATCHED IN VERSION: 3.2.5
SEVERITY SCORE: Critical

These vulnerabilities have been patched, so you should update to version 3.2.5.

11. Alphabetic Pagination

PLUGIN: Alphabetic Pagination
INSTALLATIONS: 900+
VULNERABILITY: Unauthenticated Arbitrary Option Update
PATCHED IN VERSION: 3.0.8
SEVERITY SCORE: Critical

The vulnerability has been patched, so you should update to version 3.0.8.

12. Form Builder CP

PLUGIN: Form Builder CP
INSTALLATIONS: 900+
VULNERABILITY: Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: 1.2.32
SEVERITY SCORE: Low

The vulnerability has been patched, so you should update to version 1.2.32.

WordPress Plugin Vulnerabilities with No Known Fix

Until a patch is available, deactivate the affected plugin immediately; where the plugin has been closed in the WordPress.org directory, uninstall and delete it, since no fix will be coming.

Better Font Awesome

PLUGIN: Better Font Awesome
INSTALLATIONS: 100,000+
VULNERABILITY: Settings Update via CSRF
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Visual Composer Website Builder

PLUGIN: Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages
INSTALLATIONS: 80,000+
VULNERABILITY: Authenticated Stored XSS via Title; Authenticated Stored XSS via Text Block
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium

These vulnerabilities have not been patched. You should deactivate the plugin.

BadgeOS

PLUGIN: BadgeOS
INSTALLATIONS: 5,000+
VULNERABILITY: Subscriber+ SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High

The vulnerability has not been patched. You should deactivate the plugin.

Float to Top Button

PLUGIN: Float to Top Button
VULNERABILITY: Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Gettext override translations

PLUGIN: Gettext override translations
VULNERABILITY: Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Slickr Flickr

PLUGIN: Slickr Flickr
VULNERABILITY: Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

SEO Scout

PLUGIN: SEO Scout: Content Optimization, Keyword Research, Rank Tracking + SEO Testing
VULNERABILITY: Settings Update via CSRF
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
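As an added check, not part of this digest or of the iThemes roundup it draws from: the Python script below transcribes the patched versions and no-fix entries listed above and compares them with the plugin inventory a site reports through WP-CLI (`wp plugin list --fields=title,version,status --format=json`). The plugin list embedded in it is constructed sample data, not output from a real site. The advisory keys are the short plugin names used as headings in this digest; matching them against the titles WP-CLI reports on your site is an assumption you will need to adjust, since directory titles are often longer (compare the PLUGIN rows above).

```python
"""Check installed WordPress plugins against this digest's advisories.

Added example, not from the digest or from iThemes. Reads the JSON that
`wp plugin list --fields=title,version,status --format=json` prints and
reports, for each plugin this digest names, whether it needs an update,
deactivation, or deletion. The plugin list below is constructed sample data.
"""
import json
import re

# Transcribed from the digest, keyed by its short heading names (assumed to
# match the titles WP-CLI reports): first patched version, or None for no fix.
ADVISORIES = {
    "All-in-One WP Migration": "7.63",
    "Beaver Builder": "2.5.5.3",
    "WPvivid Backup": "0.9.77",
    "WPtouch": "4.3.44",
    "WordPress Ping Optimizer": "2.35.1.3.0",
    "Ajax Load More": "5.5.4.1",
    "Site Offline": "1.5.3",
    "Scroll To Top": "1.4.1",
    "Simple File List": "4.4.12",
    "Zephyr Project Manager": "3.2.5",
    "Alphabetic Pagination": "3.0.8",
    "Form Builder CP": "1.2.32",
    "Better Font Awesome": None,
    "Visual Composer Website Builder": None,
    "BadgeOS": None,
    "Float to Top Button": None,
    "Gettext override translations": None,
    "Slickr Flickr": None,
    "SEO Scout": None,
}

# Unpatched plugins the digest reports as closed: delete, do not merely deactivate.
CLOSED = {"Float to Top Button", "Gettext override translations",
          "Slickr Flickr", "SEO Scout"}


def version_key(version):
    """Turn '2.35.1.3.0' or '1.2.32-beta' into a comparable tuple.

    Only the leading digits of each dot-separated part count, and trailing
    zero parts are dropped so that 1.4.1.0 compares equal to 1.4.1.
    """
    parts = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        parts.append(int(m.group()) if m else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def _norm(title):
    """Case- and whitespace-insensitive title key."""
    return " ".join(title.casefold().split())


def check_plugins(installed, advisories=ADVISORIES, closed=CLOSED):
    """Return one finding per installed plugin that this digest mentions.

    installed: list of dicts with 'title', 'version' and 'status' (WP-CLI shape).
    Each finding carries the required action: 'update', 'deactivate',
    'delete' or 'ok'. Inactive plugins are still reported, because a
    closed plugin's files stay on disk until it is deleted.
    """
    by_title = {_norm(t): (t, fixed) for t, fixed in advisories.items()}
    findings = []
    for plugin in installed:
        hit = by_title.get(_norm(plugin["title"]))
        if hit is None:
            continue  # not in this digest
        title, fixed = hit
        if fixed is None:
            action = "delete" if title in closed else "deactivate"
        elif version_key(plugin["version"]) < version_key(fixed):
            action = "update"
        else:
            action = "ok"
        findings.append({"title": title, "installed": plugin["version"],
                         "status": plugin["status"], "fixed": fixed,
                         "action": action})
    return findings


# Constructed sample in the shape of `wp plugin list --format=json` output.
SAMPLE_WP_CLI_JSON = """[
  {"title": "All-in-One WP Migration", "version": "7.62", "status": "active"},
  {"title": "WPtouch", "version": "4.3.44", "status": "active"},
  {"title": "Scroll To Top", "version": "1.4.1.0", "status": "active"},
  {"title": "Better Font Awesome", "version": "2.0.0", "status": "active"},
  {"title": "Slickr Flickr", "version": "1.0", "status": "inactive"},
  {"title": "Example Unrelated Plugin", "version": "3.1", "status": "active"}
]"""


def report(wp_cli_json=SAMPLE_WP_CLI_JSON):
    """Parse WP-CLI JSON and return only the findings that need action."""
    findings = check_plugins(json.loads(wp_cli_json))
    return [f for f in findings if f["action"] != "ok"]


if __name__ == "__main__":
    for f in report():
        target = f" (fixed in {f['fixed']})" if f["fixed"] else " (no fix available)"
        print(f"{f['action'].upper():10} {f['title']} {f['installed']}{target}")
```

On a real site, pipe the WP-CLI output into `report()` instead of the sample; the version comparison deliberately ignores non-numeric suffixes and trailing zeros, which is how the multi-part versions in this digest (such as 2.35.1.3.0) need to be handled.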

WordPress Theme Vulnerabilities

Good news! No new WordPress theme vulnerabilities were disclosed this week.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we have already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!