NEWS
WordPress Vulnerabilities Digest - December 2020 Part 1
The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.
WordPress Core Vulnerabilities
No new WordPress core vulnerabilities have been disclosed this month.
However, a new major version of WordPress core was just released yesterday. WordPress 5.6 includes several new features and improvements, so be sure to update.
WordPress Plugin Vulnerabilities
1. WPJobBoard
WPJobBoard versions below 5.7.0 have Unauthenticated SQL Injection, Reflected XSS, & XFS vulnerabilities. The vulnerability is patched, and you should update to version 5.7.0.
2. WP Google Map Plugin
WP Google Map Plugin versions below 4.1.4 have an Authenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 4.1.4.
3. BuddyPress
BuddyPress versions below 6.4.0 have a Lack of Capability Check vulnerability. The vulnerability is patched, and you should update to version 6.4.0.
4. Events Manager
Events Manager versions below 5.9.8 have a Cross-Site Scripting & an SQL Injection vulnerability. The vulnerability is patched, and you should update to version 5.9.8.
5. Age Gate
Age Gate versions below 2.13.5 have an Unauthenticated Open Redirect vulnerability. The vulnerability is patched, and you should update to version 2.13.5.
6. Canto
All versions of Canto have an Unauthenticated Blind SSRF vulnerability. Remove the plugin until a security fix is released.
7. Profile Builder
Profile Builder versions below 3.3.3 have an Authenticated Blind SQL Injection vulnerability. The vulnerability is patched, and you should update to version 3.3.3.
8. Paid Memberships Pro
Paid Memberships Pro versions below 2.5.1 have an Authenticated Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.5.1.
9. Themify Portfolio Post
Themify Portfolio Post versions below 1.1.6 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.1.6.
10. Easy WP SMTP
Easy WP SMTP versions below 1.4.3 have a Debug Log Disclosure vulnerability. The vulnerability is patched, and you should update to version 1.4.3.
WordPress Themes Vulnerabilities
1. Wibar
Wibar versions below 1.2.1 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.2.1.
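To check a site against the plugin advisories above without clicking through each entry, the following script audits the output of `wp plugin list --format=json` (WP-CLI) against the fixed versions in this digest. It is an added example written for this post, not code from iThemes or from any of the plugin vendors. The plugin slugs used as keys are assumptions (the digest names the plugins, not their wordpress.org slugs), and the installed-plugin sample is constructed for the demonstration.

```python
import json

# First fixed version per plugin slug, taken from the advisories in this digest.
# None means no fix is available (Canto): the plugin should be removed, not updated.
# The slugs themselves are assumptions; confirm them against each plugin's directory name.
ADVISORIES = {
    "wpjobboard": "5.7.0",
    "wp-google-map-plugin": "4.1.4",
    "buddypress": "6.4.0",
    "events-manager": "5.9.8",
    "age-gate": "2.13.5",
    "canto": None,
    "profile-builder": "3.3.3",
    "paid-memberships-pro": "2.5.1",
    "themify-portfolio-post": "1.1.6",
    "easy-wp-smtp": "1.4.3",
}

# Constructed sample standing in for the real `wp plugin list --format=json` output.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.7"},
    {"name": "buddypress", "status": "active", "update": "available", "version": "6.3.0"},
    {"name": "canto", "status": "inactive", "update": "none", "version": "1.0"},
    {"name": "profile-builder", "status": "active", "update": "none", "version": "3.3.3"},
    {"name": "easy-wp-smtp", "status": "active", "update": "available", "version": "1.4.2"},
])


def parse_version(version):
    """Turn '5.9.7.1' or '1.4.3-beta' into a comparable tuple of ints.

    Only the leading digits of each dotted component are used, so a suffix such
    as '-beta' does not break the comparison. Missing components count as 0, so
    '1.4' compares equal to '1.4.0'.
    """
    parts = []
    for component in version.split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def audit(plugins, advisories=ADVISORIES):
    """Return (slug, installed_version, action) for every plugin still affected.

    Inactive plugins are flagged too: their files stay on disk and can be
    reactivated, so they should be updated or removed like active ones.
    """
    findings = []
    for plugin in plugins:
        slug = plugin["name"]
        if slug not in advisories:
            continue
        installed = plugin["version"]
        fixed = advisories[slug]
        if fixed is None:
            findings.append((slug, installed, "no fix available; deactivate and remove"))
        elif parse_version(installed) < parse_version(fixed):
            findings.append((slug, installed, f"update to {fixed}"))
    return findings


def audit_wp_cli_json(raw_json):
    """Convenience wrapper: feed it the text of `wp plugin list --format=json`."""
    return audit(json.loads(raw_json))


if __name__ == "__main__":
    for slug, installed, action in audit_wp_cli_json(SAMPLE_WP_CLI_JSON):
        print(f"{slug} {installed}: {action}")
```

On a real site, run `wp plugin list --format=json > plugins.json` and pass the file contents to `audit_wp_cli_json`. The version comparison is numeric per component, so `5.9.7.1` is correctly treated as older than `5.9.8`; string comparison would get cases like `1.10.0` versus `1.9.0` wrong.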
If you are under our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from iThemes Vulnerability Roundup.
If you're not under our maintenance plan... well, what are you waiting for? Sign up today!