NEWS

WordPress Vulnerabilities Digest - December 2020 Part 1

Threat Alerts / December 22, 2020

No new WordPress core vulnerabilities have been disclosed this month. However, a new major version of WordPress core was just released yesterday. WordPress 5.6 includes several new features and improvements, so be sure to update.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

However, a new major version of WordPress core was just released yesterday. WordPress 5.6 includes several new features and improvements, so be sure to update.

WordPress Plugin Vulnerabilities

1. WPJobBoard

WPJobBoard versions below 5.7.0 have Unauthenticated SQL Injection, Reflected XSS, & XFS vulnerabilities. The vulnerability is patched, and you should update to version 5.7.0.

2. WP Google Map Plugin

WP Google Map Plugin versions below 4.1.4 have an Authenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 4.1.4.

3. BuddyPress

BuddyPress versions below 6.4.0 Lack of Capability Check vulnerability. The vulnerability is patched, and you should update to version 6.4.0.

4. Events Manager

Events Manager versions below 5.9.8 have a Cross-Site Scripting & an SQL Injection vulnerability. The vulnerability is patched, and you should update to version 5.9.8.

5. Age Gate

Age Gate versions below 2.13.5 have an Unauthenticated Open Redirect vulnerability. The vulnerability is patched, and you should update to version 2.13.5.

6. Canto

All versions of Canto have an Unauthenticated Blind SSRF vulnerability. Remove the plugin until a security fix is released.

7. Profile Builder

Profile Builder versions below 3.3.3 have an Authenticated Blind SQL Injection vulnerability. The vulnerability is patched, and you should update to version 2.2.9.

8. Paid Memberships Pro

Paid Memberships Pro versions below 2.5.1 have an Authenticated Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.5.1.

9. Themify Portfolio Post

Themify Portfolio Post versions below 1.1.6 an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.1.6.

10. Easy WP SMTP

Easy WP SMTP versions below 1.4.3 have a Debug Log Disclosure vulnerability. The vulnerability is patched, and you should update to version 1.4.3.

WordPress Themes Vulnerabilities

1. Wibar

Wibar versions below 1.2.1 has an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.2.1.

If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!

Back to list