NEWS
WordPress Vulnerabilities Digest - December 2021 Part 4
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
1. All In One SEO
Plugin: All In One SEO
Vulnerability: Authenticated SQL Injection
Active Installations: 3+ million
Patched in Version: 4.1.5.3
Severity Score: High
The vulnerability is patched, so you should update to version 4.1.5.3.
Plugin: All In One SEO
Vulnerability: Authenticated Privilege Escalation
Active Installations: 3+ million
Patched in Version: 4.1.5.3
Severity Score: Critical
The vulnerability is patched, so you should update to version 4.1.5.3.
2. Smash Balloon Social Post Feed
Plugin: Smash Balloon Social Post Feed
Vulnerability: Authenticated Reflected Cross-Site Scripting (XSS)
Active Installations: 200,000+
Patched in Version: 4.1.1
Severity Score: Medium
The vulnerability is patched, so you should update to version 4.1.1.
3. Modern Events Calendar Lite
Plugin: Modern Events Calendar Lite
Vulnerability: Subscriber+ Category Add Leading to Stored XSS
Active Installations: 100,000+
Patched in Version: 6.2.0
Severity Score: Medium
The vulnerability is patched, so you should update to version 6.2.0.
4. WOOCS
Plugin: WOOCS
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 60,000+
Patched in Version: 1.3.7.3
Severity Score: High
The vulnerability is patched, so you should update to version 1.3.7.3.
5. Crisp Live Chat
Plugin: Crisp Live Chat
Vulnerability: CSRF to Stored Cross-Site Scripting
Active Installations: 60,000+
Patched in Version: 0.32
Severity Score: High
The vulnerability is patched, so you should update to version 0.32.
6. Image Hover Effects Ultimate
Plugin: Image Hover Effects Ultimate
Vulnerability: Unauthenticated Arbitrary Option Update
Active Installations: 20,000+
Patched in Version: 9.7.0
Severity Score: Critical
The vulnerability is patched, so you should update to version 9.7.0.
7. WP Booking System Booking Calendar
Plugin: WP Booking System Booking Calendar
Vulnerability: Authenticated Reflected Cross-Site Scripting (XSS)
Active Installations: 10,000+
Patched in Version: 2.0.15
Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.15.
8. Landing Page Builder
Plugin: Landing Page Builder
Vulnerability: Authenticated Reflected Cross-Site Scripting (XSS)
Active Installations: 10,000+
Patched in Version: 1.4.9.6
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.4.9.6.
9. Fathom Analytics
Plugin: Fathom Analytics
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installations: 2,000+
Patched in Version: 3.0.5
Severity Score: Low
The vulnerability is patched, so you should update to version 3.0.5.
10. True Ranker
Plugin: True Ranker
Vulnerability: Unauthenticated Arbitrary File Access via Path Traversal
Active Installations: 200+
Patched in Version: 2.2.4
Severity Score: Low
The vulnerability is patched, so you should update to version 2.2.4.
11. Comment Engine Pro
Plugin: Comment Engine Pro
Vulnerability: Editor+ Stored Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: Low
This vulnerability has NOT been patched. This plugin has been closed as of October 7, 2021. Uninstall and delete.
12. .htaccess Redirect
Plugin: .htaccess Redirect
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
13. Parsian Bank Gateway for Woocommerce
Plugin: Parsian Bank Gateway for Woocommerce
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
14. Real WYSIWYG
Plugin: Real WYSIWYG
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
15. Link List Manager
Plugin: Link List Manager
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
16. Simple Image Gallery
Plugin: Simple Image Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
17. WooCommerce EnvioPack
Plugin: WooCommerce EnvioPack
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of November 15, 2021. Uninstall and delete.
18. Magic Post Voice
Plugin: Magic Post Voice
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
19. H5P CSS Editor
Plugin: H5P CSS Editor
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
20. duoFAQ
Plugin: duoFAQ
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
22. WooCommerce myghpay Payment Gateway
Plugin: WooCommerce myghpay Payment Gateway
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 13, 2021. Uninstall and delete.
23. The Plus Addons for Elementor Pro
Plugin: The Plus Addons for Elementor Pro
Vulnerability: Sensitive Data Disclosure
Patched in Version: 5.0.7
Severity Score: Medium
The vulnerability is patched, so you should update to version 5.0.7.
24. Lets Box
Plugin: Lets Box
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.13.3
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.13.3.
25. Share One Drive
Plugin: Share One Drive
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.15.3
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.15.3.
26. Out of the Box
Plugin: Out of the Box
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.20.3
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.20.3.
27. Use Your Drive
Plugin: Use Your Drive
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.18.3
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.18.3.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not under our maintenance plan... well, what are you waiting for? Sign up today!