Threat Alerts / Feb 10, 2021

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. uListing – Critical

uListing versions below 1.7 have multiple vulnerabilities, including Unauthenticated SQL Injection, Unauthenticated Arbitrary Account Creation, and Unauthenticated WordPress Options Change. The vulnerabilities are patched, and you should update to version 1.7.

2. Super Forms – Critical

Super Forms versions below 4.9.703 have an Unauthenticated PHP File Upload to RCE vulnerability. The vulnerability is patched, and you should update to version 4.9.703.

3. Modern Events Calendar Lite – Critical

Modern Events Calendar Lite versions below 5.16.5 have multiple issues, including an Authenticated Arbitrary File Upload vulnerability leading to Remote Code Execution. The vulnerabilities are patched, and you should update to version 5.16.5.

4. Ivory Search – Medium

Ivory Search versions below 4.5.11 have an Authenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 4.5.11.

5. WP Editor – Critical

WP Editor versions below 1.2.7 have an Authenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 1.2.7.

6. MStore API – High

MStore API versions below 3.2.0 have an Authentication Bypass With Sign In With Apple vulnerability. The vulnerability is patched, and you should update to version 3.2.0.

7. Popup Builder – Medium

Popup Builder versions below 3.74 have an Authenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.74.

8. Gift Voucher – Critical

All versions of Gift Voucher have an Unauthenticated Blind SQL Injection vulnerability. Remove the plugin until a security fix is released.

9. Name Directory – Medium

Name Directory versions below 1.18 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 1.18.

10. Contact Form 7 Style – High

All versions of Contact Form 7 Style have a Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability. Remove the plugin until a security fix is released.

11. Ultimate GDPR & CCPA Compliance Toolkit – Critical

Ultimate GDPR & CCPA Compliance Toolkit versions below 2.5 have an Unauthenticated Plugin Settings Export and Import vulnerability leading to a Malicious Redirect. The vulnerability is patched, and you should update to version 2.5.

12. Like Button Rating ♥ LikeBtn – High

Like Button Rating ♥ LikeBtn versions below 2.6.32 have Unauthenticated Arbitrary Blog Settings Change and Unauthenticated Full-Read SSRF vulnerabilities. The vulnerabilities are patched, and you should update to version 2.6.32.

13. Paid Membership Pro – Medium

Paid Membership Pro versions below 2.5.3 have an Authentication Bypass vulnerability leading to Unauthorized Order Information Disclosure. The vulnerability is patched, and you should update to version 2.5.3.

14. Backup by Supsystic – Critical

All versions of Backup by Supsystic have a Local File Inclusion vulnerability. Remove the plugin until a security fix is released.

15. Contact Form by Supsystic – Critical

All versions of Contact Form by Supsystic have an Authenticated SQL Injection vulnerability. Remove the plugin until a security fix is released.

16. Data Tables Generator by Supsystic – Critical

All versions of Data Tables Generator by Supsystic have an Authenticated SQL Injection vulnerability. Remove the plugin until a security fix is released.

17. Digital Publications by Supsystic – Medium

All versions of Digital Publications by Supsystic have an Authenticated Stored Cross-Site Scripting vulnerability. Remove the plugin until a security fix is released.

18. Membership by Supsystic – Critical

All versions of Membership by Supsystic have an Authenticated SQL Injection vulnerability. Remove the plugin until a security fix is released.

19. Newsletter by Supsystic – Critical

All versions of Newsletter by Supsystic have an Authenticated SQL Injection vulnerability. Remove the plugin until a security fix is released.

20. Pricing Table by Supsystic – Critical

All versions of Pricing Table by Supsystic have an Authenticated SQL Injection vulnerability. Remove the plugin until a security fix is released.

21. Ultimate Maps by Supsystic – Critical

All versions of Ultimate Maps by Supsystic have an Authenticated SQL Injection vulnerability. Remove the plugin until a security fix is released.

22. NextGen Gallery – Critical

NextGen Gallery versions below 3.5.0 have CSRF, File Upload, Stored XSS, and RCE vulnerabilities. The vulnerabilities are patched, and you should update to version 3.5.0.

23. Map Block for Google Maps – Medium

Map Block for Google Maps versions below 1.32 have a Broken Access Control vulnerability leading to an Unauthorized Google API Key change. The vulnerability is patched, and you should update to version 1.32.

WordPress Theme Vulnerabilities

1. Wyzi – Medium

Wyzi versions below 2.4.3 have a Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.4.3.

2. Multiple Parallelus Themes – Medium

Multiple Parallelus Themes versions below 2.0 have a Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.0.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!