Threat Alerts / Jan 13, 2021

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. WP E-Signature

WP E-Signature versions below 1.5.6.8 have an Unauthenticated Remote Code Execution vulnerability. UPDATE NOW:The vulnerability is being actively exploited. The vulnerability is patched, and you should update to version 1.5.6.8.

2. Newsletter Manager

All versions of Newsletter Manager have a Unauthenticated Insecure Deserialization vulnerability. Remove the plugin until a security fix is released.

3. Site Offline

Site Offline versions below 1.4.4 have Multiple Cross-Site Request Forgery vulnerabilities. The vulnerability is patched, and you should update to version 1.4.4.

4. WP Postratings

WP Postratings versions below 1.86.1 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.86.1.

5. Custom Global Variables

All versions of Custom Global Variables have a Stored Cross-Site Scripting vulnerability. Remove the plugin until a security fix is released.

6. Stripe Payments

Stripe Payments versions below 2.0.40 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.0.40.

7. Orbit Fox by ThemeIsle

Orbit Fox by ThemeIsle versions below 2.10.3 have an Authenticated Stored Cross Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.10.3.

8. WP Paginate

WP Paginate versions below 2.1.4 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.1.4.

9. WP Quick FrontEnd Editor

All versions of WP Quick FrontEnd Editor have an Authenticated Content Injection vulnerability. Remove the plugin until a security fix is released.

10. LiteSpeed Cache

LiteSpeed Cache versions below 3.6.1 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.6.1.

WordPress Themes Vulnerabilities

No new theme vulnerabilities have been disclosed this month.

If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay! 

The information for this blog post was taken from iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!