
WordPress Vulnerabilities Digest - January 2021 Part 2

Threat Alerts / January 29, 2021
This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. Easy Contact Form Pro

Easy Contact Form Pro versions below 1.1.1.9 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.1.1.9.

2. FV Flowplayer Video Player

FV Flowplayer Video Player versions below 7.4.38.727 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 7.4.38.727.

3. Simple Job Board

Simple Job Board versions below 2.9.4 have an Authenticated Path Traversal Leading to Arbitrary File Download vulnerability. The vulnerability is patched, and you should update to version 2.9.4.

4. Easy Media Gallery Pro

Easy Media Gallery Pro versions below 1.3.0 have CSRF and XSS vulnerabilities. The vulnerabilities are patched, and you should update to version 1.3.0.

5. Contact Form Submissions

All versions of Contact Form Submissions have an Authenticated SQL Injection vulnerability. Remove the plugin until a security fix is released.

6. 301 Redirects

301 Redirects versions below 2.51 have an Authenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 2.51.

7. WP Shieldon

All versions of WP Shieldon have an Unauthenticated Cross-Site Scripting vulnerability. Remove the plugin until a security fix is released.

8. Contact Form 7 Database Addon

Contact Form 7 Database Addon versions below 1.2.5.6 have CSV Injection and Authenticated SQL Injection vulnerabilities. The vulnerabilities are patched, and you should update to version 1.2.5.6.

9. WP24 Domain Check

WP24 Domain Check versions below 1.6.3 have an Authenticated Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.6.3.

WordPress Themes Vulnerabilities

No new theme vulnerabilities have been disclosed this month.

If you are under our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign up today!