NEWS
WordPress Vulnerabilities Digest - January 2022 Part 3
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress 5.9: Core Major Version Update Now Available
WordPress 5.9 Joséphine was released on January 25, 2022, as the first major WordPress core release of the year. The biggest thing to know about WordPress 5.9 is simply this: Full Site Editing (FSE) using the WordPress block editor is here (well, if you want to use it or your theme supports it).
WordPress 5.9 represents the largest release of Gutenberg features since the initial Gutenberg launch in WordPress 5.0. In addition, WordPress 5.9 includes 99 enhancements and 100 bug fixes.
You can update to WordPress 5.9 by downloading it from WordPress.org, or by visiting your WordPress admin dashboard > Updates and clicking Update Now.
If you have sites that have enabled automatic background updates, they should have already updated successfully. Just be sure to verify that all your WordPress sites are on WordPress 5.9.
WordPress Plugin Vulnerabilities
1. Anti-Malware Security and Brute-Force Firewall
PLUGIN: Anti-Malware Security and Brute-Force Firewall
INSTALLATIONS: 200,000+
VULNERABILITY: Admin+ Reflected Cross-Site Scripting
PATCHED IN VERSION: 4.20.94
SEVERITY SCORE: Low
The vulnerability has been patched, so you should update to version 4.20.94.
2. Popup Builder
PLUGIN: Popup Builder - Create highly converting, mobile friendly marketing popups.
INSTALLATIONS: 200,000+
VULNERABILITY: LFI to RCE; Admin+ SQL Injection
PATCHED IN VERSION: 4.0.7
SEVERITY SCORE: Critical
The vulnerabilities have been patched, so you should update to version 4.0.7.
3. Ad Inserter
PLUGIN: Ad Inserter - Ad Manager & AdSense Ads
INSTALLATIONS: 200,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: 2.7.10
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 2.7.10.
4. GiveWP
PLUGIN: GiveWP - Donation Plugin and Fundraising Platform
INSTALLATIONS: 100,000+
VULNERABILITY: Unauthenticated Reflected Cross-Site Scripting; Reflected Cross-Site Scripting via Import Tool; Reflected Cross-Site Scripting via Donation Forms Dashboard
PATCHED IN VERSION: 2.17.3
SEVERITY SCORE: Medium
The vulnerabilities have been patched, so you should update to version 2.17.3.
5. WordPress Download Manager
PLUGIN: Download Manager
INSTALLATIONS: 100,000+
VULNERABILITY: Authenticated SQL Injection to Reflected XSS
PATCHED IN VERSION: 3.2.34
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 3.2.34.
6. Database Backup for WordPress
PLUGIN: Database Backup for WordPress
INSTALLATIONS: 100,000+
VULNERABILITY: Admin+ SQL Injection
PATCHED IN VERSION: 2.5.1
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 2.5.1.
7. Advanced Database Cleaner
PLUGIN: Advanced Database Cleaner
INSTALLATIONS: 80,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: 3.0.4
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 3.0.4.
8. Shield Security
PLUGIN: Shield Security - Scanners, Security Hardening, Brute Force Protection & Firewall
INSTALLATIONS: 60,000+
VULNERABILITY: Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: 13.0.6
SEVERITY SCORE: Low
The vulnerability has been patched, so you should update to version 13.0.6.
9. WOOCS
PLUGIN: WOOCS - Currency Switcher for WooCommerce. Professional and Free multi currency plugin, pay in selected currency
INSTALLATIONS: 60,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: 1.3.7.5
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 1.3.7.5.
10. Image Photo Gallery Final Tiles Grid
PLUGIN: Image Photo Gallery Final Tiles Grid
INSTALLATIONS: 30,000+
VULNERABILITY: Contributor+ Stored Cross-Site Scripting
PATCHED IN VERSION: 3.5.3
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 3.5.3.
11. Classic Editor Addon
PLUGIN: Classic Editor Addon
INSTALLATIONS: 30,000+
VULNERABILITY: Arbitrary Plugin Installation from Dependency via CSRF; Subscriber+ Arbitrary Plugin Activation
PATCHED IN VERSION: 2.6.4
SEVERITY SCORE: Low
The vulnerabilities have been patched, so you should update to version 2.6.4.
12. Float Menu
PLUGIN: Float menu - awesome floating side menu
INSTALLATIONS: 20,000+
VULNERABILITY: Arbitrary Menu Deletion via CSRF
PATCHED IN VERSION: 4.3.1
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 4.3.1.
13. FeedWordPress
PLUGIN: FeedWordPress
INSTALLATIONS: 20,000+
VULNERABILITY: Reflected Cross-Site Scripting (XSS)
PATCHED IN VERSION: 2022.0123
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 2022.0123.
14. Catch Web Tools
PLUGIN: Catch Web Tools
INSTALLATIONS: 20,000+
VULNERABILITY: Subscriber+ Arbitrary Catch IDs Activation/Deactivation
PATCHED IN VERSION: 2.7.1
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 2.7.1.
15. WP HTML Mail
PLUGIN: WordPress Email Template Designer - WP HTML Mail
INSTALLATIONS: 20,000+
VULNERABILITY: Unprotected REST-API Endpoint
PATCHED IN VERSION: 3.1
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 3.1.
16. Coming soon and Maintenance mode
PLUGIN: Coming soon and Maintenance mode
INSTALLATIONS: 10,000+
VULNERABILITY: Arbitrary Email Sending to Subscribed Users via CSRF; Subscriber+ Arbitrary Email Sending to Subscribed Users
PATCHED IN VERSION: 3.6.8
SEVERITY SCORE: Low
The vulnerabilities have been patched, so you should update to version 3.6.8.
17. Duplicate Page or Post
PLUGIN: Duplicate Page or Post
INSTALLATIONS: 10,000+
VULNERABILITY: Arbitrary Settings Update to Stored XSS
PATCHED IN VERSION: 1.5.1
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 1.5.1.
18. WP Debugging
PLUGIN: WP Debugging
INSTALLATIONS: 5,000+
VULNERABILITY: Arbitrary Plugin Installation from Dependency via CSRF
PATCHED IN VERSION: 2.11.7
SEVERITY SCORE: Low
The vulnerability has been patched, so you should update to version 2.11.7.
19. AnyComment
PLUGIN: AnyComment
INSTALLATIONS: 4,000+
VULNERABILITY: Comment Rating Increase/Decrease via Race Condition; Arbitrary HyperComments Import/Revert via CSRF
PATCHED IN VERSION: 0.2.18
SEVERITY SCORE: Low
The vulnerabilities have been patched, so you should update to version 0.2.18.
20. Ad Inserter
PLUGIN: Ad Inserter Pro
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: 2.7.10
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 2.7.10.
21. Five Star Business Profile and Schema
PLUGIN: Five Star Business Profile and Schema
INSTALLATIONS: 10,000+
VULNERABILITY: Subscriber+ page creation and settings update leading to stored XSS
PATCHED IN VERSION: 2.1.9
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 2.1.9.
WordPress Plugin Vulnerabilities No Known Fix
The Buffer Button
PLUGIN: The Buffer Button
VULNERABILITY: Authenticated Stored Cross-Site Scripting (XSS)
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched. You should deactivate the plugin.
Translation Exchange
PLUGIN: Translation Exchange - Translate Your WordPress Site In Minutes!
VULNERABILITY: Authenticated Stored Cross-Site Scripting (XSS)
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched. You should deactivate the plugin.
Lean WP
PLUGIN: Lean WP
VULNERABILITY: Subscriber+ Arbitrary Plugin Activation
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched. You should deactivate the plugin.
ProfileGrid
PLUGIN: ProfileGrid - User Profiles, Memberships, Groups and Communities
VULNERABILITY: Subscriber+ Stored Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched. You should deactivate the plugin.
User Registration, Login & Landing Pages
PLUGIN: User Registration, Login & Landing Pages - LeadMagic
VULNERABILITY: Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched. You should deactivate the plugin.
WordPress Theme Vulnerabilities
No new theme vulnerabilities were disclosed this week.
If you are on the WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not under our maintenance plan... well, what are you waiting for? Sign up today!