Threat Alerts / Jul 08, 2020

The WordPress plugins and themes mentioned below have various types of vulnerabilities. Please review the list and remediation steps below.

WordPress Core Vulnerabilities

No WordPress Core vulnerabilities disclosed in July 2020

WordPress Plugin Vulnerabilities

1. Coming Soon Page, Under Construction & Maintenance Mode by SeedProd

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd versions below 5.1.2 have a Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 5.1.2.

2. ACF to REST API

ACF to REST API versions below 3.3.0 have an Unauthenticated Arbitrary wp_options Disclosure vulnerability. The vulnerability is patched, and you should update to version 3.3.0.

3. WPForms

WPForms versions below 1.6.0.2 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.6.0.2.

4. Payment Form for PayPal Pro

Payment Form for PayPal Pro versions below 1.1.65 have an Unauthenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 1.1.65.

5. Testimonials Widget

Testimonials Widget versions 3.5.1 and below have multiple Cross-Site Scripting vulnerabilities. Remove the plugin until a security fix is released.

6. JobSearch WP Job Board 

JobSearch WP Job Board  versions below 1.5.3 have multiple Cross-Site Scripting vulnerabilities. The vulnerability is patched, and you should update to version 1.5.3.

7. Security & Malware scan by CleanTalk

Security & Malware scan by CleanTalk versions below 2.51 have a Security Nonce Leak leading to Unauthorized AJAX call vulnerability. The vulnerability is patched, and you should update to version 2.51.

8. Adning Advertising

Adning Advertising versions below 1.5.6 have an Unauthenticated Arbitrary File Upload/Deletion vulnerability. The vulnerability is patched, and you should update to version 1.5.6.

WordPress Themes Vulnerabilities

1. Nexos – Real Estate

Nexos – Real Estate versions below 1.8 have an Unauthenticated Reflected XSS & SQL Injection vulnerabilities. The vulnerability is patched, and you should update to version 1.8.

2. CareerUp

CareerUp versions below 2.3.1 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.3.1.

3. Careerfy

Careerfy versions below 4.1.0 have Multiple Cross-Site Scripting vulnerabilities. The vulnerability is patched, and you should update to version 4.1.0.

The information for this blog post was taken from iThemes Vulnerability Roundup.

What you should do

If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay! 

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!