Threat Alerts / Jul 24, 2020

The WordPress plugins and themes mentioned below have various types of vulnerabilities. Please review the list and remediation steps below.

WordPress Core Vulnerabilities

There have not been any WordPress core vulnerabilities disclosed in the second half of July.

WordPress Plugin Vulnerabilities

1. Wise Chat

Wise Chat versions below 2.8.4 have a CSV Injection vulnerability. The vulnerability is patched, and you should update to version 2.8.4.

2. Powie’s WHOIS Domain Check

Powie’s WHOIS Domain Check versions below 0.9.33 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 0.9.33.

3. Knight Lab Timeline

Knight Lab Timeline versions below 3.7.0.0 are using an outdated version of the TimelineJS library which could Lead to Stored XSS vulnerability. The vulnerability is patched, and you should update to version 3.7.0.0.

4. Page Builder: KingComposer

Page Builder: KingComposer versions below 2.9.5 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.9.5.

5. SRS Simple Hits Counter

SRS Simple Hits Counter versions below 1.1.0 have an Unauthenticated Blind SQL Injection vulnerability. The vulnerability is patched, and you should update to version 1.1.0.

6. WP-Live Chat by 3CX

WP-Live Chat by 3CX versions below 8.2.0 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 8.2.0.

7. Newsletter

Newsletter versions below 6.7.7 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 6.7.7 .

8. Form Maker by 10Web 

Form Maker by 10Web versions below 1.13.40 have an Authenticated Reflected XSS vulnerability. The vulnerability is patched, and you should update to version 1.13.40.

9. SendPress Newsletters

SendPress Newsletters versions below 1.20.7.13 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.20.7.13.

10. Email Verification for WooCommerce

Email Verification for WooCommerce versions below 1.8.2 have a Loose Comparison to Authentication Bypass vulnerability. The vulnerability is patched, and you should update to version 1.8.2.

11. All in One SEO Pack

All in One SEO Pack versions below 3.6.2 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.6.2.

12. JobSearch WP Job Board

JobSearch WP Job Board WordPress Plugin versions below 1.5.5 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.5.5.

13. Email Subscribers & Newsletters 

Email Subscribers & Newsletters versions below 4.5.1 have an Authenticated SQL injection in es_newsletters_settings_callback() and a Cross-site Request Forgery in send_test_email() vulnerabilities. The vulnerability is patched, and you should update to version 4.5.1.

WordPress Themes Vulnerabilities

There have been no WordPress theme vulnerabilities disclosed in the second half of July.

 

The information for this blog post was taken from iThemes Vulnerability Roundup.

What you should do

If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay! 

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!