Threat Alerts / Jul 21, 2021

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. WooCommerce

Plugin: WooCommerce 3.3 to 5.5 Vulnerability: Authenticated SQL Injection Patched in Version: 5.5.1

The vulnerability is patched, so you should update to version 5.5.1.

2. WooCommerce Blocks

Plugin: WooCommerce Blocks 2.5 to 5.5 Vulnerability: Unauthenticated SQL Injection Patched in Version: 5.5.1

The vulnerability is patched, so you should update to version 5.5.1.

3. Advanced Menu Manager

Plugin: Advanced Menu Manager Vulnerability: Unauthorised Menu Creation/Deletion Patched in Version: No known fix – Plugin Closed

Plugin: Advanced Menu Manager Vulnerability: Unauthorised Menu Edition via CSRF Patched in Version: No known fix – Plugin Closed

Uninstall and delete the plugin until a patch is released.

4. Wr Age Verification

Plugin: Wr Age Verification Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 2.0.0

The vulnerability is patched, so you should update to version 2.0.0.

5. Marmoset Viewer

Plugin: Marmoset Viewer Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.9.3

The vulnerability is patched, so you should update to version 1.9.3.

6. WOWRestro

Plugin: WOWRestro Vulnerability: CSRF Bypass Patched in Version: 1.1

The vulnerability is patched, so you should update to version 1.1.

7. Page View Counts

Plugin: Page View Counts Vulnerability: Contributor+ Stored Cross-Site Scripting (XSS) Patched in Version: 2.4.9

The vulnerability is patched, so you should update to version 2.4.9.

8. Frontend File Manager

Plugin: Frontend File Manager Vulnerability: Privilege Escalation Patched in Version: 18.3

Plugin: Frontend File Manager Vulnerability: Unauthenticated Content Injection and Stored XSS Patched in Version: 18.3

Plugin: Frontend File Manager Vulnerability: Authenticated Arbitrary Settings Change to Arbitrary File Upload Patched in Version: 18.3

Plugin: Frontend File Manager Vulnerability: Unauthenticated Arbitrary Post Deletion Patched in Version: 18.3

Plugin: Frontend File Manager Vulnerability: Unauthenticated Post Meta Change to Arbitrary File Download Patched in Version: 18.3

Plugin: Frontend File Manager Vulnerability: Unauthenticated HTML Injection Patched in Version: 18.3

All six vulnerabilities are patched, so you should update to version 18.3.

9. Stock in & out

Plugin: Stock in & out Vulnerability: Authenticated SQL Injection Patched in Version: No known fix – Plugin Closed

Plugin: Stock in & out Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: No known fix – Plugin Closed

Both vulnerabilities are unpatched; uninstall and delete the plugin until a patch is released.

10. Side Menu Lite – add sticky fixed buttons

Plugin: Side Menu Lite Vulnerability: Authenticated SQL Injection Patched in Version: 2.2.1

The vulnerability is patched, so you should update to version 2.2.1.

11. ProfilePress

Plugin: ProfilePress Vulnerability: Unauthenticated Cross-Site Scripting (XSS) Patched in Version: 3.1.11

The vulnerability is patched, so you should update to version 3.1.11.

12. WP Google Map

Plugin: WP Google Map Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 1.7.7

The vulnerability is patched, so you should update to version 1.7.7.

13. 10Web Map Builder for Google Maps

Plugin: 10Web Map Builder for Google Maps Vulnerability: Authenticated Stored XSS Patched in Version: 1.0.70

The vulnerability is patched, so you should update to version 1.0.70.

14. Video Posts Webcam Recorder

Plugin: Video Posts Webcam Recorder Vulnerability: Authenticated Reflected XSS Patched in Version: 3.2.4

The vulnerability is patched, so you should update to version 3.2.4.

15. WPFront Notification Bar

Plugin: WPFront Notification Bar Vulnerability: Authenticated Stored XSS Patched in Version: 2.0.0.07176

The vulnerability is patched, so you should update to version 2.0.0.07176.

16. WordPress Popular Posts

Plugin: WordPress Popular Posts Vulnerability: Authenticated Code Injection Patched in Version: 5.3.3

The vulnerability is patched, so you should update to version 5.3.3.

17. Form Maker by 10Web

Plugin: Form Maker by 10Web Vulnerability: Authenticated Stored XSS Patched in Version: 1.13.60

The vulnerability is patched, so you should update to version 1.13.60.

18. Activity Log

Plugin: Activity Log Vulnerability: Authenticated SQL Injection Patched in Version: 2.7.0

The vulnerability is patched, so you should update to version 2.7.0.

19. Current Book

Plugin: Current Book Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: No known fix – Plugin Closed

Uninstall and delete the plugin until a patch is released.

20. ECPay Logistics for WooCommerce

Plugin: ECPay Logistics for WooCommerce Vulnerability: Unauthenticated Reflected XSS Patched in Version: 1.3.1910240

The vulnerability is patched, so you should update to version 1.3.1910240.

21. Event Espresso Core

Plugin: Event Espresso Core Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 4.10.7.p

The vulnerability is patched, so you should update to version 4.10.7.p.

WordPress Themes Vulnerabilities

1. Newsmag

Theme: Newsmag Vulnerability: Unauthenticated Reflected Cross-Site Scripting (XSS) Patched in Version: 5.0

The vulnerability is patched, so you should update to version 5.0.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!