Threat Alerts / Jul 28, 2021

Each vulnerability listed below is given a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities are an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. VDZ Verification

Plugin: VDZ Verification
Vulnerability: Authenticated Stored XSS
Patched in Version: 1.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.4+.

2. VDZ CALLBACK

Plugin: VDZ CallBack
Vulnerability: Authenticated Stored XSS
Patched in Version: 1.1.4.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.1.4.6.

3. Wonder PDF Embed

Plugin: Wonder PDF Embed
Vulnerability: Contributor+ Stored XSS
Patched in Version: 1.7
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.

4. Wonder Video Embed

Plugin: Wonder Video Embed
Vulnerability: Contributor+ Stored XSS
Patched in Version: 1.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.8.

5. Profile Builder

Plugin: Profile Builder
Vulnerability: Admin Access via Password Reset Bug
Patched in Version: 3.4.9
Severity Score: Critical

The vulnerability is patched, so you should update to version 3.4.9.

6. VikRentCar Car Rental Management System

Plugin: VikRentCar Car Rental Management System
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 1.1.10
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.1.10.

7. YouTube Embed

Plugin: YouTube Embed
Vulnerability: Contributor+ Stored XSS
Patched in Version: 5.2.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 5.2.2.

8. My Site Audit

Plugin: My Site Audit
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: no known fix
Severity Score: Medium

Uninstall and delete the plugin until a patch is released.

9. Social Tape

Plugin: Social Tape
Vulnerability: CSRF to Stored XSS
Patched in Version: no known fix
Severity Score: High

Uninstall and delete the plugin until a patch is released.

10. Telugu Bible Verse Daily

Plugin: Telugu Bible Verse Daily
Vulnerability: CSRF to Stored XSS
Patched in Version: no known fix
Severity Score: High

Uninstall and delete the plugin until a patch is released.

11. Verse-O-Matic

Plugin: Verse-O-Matic
Vulnerability: CSRF to Stored XSS
Patched in Version: no known fix
Severity Score: High

Uninstall and delete the plugin until a patch is released.

12. Custom Login Redirect

Plugin: Custom Login Redirect
Vulnerability: CSRF to Stored XSS
Patched in Version: no known fix
Severity Score: High

Uninstall and delete the plugin until a patch is released.

13. Light Messages

Plugin: Light Messages
Vulnerability: CSRF to Stored XSS
Patched in Version: no known fix
Severity Score: High

Uninstall and delete the plugin until a patch is released.

14. Shantz WordPress QOTD

Plugin: Shantz WordPress QOTD
Vulnerability: Arbitrary Setting Update via CSRF
Patched in Version: no known fix
Severity Score: Medium

Uninstall and delete the plugin until a patch is released.

15. PhoneTrack Meu Site Manager

Plugin: PhoneTrack Meu Site Manager
Vulnerability: Authenticated Stored XSS
Patched in Version: no known fix
Severity Score: Medium

Uninstall and delete the plugin until a patch is released.

16. RestroPress

Plugin: RestroPress
Vulnerability: Unauthorised AJAX Calls
Patched in Version: 2.8.3.1
Severity Score: High

The vulnerability is patched, so you should update to version 2.8.3.1.

Plugin: RestroPress
Vulnerability: Cart Manipulation via CSRF
Patched in Version: 2.8.3
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.8.3.

17. Photo Gallery

Plugin: Photo Gallery
Vulnerability: Stored XSS via Uploaded SVG in Zip
Patched in Version: 1.5.79
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.5.79.

Plugin: Photo Gallery
Vulnerability: Stored Cross-Site Scripting via Uploaded SVG
Patched in Version: 1.5.75
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.5.75.

Plugin: Photo Gallery
Vulnerability: File Upload Path Traversal
Patched in Version: 1.5.75
Severity Score: Low

The vulnerability is patched, so you should update to version 1.5.75.

18. Mimetic Books

Plugin: Mimetic Books
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: no known fix
Severity Score: Medium

Uninstall and delete the plugin until a patch is released.

19. Elementor Addon Elements

Plugin: Elementor Addon Elements
Vulnerability: CSRF Bypass
Patched in Version: 1.11.8
Severity Score: Low

The vulnerability is patched, so you should update to version 1.11.8.

20. Cooked Pro

Plugin: Cooked Pro
Vulnerability: Unauthenticated Reflected Cross-Site Scripting (XSS)
Patched in Version: no known fix
Severity Score: Medium

Uninstall and delete the plugin until a patch is released.

21. NEX Forms

Plugin: NEX Forms
Vulnerability: Authentication Bypass for Excel Reports
Patched in Version: 7.8.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.8.8.

Plugin: NEX Forms
Vulnerability: Authentication Bypass for PDF Reports
Patched in Version: 7.8.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.8.8.

22. KN Fix Your Title

Plugin: KN Fix Your Title
Vulnerability: Authenticated Stored XSS
Patched in Version: no known fix
Severity Score: Low

Uninstall and delete the plugin until a patch is released.

23. Giveaway

Plugin: Giveaway
Vulnerability: Authenticated SQL Injection
Patched in Version: no known fix
Severity Score: High

Uninstall and delete the plugin until a patch is released.

24. HM Multiple Roles

Plugin: HM Multiple Roles
Vulnerability: Arbitrary Role Change
Patched in Version: no known fix
Severity Score: Critical

Uninstall and delete the plugin until a patch is released.

25. 10Web Map Builder for Google Maps

Plugin: 10Web Map Builder for Google Maps
Vulnerability: Authenticated Stored XSS
Patched in Version: 1.0.70
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.70.

26. Maintenance

Plugin: Maintenance
Vulnerability: Authenticated Stored XSS
Patched in Version: 4.03
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.03.

27. Grid Gallery

Plugin: Grid Gallery
Vulnerability: Photo Image Grid Gallery
Patched in Version: 1.2.5
Severity Score: Low

The vulnerability is patched, so you should update to version 1.2.5.

28. WP Custom Fields Search

Plugin: WP Custom Fields Search
Vulnerability: Unauthenticated Reflected Cross-Site Scripting (XSS)
Patched in Version: 1.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.

29. Google Language Translator

Plugin: Google Language Translator
Vulnerability: Authenticated (author+) Cross-Site Scripting (XSS)
Patched in Version: 6.0.10
Severity Score: Medium

The vulnerability is patched, so you should update to version 6.0.10.

Plugin: Google Language Translator
Vulnerability: Authenticated Cross-Site Scripting (XSS)
Patched in Version: 6.0.10
Severity Score: Medium

The vulnerability is patched, so you should update to version 6.0.10.

30. SendGrid

Plugin: SendGrid
Vulnerability: Authenticated Authorization Bypass
Patched in Version: no known fix
Severity Score: Medium

Uninstall and delete the plugin until a patch is released.

31. NewsPlugin

Plugin: NewsPlugin
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: no known fix
Severity Score: High

Uninstall and delete the plugin until a patch is released.

32. Charitable – Donation Plugin

Plugin: Charitable – Donation Plugin
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 1.6.51
Severity Score: Low

The vulnerability is patched, so you should update to version 1.6.51.

Plugin: Charitable – Donation Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 1.6.51
Severity Score: Low

The vulnerability is patched, so you should update to version 1.6.51.

33. LifterLMS

Plugin: LifterLMS
Vulnerability: Access Other Student Grades/Answers via IDOR
Patched in Version: 4.21.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.21.2.

34. WooCommerce Currency Switcher

Plugin: WooCommerce Currency Switcher
Vulnerability: Authenticated (Low Privilege) Local File Inclusion
Patched in Version: 1.3.7
Severity Score: Critical

The vulnerability is patched, so you should update to version 1.3.7.

35. Simple Post

Plugin: Simple Post
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: no known fix
Severity Score: Low

Uninstall and delete the plugin until a patch is released.

36. WPGraphQL

Plugin: WPGraphQL
Vulnerability: Denial of Service
Patched in Version: 1.3.6
Severity Score: High

The vulnerability is patched, so you should update to version 1.3.6.

37. GTranslate

Plugin: GTranslate
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 2.8.65
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.8.65.

38. Diary & Availability Calendar

Plugin: Diary &amp; Availability Calendar
Vulnerability: Authenticated (subscriber+) SQL Injection
Patched in Version: no known fix
Severity Score: High

Uninstall and delete the plugin until a patch is released.

39. Email Subscriber

Plugin: Email Subscriber
Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS)
Patched in Version: no known fix
Severity Score: High

Uninstall and delete the plugin until a patch is released.

40. M-vSlider

Plugin: M-vSlider
Vulnerability: Authenticated (admin+) SQL Injection
Patched in Version: no known fix
Severity Score: High

Uninstall and delete the plugin until a patch is released.

41. Project Status

Plugin: Project Status
Vulnerability: Authenticated (admin+) SQL Injection
Patched in Version: no known fix
Severity Score: High

Uninstall and delete the plugin until a patch is released.

42. AceIDE

Plugin: AceIDE
Vulnerability: Authenticated (admin+) Arbitrary File Access
Patched in Version: no known fix
Severity Score: Medium

Uninstall and delete the plugin until a patch is released.

43. Broken Link Manager

Plugin: Broken Link Manager
Vulnerability: Authenticated (admin+) SQL Injection
Patched in Version: no known fix
Severity Score: Medium

Uninstall and delete the plugin until a patch is released.

44. Edit Comments

Plugin: Edit Comments
Vulnerability: Unauthenticated SQL Injection
Patched in Version: no known fix
Severity Score: High

Uninstall and delete the plugin until a patch is released.

Plugin: Edit Comments
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: no known fix
Severity Score: Medium

Uninstall and delete the plugin until a patch is released.

45. Simple Events Calendar

Plugin: Simple Events Calendar
Vulnerability: Authenticated (admin+) SQL Injection
Patched in Version: no known fix
Severity Score: Medium

Uninstall and delete the plugin until a patch is released.

46. Timeline Calendar

Plugin: Timeline Calendar
Vulnerability: Authenticated (admin+) SQL Injection
Patched in Version: no known fix
Severity Score: High

Uninstall and delete the plugin until a patch is released.

47. Paytm – Donation Plugin

Plugin: Paytm – Donation Plugin
Vulnerability: 1.3.2 – Authenticated (admin+) SQL Injection
Patched in Version: no known fix
Severity Score: Medium

Uninstall and delete the plugin until a patch is released.

WordPress Themes Vulnerabilities

1. Newspaper

Theme: Newspaper
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 11
Severity Score: High

The vulnerability is patched, so you should update to version 11.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!