WordPress Vulnerabilities Digest - July 2021 Part 4
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
No new WordPress core vulnerabilities have been disclosed this month.
WordPress Plugin Vulnerabilities
1. VDZ Verification
Plugin: VDZ Verification Vulnerability: Authenticated Stored XSS Patched in Version: 1.4 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.4+.
2. VDZ CALLBACK
Plugin: VDZ CallBack Vulnerability: Authenticated Stored XSS Patched in Version: 1.1.4.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.1.4.6.
3. Wonder PDF Embed
Plugin: Wonder PDF Embed Vulnerability: Contributor+ Stored XSS Patched in Version: 1.7 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.7.
4. Wonder Video Embed
Plugin: Wonder Video Embed Vulnerability: Contributor+ Stored XSS Patched in Version: 1.8 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.8.
5. Profile Builder
Plugin: Profile Builder Vulnerability: Admin Access via Password Reset Bug Patched in Version: 3.4.9 Severity Score: Critical
The vulnerability is patched, so you should update to version 3.4.9.
6. VikRentCar Car Rental Management System
Plugin: VikRentCar Car Rental Management System Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 1.1.10 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.1.10.
7. YouTube Embed
Plugin: YouTube Embed Vulnerability: Contributor+ Stored XSS Patched in Version: 5.2.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 5.2.2.
8. My Site Audit
Plugin: My Site Audit Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: no known fix Severity Score: Medium
Uninstall and delete the plugin until a patch is released.
9. Social Tape
Plugin: Social Tape Vulnerability: CSRF to Stored XSS Patched in Version: no known fix Severity Score: High
Uninstall and delete the plugin until a patch is released.
10. Telugu Bible Verse Daily
Plugin: Telugu Bible Verse Daily Vulnerability: CSRF to Stored XSS Patched in Version: no known fix Severity Score: High
Uninstall and delete the plugin until a patch is released.
11. Verse-O-Matic
Plugin: Verse-O-Matic Vulnerability: CSRF to Stored XSS Patched in Version: no known fix Severity Score: High
Uninstall and delete the plugin until a patch is released.
12. Custom Login Redirect
Plugin: Custom Login Redirect Vulnerability: CSRF to Stored XSS Patched in Version: no known fix Severity Score: High
Uninstall and delete the plugin until a patch is released.
13. Light Messages
Plugin: Light Messages Vulnerability: CSRF to Stored XSS Patched in Version: no known fix Severity Score: High
Uninstall and delete the plugin until a patch is released.
14. Shantz WordPress QOTD
Plugin: Shantz WordPress QOTD Vulnerability: Arbitrary Setting Update via CSRF Patched in Version: no known fix Severity Score: Medium
Uninstall and delete the plugin until a patch is released.
15. PhoneTrack Meu Site Manager
Plugin: PhoneTrack Meu Site Manager Vulnerability: Authenticated Stored XSS Patched in Version: no known fix Severity Score: Medium
Uninstall and delete the plugin until a patch is released.
16. RestroPress
Plugin: RestroPress Vulnerability: Unauthorised AJAX Calls Patched in Version: 2.8.3.1 Severity Score: High
The vulnerability is patched, so you should update to version 2.8.3.1.
Plugin: RestroPress Vulnerability: Cart Manipulation via CSRF Patched in Version: 2.8.3 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.8.3.
17. Photo Gallery
Plugin: Photo Gallery Vulnerability: Stored XSS via Uploaded SVG in Zip Patched in Version: 1.5.79 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.5.79.
Plugin: Photo Gallery Vulnerability: Stored Cross-Site Scripting via Uploaded SVG Patched in Version: 1.5.75 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.5.75.
Plugin: Photo Gallery Vulnerability: File Upload Path Traversal Patched in Version: 1.5.75 Severity Score: Low
The vulnerability is patched, so you should update to version 1.5.75.
18. Mimetic Books
Plugin: Mimetic Books Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: no known fix Severity Score: Medium
Uninstall and delete the plugin until a patch is released.
19. Elementor Addon Elements
Plugin: Elementor Addon Elements Vulnerability: CSRF Bypass Patched in Version: 1.11.8 Severity Score: Low
The vulnerability is patched, so you should update to version 1.11.8.
20. Cooked Pro
Plugin: Cooked Pro Vulnerability: Unauthenticated Reflected Cross-Site Scripting (XSS) Patched in Version: no known fix Severity Score: Medium
Uninstall and delete the plugin until a patch is released.
21. NEX Forms
Plugin: NEX Forms Vulnerability: Authentication Bypass for Excel Reports Patched in Version: 7.8.8 Severity Score: Medium
The vulnerability is patched, so you should update to version 7.8.8.
Plugin: NEX Forms Vulnerability: Authentication Bypass for PDF Reports Patched in Version: 7.8.8 Severity Score: Medium
The vulnerability is patched, so you should update to version 7.8.8.
22. KN Fix Your Title
Plugin: KN Fix Your Title Vulnerability: Authenticated Stored XSS Patched in Version: no known fix Severity Score: Low
Uninstall and delete the plugin until a patch is released.
23. Giveaway
Plugin: Giveaway Vulnerability: Authenticated SQL Injection Patched in Version: no known fix Severity Score: High
Uninstall and delete the plugin until a patch is released.
24. HM Multiple Roles
Plugin: HM Multiple Roles Vulnerability: Arbitrary Role Change Patched in Version: no known fix Severity Score: Critical
Uninstall and delete the plugin until a patch is released.
25. 10Web Map Builder for Google Maps
Plugin: 10Web Map Builder for Google Maps Vulnerability: Authenticated Stored XSS Patched in Version: 1.0.70 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.0.70.
26. Maintenance
Plugin: Maintenance Vulnerability: Authenticated Stored XSS Patched in Version: 4.03 Severity Score: Medium
The vulnerability is patched, so you should update to version 4.03.
27. Grid Gallery
Plugin: Grid Gallery Vulnerability: Photo Image Grid Gallery Patched in Version: 1.2.5 Severity Score: Low
The vulnerability is patched, so you should update to version 1.2.5.
28. WP Custom Fields Search
Plugin: WP Custom Fields Search Vulnerability: Unauthenticated Reflected Cross-Site Scripting (XSS) Patched in Version: 1.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.0.
29. Google Language Translator
Plugin: Google Language Translator Vulnerability: Authenticated (author+) Cross-Site Scripting (XSS) Patched in Version: 6.0.10 Severity Score: Medium
The vulnerability is patched, so you should update to version 6.0.10.
Plugin: Google Language Translator Vulnerability: Authenticated Cross-Site Scripting (XSS) Patched in Version: 6.0.10 Severity Score: Medium
The vulnerability is patched, so you should update to version 6.0.10.
30. SendGrid
Plugin: SendGrid Vulnerability: Authenticated Authorization Bypass Patched in Version: no known fix Severity Score: Medium
Uninstall and delete the plugin until a patch is released.
31. NewsPlugin
Plugin: NewsPlugin Vulnerability: CSRF to Stored Cross-Site Scripting Patched in Version: no known fix Severity Score: High
Uninstall and delete the plugin until a patch is released.
32. Charitable Donation Plugin
Plugin: Charitable Donation Plugin Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 1.6.51 Severity Score: Low
The vulnerability is patched, so you should update to version 1.6.51.
Plugin: Charitable Donation Plugin Vulnerability: Unauthenticated Stored Cross-Site Scripting Patched in Version: 1.6.51 Severity Score: Low
The vulnerability is patched, so you should update to version 1.6.51.
33. LifterLMS
Plugin: LifterLMS Vulnerability: Access Other Student Grades/Answers via IDOR Patched in Version: 4.21.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 4.21.2.
34. WooCommerce Currency Switcher
Plugin: WooCommerce Currency Switcher Vulnerability: Authenticated (Low Privilege) Local File Inclusion Patched in Version: 1.3.7 Severity Score: Critical
The vulnerability is patched, so you should update to version 1.3.7.
35. Simple Post
Plugin: Simple Post Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: no known fix Severity Score: Low
Uninstall and delete the plugin until a patch is released.
36. WPGraphQL
Plugin: WPGraphQL Vulnerability: Denial of Service Patched in Version: 1.3.6 Severity Score: High
The vulnerability is patched, so you should update to version 1.3.6.
37. GTranslate
Plugin: GTranslate Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 2.8.65 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.8.65.
38. Diary & Availability Calendar
Plugin: Diary & Availability Calendar Vulnerability: Authenticated (subscriber+) SQL Injection Patched in Version: no known fix Severity Score: High
Uninstall and delete the plugin until a patch is released.
39. Email Subscriber
Plugin: Email Subscriber Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS) Patched in Version: no known fix Severity Score: High
Uninstall and delete the plugin until a patch is released.
40. M-vSlider
Plugin: M-vSlider Vulnerability: Authenticated (admin+) SQL Injection Patched in Version: no known fix Severity Score: High
Uninstall and delete the plugin until a patch is released.
41. Project Status
Plugin: Project Status Vulnerability: Authenticated (admin+) SQL Injection Patched in Version: no known fix Severity Score: High
Uninstall and delete the plugin until a patch is released.
42. AceIDE
Plugin: AceIDE Vulnerability: Authenticated (admin+) Arbitrary File Access Patched in Version: no known fix Severity Score: Medium
Uninstall and delete the plugin until a patch is released.
43. Broken Link Manager
Plugin: Broken Link Manager Vulnerability: Authenticated (admin+) SQL Injection Patched in Version: no known fix Severity Score: Medium
Uninstall and delete the plugin until a patch is released.
44. Edit Comments
Plugin: Edit Comments Vulnerability: Unauthenticated SQL Injection Patched in Version: no known fix Severity Score: High
Uninstall and delete the plugin until a patch is released.
Plugin: Edit Comments Vulnerability: Reflected Cross-Site Scripting Patched in Version: no known fix Severity Score: Medium
Uninstall and delete the plugin until a patch is released.
45. Simple Events Calendar
Plugin: Simple Events Calendar Vulnerability: Authenticated (admin+) SQL Injection Patched in Version: no known fix Severity Score: Medium
Uninstall and delete the plugin until a patch is released.
46. Timeline Calendar
Plugin: Timeline Calendar Vulnerability: Authenticated (admin+) SQL Injection Patched in Version: no known fix Severity Score: High
Uninstall and delete the plugin until a patch is released.
47. Paytm Donation Plugin
Plugin: Paytm Donation Plugin Vulnerability: 1.3.2 Authenticated (admin+) SQL Injection Patched in Version: no known fix Severity Score: Medium
Uninstall and delete the plugin until a patch is released.
WordPress Themes Vulnerabilities
1. Newspaper
Theme: Newspaper Vulnerability: Reflected Cross-Site Scripting Patched in Version: 11 Severity Score: High
The vulnerability is patched, so you should update to version 11.
If you are on the WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!