
WordPress Vulnerabilities Digest - July 2022 Part 2

Threat Alerts / July 25, 2022
WordPress 6.0.1 was released on July 12, 2022, as a short-cycle maintenance release with 31 bug fixes. Because this is a core update, be sure to update to WordPress 6.0.1 as soon as possible.

Each vulnerability is given a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities are an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. CAPTCHA 4WP

Plugin: CAPTCHA 4WP
Installations: 200,000+
Vulnerability: Local File Inclusion via CSRF
Patched in version: 7.1.0
Severity score: High

The vulnerability has been patched, so you should update to version 7.1.0.

2. GiveWP

Plugin: GiveWP Donation Plugin and Fundraising Platform
Installations: 100,000+
Vulnerability: DoS via CSRF; Admin+ Stored Cross-Site Scripting
Patched in version: 2.21.3
Severity score: Low

The vulnerability has been patched, so you should update to version 2.21.3.

3. Featured Image from URL

Plugin: Featured Image from URL (FIFU)
Installations: 80,000+
Vulnerability: Admin+ Stored Cross-Site Scripting; Arbitrary Settings Update to Stored XSS via CSRF
Patched in version: 4.0.1
Severity score: Low

The vulnerability has been patched, so you should update to version 4.0.1.

4. Simple Membership

Plugin: Simple Membership
Installations: 50,000+
Vulnerability: Membership Privilege Escalation; Unauthenticated Membership Privilege Escalation
Patched in version: 4.1.3
Severity score: Medium

The vulnerability has been patched, so you should update to version 4.1.3.

5. Advanced WordPress Reset

Plugin: Advanced WordPress Reset
Installations: 40,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.6
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.6.

6. Visualizer: Tables and Charts Manager for WordPress

Plugin: Visualizer: Tables and Charts Manager for WordPress
Installations: 40,000+
Vulnerability: Contributor+ PHAR Deserialization
Patched in version: 3.7.10
Severity score: High

The vulnerability has been patched, so you should update to version 3.7.10.

7. YOP Poll

Plugin: YOP Poll
Installations: 20,000+
Vulnerability: IP Spoofing
Patched in version: 6.4.3
Severity score: Medium

The vulnerability has been patched, so you should update to version 6.4.3.

8. Youzify

Plugin: Youzify BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Installations: 8,000+
Vulnerability: Unauthenticated SQLi
Patched in version: 1.2.0
Severity score: High

The vulnerability has been patched, so you should update to version 1.2.0.

9. YaySMTP

Plugin: YaySMTP Simple WP SMTP Mail
Installations: 2,000+
Vulnerability: Subscriber+ Logs Disclosure; Subscriber+ SMTP Credentials Leak
Patched in version: 2.2.1
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.2.1.

10. Microsoft Advertising Universal Event Tracking

Plugin: Microsoft Advertising Universal Event Tracking (UET)
Installations: 2,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.0.4
Severity score: Low

The vulnerability has been patched, so you should update to version 1.0.4.

11. Counter Box

Plugin: Counter Box WordPress plugin for countdown, timer, counter
Installations: 1,000+
Vulnerability: Arbitrary Counter Activation/Deactivation via CSRF
Patched in version: 1.2.1
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.2.1.

WordPress Plugin Vulnerabilities with No Known Fix

Until a patch is available, immediately uninstall and delete the plugin.

Shortcode For Current Date

Plugin: Shortcode for Current Date
Installations: 10,000+
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Event Timeline

Plugin: Event Timeline Vertical Timeline
Installations: 2,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low

The vulnerability has not been patched. You should deactivate the plugin.

Login with phone number

Plugin: Login with phone number
Installations: 900+
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low

The vulnerability has not been patched. You should deactivate the plugin.

Copyright Proof

Plugin: Copyright Proof
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Popup

Plugin: Popups WordPress Popup
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Flexi Quote Rotator

Plugin: Flexi Quote Rotator
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

FreeMind WP Browser

Plugin: FreeMind WP Browser
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: No fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

AnyMind Widget

Plugin: AnyMind Widget
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: No fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Project Source Code Download

Plugin: WordPress project source code download
Vulnerability: Unauthenticated Backup Download
Patched in version: No fix
Severity score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Progressive License

Plugin: Progressive License
Vulnerability: CSRF to Stored XSS
Patched in version: No fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Invitation Based Registrations

Plugin: Invitation Based Registrations
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

Good news! No new WordPress theme vulnerabilities were disclosed this week.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we have already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!