
WordPress Vulnerabilities Digest - July 2022 Part 3

Threat Alerts / July 28, 2022
No new WordPress core vulnerabilities were disclosed this week. WordPress Plugin Vulnerabilities: Slide Anything, Crowdsignal Polls & Ratings, weForms, etc.

Each vulnerability is given a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 6.0.1 was released on July 12, 2022, as a short-cycle maintenance release with 31 bug fixes. Because this is a core update, be sure to update to WordPress 6.0.1 as soon as possible.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. Slide Anything

Plugin: Slide Anything Responsive Content / HTML Slider and Carousel
Installations: 100,000+
Vulnerability: Author+ Cross-Site Scripting in slide title
Patched in version: 2.3.47
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.3.47.

2. Crowdsignal Polls & Ratings

Plugin: Crowdsignal Dashboard Polls, Surveys & more
Installations: 70,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.0.8
Severity score: Medium

The vulnerability has been patched, so you should update to version 3.0.8.

3. weForms

Plugin: weForms Easy Drag & Drop Contact Form Builder For WordPress
Installations: 30,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.6.14
Severity score: Low

The vulnerability has been patched, so you should update to version 1.6.14.

4. Directorist Business Directory Plugin

Plugin: Directorist WordPress Business Directory Plugin with Classified Ads Listings
Installations: 10,000+
Vulnerability: Admin+ Arbitrary File Upload
Patched in version: 7.2.3
Severity score: Medium

The vulnerability has been patched, so you should update to version 7.2.3.

5. Easy Username Updater

Plugin: Easy Username Updater
Installations: 9,000+
Vulnerability: Arbitrary Username Update via CSRF
Patched in version: 1.0.5
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.0.5.

6. Website File Changes Monitor

Plugin: Website File Changes Monitor
Installations: 6,000+
Vulnerability: Admin+ SQL Injection
Patched in version: 1.8.3
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.8.3.

7. Name Directory

Plugin: Name Directory
Installations: 3,000+
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: 1.25.5
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.25.5.

8. YaySMTP

Plugin: YaySMTP Simple WP SMTP Mail
Installations: 2,000+
Vulnerabilities: Subscriber+ Stored Cross-Site Scripting; Admin+ Stored Cross-Site Scripting
Patched in version: 2.2.1
Severity score: High

Both vulnerabilities have been patched, so you should update to version 2.2.1.

9. WP Comments Fields

Plugin: WordPress Comments Fields
Installations: 1,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 4.1
Severity score: Low

The vulnerability has been patched, so you should update to version 4.1.

10. User Private Files

Plugin: Frontend File Manager & Sharing User Private Files
Installations: 400+
Vulnerability: Subscriber+ Arbitrary File Upload
Patched in version: 1.1.3
Severity score: Critical

The vulnerability has been patched, so you should update to version 1.1.3.

WordPress Plugin Vulnerabilities With No Known Fix

Until a patch is available, immediately uninstall and delete the plugin.

WP DS Blog Map

Plugin: WP DS Blog Map
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WPDating

Plugin: WPDating
Vulnerabilities: Multiple SQL Injection Issues
Patched in version: No fix
Severity score: High

These vulnerabilities have not been patched. You should deactivate the plugin.

mTouch Quiz

Plugin: mTouch Quiz
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Better Tag Cloud

Plugin: Better Tag Cloud
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Auto More Tag

Plugin: Auto More Tag
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Rough Chart

Plugin: Rough Chart
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Google Maps Anywhere

Plugin: Google Maps Anywhere
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Thinkific Uploader

Plugin: Thinkific Uploader
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

DW Promobar

Plugin: DW Promobar
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WSM Downloader

Plugin: WSM Downloader
Vulnerabilities: Unauthenticated Arbitrary File Download; Domain Name Restriction Bypass
Patched in version: No fix
Severity score: High

These vulnerabilities have not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

1. Inspiro Pro

Theme: Inspiro
Downloads: 293,027
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: 7.2.3
Severity score: Medium

The vulnerability has been patched, so you should update to version 7.2.3.

2. Discy

Theme: Discy
Vulnerability: Subscriber+ Broken Access Control to change settings
Patched in version: 5.0
Severity score: Medium

The vulnerability has been patched, so you should update to version 5.0.

If you are under the WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign up today!