WordPress Vulnerabilities Digest - July 2022 Part 4
Each vulnerability is given a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
WordPress 6.0.1 was released on July 12, 2022, as a short-cycle maintenance release with 31 bug fixes. Because this is a core update, be sure to update to WordPress 6.0.1 as soon as possible.
No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
1. WP-DBManager
Plugin: WP-DBManager | Installations: 90,000+ | Vulnerability: Admin+ Remote Command Execution | Patched in version: 2.80.8 | Severity: Medium
The vulnerability has been patched, so you should update to version 2.80.8.
2. SearchWP Live Ajax Search
Plugin: SearchWP Live Ajax Search | Installations: 60,000+ | Vulnerability: Unauthenticated Arbitrary Post Title Disclosure | Patched in version: 1.6.2 | Severity: Medium
The vulnerability has been patched, so you should update to version 1.6.2.
3. Simple Banner
Plugin: Simple Banner | Installations: 50,000+ | Vulnerability: Admin+ Stored Cross-Site Scripting | Patched in version: 2.12.0 | Severity: Low
The vulnerability has been patched, so you should update to version 2.12.0.
4. WP-UserOnline
Plugin: WP-UserOnline | Installations: 20,000+ | Vulnerability: Admin+ Stored Cross-Site Scripting | Patched in version: 2.88.0 | Severity: Low
The vulnerability has been patched, so you should update to version 2.88.0.
5. Flipbox
Plugin: Flipbox Awesomes Flip Boxes Image Overlay | Installations: 10,000+ | Vulnerability: Authenticated Arbitrary Options Update | Patched in version: 2.6.1 | Severity: High
The vulnerability has been patched, so you should update to version 2.6.1.
6. Digital Publications by Supsystic
Plugin: Digital Publications by Supsystic | Installations: 2,000+ | Vulnerability: Admin+ Stored Cross-Site Scripting | Patched in version: 1.7.4 | Severity: Low
The vulnerability has been patched, so you should update to version 1.7.4.
WordPress Plugin Vulnerabilities With No Known Fix
The following plugins have been closed and no patch is available. Until a patch is released, immediately uninstall and delete the plugin.
Testimonials
Plugin: Testimonials | Vulnerability: Contributor+ Stored Cross-Site Scripting | Patched in version: No fix | Severity: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
E Unlocked Student Result
Plugin: E Unlocked Student Result | Vulnerability: Arbitrary File Upload via CSRF | Patched in version: No fix | Severity: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Easy Student Results
Plugin: Easy Student Results | Vulnerability: Sensitive Information Disclosure via REST API; Reflected Cross-Site Scripting | Patched in version: No fix | Severity: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Stockists Manager for WooCommerce
Plugin: Stockists Manager for WooCommerce | Vulnerability: Stored Cross-Site Scripting via CSRF | Patched in version: No fix | Severity: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
VR Calendar
Plugin: VR Calendar | Vulnerability: Unauthenticated Arbitrary Function Call | Patched in version: No fix | Severity: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Homepage Product Organizer for WooCommerce
Plugin: Homepage Product Organizer for WooCommerce | Vulnerability: Subscriber+ SQL Injection | Patched in version: No fix | Severity: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Duplicate Page and Post Plugin
Plugin: Duplicate Page and Post | Vulnerability: Admin+ Stored Cross-Site Scripting | Patched in version: No fix | Severity: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Transposh WordPress Translation
Plugin: Transposh WordPress Translation | Vulnerability: Unauthenticated Settings Change; Username Disclosure | Patched in version: No fix | Severity: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Elementor Contact Form DB
Plugin: Elementor Contact Form DB | Vulnerability: Reflected Cross-Site Scripting | Patched in version: No fix | Severity: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Theme Vulnerabilities
1. GREYD.SUITE
Theme: GREYD.SUITE | Vulnerability: Unauthenticated File Upload leading to Remote Code Execution | Patched in version: 1.2.7 | Severity: Critical
The vulnerability has been patched, so you should update to version 1.2.7.
If you are under our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not under our maintenance plan... well, what are you waiting for? Sign up today!