WordPress Vulnerabilities Digest - June 2020

The WordPress plugins and themes mentioned below have various types of vulnerabilities ranging from low risk to high risk. There are no critical level vulnerabilities in the list.

WordPress Core Vulnerabilities

1. Update to WordPress 5.4.2 - CRITICAL

WordPress versions 5.4.2 is now available. This is an important security and maintenance release. Earlier versions are affected by multiple security bugs, which are fixed in version 5.4.2. If you havent yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.

WordPress Plugin Vulnerabilities

1. Drag and Drop Multiple File Upload for Contact Form 7 - CRITICAL

Drag and Drop Multiple File Upload for Contact Form 7 versions below 1.3.3.3 have an Unauthenticated File Upload Bypass vulnerability. The vulnerability is patched, and you should update to version 1.3.3.3.

2. Page Builder: PageLayer Drag and Drop website builder - HIGH

Page Builder: PageLayer Drag and Drop website builder versions below 1.1.2 have an Unprotected AJAXs leading to XSS and a CSRF leading to XSS vulnerabilities. The vulnerability is patched, and you should update to version 1.1.2.

3. MapPress Maps - CRITICAL

MapPress Maps versions below 2.54.6 have an Improper Capability Checks in AJAX Calls vulnerability. The vulnerability is patched, and you should update to version 2.54.6.

4. Image Photo Gallery Final Tiles Grid - CRITICAL

Image Photo Gallery Final Tiles Grid versions below 3.4.19 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.4.19.

5. bbPress - CRITICAL

bbPress versions below 2.6.5 have an Unauthenticated Privilege Escalation vulnerability when New User Registration enabled. The vulnerability is patched, and you should update to version 2.6.5.

6. Multi Scheduler - HIGH

All versions of Multi Scheduler have an Arbitrary Record Deletion via CSRF vulnerability. Remove the plugin until a security fix is released.

7. JobSearch - HIGH

JobSearch versions below 1.5.1 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.5.1.

8. AdRotate - Medium

AdRotate versions below 5.8.4 have an Authenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 5.8.4.

9. Elementor Page Builder - HIGH

Elementor Page Builder versions below 2.9.10 have an Authenticated Stored XSS vulnerability. The vulnerability is patched, and you should update to version 2.9.10.

10. SportsPress - HIGH

SportsPress versions below 2.7.2 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.7.2.

WordPress Themes Vulnerabilities

1. Careerfy - HIGH

Careerfy versions below 3.9.0 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.9.0.

2. Newspaper - HIGH

Newspaper versions below 10.3.4 have an Authenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 10.3.4.

The information for this blog post was taken from iThemes Vulnerability Roundup.

What you should do

If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay!

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!