WordPress Vulnerabilities Digest - June 2021 Part 1
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
As of today, the current version of WordPress is 5.7.2. Make sure all of your websites are up to date!
Good news! No new WordPress core vulnerabilities have been disclosed in June 2021.
WordPress Plugin Vulnerabilities
1. iFlyChat
Plugin: iFlyChat Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Deactivating alone is not enough, because the plugin's files stay on the server and can still be reached directly: uninstall and delete the plugin until a patch is released.
2. Easy Preloader
Plugin: Easy Preloader Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
3. SP Project & Document Manager
Plugin: SP Project & Document Manager Vulnerability: Authenticated Shell Upload Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
4. Cookie Law Bar
Plugin: Cookie Law Bar Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
5. Multivendor Marketplace Solution for WooCommerce
Plugin: Multivendor Marketplace Solution for WooCommerce Vulnerability: Unauthenticated Arbitrary Product Comment Patched in Version: 3.7.4 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.7.4+.
6. Gallery From Files
Plugin: Gallery From Files Vulnerability: Unauthenticated RCE Patched in Version: No known fix Severity Score: Critical
Plugin: Gallery From Files Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
Neither vulnerability has been patched. Uninstall and delete the plugin until a patch is released.
7. Simple 301 Redirects by BetterLinks
Plugin: Simple 301 Redirects by BetterLinks Vulnerability: Unauthenticated Redirect Export Patched in Version: 2.0.4 Severity Score: Critical
Plugin: Simple 301 Redirects by BetterLinks Vulnerability: Unauthenticated Redirect Import Patched in Version: 2.0.4 Severity Score: Critical
Plugin: Simple 301 Redirects by BetterLinks Vulnerability: Arbitrary Plugin Installation Patched in Version: 2.0.4 Severity Score: High
Plugin: Simple 301 Redirects by BetterLinks Vulnerability: Update and Retrieve Wildcard Value Patched in Version: 2.0.4 Severity Score: Medium
Plugin: Simple 301 Redirects by BetterLinks Vulnerability: Arbitrary Plugin Activation Patched in Version: 2.0.4 Severity Score: High
The vulnerabilities have been patched, so you should update to version 2.0.4+.
8. Visitors
Plugin: Visitors Vulnerability: Unauthenticated Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
9. Sendit WP Newsletter
Plugin: Sendit WP Newsletter Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
10. Side Menu
Plugin: Side Menu Vulnerability: Authenticated SQL Injection Patched in Version: 3.1.5 Severity Score: High
The vulnerability is patched, so you should update to version 3.1.5+.
11. Xllentech English Islamic Calendar
Plugin: Xllentech English Islamic Calendar Vulnerability: Authenticated SQL Injection Patched in Version: 2.6.8 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.6.8+.
12. NinjaFirewall
Plugin: NinjaFirewall Vulnerability: Authenticated PHAR Deserialization Patched in Version: 4.3.4 Severity Score: Low
The vulnerability is patched, so you should update to version 4.3.4+.
WordPress Theme Vulnerabilities
1. JNews
Theme: JNews Vulnerability: Reflected Cross-Site Scripting Patched in Version: 8.0.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 8.0.6+.
2. CityBook
Theme: CityBook Vulnerability: Unauthenticated Reflected Cross-Site Scripting (XSS) Patched in Version: 2.4.4 Severity Score: High
The vulnerability is patched, so you should update to version 2.4.4+.
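Every entry above ends in the same decision: if the installed version is older than the patched version, update; if there is no known fix, uninstall and delete. The script below, an added example that is not part of the original post or of any of the plugins it lists, automates that decision for the plugin entries. It takes the JSON printed by `wp plugin list --format=json --fields=name,title,version,status` and returns an action per installed plugin. It assumes each plugin's display title matches the name used in this digest (the `TITLE_ALIASES` map covers cases where it does not); the plugin slugs and versions in the sample input are constructed, not taken from a real site. Themes can be handled the same way from `wp theme list`, which has the same fields.

```python
"""Triage installed WordPress plugins against the advisories in this digest.

Added example, not part of the original post. Input is the JSON printed by
    wp plugin list --format=json --fields=name,title,version,status
The SAMPLE_PLUGIN_LIST below is constructed (slugs and versions are made up).
Matching is done on the plugin's display title, which is assumed to equal
the name used in the digest; add an alias to TITLE_ALIASES where it differs.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Advisory:
    title: str               # plugin name as written in the digest
    issue: str
    severity: str
    fixed_in: Optional[str]  # None means "No known fix"


# Plugin entries transcribed from the digest above.
ADVISORIES: List[Advisory] = [
    Advisory("iFlyChat", "Authenticated Stored XSS", "Medium", None),
    Advisory("Easy Preloader", "Authenticated Stored XSS", "Medium", None),
    Advisory("SP Project & Document Manager", "Authenticated Shell Upload", "Medium", None),
    Advisory("Cookie Law Bar", "Authenticated Stored XSS", "Medium", None),
    Advisory("Multivendor Marketplace Solution for WooCommerce",
             "Unauthenticated Arbitrary Product Comment", "Medium", "3.7.4"),
    Advisory("Gallery From Files", "Unauthenticated RCE", "Critical", None),
    Advisory("Gallery From Files", "Reflected XSS", "Medium", None),
    Advisory("Simple 301 Redirects by BetterLinks", "Unauthenticated Redirect Export", "Critical", "2.0.4"),
    Advisory("Simple 301 Redirects by BetterLinks", "Unauthenticated Redirect Import", "Critical", "2.0.4"),
    Advisory("Simple 301 Redirects by BetterLinks", "Arbitrary Plugin Installation", "High", "2.0.4"),
    Advisory("Simple 301 Redirects by BetterLinks", "Update and Retrieve Wildcard Value", "Medium", "2.0.4"),
    Advisory("Simple 301 Redirects by BetterLinks", "Arbitrary Plugin Activation", "High", "2.0.4"),
    Advisory("Visitors", "Unauthenticated Stored XSS", "High", None),
    Advisory("Sendit WP Newsletter", "Authenticated SQL Injection", "Medium", None),
    Advisory("Side Menu", "Authenticated SQL Injection", "High", "3.1.5"),
    Advisory("Xllentech English Islamic Calendar", "Authenticated SQL Injection", "Medium", "2.6.8"),
    Advisory("NinjaFirewall", "Authenticated PHAR Deserialization", "Low", "4.3.4"),
]

# Site plugin title -> digest name, for titles that differ (assumed example).
TITLE_ALIASES: Dict[str, str] = {
    "Simple 301 Redirects": "Simple 301 Redirects by BetterLinks",
}


def normalize(title: str) -> str:
    """Case- and punctuation-insensitive key for matching titles."""
    return re.sub(r"[^a-z0-9]", "", title.lower())


def parse_version(v: str) -> tuple:
    """Numeric tuple padded to 4 parts, so 2.0.4 == 2.0.4.0 and 2.0.10 > 2.0.4."""
    nums = [int(x) for x in re.findall(r"\d+", v)]
    return tuple(nums + [0] * (4 - len(nums)))


def is_vulnerable(installed: str, fixed_in: Optional[str]) -> bool:
    """True when the installed version is affected by an advisory."""
    if fixed_in is None:
        return True
    return parse_version(installed) < parse_version(fixed_in)


def triage(plugin_list_json: str) -> Dict[str, str]:
    """Return {plugin slug: 'update' | 'delete' | 'ok'} for plugins named in
    the digest; plugins with no advisory are omitted."""
    by_title: Dict[str, List[Advisory]] = {}
    for adv in ADVISORIES:
        by_title.setdefault(normalize(adv.title), []).append(adv)

    actions: Dict[str, str] = {}
    for plugin in json.loads(plugin_list_json):
        title = TITLE_ALIASES.get(plugin["title"], plugin["title"])
        advs = by_title.get(normalize(title))
        if not advs:
            continue
        # An unpatched advisory wins regardless of status: an inactive
        # plugin's files are still on disk and reachable, so "inactive"
        # is not a mitigation.
        if any(a.fixed_in is None for a in advs):
            actions[plugin["name"]] = "delete"
        elif any(is_vulnerable(plugin["version"], a.fixed_in) for a in advs):
            actions[plugin["name"]] = "update"
        else:
            actions[plugin["name"]] = "ok"
    return actions


def wp_cli_commands(actions: Dict[str, str]) -> List[str]:
    """Turn triage results into the wp-cli commands to run on the site."""
    cmds = []
    for slug, action in sorted(actions.items()):
        if action == "update":
            cmds.append(f"wp plugin update {slug}")
        elif action == "delete":
            cmds.append(f"wp plugin uninstall {slug} --deactivate")
    return cmds


# Constructed sample of `wp plugin list` output (slugs and versions made up).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "side-menu", "title": "Side Menu", "version": "3.1.4", "status": "active"},
    {"name": "simple-301-redirects", "title": "Simple 301 Redirects by BetterLinks",
     "version": "2.0.4", "status": "active"},
    {"name": "iflychat", "title": "iFlyChat", "version": "4.7.1", "status": "inactive"},
    {"name": "akismet", "title": "Akismet Anti-Spam", "version": "4.1.9", "status": "active"},
])

if __name__ == "__main__":
    result = triage(SAMPLE_PLUGIN_LIST)
    for slug, action in sorted(result.items()):
        print(f"{slug}: {action}")
    print("\n".join(wp_cli_commands(result)))
```

Run it against a real site with `wp plugin list --format=json --fields=name,title,version,status > plugins.json` and feed the file contents to `triage()`. The version comparison is numeric per component rather than a string compare, so 2.0.10 is correctly treated as newer than 2.0.4; a plugin that is inactive but unpatched is still reported for deletion, matching the digest's advice.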
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we've already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!