Threat Alerts / Jun 02, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

As of today, the current version of WordPress is 5.7.2. Make sure all of your websites are up to date!

Good news! No new WordPress core vulnerabilities have been disclosed in June 2021.

WordPress Plugin Vulnerabilities

1. iFlyChat

Plugin: iFlyChat
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

2. Easy Preloader

Plugin: Easy Preloader
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

3. SP Project & Document Manager

Plugin: SP Project & Document Manager
Vulnerability: Authenticated Shell Upload
Patched in Version: No known fix
Severity: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

4. Cookie Law Bar

Plugin: Cookie Law Bar
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

5. Multivendor Marketplace Solution for WooCommerce

Plugin: Multivendor Marketplace Solution for WooCommerce
Vulnerability: Unauthenticated Arbitrary Product Comment
Patched in Version: 3.7.4
Severity: Medium

The vulnerability is patched, so you should update to version 3.7.4+.

6. Gallery From Files

Plugin: Gallery From Files
Vulnerability: Unauthenticated RCE
Patched in Version: No known fix
Severity: Critical

Plugin: Gallery From Files
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity: Medium

These vulnerabilities have NOT been patched. Uninstall and delete the plugin until a patch is released.

7. Simple 301 Redirects by BetterLinks

Plugin: Simple 301 Redirects by BetterLinks
Vulnerability: Unauthenticated Redirect Export
Patched in Version: 2.0.4
Severity: Critical

Plugin: Simple 301 Redirects by BetterLinks
Vulnerability: Unauthenticated Redirect Import
Patched in Version: 2.0.4
Severity: Critical

Plugin: Simple 301 Redirects by BetterLinks
Vulnerability: Arbitrary Plugin Installation
Patched in Version: 2.0.4
Severity: High

Plugin: Simple 301 Redirects by BetterLinks
Vulnerability: Update and Retrieve Wildcard Value
Patched in Version: 2.0.4
Severity: Medium

Plugin: Simple 301 Redirects by BetterLinks
Vulnerability: Arbitrary Plugin Activation
Patched in Version: 2.0.4
Severity: High

The vulnerabilities have been patched, so you should update to version 2.0.4+.

8. Visitors

Plugin: Visitors
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

9. Sendit WP Newsletter

Plugin: Sendit WP Newsletter
Vulnerability: Authenticated SQL Injection
Patched in Version: No known fix
Severity: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

10. Side Menu

Plugin: Side Menu
Vulnerability: Authenticated SQL Injection
Patched in Version: 3.1.5
Severity: High

The vulnerability is patched, so you should update to version 3.1.5+.

11. Xllentech English Islamic Calendar

Plugin: Xllentech English Islamic Calendar
Vulnerability: Authenticated SQL Injection
Patched in Version: 2.6.8
Severity: Medium

The vulnerability is patched, so you should update to version 2.6.8+.

12. NinjaFirewall

Plugin: NinjaFirewall
Vulnerability: Authenticated PHAR Deserialization
Patched in Version: 4.3.4
Severity: Low

The vulnerability is patched, so you should update to version 4.3.4+.

WordPress Theme Vulnerabilities

1. JNews

Theme: JNews
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 8.0.6
Severity: Medium

The vulnerability is patched, so you should update to version 8.0.6+.

2. CityBook

Theme: CityBook
Vulnerability: Unauthenticated Reflected Cross-Site Scripting (XSS)
Patched in Version: 2.4.4
Severity: High

The vulnerability is patched, so you should update to version 2.4.4+.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!