Threat Alerts / Jun 09, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

As of today, the current version of WordPress is 5.7.2. Be sure all your websites are up to date!

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. The Plus Addons for Elementor

Plugin: The Plus Addons for Elementor
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.1.12
Severity: Medium

Plugin: The Plus Addons for Elementor
Vulnerability: Open Redirect
Patched in Version: 4.1.10
Severity: Medium

Plugin: The Plus Addons for Elementor
Vulnerability: Arbitrary Reset Pwd Email Sending
Patched in Version: 4.1.11
Severity: High

These vulnerabilities are patched, so you should update to version 4.1.11+.

2. Yes/No Chart

Plugin: Yes/No Chart
Vulnerability: Authenticated Blind SQL Injection
Patched in Version: 1.0.12
Severity Score: High

The vulnerability is patched, so you should update to version 1.0.12+.

3. FooGallery

Plugin: FooGallery
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 2.0.35
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.35+.

4. Event Calendar WD

Plugin: Event Calendar WD
Vulnerability: Cross-Site Scripting
Patched in Version: 1.1.45
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.1.45+.

5. MC4WP: Mailchimp for WordPress

Plugin: MC4WP: Mailchimp for WordPress
Vulnerability: Authenticated Arbitrary Redirect
Patched in Version: 4.8.5
Severity Score: Medium

Plugin: MC4WP: Mailchimp for WordPress
Vulnerability: Unauthorized Actions via CSRF
Patched in Version: 4.8.5
Severity Score: Medium

These vulnerabilities are patched, so you should update to version 4.8.5+.

6. All 404 Redirect to Homepage

Plugin: All 404 Redirect to Homepage
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

7. Fancy Product Designer

Plugin: Fancy Product Designer
Vulnerability: Unauthenticated Arbitrary File Upload and RCE
Patched in Version: 4.6.9
Severity Score: Critical

The vulnerability is patched, so you should update to version 4.6.9+.

8. GetPaid

Plugin: GetPaid
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 2.3.4
Severity Score: High

The vulnerability is patched, so you should update to version 2.3.4+.

9. Quiz And Survey Master

Plugin: Quiz And Survey Master
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 7.1.19
Severity Score: High

Plugin: Quiz And Survey Master
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 7.1.18
Severity Score: High

These vulnerabilities are patched, so you should update to version 7.1.18+.

10. Jetpack

Plugin: Jetpack
Vulnerability: Carousel Non-Published Page/Post Attachment Comment Leak
Patched in Version: 9.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 9.8+.

WordPress Themes Vulnerabilities

No new WordPress theme vulnerabilities to report.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!