Threat Alerts / Jun 16, 2021

Each vulnerability is given a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities are an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

As of today, the current version of WordPress is 5.7.2. Make sure all your websites are up to date!

No new WordPress core vulnerabilities have been disclosed this month, but you should still be running WordPress 5.7.2 on all your sites.

WordPress Plugin Vulnerabilities

1. Recently

Plugin: Recently | Vulnerability: Authenticated Code Injection | Patched in Version: 3.0.5 | Severity: High

Plugin: Recently | Vulnerability: Authenticated Stored Cross-Site Scripting | Patched in Version: 3.0.5 | Severity: Medium

2. WordPress Popular Posts

Plugin: WordPress Popular Posts | Vulnerability: Authenticated Code Injection | Patched in Version: 5.3.3 | Severity: High

Plugin: WordPress Popular Posts | Vulnerability: Authenticated Stored Cross-Site Scripting | Patched in Version: 5.3.3 | Severity: Medium

3. WP Hardening

Plugin: WP Hardening | Vulnerability: Reflected Cross-Site Scripting via URI | Patched in Version: 1.2.2 | Severity: Medium

Plugin: WP Hardening | Vulnerability: Reflected Cross-Site Scripting via historyvalue | Patched in Version: 1.2.2 | Severity: High

4. Comments Like Dislike

Plugin: Comments Like Dislike | Vulnerability: Add Like/Dislike Bypass | Patched in Version: 1.1.4 | Severity: Medium

5. WP Config File Editor

Plugin: WP Config File Editor | Vulnerability: Authenticated Stored Cross-Site Scripting | Patched in Version: No known fix | Severity: Medium

6. Admin Columns Free & Pro

Plugin: Admin Columns Free | Vulnerability: Authenticated Stored Cross-Site Scripting | Patched in Version: 4.3 | Severity: Medium

Plugin: Admin Columns Pro | Vulnerability: Authenticated Stored Cross-Site Scripting | Patched in Version: 5.5.1 | Severity: Medium

7. WP Google Maps

Plugin: WP Google Maps | Vulnerability: Authenticated Stored Cross-Site Scripting | Patched in Version: 8.1.12 | Severity: Medium

8. Stripe Payment Gateway for WooCommerce

Plugin: Stripe Payment Gateway for WooCommerce | Vulnerability: Reflected Cross-Site Scripting | Patched in Version: 3.6.0 | Severity: High

9. Qtranslate Slug

Plugin: Qtranslate Slug | Vulnerability: CSRF Bypass | Patched in Version: No known fix | Severity: Medium

10. Custom css-js-php

Plugin: Custom css-js-php | Vulnerability: CSRF Bypass | Patched in Version: No known fix | Severity: Medium

11. Multiple Roles

Plugin: Multiple Roles | Vulnerability: CSRF Bypass | Patched in Version: No known fix | Severity: Medium

12. Multivendor Marketplace Solution for WooCommerce

Plugin: Multivendor Marketplace Solution for WooCommerce | Vulnerability: CSRF Bypass | Patched in Version: 3.74 | Severity: Medium

13. JoomSport

Plugin: JoomSport | Vulnerability: Unauthenticated PHP Object Injection | Patched in Version: 5.1.8 | Severity: Medium

14. Smart Slider 3

Plugin: Smart Slider 3 | Vulnerability: Authenticated Stored Cross-Site Scripting | Patched in Version: 3.5.0.9 | Severity: Medium

15. Easy Cookie Policy

Plugin: Easy Cookie Policy | Vulnerability: Broken Access Control to Stored Cross-Site Scripting | Patched in Version: No known fix | Severity: High

16. Welcart e-Commerce

Plugin: Welcart e-Commerce | Vulnerability: Cross-Site Scripting | Patched in Version: 2.2.4 | Severity: Medium

17. WP Prayer

Plugin: WP Prayer | Vulnerability: Arbitrary Plugin Settings Update via CSRF | Patched in Version: 1.6.7 | Severity: Medium

WordPress Themes Vulnerabilities

1. Jannah

Theme: Jannah | Vulnerability: Reflected Cross-Site Scripting | Patched in Version: 5.4.4 | Severity: High

2. Motor theme

Theme: Motor theme | Vulnerability: Unauthenticated Local File Inclusion | Patched in Version: 3.1.0 | Severity: High

3. Real Estate 7

Theme: Real Estate 7 | Vulnerability: Reflected Cross-Site Scripting | Patched in Version: 3.1.1 | Severity: High


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!