Threat Alerts / Jun 23, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. BCS BatchLine Book Importer

Plugin: BCS BatchLine Book Importer
Vulnerability: Unauthenticated Product Import
Patched in Version: 1.5.8
Severity: High

The vulnerability is patched, so you should update to version 1.5.8+.

2. WP SVG Images

Plugin: WP SVG Images
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 3.4
Severity: Medium

The vulnerability is patched, so you should update to version 3.4+.

3. Vik Rent Car

Plugin: Vik Rent Car
Vulnerability: CSRF to Stored XSS
Patched in Version: 1.1.7
Severity: High

The vulnerability is patched, so you should update to version 1.1.7+.

4. WP FoodBakery

Plugin: FoodBakery
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.2
Severity: Medium

The vulnerability is patched, so you should update to version 2.2+.

5. wpForo Forum

Plugin: wpForo Forum
Vulnerability: Open Redirect
Patched in Version: 1.9.7
Severity: Medium

The vulnerability is patched, so you should update to version 1.9.7+.

6. WooCommerce Stock Manager

Plugin: WooCommerce Stock Manager
Vulnerability: CSRF to Arbitrary File Upload
Patched in Version: 2.6.0
Severity: High

The vulnerability is patched, so you should update to version 2.6.0+.

7. Smooth Scroll Page Up/Down Buttons

Plugin: Smooth Scroll Page Up/Down Buttons
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

8. Request a Quote

Plugin: Request a Quote
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 2.3.4
Severity: Medium

The vulnerability is patched, so you should update to version 2.3.4+.

9. WP YouTube Lyte

Plugin: WP YouTube Lyte
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 1.7.16
Severity: Medium

The vulnerability is patched, so you should update to version 1.7.16+.

10. WP JobSearch

Plugin: WP JobSearch
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 1.7.4
Severity: Medium

The vulnerability is patched, so you should update to version 1.7.4+.

11. WP Reset

Plugin: WP Reset
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 1.90
Severity: Medium

The vulnerability is patched, so you should update to version 1.90+.

12. Backup by 10Web

Plugin: Backup by 10Web
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

13. W3 Total Cache

Plugin: W3 Total Cache
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 2.1.3
Severity: Medium

The vulnerability is patched, so you should update to version 2.1.3+.

14. WP Fluent Forms

Plugin: WP Fluent Forms
Vulnerability: Cross-Site Request Forgery
Patched in Version: 3.6.67
Severity: High

The vulnerability is patched, so you should update to version 3.6.67+.

15. Advanced AJAX Product Filters

Plugin: Advanced AJAX Product Filters
Vulnerability: Unauthenticated Reflected Cross-Site Scripting
Patched in Version: 1.5.4.7
Severity: High

The vulnerability is patched, so you should update to version 1.5.4.7+.

16. Filebird

Plugin: Filebird
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 4.7.3
Severity: High

The vulnerability is patched, so you should update to version 4.7.3+.

17. 404 to 301

Plugin: 404 to 301
Vulnerability: Broken Access Control
Patched in Version: 3.0.8
Severity: Medium

The vulnerability is patched, so you should update to version 3.0.8+.

WordPress Theme Vulnerabilities

1. Jannah

Theme: Jannah
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 5.4.5
Severity: High

The vulnerability is patched, so you should update to version 5.4.5+.

2. FoodBakery

Plugin: FoodBakery
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.2
Severity: Medium

The vulnerability is patched, so you should update to version 2.2+.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!