Threat Alerts / Jun 30, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. Browser Screenshots

Plugin: Browser Screenshots Vulnerability: Stored Cross-Site Scripting Patched in Version: 1.7.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.6+.

2. Sign-up Sheets

Plugin: Sign-up Sheets Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 1.0.14 Severity Score: Medium

Plugin: Sign-up Sheets Vulnerability: Authenticated CSV Injection Patched in Version: 1.0.14 Severity Score: Medium

The vulnerabilities have been patched, so you should update to version 1.0.14+.

3. Prismatic

Plugin: Prismatic Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.8 Severity Score: High

Plugin: Prismatic Vulnerability: Stored Cross-Site Scripting Patched in Version: 2.8 Severity Score: Medium

The vulnerabilities have been patched, so you should update to version 2.8+.

4. Glass

Plugin: Glass Vulnerability: CSRF to Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

5. Simple Sort&Search

Plugin: Simple Sort&Search Vulnerability: Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

6. Salon Booking System

Plugin: Salon Booking System Vulnerability: Unauthenticated Stored Cross-Site Scripting Patched in Version: 6.3.1 Severity Score: Critical

The vulnerability is patched, so you should update to version 6.3.1+.

7. Qtranslate Slug

Plugin: Qtranslate Slug Vulnerability: CSRF Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

8. Multivendor Marketplace Solution for WooCommerce

Plugin: Multivendor Marketplace Solution for WooCommerce Vulnerability: CSRF Patched in Version: 3.7.4 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.7.4+.

9. Custom css-js-php

Plugin: Custom css-js-php Vulnerability: CSRF Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

10. Absolute Reviews

Plugin: Absolute Reviews Vulnerability: CSRF Patched in Version: 1.0.9 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.9+.

11. Advanced Popups

Plugin: Advanced Popups Vulnerability: CSRF Patched in Version: 1.1.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.1.2+.

12. Remove Schema

Plugin: Remove Schema Vulnerability: CSRF Patched in Version: 1.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.6+.

13. Multiple Roles

Plugin: Multiple Roles Vulnerability: CSRF Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

14. Sunshine Photo Cart

Plugin: Sunshine Photo Cart Vulnerability: CSRF Patched in Version: 2.8.29 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.8.29+.

15. Ultimate Gift Cards

Plugin: Ultimate Gift Cards Vulnerability: CSRF Patched in Version: 2.1.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.1.2+.

16. wp-mpdf

Plugin: wp-mpdf Vulnerability: CSRF Patched in Version: 3.5.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.5.2+.

17. Export Users With Meta

Plugin: Export Users With Meta Vulnerability: Authenticated SQL Injection Patched in Version: 0.6.5 Severity Score: Medium

The vulnerability is patched, so you should update to version 0.6.5+.

18. YOP Poll

Plugin: YOP Poll Vulnerability: Unauthenticated Stored Cross-Site Scripting Patched in Version: 6.2.8 Severity Score: Medium

The vulnerability is patched, so you should update to version 6.2.8+.

19. Fudousan

Plugin: Fudousan Vulnerability: Authenticated Cross-Site Scripting Patched in Version: 5.7.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 5.7.2+.

20. Poll, Survey, Questionnaire and Voting system

Plugin: Poll, Survey, Questionnaire and Voting system Vulnerability: Unauthenticated Blind SQL Injection Patched in Version: 1.5.3 Severity Score: Critical

The vulnerability is patched, so you should update to version 1.5.3+.

21. CiviCRM

Plugin: CiviCRM Vulnerability: CSRF to Stored Cross-Site Scripting Patched in Version: 5.28.1 Severity Score: Medium

The vulnerability is patched, so you should update to version 5.28.1+.

22. WP Image Zoom

Plugin: WP Image Zoom Vulnerability: Local File Inclusion Patched in Version: 1.47 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.47+.

23. ZoomSounds

Plugin: ZoomSounds Vulnerability: Unauthenticated Arbitrary File Upload Patched in Version: 6.05 Severity Score: Critical

The vulnerability is patched, so you should update to version 6.05+.

24. Include Me

Plugin: Include Me Vulnerability: Authenticated Remote Code Execution Patched in Version: No known fix Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
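The list above boils down to one check per installed plugin: is it on the list, is the installed version older than the patched one, and if there is no patched version, is it still present at all. The script below is an added example written for this post; it is not code from iThemes or from the original roundup. It assumes the plugin inventory comes from WP-CLI (`wp plugin list --fields=title,version,status --format=json`) and that a plugin's display title matches the name used in the roundup; the sample inventory embedded in it is constructed for illustration, not taken from a real site. The YOP Poll entry is encoded with its fields in the correct order (vulnerability: unauthenticated stored XSS, patched in 6.2.8).

```python
"""Check a WP-CLI plugin inventory against this month's roundup (added example)."""
import json
import re
from typing import List, NamedTuple, Optional


class Advisory(NamedTuple):
    plugin: str
    issue: str
    fixed_in: Optional[str]   # None means "No known fix": remove the plugin
    severity: str


# Entries transcribed from the roundup above.
ADVISORIES = [
    Advisory("Browser Screenshots", "Stored XSS", "1.7.6", "Medium"),
    Advisory("Sign-up Sheets", "Authenticated Stored XSS", "1.0.14", "Medium"),
    Advisory("Sign-up Sheets", "Authenticated CSV Injection", "1.0.14", "Medium"),
    Advisory("Prismatic", "Reflected XSS", "2.8", "High"),
    Advisory("Prismatic", "Stored XSS", "2.8", "Medium"),
    Advisory("Glass", "CSRF to Stored XSS", None, "High"),
    Advisory("Simple Sort&Search", "Stored XSS", None, "Medium"),
    Advisory("Salon Booking System", "Unauthenticated Stored XSS", "6.3.1", "Critical"),
    Advisory("Qtranslate Slug", "CSRF", None, "Medium"),
    Advisory("Multivendor Marketplace Solution for WooCommerce", "CSRF", "3.7.4", "Medium"),
    Advisory("Custom css-js-php", "CSRF", None, "Medium"),
    Advisory("Absolute Reviews", "CSRF", "1.0.9", "Medium"),
    Advisory("Advanced Popups", "CSRF", "1.1.2", "Medium"),
    Advisory("Remove Schema", "CSRF", "1.6", "Medium"),
    Advisory("Multiple Roles", "CSRF", None, "Medium"),
    Advisory("Sunshine Photo Cart", "CSRF", "2.8.29", "Medium"),
    Advisory("Ultimate Gift Cards", "CSRF", "2.1.2", "Medium"),
    Advisory("wp-mpdf", "CSRF", "3.5.2", "Medium"),
    Advisory("Export Users With Meta", "Authenticated SQL Injection", "0.6.5", "Medium"),
    Advisory("YOP Poll", "Unauthenticated Stored XSS", "6.2.8", "Medium"),
    Advisory("Fudousan", "Authenticated XSS", "5.7.2", "Medium"),
    Advisory("Poll, Survey, Questionnaire and Voting system", "Unauthenticated Blind SQL Injection", "1.5.3", "Critical"),
    Advisory("CiviCRM", "CSRF to Stored XSS", "5.28.1", "Medium"),
    Advisory("WP Image Zoom", "Local File Inclusion", "1.47", "Medium"),
    Advisory("ZoomSounds", "Unauthenticated Arbitrary File Upload", "6.05", "Critical"),
    Advisory("Include Me", "Authenticated Remote Code Execution", None, "High"),
]


def parse_version(v: str) -> tuple:
    """'6.05' -> (6, 5); '1.47' -> (1, 47). Components compare as integers, the
    way WordPress's version_compare does, so 1.47 is NEWER than 1.5. Never
    compare plugin versions as floats."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_older(installed: str, fixed_in: str) -> bool:
    """True if installed < fixed_in. Missing trailing components count as 0
    (a simplification of PHP's version_compare, which treats 1.0 < 1.0.0)."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


class Finding(NamedTuple):
    plugin: str
    installed: str
    issue: str
    severity: str
    action: str   # "ok", "update to X", or "remove"


def assess(inventory_json: str) -> List[Finding]:
    """Match a `wp plugin list --fields=title,version,status --format=json`
    inventory against ADVISORIES. Plugin status is deliberately ignored: an
    inactive plugin is still on disk, and the advice for unpatched ones is to
    delete them."""
    installed = {p["title"].lower(): p for p in json.loads(inventory_json)}
    findings = []
    for adv in ADVISORIES:
        p = installed.get(adv.plugin.lower())
        if p is None:
            continue
        if adv.fixed_in is None:
            action = "remove"
        elif is_older(p["version"], adv.fixed_in):
            action = f"update to {adv.fixed_in}"
        else:
            action = "ok"
        findings.append(Finding(adv.plugin, p["version"], adv.issue, adv.severity, action))
    return findings


# Constructed sample of WP-CLI output, not from a real site.
SAMPLE_INVENTORY = json.dumps([
    {"title": "Prismatic", "version": "2.7", "status": "active"},
    {"title": "Salon Booking System", "version": "6.3.1", "status": "active"},
    {"title": "Glass", "version": "1.0", "status": "inactive"},
    {"title": "WP Image Zoom", "version": "1.5", "status": "active"},
    {"title": "ZoomSounds", "version": "6.05", "status": "active"},
    {"title": "Unrelated Plugin", "version": "4.2.0", "status": "active"},
])

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        if f.action != "ok":
            print(f"{f.severity:8} {f.plugin} {f.installed}: {f.issue} -> {f.action}")
```

On the sample, Prismatic 2.7 and WP Image Zoom 1.5 are flagged for update (1.5 is older than 1.47 under dotted-integer comparison), Glass is flagged for removal even though it is inactive, and Salon Booking System 6.3.1 and ZoomSounds 6.05 are already at the patched versions. To run it against a real site, replace SAMPLE_INVENTORY with the output of the WP-CLI command named above.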

WordPress Themes Vulnerabilities

No new WordPress theme vulnerabilities to report.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we've already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!