WordPress Vulnerabilities Digest - June 2022 Part 2

Threat Alerts / June 16, 2022
The weekly WordPress Vulnerability Report powered by WPScan. WordPress Plugin Vulnerabilities: GTM4WP, Ultimate Member, Download manager, Nested Pages, etc.

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 6.0 "Arturo" has been released! This major version release of WordPress was built to help you unlock your creative aspirations and make your site-building experience more intuitive, including almost 1,000 enhancements and bug fixes. See what's new in WordPress 6.0.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. GTM4WP

Plugin: GTM4WP
Installations: 600,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.15.2
Severity score: Low

The vulnerability has been patched, so you should update to version 1.15.2.

2. Ultimate Member

Plugin: Ultimate Member (User Profile, User Registration, Login & Membership Plugin)
Installations: 200,000+
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in version: 2.4.0
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.4.0.

3. Download manager

Plugin: Download Manager
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.2.43
Severity score: Medium

The vulnerability has been patched, so you should update to version 3.2.43.

4. Nested Pages

Plugin: Nested Pages
Installations: 90,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 3.1.21
Severity score: Low

The vulnerability has been patched, so you should update to version 3.1.21.

5. Co-Authors-Plus

Plugin: Co-Authors Plus
Installations: 30,000+
Vulnerability: Guest Authors Email Address Disclosure
Patched in version: 3.5.2
Severity score: Medium

The vulnerability has been patched, so you should update to version 3.5.2.

6. Icegram

Plugin: Icegram (Popups, Welcome Bar, Optins and Lead Generation Plugin)
Installations: 30,000+
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: 2.1.8
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.1.8.

7. My Private Site

Plugin: My Private Site
Installations: 30,000+
Vulnerability: Arbitrary Settings Update via CSRF
Patched in version: 3.0.8
Severity score: Medium

The vulnerability has been patched, so you should update to version 3.0.8.

8. miniOrange's Google Authenticator

Plugin: miniOrange's Google Authenticator (WordPress Two Factor Authentication (2FA, Two Factor, OTP SMS and Email) | Passwordless login)
Installations: 20,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 5.5.6
Severity score: Low

The vulnerability has been patched, so you should update to version 5.5.6.

9. New User Approve

Plugin: New User Approve
Installations: 20,000+
Vulnerability: Arbitrary Settings Update & Invitation Code Creation via CSRF
Patched in version: 2.4
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.4.

10. Easy Pricing Tables

Plugin: Easy Pricing Tables (Pricing Tables WordPress Plugin)
Installations: 20,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.2.1
Severity score: Medium

The vulnerability has been patched, so you should update to version 3.2.1.

11. Easy SVG Support

Plugin: Easy SVG Support
Installations: 10,000+
Vulnerability: Author+ Stored Cross-Site Scripting via SVG
Patched in version: 3.3.0
Severity score: Medium

The vulnerability has been patched, so you should update to version 3.3.0.

12. WP Ultimate CSV Importer

Plugin: WP Ultimate CSV Importer (Import Export All WordPress Images, Users & Post Types)
Installations: 10,000+
Vulnerability: Admin+ Blind SSRF
Patched in version: 6.5.3
Severity score: Medium

The vulnerability has been patched, so you should update to version 6.5.3.

13. Active Products Tables for WooCommerce

Plugin: Active Products Tables for WooCommerce (Professional products tables for WooCommerce store)
Installations: 3,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.0.5
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.0.5.

14. ARMember

Plugin: ARMember (Membership Plugin, Content Restriction, Member Levels, User Profile & User signup)
Installations: 2,000+
Vulnerability: Unauthenticated Admin Account Takeover
Patched in version: 3.4.8
Severity score: Critical

The vulnerability has been patched, so you should update to version 3.4.8.

15. Product Configurator for WooCommerce

Plugin: Product Configurator for WooCommerce
Installations: 1,000+
Vulnerability: Unauthenticated Arbitrary File Deletion
Patched in version: 1.2.32
Severity score: High

The vulnerability has been patched, so you should update to version 1.2.32.

16. WP Post Styling

Plugin: WP Post Styling
Installations: 800+
Vulnerability: Multiple CSRF
Patched in version: 1.3.1
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.3.1.

17. Login using WordPress Users

Plugin: Login using WordPress Users (WP as SAML IDP)
Installations: 700+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.13.4
Severity score: Low

The vulnerability has been patched, so you should update to version 1.13.4.

18. miniOrange Google Authenticator

Plugin: Google Authenticator
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in version: 1.0.5
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.0.5.

19. Modern Events Calendar Lite

Plugin: Modern Events Calendar Lite
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in version: 6.3.0
Severity score: Medium

The vulnerability has been patched, so you should update to version 6.3.0.

WordPress Plugin Vulnerabilities With No Known Fix

Until a patch is available, immediately uninstall and delete the plugin.

XCloner

Plugin: XCloner (Backup, Restore and Migrate WordPress Sites With the XCloner Plugin)
Installations: 20,000+
Vulnerability: Unauthenticated Plugin Settings Reset
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Qubely

Plugin: Qubely (Advanced Gutenberg Blocks)
Installations: 10,000+
Vulnerability: Authenticated Arbitrary Settings Update
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Flower Delivery by Florist One

Plugin: Flower Delivery by Florist One
Installations: 100+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low

The vulnerability has not been patched. You should deactivate the plugin.

HTML2WP

Plugin: HTML2WP
Vulnerability: Subscriber+ Arbitrary File Deletion; Arbitrary Settings Update via CSRF; Unauthenticated Arbitrary File Upload
Patched in version: No Fix
Severity score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

MailPress

Plugin: MailPress
Vulnerability: Arbitrary Settings Update & Log Files Purge via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Site Offline or Coming Soon

Plugin: Site Offline or Coming Soon
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Ultimate WooCommerce CSV Importer

Plugin: Ultimate WooCommerce CSV Importer
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Sentry

Plugin: WP Sentry
Vulnerability: Arbitrary Settings Update to Stored XSS via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Google Authenticator

Plugin: Google Authenticator
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Clean-Contact

Plugin: Clean-Contact
Vulnerability: Arbitrary Settings Update to Stored XSS via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Tiny Contact Form

Plugin: Tiny Contact Form
Vulnerability: Arbitrary Settings Update via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Social Share Buttons by Supsystic

Plugin: Social Share Buttons by Supsystic
Vulnerability: Multiple CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

MiniOrange Limit Login Attempts

Plugin: Limit Login Attempts (miniOrange)
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WPMK Ajax Finder

Plugin: WPMK Ajax Finder
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Add Post URL

Plugin: Add Post URL
Vulnerability: Arbitrary Settings Update to Stored XSS via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Security

Plugin: WordPress Security (Firewall, Malware Scanner, Secure Login and Backup)
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Mihdan: No External Links

Plugin: Mihdan: No External Links
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

miniOrange's Malware Scanner

Plugin: Malware Scanner (miniOrange)
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Image Gallery Grid Gallery

Plugin: Image Gallery Grid Gallery
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

MyCSS

Plugin: MyCSS
Vulnerability: Arbitrary Settings Update via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Browser and Operating System Finder

Plugin: Browser and Operating System Finder
Vulnerability: Unauthenticated Settings Reset
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

OpenBook Book Data

Plugin: OpenBook Book Data
Vulnerability: Arbitrary Settings Update to Stored XSS via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Mobile Browser Color Select

Plugin: Mobile Browser Color Select
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

NextCellent Gallery

Plugin: NextCellent Gallery (NextGEN Legacy)
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Form Contact Form

Plugin: Form Contact Form
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Rotating Posts

Plugin: Rotating Posts
Vulnerability: Arbitrary Settings Update to Stored XSS via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Cimy Header Image Rotator

Plugin: Cimy Header Image Rotator
Vulnerability: Arbitrary Settings Update via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

Good news! No new WordPress theme vulnerabilities were disclosed this week.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!