WordPress Vulnerabilities Digest - June 2022 Part 3
Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
WordPress 6.0 Arturo has been released! This major version release of WordPress was built to help you unlock your creative aspirations and make your site-building experience more intuitive, including almost 1,000 enhancements and bug fixes. See what's new in WordPress 6.0.
No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
1. Elementor
Plugin: Elementor Website Builder
Installations: 5,000,000+
Vulnerability: DOM Reflected Cross-Site Scripting
Patched in version: 3.5.6
Severity score: Medium
The vulnerability has been patched, so you should update to version 3.5.6.
2. Ninja Forms
Plugin: Ninja Forms Contact Form - The Drag and Drop Form Builder for WordPress
Installations: 1,000,000+
Vulnerability: Admin+ Stored Cross-Site Scripting via Import; Admin+ Stored Cross-Site Scripting
Patched in version: 3.6.10
Severity score: Low
The vulnerability has been patched, so you should update to version 3.6.10.
3. WooCommerce PDF Invoices & Packing Slips
Plugin: WooCommerce PDF Invoices & Packing Slips
Installations: 300,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.15.0
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.15.0.
4. ShortPixel Image Optimizer
Plugin: ShortPixel Image Optimizer
Installations: 300,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 4.22.10
Severity score: Medium
The vulnerability has been patched, so you should update to version 4.22.10.
5. Clearfy Cache
Plugin: Clearfy Cache - WordPress optimization plugin, Minify HTML, CSS & JS, Defer
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.0.5
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.0.5.
6. WooCommerce Menu Cart
Plugin: WooCommerce Menu Cart
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.12.0
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.12.0.
7. Modula Image Gallery
Plugin: Customizable WordPress Gallery Plugin - Modula Image Gallery
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.6.7
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.6.7.
8. Flexible Shipping
Plugin: Table Rate Shipping Method for WooCommerce by Flexible Shipping
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 4.11.9
Severity score: Medium
The vulnerability has been patched, so you should update to version 4.11.9.
9. 404 to 301
Plugin: 404 to 301 - Redirect, Log and Notify 404 Errors
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.1.2
Severity score: Medium
The vulnerability has been patched, so you should update to version 3.1.2.
10. WP All Export
Plugin: Export any WordPress data to XML/CSV (WP All Export)
Installations: 90,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.3.6
Severity score: Medium
The vulnerability has been patched, so you should update to version 1.3.6.
11. Checkout Fields Manager for WooCommerce
Plugin: Checkout Fields Manager for WooCommerce
Installations: 90,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 5.5.7
Severity score: Medium
The vulnerability has been patched, so you should update to version 5.5.7.
12. WordPress Real Cookie Banner
Plugin: Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent
Installations: 80,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.18.2
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.18.2.
13. Woody Code Snippets
Plugin: Woody code snippets - Insert Header Footer Code, AdSense Ads
Installations: 80,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.4.6
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.4.6.
14. Gravity PDF
Plugin: Gravity PDF
Installations: 50,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 6.3.1
Severity score: Medium
The vulnerability has been patched, so you should update to version 6.3.1.
15. Easy Testimonials
Plugin: Easy Testimonials
Installations: 30,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.9
Severity score: Medium
The vulnerability has been patched, so you should update to version 3.9.
16. WP Contact Slider
Plugin: WP Contact Slider
Installations: 10,000+
Vulnerability: Editor+ Stored Cross-Site Scripting
Patched in version: 2.4.7
Severity score: Low
The vulnerability has been patched, so you should update to version 2.4.7.
17. Gallery
Plugin: Gallery - Image and Video Gallery with Thumbnails
Installations: 1,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.0.0
Severity score: Medium
The vulnerability has been patched, so you should update to version 2.0.0.
WordPress Plugin Vulnerabilities With No Known Fix
Until a patch is available, immediately uninstall and delete the plugin.
Gallery Bank
Plugin: Gallery Bank - WordPress Photo Gallery Plugin
Vulnerability: Author+ Stored XSS via Media Upload Module; Author+ Stored XSS via Gallery Description
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Copify
Plugin: Copify
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: No Fix
Severity score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Toolbar To Share
Plugin: ToolBar to Share
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: No Fix
Severity score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Theme Vulnerabilities
Good news! No new WordPress theme vulnerabilities were disclosed this week.
If you are on the WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!