NEWS

WordPress Vulnerabilities Digest - June 2022 Part 5

Threat Alerts / July 07, 2022
WordPress Plugin Vulnerabilities: Contact Form 7 Captcha, Download Manager, LearnPress, Woo Discount Rules, etc.

Each vulnerability carries a severity rating of low, medium, high, or critical. The rating reflects both the impact of the flaw and the access an attacker needs: an entry marked "Unauthenticated" can be reached without an account, "Contributor+" requires at least a Contributor account, and "Admin+" requires an Administrator account, which is why Admin+ stored cross-site scripting issues are rated low even though stored XSS on its own is serious. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 6.0 "Arturo" was released on May 24, 2022. This major release was built to make site building more intuitive and includes almost 1,000 enhancements and bug fixes. See what's new in WordPress 6.0.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. Contact Form 7 Captcha

Plugin: Contact Form 7 Captcha
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 0.1.2
Severity: Medium

The vulnerability has been patched, so you should update to version 0.1.2.

2. Download Manager

Plugin: Download Manager
Installations: 100,000+
Vulnerabilities: Reflected Cross-Site Scripting; Contributor+ Stored Cross-Site Scripting; Unauthenticated Reflected Cross-Site Scripting
Patched in version: 3.2.44
Severity: Medium

The vulnerabilities have been patched, so you should update to version 3.2.44.

3. LearnPress

Plugin: LearnPress WordPress LMS Plugin
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 4.1.6.7
Severity: Medium

The vulnerability has been patched, so you should update to version 4.1.6.7.

4. Woo Discount Rules

Plugin: Discount Rules for WooCommerce
Installations: 90,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 2.4.2
Severity: Medium

The vulnerability has been patched, so you should update to version 2.4.2.

5. Advanced Database Cleaner

Plugin: Advanced Database Cleaner
Installations: 90,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 3.1.1
Severity: Medium

The vulnerability has been patched, so you should update to version 3.1.1.

6. Brizy Page Builder

Plugin: Brizy Page Builder
Installations: 90,000+
Vulnerabilities: Contributor+ Stored Cross-Site Scripting via Element Content; Contributor+ Stored Cross-Site Scripting via Element URL
Patched in version: 2.4.2
Severity: Medium

The vulnerabilities have been patched, so you should update to version 2.4.2.

7. Accept Stripe Payments

Plugin: Accept Stripe Payments
Installations: 40,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.0.64
Severity: Low

The vulnerability has been patched, so you should update to version 2.0.64.

8. Data Tables Generator by Supsystic

Plugin: Data Tables Generator by Supsystic
Installations: 30,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.10.20
Severity: Low

The vulnerability has been patched, so you should update to version 1.10.20.

9. Insights from Google PageSpeed

Plugin: Insights from Google PageSpeed
Installations: 30,000+
Vulnerability: Multiple Cross-Site Request Forgery (CSRF) issues
Patched in version: 4.0.7
Severity: Medium

The vulnerabilities have been patched, so you should update to version 4.0.7.

10. miniOrange's Google Authenticator

Plugin: miniOrange's Google Authenticator WordPress Two Factor Authentication (2FA, Two Factor, OTP SMS and Email) | Passwordless login
Installations: 20,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 5.5.75
Severity: Medium

The vulnerability has been patched, so you should update to version 5.5.75.

11. Jquery Validation For Contact Form 7

Plugin: Jquery Validation For Contact Form 7
Installations: 10,000+
Vulnerability: Arbitrary Options Update via CSRF
Patched in version: 5.3
Severity: High

The vulnerability has been patched, so you should update to version 5.3.

12. Loading Page with Loading Screen

Plugin: Loading Page with Loading Screen
Installations: 10,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.0.83
Severity: Low

The vulnerability has been patched, so you should update to version 1.0.83.

13. Simple Post Notes

Plugin: Simple Post Notes
Installations: 9,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.7.6
Severity: Low

The vulnerability has been patched, so you should update to version 1.7.6.

14. OAuth Single Sign On

Plugin: OAuth Single Sign On SSO (OAuth Client)
Installations: 3,000+
Vulnerability: Authentication Bypass
Patched in version: 6.22.6
Severity: Critical

The vulnerability has been patched, so you should update to version 6.22.6.

15. Page Generator Plugin

Plugin: Page Generator
Installations: 3,000+
Vulnerabilities: Admin+ Stored Cross-Site Scripting; Arbitrary Keywords Deletion/Duplication via CSRF
Patched in version: 1.6.5
Severity: Low

The vulnerabilities have been patched, so you should update to version 1.6.5.

16. CDI

Plugin: CDI Collect and Deliver Interface for Woocommerce
Installations: 300+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 5.1.9
Severity: Medium

The vulnerability has been patched, so you should update to version 5.1.9.

17. DX Share Selection

Plugin: DX Share Selection
Installations: 10+
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: 1.5
Severity: Medium

The vulnerability has been patched, so you should update to version 1.5.

18. 404s

Plugin: 404s
Installations: 10+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 3.5.1
Severity: Low

The vulnerability has been patched, so you should update to version 3.5.1.

WordPress Plugin Vulnerabilities No Known Fix

The plugins below have no patched version. Until a fix is available, deactivate the plugin, then uninstall and delete it; a deactivated plugin's files remain on disk and can still be reachable by direct request.

LinkedIn Company Updates

Plugin: LinkedIn Company Updates
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix (plugin closed)
Severity: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Import CSV Files

Plugin: Import CSV Files
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No fix (plugin closed)
Severity: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Very Simple Breadcrumb

Plugin: Very Simple Breadcrumb
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix (plugin closed)
Severity: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Free Live Chat Support

Plugin: Free Live Chat Support
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: No fix (plugin closed)
Severity: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Best Contact Management Software

Plugin: Best Contact Management Software for WordPress
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No fix (plugin closed)
Severity: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
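A practical way to act on a digest like this across many sites is to compare what is actually installed against the "patched in version" and "no fix" lists above. The following script is an added example, not code from the digest or from any of the plugins it lists: it reads the JSON that WP-CLI's `wp plugin list --format=json` prints, parses plugin versions numerically (so that 2.4 is correctly seen as older than 2.4.2, which a plain string comparison gets wrong), and flags any plugin that is either below the patched version or on the closed-plugin list. The plugin slugs in the digest tables and the sample plugin list are assumptions for illustration and must be checked against each plugin's wordpress.org URL before use; only a subset of this week's entries is included.

```python
"""Audit installed WordPress plugins against this digest's patched/closed lists.

Added example, not part of the original digest. Reads the JSON printed by
`wp plugin list --format=json` (WP-CLI). Slugs below are assumptions: verify
each against the plugin's wordpress.org URL before relying on them.
"""
import json
import re
import sys

# Minimum safe version per plugin slug (subset of the digest; slugs assumed).
PATCHED = {
    "download-manager": "3.2.44",
    "learnpress": "4.1.6.7",
    "brizy": "2.4.2",
    "advanced-database-cleaner": "3.1.1",
    "accept-stripe-payments": "2.0.64",
    "jquery-validation-for-contact-form-7": "5.3",
    "page-generator": "1.6.5",
}

# Plugins the digest lists with no fix: the only remediation is removal (slugs assumed).
CLOSED = {
    "linkedin-company-updates",
    "import-csv-files",
    "very-simple-breadcrumb",
    "free-live-chat-support",
}


def parse_version(v):
    """Turn '3.2.44' into (3, 2, 44). A non-numeric suffix such as '1.2-beta'
    contributes only its leading digits, so '1.2-beta' parses as (1, 2)."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def version_lt(a, b):
    """True if version string a is older than b. Missing components count as
    zero, so '2.4' compares equal to '2.4.0' and older than '2.4.2'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


def audit(plugin_list_json):
    """Return (slug, installed_version, action) for each plugin the digest flags.

    Inactive plugins are flagged too: WP-CLI lists them, and the digest's
    advice for closed plugins is to delete, not merely deactivate."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug, installed = plugin["name"], plugin["version"]
        if slug in CLOSED:
            findings.append((slug, installed, "no fix: deactivate and delete"))
        elif slug in PATCHED and version_lt(installed, PATCHED[slug]):
            findings.append((slug, installed, f"update to {PATCHED[slug]} or later"))
    return findings


# Constructed sample of `wp plugin list --format=json` output (not real site data).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "download-manager", "status": "active", "update": "available", "version": "3.2.43"},
    {"name": "learnpress", "status": "active", "update": "none", "version": "4.1.6.7"},
    {"name": "brizy", "status": "inactive", "update": "none", "version": "2.4"},
    {"name": "very-simple-breadcrumb", "status": "active", "update": "none", "version": "1.0"},
    {"name": "hello-dolly", "status": "inactive", "update": "none", "version": "1.7.2"},
])


if __name__ == "__main__":
    # Pipe real output in (`wp plugin list --format=json | python audit_plugins.py`);
    # with no piped input the constructed sample is audited instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLUGIN_LIST
    for slug, installed, action in audit(data):
        print(f"{slug} {installed}: {action}")
```

On the constructed sample the script reports Download Manager 3.2.43 and Brizy 2.4 as needing an update and Very Simple Breadcrumb as needing removal, while LearnPress at exactly the patched version and the unrelated Hello Dolly plugin pass. Note that Brizy is flagged even though it is inactive, which matches the digest's guidance to delete rather than just deactivate.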

WordPress Theme Vulnerabilities

Good news! No new WordPress theme vulnerabilities were disclosed this week.

If you are under our WordPress Managed Maintenance plan, there is nothing to worry about: we have already taken the necessary steps to protect your sites.

The information for this blog post was taken from iThemes Vulnerability Roundup

If you're not under our maintenance plan, what are you waiting for? Sign up today!