NEWS
WordPress Vulnerabilities Digest - June 2022 Part 5
Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
WordPress 6.0 Arturo was released on May 24, 2022. This major version release of WordPress was built to help you unlock your creative aspirations and make your site-building experience more intuitive, including almost 1,000 enhancements and bug fixes. See whats new in WordPress 6.0.
No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
1. Contact Form 7 Captcha
PLUGIN Contact Form 7 Captcha INSTALLATIONS 100,000+ VULNERABILITY Reflected Cross-Site Scripting PATCHED IN VERSION 0.1.2 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 0.1.2.
2. Download Manager
PLUGIN Download Manager INSTALLATIONS 100,000+ VULNERABILITY Reflected Cross-Site Scripting; Contributor+ Stored Cross-Site Scripting; Unauthenticated Reflected Cross-Site Scripting PATCHED IN VERSION 3.2.44 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 3.2.44.
3. LearnPress
PLUGIN LearnPress WordPress LMS Plugin INSTALLATIONS 100,000+ VULNERABILITY Reflected Cross-Site Scripting PATCHED IN VERSION 4.1.6.7 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 4.1.6.7.
4. Woo Discount Rules
PLUGIN Discount Rules for WooCommerce INSTALLATIONS 90,000+ VULNERABILITY Reflected Cross-Site Scripting PATCHED IN VERSION 2.4.2 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 2.4.2.
5. Advanced Database Cleaner
PLUGIN Advanced Database Cleaner INSTALLATIONS 90,000+ VULNERABILITY Reflected Cross-Site Scripting PATCHED IN VERSION 3.1.1 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 3.1.1.
6. Brizy Page Builder
PLUGIN Brizy Page Builder INSTALLATIONS 90,000+ VULNERABILITY Contributor+ Stored Cross-Site Scripting via Element Content; Contributor+ Stored Cross-Site Scripting via Element URL PATCHED IN VERSION 2.4.2 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 2.4.2.
7. Accept Stripe Payments
PLUGIN Accept Stripe Payments INSTALLATIONS 40,000+ VULNERABILITY Admin+ Stored Cross-Site Scripting PATCHED IN VERSION 2.0.64 SEVERITY SCORE Low
The vulnerability has been patched, so you should update to version 2.0.64.
8. Data Tables Generator by Supsystic
PLUGIN Data Tables Generator by Supsystic INSTALLATIONS 30,000+ VULNERABILITY Admin+ Stored Cross-Site Scripting PATCHED IN VERSION 1.10.20 SEVERITY SCORE Low
The vulnerability has been patched, so you should update to version 1.10.20.
9. Insights from Google PageSpeed
PLUGIN Insights from Google PageSpeed INSTALLATIONS 30,000+ VULNERABILITY Multiple CSRF PATCHED IN VERSION 4.0.7 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 4.0.7.
10. miniOranges Google Authenticator
PLUGIN miniOranges Google Authenticator WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) | Passwordless login INSTALLATIONS 20,000+ VULNERABILITY Reflected Cross-Site Scripting PATCHED IN VERSION 5.5.75 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 5.5.75.
11. Jquery Validation For Contact Form 7
PLUGIN Jquery Validation For Contact Form 7 INSTALLATIONS 10,000+ VULNERABILITY Arbitrary Options Update via CSRF PATCHED IN VERSION 5.3 SEVERITY SCORE High
The vulnerability has been patched, so you should update to version 5.3.
12. Loading Page with Loading Screen
PLUGIN Loading Page with Loading Screen INSTALLATIONS 10,000+ VULNERABILITY Admin+ Stored Cross-Site Scripting PATCHED IN VERSION 1.0.83 SEVERITY SCORE Low
The vulnerability has been patched, so you should update to version 1.0.83.
13. Simple Post Notes
PLUGIN Simple Post Notes INSTALLATIONS 9,000+ VULNERABILITY Admin+ Stored Cross-Site Scripting PATCHED IN VERSION 1.7.6 SEVERITY SCORE Low
The vulnerability has been patched, so you should update to version 1.7.6.
14. OAuth Single Sign On
PLUGIN OAuth Single Sign On SSO (OAuth Client) INSTALLATIONS 3,000+ VULNERABILITY Authentication Bypass PATCHED IN VERSION 6.22.6 SEVERITY SCORE Critical
The vulnerability has been patched, so you should update to version 6.22.6.
15. Page Generator Plugin
PLUGIN Page Generator INSTALLATIONS 3,000+ VULNERABILITY Admin+ Stored Cross-Site Scripting; Arbitrary Keywords Deletion/Duplication via CSRF PATCHED IN VERSION 1.6.5 SEVERITY SCORE Low
The vulnerability has been patched, so you should update to version 1.6.5.
16. CDI
PLUGIN CDI Collect and Deliver Interface for Woocommerce INSTALLATIONS 300+ VULNERABILITY Reflected Cross-Site-Scripting PATCHED IN VERSION 5.1.9 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 5.1.9.
17. DX Share Selection
PLUGIN DX Share Selection INSTALLATIONS 10+ VULNERABILITY Stored Cross-Site Scripting via CSRF PATCHED IN VERSION 1.5 SEVERITY SCORE Medium
The vulnerability has been patched, so you should update to version 1.5.
18. 404s
PLUGIN 404s INSTALLATIONS 10+ VULNERABILITY Admin+ Stored Cross-Site Scripting PATCHED IN VERSION 3.5.1 SEVERITY SCORE Low
The vulnerability has been patched, so you should update to version 3.5.1.
WordPress Plugin Vulnerabilities No Known Fix
Until a patch is available, immediately uninstall and delete the plugin.
LinkedIn Company Updates
PLUGIN LinkedIn Company Updates VULNERABILITY Admin+ Stored Cross-Site Scripting PATCHED IN VERSION No Fix SEVERITY SCORE Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Import CSV Files
PLUGIN Import CSV Files VULNERABILITY Reflected Cross-Site Scripting PATCHED IN VERSION No Fix SEVERITY SCORE Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Very Simple Breadcrumb
PLUGIN Very Simple Breadcrumb VULNERABILITY Admin+ Stored Cross-Site Scripting PATCHED IN VERSION No Fix SEVERITY SCORE Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Free Live Chat Support
PLUGIN Free Live Chat Support VULNERABILITY Stored Cross-Site Scripting via CSRF PATCHED IN VERSION No Fix SEVERITY SCORE Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Best Contact Management Software
PLUGIN Best Contact Management Software for WordPress VULNERABILITY Admin+ Stored Cross-Site Scripting PATCHED IN VERSION No Fix SEVERITY SCORE Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Theme Vulnerabilities
Good news! No new WordPress theme vulnerabilities were disclosed this week.
If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from iThemes Vulnerability Roundup
If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!