WordPress Vulnerabilities Digest - June 2020 Part 2
The WordPress plugins and themes mentioned below have various types of vulnerabilities. Please review the list and remediation steps below.
WordPress Core Vulnerabilities
No WordPress Core vulnerabilities were disclosed in the second half of June 2020.
WordPress Plugin Vulnerabilities
1. Brizy Page Builder
Brizy Page Builder versions below 1.0.126 have an Improper Access Controls on AJAX Calls vulnerability. The vulnerability is patched, and you should update to version 1.0.126.
2. wpDiscuz
wpDiscuz versions below 5.3.6 have an Unauthenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 5.3.6.
3. Page Builder: KingComposer
Page Builder: KingComposer versions below 2.9.4 have multiple security issues, including Arbitrary File Deletion and Remote Code Execution vulnerabilities. The vulnerabilities are patched, and you should update to version 2.9.4.
4. Delete All Comments Easily
All versions of Delete All Comments Easily have a Cross-Site Scripting vulnerability. Remove the plugin until a security fix is released.
5. Testimonial Rotator
Testimonial Rotator versions below 3.0.3 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.0.3.
6. All in One Support Button
All in One Support Button versions below 1.8.8 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.8.8.
7. YITH WooCommerce Ajax Product Filter
YITH WooCommerce Ajax Product Filter versions below 3.11.1 have an Authenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.11.1.
8. WP Pro Quiz
All versions of WP Pro Quiz have a Cross-Site Request Forgery vulnerability. Remove the plugin until a security fix is released.
9. WooCommerce
WooCommerce versions below 4.2.1 have a Potential Cross-Site Scripting vulnerability via SelectWoo. The vulnerability is patched, and you should update to version 4.2.1.
WordPress Theme Vulnerabilities
1. Travel Booking
Travel Booking versions below 2.8.2 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.8.2.
2. TownHub
TownHub versions below 1.3.0 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.3.0.
3. CityBook
CityBook versions below 2.4.4 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.4.4.
The information for this blog post was taken from the iThemes Vulnerability Roundup.
What you should do
If you are under our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!
If you're not under our maintenance plan... well, what are you waiting for? Sign up today!