WordPress Vulnerabilities Digest - March 2021 Part 3

Threat Alerts / June 03, 2021
What to do if you run one of the vulnerable plugins or themes on your website: Tutor LMS, WP Super Cache, SEO Redirection, Flo Forms and other plugins.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. Tutor LMS

Vulnerability: Multiple SQL Injection & Unprotected AJAX including Privilege Escalation
Patched in Version: 1.7.7
Severity: High

2. WP Super Cache

Vulnerability: Authenticated RCE
Patched in Version: 1.7.2
Severity: Critical

3. SEO Redirection

Vulnerability: Authenticated Reflected Cross-Site Scripting
Patched in Version: No Known Fix
Severity: Medium

4. Flo Forms

Vulnerability: Authenticated Options Change to Stored XSS
Patched in Version: 1.0.36
Severity: Critical

5. Social Slider Widget

Vulnerability: Authenticated Reflected Cross-Site Scripting
Patched in Version: 1.8.5
Severity: Critical

6. Paid Membership Pro

Vulnerability: Authenticated SQL Injection
Patched in Version: 2.5.6
Severity: Medium

7. BuddyPress

Vulnerability: Multiple vulnerabilities, including REST API Privilege Escalation
Patched in Version: 7.2.1
Severity: High

8. Elementor

Vulnerability: Multiple Authenticated Stored Cross-Site Scripting
Patched in Version: 3.1.2
Severity: Medium

9. WordPress Related Posts

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No Known Fix
Severity: Medium

10. WP Page Builder

Vulnerability: Insecure default configuration allows Subscribers editing access to posts
Patched in Version: 1.2.4
Severity: Medium

11. PhastPress

Vulnerability: Open Redirect
Patched in Version: 1.111
Severity: Medium

12. WooCommerce Help Scout

Vulnerability: Unauthenticated Arbitrary File Upload leading to RCE
Patched in Version: No Known Fix (actively being exploited; remove the plugin now)
Severity: Critical

13. Controlled Admin Access

Vulnerability: Improper Access Control & Privilege Escalation
Patched in Version: 1.5.2
Severity: High

WordPress Theme Vulnerabilities

No new theme vulnerabilities have been disclosed this month.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!