Threat Alerts / Mar 30, 2021

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.


WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. GiveWP

Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.10.0
Severity: High

2. Mapplic and Mapplic Lite

Vulnerability: SSRF to Stored Cross-Site Scripting
Patched in Version: Mapplic Lite 1.0.1 & Mapplic 6.2.1
Severity: High

3. MapifyLife

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity: Medium

4. Thrive AB Page Testing

Vulnerability: Unauthenticated Option Update
Patched in Version: 1.4.13.3
Severity: Medium

5. Thrive Comments

Vulnerability: Unauthenticated Option Update
Patched in Version: 1.4.15.3
Severity: Medium

6. Thrive Headline Optimizer

Vulnerability: Unauthenticated Option Update
Patched in Version: 1.3.7.3
Severity: Medium

7. Thrive Leads

Vulnerability: Unauthenticated Option Update
Patched in Version: 2.3.9.4
Severity: Medium

8. Thrive Ultimatum

Vulnerability: Unauthenticated Option Update
Patched in Version: 2.3.9.4
Severity: Medium

9. Thrive Quiz Builder

Vulnerability: Unauthenticated Option Update
Patched in Version: 2.3.9.4
Severity: Medium

10. Thrive Apprentice

Vulnerability: Unauthenticated Option Update
Patched in Version: 2.3.9.4
Severity: Medium

11. Thrive Visual Editor

Vulnerability: Unauthenticated Option Update
Patched in Version: 2.6.7.4
Severity: Medium

12. Thrive Dashboard

Vulnerability: Unauthenticated Option Update
Patched in Version: 2.3.9.3
Severity: Medium

13. Thrive Ovation

Vulnerability: Unauthenticated Option Update
Patched in Version: 2.4.5
Severity: Medium

14. JH 404 Logger

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity: Critical

15. Business Directory

Vulnerability: Unauthenticated Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity: Medium

16. Facebook for WordPress

Vulnerability: PHP Object Injection with POP Chain
Patched in Version: 3.0.0
Severity: Critical

Vulnerability: CSRF to Stored XSS and Settings Deletion
Patched in Version: 3.0.4
Severity: High

17. Vertical News Scroller

Vulnerability: Authenticated Reflected Cross-Site Scripting
Patched in Version: 1.17
Severity: Critical

18. Quiz And Survey Master

Vulnerability: Authenticated SQL Injection via Shortcode
Patched in Version: 7.1.12
Severity: High

Vulnerability: Authenticated SQL Injection via REST API
Patched in Version: 7.1.14
Severity: High

19. WP-Curricul Vitea Free

Vulnerability: Unauthenticated Arbitrary File Upload to RCE
Patched in Version: No known fix
Severity: Critical

20. N5 Upload Form

Vulnerability: Unauthenticated Arbitrary File Upload to RCE
Patched in Version: No known fix
Severity: Critical

21. Easy Form Builder

Vulnerability: Authenticated Arbitrary File Upload
Patched in Version: No known fix
Severity: Critical

22. Patreon WordPress

Vulnerability: Unauthenticated Local File Disclosure
Patched in Version: 1.7.0
Severity: High

Vulnerability: CSRF to Overwrite/Create User Meta
Patched in Version: 1.7.0
Severity: Medium

Vulnerability: CSRF to Disconnect Sites From Patreon
Patched in Version: 1.7.0
Severity: Medium

Vulnerability: CSRF to Disconnect Sites From Patreon
Patched in Version: 1.7.0
Severity: High

Vulnerability: Reflected XSS on Login Form
Patched in Version: 1.7.2
Severity: High

Vulnerability: Reflected XSS on patreon_save_attachment_patreon_level AJAX action
Patched in Version: 1.7.2
Severity: High

23. AccessAlly

Vulnerability: $_SERVER Superglobal Leakage
Patched in Version: 3.5.7
Severity: High

WordPress Theme Vulnerabilities

1. All Thrive Themes Legacy Themes

Affected Themes: Rise, Luxe, Minus, Ignition, Focusblog, Squared, Voice, Performag, Pressive, & Storied
Vulnerability: Unauthenticated Arbitrary File Upload and Option Deletion
Patched in Version: 2.0.0
Severity: Critical

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!