Threat Alerts / May 13, 2020

The WordPress plugins and themes listed below have vulnerabilities ranging from low to high risk. There are no critical-level vulnerabilities in this list.

WordPress Plugin Vulnerabilities

1. WP Advanced Search - HIGH

WP-Advanced-Search versions below 3.3.7 have an Authenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 3.3.7.

2. LearnPress - HIGH

LearnPress versions below 3.2.6.9 have multiple critical vulnerabilities. The vulnerabilities are patched, and you should update to version 3.2.6.9.

3. Gmedia Photo Gallery - MEDIUM

Gmedia Photo Gallery versions below 1.18.5 have multiple Cross-Site Scripting vulnerabilities. The vulnerabilities are patched, and you should update to version 1.18.5.

4. Ninja Forms - HIGH

Ninja Forms versions below 3.4.24.2 have a CSRF to Stored XSS vulnerability. The vulnerability is patched, and you should update to version 3.4.24.2.

5. WTI Like Post - LOW

All versions of WTI Like Post have an Authenticated Stored Cross-Site Scripting vulnerability. Recommendation: Remove the plugin. It is closed on WordPress.org pending review.

6. Advanced Order Export For WooCommerce - LOW

Advanced Order Export For WooCommerce versions below 3.1.4 have an Authenticated Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.1.4.

7. Elementor - MEDIUM

Elementor versions below 2.9.8 have an SVG Sanitizer Bypass vulnerability leading to Authenticated Stored XSS. The vulnerability is patched, and you should update to version 2.9.8.

8. Ultimate Addons for Elementor - HIGH

Ultimate Addons for Elementor versions below 1.24.2 have a Registration Bypass vulnerability. The vulnerability is patched, and you should update to version 2.2.9.

9. Elementor Pro - HIGH

Elementor Pro versions below 2.9.4 have an Authenticated Arbitrary File Upload vulnerability. The vulnerability is patched, and you should update to version 2.9.4.

10. Chopslider - HIGH

All versions of Chopslider have an Unauthenticated Blind SQL Injection vulnerability. There is no patch available, and you should remove the plugin.

11. Page Builder by SiteOrigin - HIGH

Page Builder by SiteOrigin versions below 2.10.16 have a CSRF to Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.10.16.

12. WooCommerce - LOW

WooCommerce versions below 4.1.0 have an Unescaped Metadata vulnerability when duplicating products. The vulnerability is patched, and you should update to version 4.1.0.

WordPress Theme Vulnerabilities

1. Avada - HIGH

Avada versions below 6.2.3 have a Missing Permission Checks vulnerability leading to Arbitrary Post Creation, Editing, Deletion and Stored XSS. The vulnerability is patched, and you should update to version 6.2.3.

The information for this blog post was taken from iThemes Vulnerability Roundup.

What you should do

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we have already taken the necessary steps to protect your sites. Yay!

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!