Threat Alerts / May 12, 2021

Each vulnerability includes a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. Simple Admin Language Change

Plugin: Simple Admin Language Change
Vulnerability: Arbitrary User Locale Change
Patched in Version: 2.0.2
Severity Score: 4.3 Medium

The vulnerability is patched, so you should update to version 2.0.2+.

2. Ship to eCourier

Plugin: Ship to eCourier
Vulnerability: Plugin's Settings Update via CSRF
Patched in Version: 1.0.2
Severity Score: 5.4 Medium

The vulnerability is patched, so you should update to version 1.0.2+.

3. Parcel Tracker eCourier

Plugin: Parcel Tracker eCourier
Vulnerability: Plugin's Settings Update via CSRF
Patched in Version: 1.0.2
Severity Score: 5.4 Medium

The vulnerability is patched, so you should update to version 1.0.2+.

4. PickPlugins Product Slider for WooCommerce

Plugin: PickPlugins Product Slider for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.13.22
Severity Score: 7.1 High

The vulnerability is patched, so you should update to version 1.13.22+.

5. Hana Flv Player

Plugin: Hana Flv Player
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: 3.8 Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

6. Hotjar Connecticator

Plugin: Hotjar Connecticator
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: 3.8 Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

7. GA Google Analytics

Plugin: GA Google Analytics
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: 5.9 Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

8. Target First Plugin

Plugin: Target First Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Licence Key
Patched in Version: 1.0
Severity Score: 7.2 High

The vulnerability is patched, so you should update to version 1.0+.

9. Leads-5050 Visitor Insights

Plugin: Leads-5050 Visitor Insights
Vulnerability: Unauthorized License Change
Patched in Version: 1.1.0
Severity Score: 7.1 High

The vulnerability is patched, so you should update to version 1.1.0+.

10. DSGVO All in one for WP

Plugin: DSGVO All in one for WP
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 4.0
Severity Score: 8.3 High

The vulnerability is patched, so you should update to version 4.0+.

11. UltimateWoo

Plugin: UltimateWoo
Vulnerability: PHP Object Injection
Patched in Version: No known fix (plugin closed)
Severity Score: 5.6 Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

12. Ultimate Member

Plugin: Ultimate Member
Vulnerability: Authenticated Reflected Cross-Site Scripting
Patched in Version: 2.1.20
Severity Score: 4.4 Medium

The vulnerability is patched, so you should update to version 2.1.20+.

13. Autoptimize

Plugin: Autoptimize
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 2.8.4
Severity Score: 6.6 Medium

The vulnerability is patched, so you should update to version 2.8.4+.

14. Zlick Paywall

Plugin: Zlick Paywall
Vulnerability: CSRF Bypasses
Patched in Version: 2.2.2
Severity Score: 3.1 Low

The vulnerability is patched, so you should update to version 2.2.2+.

15. ThemeHigh WooCommerce Wishlist and Comparison

Plugin: ThemeHigh WooCommerce Wishlist and Comparison
Vulnerability: Unauthorized AJAX Call
Patched in Version: 1.0.5
Severity Score: 7.2 High

The vulnerability is patched, so you should update to version 1.0.5+.

16. Simple Giveaways

Plugin: Simple Giveaways
Vulnerability: Unauthenticated Reflected Cross-Site Scripting
Patched in Version: 2.36.2
Severity Score: 7.1 High

The vulnerability is patched, so you should update to version 2.36.2+.

17. ReDi Restaurant Reservations

Plugin: ReDi Restaurant Reservations
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 21.0426
Severity Score: 7.1 High

The vulnerability is patched, so you should update to version 21.0426+.

18. All in One SEO Pack

Plugin: All in One SEO Pack
Vulnerability: Remote Code Execution
Patched in Version: 4.1.0.2
Severity Score: 6.6 Medium

The vulnerability is patched, so you should update to version 4.1.0.2+.

19. LifterLMS

Plugin: LifterLMS
Vulnerability: Authenticated Stored Cross-Site Scripting in Edit Profile
Patched in Version: 4.21.1
Severity Score: 7.4 High

Vulnerability: Reflected Cross-Site Scripting via Coupon Code in Checkout
Patched in Version: 4.21.1
Severity Score: 6.1 Medium

Both vulnerabilities are patched, so you should update to version 4.21.1+.

WordPress Themes Vulnerabilities

No new theme vulnerabilities have been disclosed this month.

If you are under a WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign up today!