Threat Alerts / May 19, 2021

Each vulnerability is given a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities are an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

This week saw the WordPress 5.7.2 security release, which fixes one security issue affecting WordPress versions between 3.7 and 5.7. If you haven't yet updated to 5.7, note that all WordPress versions since 3.7 have also received the fix for the Object Injection in PHPMailer security issue.

1. WordPress 5.7.2 Security Release

Vulnerability: Object Injection in PHPMailer
Patched in Version: 5.7.2
Severity Score: Medium

The vulnerability has been patched, so you should update all your sites today to WordPress 5.7.2.

WordPress Plugin Vulnerabilities

1. Photo Gallery

Plugin: Photo Gallery
Vulnerability: Authenticated Stored Cross-Site Scripting via Gallery Title
Patched in Version: 1.5.67
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.5.67+.

2. Weekly Schedule

Plugin: Weekly Schedule
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 3.4.3
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.4.3+.

3. External Media

Plugin: External Media
Vulnerability: Authenticated Arbitrary File Upload
Patched in Version: 1.0.34
Severity Score: Critical

The vulnerability is patched, so you should update to version 1.0.34+.

4. WP Super Cache

Plugin: WP Super Cache
Vulnerability: Authenticated Remote Code Execution
Patched in Version: 1.7.3
Severity Score: High

The vulnerability is patched, so you should update to version 1.7.3+.

5. Database Backup for WordPress

Plugin: Database Backup for WordPress
Vulnerability: Authenticated Persistent Cross-Site Scripting
Patched in Version: 2.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.4+.

WordPress Theme Vulnerabilities

1. Mediumish

Theme: Mediumish
Vulnerability: Unauthenticated Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the theme until a patch is released.

2. Listeo

Theme: Listeo
Vulnerability: Multiple XSS & XFS vulnerabilities
Patched in Version: 1.6.11
Severity Score: Medium

Vulnerability: Multiple Authenticated IDOR Vulnerabilities
Patched in Version: 1.6.11
Severity Score: Medium

These vulnerabilities are patched, so you should update to version 1.6.11+.

3. Bello

Theme: Listeo
Vulnerability: Authenticated XSS & XFS
Patched in Version: 1.6.0
Severity Score: Medium

Vulnerability: Unauthenticated Reflected XSS & XFS
Patched in Version: 1.6.0
Severity Score: Medium

Vulnerability: Unauthenticated Blind SQL Injection
Patched in Version: 1.6.0
Severity Score: Critical

These vulnerabilities are patched, so you should update to version 1.6.0+.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!