Threat Alerts / Nov 25, 2020

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

WordPress Core Vulnerabilities

Good news! No new WordPress core vulnerabilities were disclosed in November.

Keep in mind that WordPress 5.6 is due out December 8, so mark your calendars.

WordPress Plugin Vulnerabilities

1. Good LMS

Good LMS versions below 2.1.5 have an Unauthenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 2.1.5.

2. BA Book Everything

BA Book Everything versions below 1.3.25 have Unauthenticated Reflected XSS & XFS vulnerabilities. These vulnerabilities are patched, and you should update to version 1.3.25.

3. AIT CSV Import / Export

All versions of AIT CSV Import / Export have an Unauthenticated Arbitrary File Upload vulnerability. Remove the plugin until a security fix is released.

4. Fancy Product Designer

Fancy Product Designer versions below 4.5.1 have an Unauthenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 4.5.1.

5. Contextual Related Posts

Contextual Related Posts versions below 2.9.4 have a CSRF Nonce Validation Bypass vulnerability. The vulnerability is patched, and you should update to version 2.9.4.

6. Import and export users and customers

Import and export users and customers versions below 1.16.3.6 have a CSV Injection vulnerability. The vulnerability is patched, and you should update to version 1.16.3.6.

7. Easy Registration Forms

Easy Registration Forms versions below 2.0.6 have a CSV Injection vulnerability. The vulnerability is patched, and you should update to version 2.0.6.

8. Spam protection, AntiSpam, FireWall by CleanTalk

Spam protection, AntiSpam, FireWall by CleanTalk versions below 5.149 have multiple Authenticated SQL Injection vulnerabilities. These vulnerabilities are patched, and you should update to version 5.149.

9. Secure File Manager

All versions of Secure File Manager have an Authenticated Remote Command Execution vulnerability. Remove the plugin until a security fix is released.

10. Media Library Assistant

Media Library Assistant versions below 2.90 have an Authenticated Blind SQL Injection vulnerability. The vulnerability is patched, and you should update to version 2.90.

11. WooCommerce Anti-Fraud

WooCommerce Anti-Fraud versions below 3.3 have an Unauthenticated Order Status Manipulation vulnerability. The vulnerability is patched, and you should update to version 3.3.

WordPress Themes Vulnerabilities

1. Love Travel

Love Travel versions below 3.8 have Unauthenticated Reflected XSS & XFS vulnerabilities. These vulnerabilities are patched, and you should update to version 3.8.
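To turn the plugin list above into a check you can run against a site, here is an added example (not part of the original roundup or of iThemes' tooling) that triages the JSON printed by `wp plugin list --fields=title,version --format=json` against the fixed versions listed above. It assumes the plugin titles WordPress reports match the names used in the roundup, and it compares versions numerically, since a plain string comparison would wrongly flag 2.10.0 as older than 2.9.4.

```python
import json
import re

# Fixed versions from the roundup above. None means no fix has been released and the
# plugin should be removed. Keys are plugin titles as WordPress reports them; matching
# the roundup's names to those titles is an assumption of this example.
FIXED_VERSIONS = {
    "Good LMS": "2.1.5",
    "BA Book Everything": "1.3.25",
    "AIT CSV Import / Export": None,
    "Fancy Product Designer": "4.5.1",
    "Contextual Related Posts": "2.9.4",
    "Import and export users and customers": "1.16.3.6",
    "Easy Registration Forms": "2.0.6",
    "Spam protection, AntiSpam, FireWall by CleanTalk": "5.149",
    "Secure File Manager": None,
    "Media Library Assistant": "2.90",
    "WooCommerce Anti-Fraud": "3.3",
}

def version_key(version):
    """Turn '1.16.3.6' into a tuple of ints so comparison is numeric, not lexical
    ('2.10.0' must sort above '2.9.4'). Non-numeric suffixes such as '-beta' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def is_below(installed, fixed):
    """True if installed < fixed; shorter tuples are zero-padded so 2.1.5 == 2.1.5.0."""
    a, b = version_key(installed), version_key(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def triage(plugin_list_json):
    """Map each installed plugin named in the roundup to the action it needs."""
    actions = {}
    for plugin in json.loads(plugin_list_json):
        title, installed = plugin["title"], plugin["version"]
        if title not in FIXED_VERSIONS:
            continue  # not in this month's roundup
        fixed = FIXED_VERSIONS[title]
        if fixed is None:
            actions[title] = "remove: no fix released"
        elif is_below(installed, fixed):
            actions[title] = f"update: {installed} -> {fixed}"
        else:
            actions[title] = "ok"
    return actions

# Constructed sample shaped like wp-cli's JSON output; not taken from a real site.
SAMPLE = json.dumps([
    {"title": "Media Library Assistant", "version": "2.9.4"},
    {"title": "Import and export users and customers", "version": "1.16.3.10"},
    {"title": "Secure File Manager", "version": "1.0"},
    {"title": "Contextual Related Posts", "version": "2.10.0"},
    {"title": "Akismet Anti-Spam", "version": "4.1.7"},
])

if __name__ == "__main__":
    for title, action in triage(SAMPLE).items():
        print(f"{title}: {action}")
```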

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!