Threat Alerts / Nov 03, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

 

WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.1. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

1. Reviews Plus

Plugin: Reviews Plus Vulnerability: Subscriber+ Reviews DoS Patched in Version: 1.2.14 Severity Score: Low

The vulnerability is patched, so you should update to version 1.2.14.

2. Slideshow Gallery

Plugin: Slideshow Gallery Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.7.4 Severity Score: Low

The vulnerability is patched, so you should update to version 1.7.4.

3. MainWP Child 

Plugin: MainWP Child Vulnerability: Admin+ SQL Injection Patched in Version: 4.1.8 Severity Score: Medium

The vulnerability is patched, so you should update to version 4.1.8.

4. eCommerce Product Catalog for WordPress

Plugin: eCommerce Product Catalog for WordPress Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.0.39 Severity Score: High

The vulnerability is patched, so you should update to version 3.0.39.

5. Falang multilanguage for WordPress

Plugin: Falang multilanguage for WordPress Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.3.18 Severity Score: High

The vulnerability is patched, so you should update to version 1.3.18.

6. Video Lessons Manager

Plugin: Video Lessons Manager Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.7.2 Severity Score: Low

The vulnerability is patched, so you should update to version 1.7.2.

7. WP Spell Check

Plugin: WP Spell Check Vulnerability: Reflected Cross-Site Scripting Patched in Version: 9.3 Severity Score: High

The vulnerability is patched, so you should update to version 9.3.

8. Ecommerce – Two Factor Authentication

Plugin: Ecommerce – Two Factor Authentication Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.0.5 Severity Score: High

The vulnerability is patched, so you should update to version 1.0.5.

9. MAZ Loader

Plugin: MAZ Loader Vulnerability: Arbitrary Loader Deletion via CSRF Patched in Version: No known fix Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

10. Age Gate

Plugin: Age Gate Vulnerability: Unauthenticated Import Settings Patched in Version: 2.17.1 Severity Score: Critical

The vulnerability is patched, so you should update to version 2.17.1.

11. Duplicate Post

Plugin: Duplicate Post Vulnerability: Authenticated SQL Injection Patched in Version: 1.2.0 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.0.

12. Notification

Plugin: Notification Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 8.0.0 Severity Score: Low

The vulnerability is patched, so you should update to version 8.0.0.

13. Connections Business Directory

Plugin: Connections Business Directory Vulnerability: Admin+ CSV Injection Patched in Version: 9.7 Severity Score: Medium

The vulnerability is patched, so you should update to version 9.7.

14. Media-Tags

Plugin: Media-Tags Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of September 28, 2021. Uninstall and delete.

15. About Author Box

Plugin: About Author Box Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 1.0.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.2.

16. Subscriptions & Memberships for PayPal

Plugin: Subscriptions & Memberships for PayPal Vulnerability: Reflected Cross-Site Scripting via page Parameter Patched in Version: 1.1.3 Severity Score: High

The vulnerability is patched, so you should update to version 1.1.3.

17. Accept Donations with PayPal

Plugin: Accept Donations with PayPal Vulnerability: Reflected Cross-Site Scripting via page Parameter Patched in Version: 1.3.1 Severity Score: High

The vulnerability is patched, so you should update to version 1.3.1.

18. Easy PayPal Events

Plugin: Easy PayPal Events Vulnerability: Reflected Cross-Site Scripting via page Parameter Patched in Version: 1.1.2 Severity Score: High

The vulnerability is patched, so you should update to version 1.1.2.

19. Popup Anything

Plugin: Popup Anything Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 2.0.4 Severity Score: High

The vulnerability is patched, so you should update to version 2.0.4.

20. JS Job Manager

Plugin: JS Job Manager Vulnerability: Unauthenticated Arbitrary Plugin Installation/Activation Patched in Version: 1.1.9 Severity Score: Critical

The vulnerability is patched, so you should update to version 1.1.9.

21. Bulk Datetime Change

Plugin: Bulk Datetime Change Vulnerability: Missing Authorisation Patched in Version: 1.12 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.12.

22. Ninja Forms

Plugin: Ninja Forms Vulnerability: Admin+ SQL Injection Patched in Version: 3.6.4 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.6.4.

23. WP Attachment Export 

Plugin: WP Attachment Export Vulnerability: Unauthenticated Posts Download Patched in Version: 0.2.4 Severity Score: High

The vulnerability is patched, so you should update to version 0.2.4.

24. Content text slider on post

Plugin: Content text slider on post Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 6.9 Severity Score: Medium

The vulnerability is patched, so you should update to version 6.9.

25. HashThemes Demo Importer

Plugin: HashThemes Demo Importer Vulnerability: Improper Access Control to Blog Reset Patched in Version: 1.1.2 Severity Score: Critical

The vulnerability is patched, so you should update to version 1.1.2.

26. Registrations for The Events Calendar 

Plugin: Registrations for The Events Calendar Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.7.5 Severity Score: High

The vulnerability is patched, so you should update to version 2.7.5.

27. Mang Board WP

Plugin: Mang Board WP Vulnerability: SQL Injection Patched in Version: 1.6.9 Severity Score: High

The vulnerability is patched, so you should update to version 1.6.9.

28. OptinMonster

Plugin: OptinMonster Vulnerability: Unprotected REST-API Endpoints Patched in Version: 2.6.5 Severity Score: High

The vulnerability is patched, so you should update to version 2.6.5.

29. NextScripts: Social Networks Auto-Poster

Plugin: NextScripts: Social Networks Auto-Poster Vulnerability: Reflected Cross-Site Scripting Patched in Version: 4.3.21 Severity Score: High

The vulnerability is patched, so you should update to version 4.3.21.

30. Smash Balloon Social Post Feed

Plugin: Smash Balloon Social Post Feed Vulnerability: Subscriber+ Arbitrary Plugin Settings Update to Stored XSS Patched in Version: 4.0.1 Severity Score: High

The vulnerability is patched, so you should update to version 4.0.1.

31. WP-Pro-Quiz

Plugin: WP-Pro-Quiz Vulnerability: Arbitrary Quiz Deletion via CSRF Patched in Version: No known fix – plugin closed Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of July 17, 2020. Uninstall and delete.

32. Contact Form by Supsystic

Plugin: Contact Form by Supsystic Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: no known fix Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

33. WP-Stats

Plugin: WP-Stats  Vulnerability: CSRF to Stored Cross-Site Scripting (XSS) Patched in Version: 2.52 Severity Score: High

This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

 

If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay! 

The information for this blog post was taken from iThemes Vulnerability Roundup

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!