WordPress Vulnerabilities Digest - November 2021 Part 2
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.1. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
1. Contest Gallery
Plugin: Contest Gallery Vulnerability: Subscriber+ Email Address Disclosure Patched in Version: 13.1.0.7 Severity Score: Medium
The vulnerability is patched, so you should update to version 13.1.0.7.
Plugin: Contest Gallery Vulnerability: Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure Patched in Version: 13.1.0.6 Severity Score: High
The vulnerability is patched, so you should update to version 13.1.0.6.
2. Check & Log Email
Plugin: Check & Log Email Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.0.4 Severity Score: High
The vulnerability is patched, so you should update to version 1.0.4.
3. BSK PDF Manager
Plugin: BSK PDF Manager Vulnerability: Admin+ SQL Injection Patched in Version: 3.1.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.1.2.
4. Stylish Cost Calculator
Plugin: Stylish Cost Calculator Vulnerability: Subscriber+ Unauthorised AJAX Calls to Stored XSS Patched in Version: 7.0.4 Severity Score: High
The vulnerability is patched, so you should update to version 7.0.4.
5. Shop Page WP
Plugin: Shop Page WP Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.2.8 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.2.8.
6. Ibtana Ecommerce Product Addons
Plugin: Ibtana Ecommerce Product Addons Vulnerability: Reflected Cross-Site Scripting Patched in Version: 0.2.4 Severity Score: High
The vulnerability is patched, so you should update to version 0.2.4.
7. WP RSS Aggregator
Plugin: WP RSS Aggregator Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 4.19.2 Severity Score: Low
The vulnerability is patched, so you should update to version 4.19.2.
8. GenerateBlocks
Plugin: GenerateBlocks Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 1.4.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.4.0.
9. Email Before Download
Plugin: Email Before Download Vulnerability: Admin+ SQL Injection Patched in Version: 6.8 Severity Score: Medium
The vulnerability is patched, so you should update to version 6.8.
10. myCred
Plugin: myCred Vulnerability: Subscriber+ SQL Injection Patched in Version: 2.3 Severity Score: High
The vulnerability is patched, so you should update to version 2.3.
11. Google Maps Easy
Plugin: Google Maps Easy Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.10.1 Severity Score: Low
The vulnerability is patched, so you should update to version 1.10.1.
12. My Calendar
Plugin: My Calendar Vulnerability: Subscriber+ Reflected Cross-Site Scripting Patched in Version: 3.2.18 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.2.18.
13. ARForms Form Builder
Plugin: ARForms Form Builder Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.5 Severity Score: Low
The vulnerability is patched, so you should update to version 1.5.
14. WP DSGVO Tools
Plugin: WP DSGVO Tools Vulnerability: Unauthenticated Arbitrary Post Deletion Patched in Version: 3.1.24 Severity Score: High
The vulnerability is patched, so you should update to version 3.1.24.
15. WP All Import
Plugin: WP All Import Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 3.6.3 Severity Score: Low
The vulnerability is patched, so you should update to version 3.6.3.
16. WPS Hide Login
Plugin: WPS Hide Login Vulnerability: Protection Bypass with Referer-Header Patched in Version: 1.9.1 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.9.1.
17. WP Google Fonts
Plugin: WP Google Fonts Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.1.5 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.1.5.
18. Event Manager for WooCommerce
Plugin: Event Manager for WooCommerce Vulnerability: Unauthenticated Arbitrary Elementor Template Import Patched in Version: 3.5.3 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.5.3.
Plugin: Event Manager for WooCommerce Vulnerability: Unauthenticated Arbitrary Options Reset Patched in Version: 3.5.3 Severity Score: High
The vulnerability is patched, so you should update to version 3.5.3.
19. AutomatorWP
Plugin: AutomatorWP Vulnerability: Missing Authorization and Privilege Escalation Patched in Version: 1.7.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.7.6.
20. Logo Slider and Showcase
Plugin: Logo Slider and Showcase Vulnerability: Editor Plugins Settings Update Patched in Version: 1.3.37 Severity Score: Low
The vulnerability is patched, so you should update to version 1.3.37.
21. Stylish Price List
Plugin: Stylish Price List Vulnerability: Unauthenticated Arbitrary Image Upload Patched in Version: 6.9.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 6.9.0.
Plugin: Stylish Price List Vulnerability: Subscriber+ Arbitrary Image Upload Patched in Version: 6.9.1 Severity Score: Medium
The vulnerability is patched, so you should update to version 6.9.1.
22. WP Debugging
Plugin: WP Debugging Vulnerability: Unauthenticated Plugins Settings Update Patched in Version: 2.11.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.11.0.
23. Hotel Listing
Plugin: Hotel Listing Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 1.3.3 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.3.3.
24. Email Tracker
Plugin: Email Tracker Vulnerability: Reflected Cross-Site Scripting Patched in Version: 5.2.6 Severity Score: High
The vulnerability is patched, so you should update to version 5.2.6.
25. Contact Form by Supsystic
Plugin: Contact Form by Supsystic Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.7.20 Severity Score: Low
The vulnerability is patched, so you should update to version 1.7.20.
26. Restaurant Menu by MotoPress
Plugin: Restaurant Menu by MotoPress Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 2.4.2 Severity Score: Low
The vulnerability is patched, so you should update to version 2.4.2.
27. SEO Redirection
Plugin: SEO Redirection Vulnerability: Subscriber+ SQL Injection Patched in Version: 8.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 8.2.
28. Tutor LMS
Plugin: Tutor LMS Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.9.11 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.9.11.
29. Ninja Forms
Plugin: Ninja Forms Vulnerability: Admin+ SQL Injection Patched in Version: 3.6.4 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.6.4.
30. Registrations for The Events Calendar
Plugin: Registrations for The Events Calendar Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.7.5 Severity Score: High
The vulnerability is patched, so you should update to version 2.7.5.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!