WordPress Vulnerabilities Digest - November 2021 Part 3
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!
1. WordPress
Vulnerability: Expired DST Root CA X3 Certificate
Patched in Version: 5.8.2
Explanation: The wp-includes/certificates/ca-bundle.crt file contains the DST Root CA X3 certificate, which expired on September 30th, 2021, raising security warnings in some cases.
The vulnerability has been patched, so make sure you are running WordPress 5.8.2.
WordPress Plugin Vulnerabilities
1. Registrations for the Events Calendar
Plugin: Registrations for the Events Calendar
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 2.7.6
Severity Score: High
The vulnerability is patched, so you should update to version 2.7.6.
2. LoginWP
Plugin: LoginWP
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.0.0.5
Severity Score: High
The vulnerability is patched, so you should update to version 3.0.0.5.
3. WooCommerce Currency Switcher
Plugin: WooCommerce Currency Switcher
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.3.7.1
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.3.7.1.
4. Secure Copy Content Protection and Content Locking
Plugin: Secure Copy Content Protection and Content Locking
Vulnerability: Subscriber+ Email Address Disclosure
Patched in Version: 2.8.2
Severity Score: High
The vulnerability is patched, so you should update to version 2.8.2.
5. Bookly
Plugin: Bookly
Vulnerability: Staff Member Stored Cross-Site Scripting
Patched in Version: 20.3.1
Severity Score: Medium
The vulnerability is patched, so you should update to version 20.3.1.
6. Email Log
Plugin: Email Log
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.4.8
Severity Score: High
The vulnerability is patched, so you should update to version 2.4.8.
7. Tawk.to Live Chat
Plugin: Tawk.to Live Chat
Vulnerability: Subscriber+ Visitor Monitoring & Chat Removal
Patched in Version: 0.6.0
Severity Score: High
The vulnerability is patched, so you should update to version 0.6.0.
8. WP Data Access
Plugin: WP Data Access
Vulnerability: Admin+ SQL Injection
Patched in Version: 5.0.0
Severity Score: High
The vulnerability is patched, so you should update to version 5.0.0.
9. PDF.js Viewer
Plugin: PDF.js Viewer
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 2.0.2
Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.2.
10. Backup and Restore
Plugin: Backup and Restore
Vulnerability: Admin+ Arbitrary File Deletion
Patched in Version: No known fix
Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
11. LearnPress
Plugin: LearnPress
Vulnerability: Admin+ SQL Injection
Patched in Version: 4.1.4
Severity Score: Medium
The vulnerability is patched, so you should update to version 4.1.4.
12. Get Custom Field Values
Plugin: Get Custom Field Values
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 4.0.1
Severity Score: Medium
The vulnerability is patched, so you should update to version 4.0.1.
13. Booking Package
Plugin: Booking Package
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.5.11
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.5.11.
14. Like Button Rating
Plugin: Like Button Rating
Vulnerability: Unauthorised Vote Export to Email & IP Addresses Disclosure
Patched in Version: 2.6.38
Severity Score: High
The vulnerability is patched, so you should update to version 2.6.38.
15. Caldera Forms
Plugin: Caldera Forms
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.9.5
Severity Score: Low
The vulnerability is patched, so you should update to version 1.9.5.
16. Starter Templates
Plugin: Starter Templates
Vulnerability: Contributor+ Block Import to Stored XSS
Patched in Version: 2.7.1
Severity Score: High
The vulnerability is patched, so you should update to version 2.7.1.
17. Contact Form Email
Plugin: Contact Form Email
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.3.25
Severity Score: Low
The vulnerability is patched, so you should update to version 1.3.25.
18. Video Gallery Vimeo and YouTube Gallery
Plugin: Video Gallery Vimeo and YouTube Gallery
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.1.5
Severity Score: Low
The vulnerability is patched, so you should update to version 1.1.5.
19. WordPress Popular Posts
Plugin: WordPress Popular Posts
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 5.3.4
Severity Score: Low
The vulnerability is patched, so you should update to version 5.3.4.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!