WordPress Vulnerabilities Digest - October 2020 Part 2
The WordPress plugins and themes mentioned below have various types of vulnerabilities. Please review the list and remediation steps below.
WordPress Core Vulnerabilities
WordPress 5.5.2 was released on October 29th and included 10 security fixes.
Here is the list of security fixes mentioned in the WordPress 5.5.2 release post.
WordPress Plugin Vulnerabilities
1. Live Chat Live support
Live Chat Live support versions below 3.2.0 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 3.2.0.
2. Quick Chat
All versions of Quick Chat have an Unauthenticated Stored Cross-Site Scripting vulnerability. Remove the plugin until a security fix is released.
3. Child Theme Creator by Orbisius
Child Theme Creator by Orbisius versions below 1.5.2 have a CSRF to Arbitrary File Modification/Creation vulnerability. The vulnerability is patched, and you should update to version 1.5.2.
4. Realia
All versions of Realia have an Unauthenticated IDOR leading to Arbitrary Post Deletion vulnerability. Remove the plugin until a security fix is released.
5. Comment Press
Comment Press versions below 2.7.2 have an Unauthenticated Cross-Frame Scripting vulnerability. The vulnerability is patched, and you should update to version 2.7.2.
6. Super Store Finder for WordPress
Super Store Finder for WordPress versions below 6.2 have an Unauthenticated Arbitrary File Upload vulnerability. The vulnerability is patched, and you should update to version 6.2.
7. Super Interactive Maps for WordPress
Super Interactive Maps for WordPress versions below 2.0 have an Unauthenticated Arbitrary File Upload vulnerability. The vulnerability is patched, and you should update to version 2.0.
8. Super Logos Showcase for WordPress
Super Logos Showcase for WordPress versions below 2.3 have an Unauthenticated Arbitrary File Upload vulnerability. The vulnerability is patched, and you should update to version 2.3.
9. Simple Download Monitor
Simple Download Monitor versions below 3.8.9 have Unauthenticated Cross-Site Scripting and SQL Injection vulnerabilities. The vulnerabilities are patched, and you should update to version 3.8.9.
10. Loginizer
Loginizer versions below 1.6.4 have an Unauthenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 1.6.4.
11. Helios Solutions Brand Logo Slider
All versions of Helios Solutions Brand Logo Slider have an Authenticated Arbitrary File Upload vulnerability. Remove the plugin until a security fix is released.
12. CM Download Manager
CM Download Manager versions below 2.8.0 have an Authenticated Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.8.0.
13. Advanced Booking Calendar
Advanced Booking Calendar versions below 1.6.2 have an Unauthenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 1.6.2.
WordPress Theme Vulnerabilities
There have not been any WordPress theme vulnerabilities reported in the second half of October.
What you should do
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!