Threat Alerts / Oct 06, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

 

WordPress Core Vulnerabilities

The lastest version of WordPress core is 5.8.1 was released as a security and maintenance release. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

1. WP DSGVO Tools

Plugin: WP DSGVO Tools Vulnerability: Unauthenticated Plugin’s Settings Update to Stored Cross-Site Scripting Patched in Version: 3.1.24 – plugin closed Severity Score: High

This vulnerability has been patched, but the plugin has been closed. You should find a replacement ASAP.

2. Great Quotes

Plugin: Great Quotes Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

3. WP Debugging

Plugin: WP Debugging Vulnerability: Unauthenticated Plugin’s Settings Update Patched in Version: 2.11.0 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.11.0.

4. Check & Log Email

Plugin: Check & Log Email Vulnerability: Admin+ SQL Injections Patched in Version: 1.0.3 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.3.

5. Permalink Manager Lite

Plugin: Permalink Manager Lite Vulnerability: Admin+ SQL Injection Patched in Version: 2.2.13.1 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.2.13.1.

6. WooCommerce Product Table Lite

Plugin: WooCommerce Product Table Lite Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.4.0 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.4.0.

7. WP Table Builder

Plugin: WP Table Builder Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.3.10 Severity Score: High

The vulnerability is patched, so you should update to version 1.3.10.

8. Visual Form Builder

Plugin: Visual Form Builder Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 3.0.4 Severity Score: Low

The vulnerability is patched, so you should update to version 3.0.4.

9. NinjaForms

Plugin: NinjaForms Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 3.5.8.2 Severity Score: Low

The vulnerability is patched, so you should update to version 3.5.8.2.

10. Wappointment

Plugin: Wappointment Vulnerability: Unauthenticated Stored Cross-Site Scripting Patched in Version: 2.2.5 Severity Score: High

The vulnerability is patched, so you should update to version 2.2.5.

11. Countdown and CountUp, WooCommerce Sales Timers

Plugin: Countdown and CountUp, WooCommerce Sales Timers Vulnerability: CSRF to Stored Cross-Site Scripting Patched in Version: 1.5.8 Severity Score: High

The vulnerability is patched, so you should update to version 1.5.8.

12. uListing

Plugin: uListing Vulnerability: Settings Update via CSRF Patched in Version: 2.0.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.6.

Plugin: uListing Vulnerability: Unauthenticated SQL Injection Patched in Version: 2.0.4 Severity Score: High

The vulnerability is patched, so you should update to version 2.0.4.

Plugin: uListing Vulnerability: Unauthenticated Privilege Escalation Patched in Version: 2.0.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.6.

Plugin: uListing Vulnerability: Modify User Roles via CSRF Patched in Version: 2.0.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.6.

Plugin: uListing Vulnerability: Multiple CSRF Patched in Version: 2.0.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.6.

Plugin: uListing Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.0.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.6.

Plugin: uListing Vulnerability: Authenticated IDOR Patched in Version: 2.0.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.6.

13. YITH Maintenance Mode

Plugin: YITH Maintenance Mode Vulnerability: Multiple Admin+ Stored Cross-Site Scripting Patched in Version: 1.4.0 Severity Score: Low

The vulnerability is patched, so you should update to version 1.4.0.

Plugin: YITH Maintenance Mode Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.3.8 Severity Score: Low

The vulnerability is patched, so you should update to version 1.3.8.

14. WordPress Contact Forms by Cimatti

Plugin: WordPress Contact Forms by Cimatti Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.4.12 Severity Score: Low

The vulnerability is patched, so you should update to version 1.4.12.

15. OG Tags

Plugin: OG Tags Vulnerability: Plugin’s Settings Update via CSRF Patched in Version: 2.0.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.2.

16. Connections Business Directory

Plugin: Connections Business Directory Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 10.4.3 Severity Score: Low

The vulnerability is patched, so you should update to version 10.4.3.

17. Flat Preloader

Plugin: Flat Preloader Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.5.5 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.5.5.

Plugin: Flat Preloader Vulnerability: CSRF to Stored Cross-Site Scripting Patched in Version: 1.54 Severity Score: High

The vulnerability is patched, so you should update to version 1.5.4.

18. Cool Tag Cloud

Plugin: Cool Tag Cloud Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 2.26 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.26.

19. underConstruction

Plugin: underConstruction Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.19 Severity Score: High

The vulnerability is patched, so you should update to version 1.19.

20. Restaurant Menu by MotoPress

Plugin: Restaurant Menu by MotoPress Vulnerability: Authenticated Stored Cross Site Scripting Patched in Version: No known fix – plugin closed Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of September 20, 2021. Uninstall and delete.

21. AutomatorWP

Plugin: AutomatorWP Vulnerability: Missing Authorization and Privilege Escalation Patched in Version: 1.7.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.6.

22. WP Reactions Lite

Plugin: WP Reactions Lite Vulnerability: Authenticated Stored Cross Site Scripting Patched in Version: 1.3.6 Severity Score: Low

The vulnerability is patched, so you should update to version 1.3.6.

23. Stylish Price List

Plugin: Stylish Price List Vulnerability: Subscriber+ Arbitrary Image Upload Patched in Version: 6.9.1 Severity Score: Medium

The vulnerability is patched, so you should update to version 6.9.1.

Plugin: Stylish Price List Vulnerability: Unauthenticated Arbitrary Image Upload Patched in Version: 6.9.0 Severity Score: Medium

The vulnerability is patched, so you should update to version 6.9.0.

24. Easy Social Icons 

Plugin: Easy Social Icons Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.0.9 Severity Score: High

The vulnerability is patched, so you should update to version 3.0.9.

Plugin: Easy Social Icons Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.1.3 Severity Score: High

The vulnerability is patched, so you should update to version 3.1.3.

25. WPeMatico RSS Feed Fetcher

Plugin: WPeMatico RSS Feed Fetcher Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 2.6.12 Severity Score: Low

The vulnerability is patched, so you should update to version 2.6.12.

26. WordPress Download Manager

Plugin: WordPress Download Manager Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 3.2.16 Severity Score: Low

The vulnerability is patched, so you should update to version 3.2.16.

27. Modern Events Calendar Lite

Plugin: Modern Events Calendar Lite Vulnerability: Authenticated Stored Cross Site Scripting Patched in Version: 5.22.3 Severity Score: Low

The vulnerability is patched, so you should update to version 5.22.3.

28. Credova_Financial

Plugin: Credova_Financial Vulnerability: Sensitive Information Disclosure Patched in Version: 1.4.9 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.4.9.

29. JS Job Manager 

Plugin: JS Job Manager Vulnerability: Unauthenticated Arbitrary Plugin Installation/Activation Patched in Version: No known fix – plugin closed Severity Score: Critical

This vulnerability has NOT been patched. This plugin has been closed as of September 30, 2021. Uninstall and delete.

30. Events Made Easy

Plugin: Events Made Easy Vulnerability: Multi CSRF to Stored Cross-Site Scripting & Event Deletion Patched in Version: 1.5.50 Severity Score: High

The vulnerability is patched, so you should update to version 1.5.50.

31. Stripe For WooCommerce

Plugin: Stripe For WooCommerce Vulnerability: Missing Authorization Controls to Financial Account Hijacking Patched in Version: 3.3.10 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.3.10.

 

If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay! 

The information for this blog post was taken from iThemes Vulnerability Roundup

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!