WordPress Vulnerabilities Digest - October 2021 Part 1
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
The latest version of WordPress core, 5.8.1, was released as a security and maintenance release. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
1. WP DSGVO Tools
Plugin: WP DSGVO Tools Vulnerability: Unauthenticated Plugins Settings Update to Stored Cross-Site Scripting Patched in Version: 3.1.24 plugin closed Severity Score: High
This vulnerability has been patched, but the plugin has been closed on WordPress.org, so it will not receive further updates. You should find a replacement ASAP.
2. Great Quotes
Plugin: Great Quotes Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: No known fix plugin closed Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
3. WP Debugging
Plugin: WP Debugging Vulnerability: Unauthenticated Plugins Settings Update Patched in Version: 2.11.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.11.0.
4. Check & Log Email
Plugin: Check & Log Email Vulnerability: Admin+ SQL Injections Patched in Version: 1.0.3 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.0.3.
5. Permalink Manager Lite
Plugin: Permalink Manager Lite Vulnerability: Admin+ SQL Injection Patched in Version: 2.2.13.1 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.2.13.1.
6. WooCommerce Product Table Lite
Plugin: WooCommerce Product Table Lite Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.4.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.4.0.
7. WP Table Builder
Plugin: WP Table Builder Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.3.10 Severity Score: High
The vulnerability is patched, so you should update to version 1.3.10.
8. Visual Form Builder
Plugin: Visual Form Builder Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 3.0.4 Severity Score: Low
The vulnerability is patched, so you should update to version 3.0.4.
9. NinjaForms
Plugin: NinjaForms Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 3.5.8.2 Severity Score: Low
The vulnerability is patched, so you should update to version 3.5.8.2.
10. Wappointment
Plugin: Wappointment Vulnerability: Unauthenticated Stored Cross-Site Scripting Patched in Version: 2.2.5 Severity Score: High
The vulnerability is patched, so you should update to version 2.2.5.
11. Countdown and CountUp, WooCommerce Sales Timers
Plugin: Countdown and CountUp, WooCommerce Sales Timers Vulnerability: CSRF to Stored Cross-Site Scripting Patched in Version: 1.5.8 Severity Score: High
The vulnerability is patched, so you should update to version 1.5.8.
12. uListing
Plugin: uListing Vulnerability: Settings Update via CSRF Patched in Version: 2.0.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.6.
Plugin: uListing Vulnerability: Unauthenticated SQL Injection Patched in Version: 2.0.4 Severity Score: High
The vulnerability is patched, so you should update to version 2.0.4.
Plugin: uListing Vulnerability: Unauthenticated Privilege Escalation Patched in Version: 2.0.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.6.
Plugin: uListing Vulnerability: Modify User Roles via CSRF Patched in Version: 2.0.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.6.
Plugin: uListing Vulnerability: Multiple CSRF Patched in Version: 2.0.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.6.
Plugin: uListing Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.0.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.6.
Plugin: uListing Vulnerability: Authenticated IDOR Patched in Version: 2.0.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.6.
13. YITH Maintenance Mode
Plugin: YITH Maintenance Mode Vulnerability: Multiple Admin+ Stored Cross-Site Scripting Patched in Version: 1.4.0 Severity Score: Low
The vulnerability is patched, so you should update to version 1.4.0.
Plugin: YITH Maintenance Mode Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.3.8 Severity Score: Low
The vulnerability is patched, so you should update to version 1.3.8.
14. WordPress Contact Forms by Cimatti
Plugin: WordPress Contact Forms by Cimatti Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.4.12 Severity Score: Low
The vulnerability is patched, so you should update to version 1.4.12.
15. OG Tags
Plugin: OG Tags Vulnerability: Plugins Settings Update via CSRF Patched in Version: 2.0.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.2.
16. Connections Business Directory
Plugin: Connections Business Directory Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 10.4.3 Severity Score: Low
The vulnerability is patched, so you should update to version 10.4.3.
17. Flat Preloader
Plugin: Flat Preloader Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.5.5 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.5.5.
Plugin: Flat Preloader Vulnerability: CSRF to Stored Cross-Site Scripting Patched in Version: 1.5.4 Severity Score: High
The vulnerability is patched, so you should update to version 1.5.4.
18. Cool Tag Cloud
Plugin: Cool Tag Cloud Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 2.26 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.26.
19. underConstruction
Plugin: underConstruction Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.19 Severity Score: High
The vulnerability is patched, so you should update to version 1.19.
20. Restaurant Menu by MotoPress
Plugin: Restaurant Menu by MotoPress Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: No known fix plugin closed Severity Score: Low
This vulnerability has NOT been patched. This plugin has been closed as of September 20, 2021. Uninstall and delete.
21. AutomatorWP
Plugin: AutomatorWP Vulnerability: Missing Authorization and Privilege Escalation Patched in Version: 1.7.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.7.6.
22. WP Reactions Lite
Plugin: WP Reactions Lite Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 1.3.6 Severity Score: Low
The vulnerability is patched, so you should update to version 1.3.6.
23. Stylish Price List
Plugin: Stylish Price List Vulnerability: Subscriber+ Arbitrary Image Upload Patched in Version: 6.9.1 Severity Score: Medium
The vulnerability is patched, so you should update to version 6.9.1.
Plugin: Stylish Price List Vulnerability: Unauthenticated Arbitrary Image Upload Patched in Version: 6.9.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 6.9.0.
24. Easy Social Icons
Plugin: Easy Social Icons Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.0.9 Severity Score: High
The vulnerability is patched, so you should update to version 3.0.9.
Plugin: Easy Social Icons Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.1.3 Severity Score: High
The vulnerability is patched, so you should update to version 3.1.3.
25. WPeMatico RSS Feed Fetcher
Plugin: WPeMatico RSS Feed Fetcher Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 2.6.12 Severity Score: Low
The vulnerability is patched, so you should update to version 2.6.12.
26. WordPress Download Manager
Plugin: WordPress Download Manager Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 3.2.16 Severity Score: Low
The vulnerability is patched, so you should update to version 3.2.16.
27. Modern Events Calendar Lite
Plugin: Modern Events Calendar Lite Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 5.22.3 Severity Score: Low
The vulnerability is patched, so you should update to version 5.22.3.
28. Credova_Financial
Plugin: Credova_Financial Vulnerability: Sensitive Information Disclosure Patched in Version: 1.4.9 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.4.9.
29. JS Job Manager
Plugin: JS Job Manager Vulnerability: Unauthenticated Arbitrary Plugin Installation/Activation Patched in Version: No known fix plugin closed Severity Score: Critical
This vulnerability has NOT been patched. This plugin has been closed as of September 30, 2021. Uninstall and delete.
30. Events Made Easy
Plugin: Events Made Easy Vulnerability: Multiple CSRF to Stored Cross-Site Scripting and Event Deletion Patched in Version: 1.5.50 Severity Score: High
The vulnerability is patched, so you should update to version 1.5.50.
31. Stripe For WooCommerce
Plugin: Stripe For WooCommerce Vulnerability: Missing Authorization Controls to Financial Account Hijacking Patched in Version: 3.3.10 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.3.10.
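Checking a site against a digest like this by hand is error-prone: several plugins have more than one entry, the fix version is the highest one named, and a closed plugin must be removed even if it was patched. The script below is an added example written for this post, not code from iThemes or from any of the plugins listed. It takes a subset of the entries above (the plugin slugs are assumptions; the digest names plugins by display name only) and a constructed inventory in the shape produced by `wp plugin list --format=json`, and reports which plugins to update and which to delete.

```python
"""Compare an installed-plugin inventory against a vulnerability digest.

Added example for this digest; not code from iThemes or from any plugin.
Plugin slugs and the inventory below are assumptions constructed for
illustration. On a real site the inventory would come from
`wp plugin list --format=json`.
"""
import json
import re

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Digest entries keyed by an assumed plugin slug. "fixed" is the highest
# patched version named in the digest for that plugin (uListing has several
# entries; 2.0.6 supersedes 2.0.4). None means no known fix.
DIGEST = {
    "wp-dsgvo-tools": {"name": "WP DSGVO Tools", "fixed": "3.1.24", "closed": True, "severity": "High"},
    "great-quotes": {"name": "Great Quotes", "fixed": None, "closed": True, "severity": "Low"},
    "wp-debugging": {"name": "WP Debugging", "fixed": "2.11.0", "closed": False, "severity": "Medium"},
    "permalink-manager": {"name": "Permalink Manager Lite", "fixed": "2.2.13.1", "closed": False, "severity": "Medium"},
    "ulisting": {"name": "uListing", "fixed": "2.0.6", "closed": False, "severity": "High"},
    "js-jobs": {"name": "JS Job Manager", "fixed": None, "closed": True, "severity": "Critical"},
}

# Constructed sample in the shape `wp plugin list --format=json` produces.
INVENTORY_JSON = """[
  {"name": "wp-debugging", "status": "active", "update": "available", "version": "2.10.0"},
  {"name": "permalink-manager", "status": "active", "update": "none", "version": "2.2.13.1"},
  {"name": "ulisting", "status": "inactive", "update": "available", "version": "2.0.4"},
  {"name": "js-jobs", "status": "active", "update": "none", "version": "2.0.0"},
  {"name": "akismet", "status": "active", "update": "none", "version": "4.2.1"}
]"""


def parse_version(version):
    """Split a dotted version into integers; non-numeric pieces count as 0.

    WordPress compares versions with PHP's version_compare(); for the plain
    dotted versions in this digest, padded numeric comparison is equivalent.
    """
    parts = []
    for piece in re.split(r"[.\-_+]", version.strip()):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return parts


def version_lt(installed, fixed):
    """True if installed < fixed, treating missing components as 0 (2.2.13 < 2.2.13.1)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))


def assess(inventory, digest):
    """Return one finding per installed plugin that appears in the digest.

    action is "remove" (no fix, or plugin closed), "update" (below the fixed
    version) or "ok". Inactive plugins are still reported: their PHP files
    remain on disk, which is why the digest says delete, not deactivate.
    """
    findings = []
    for plugin in inventory:
        entry = digest.get(plugin["name"])
        if entry is None:
            continue
        if entry["fixed"] is None or entry["closed"]:
            action = "remove"
        elif version_lt(plugin["version"], entry["fixed"]):
            action = "update"
        else:
            action = "ok"
        findings.append({
            "slug": plugin["name"],
            "plugin": entry["name"],
            "installed": plugin["version"],
            "fixed": entry["fixed"],
            "status": plugin["status"],
            "severity": entry["severity"],
            "action": action,
        })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["slug"]))
    return findings


def check_site(inventory_json, digest=DIGEST):
    """Parse wp-cli JSON output and return findings keyed by plugin slug."""
    return {f["slug"]: f for f in assess(json.loads(inventory_json), digest)}


if __name__ == "__main__":
    for f in assess(json.loads(INVENTORY_JSON), DIGEST):
        print(f"{f['severity']:<8} {f['action']:<7} {f['plugin']} "
              f"({f['status']}, installed {f['installed']}, fixed {f['fixed'] or 'none'})")
```

Two points the sample is built to show: uListing at 2.0.4 has the SQL injection fix but not the 2.0.6 fixes, so it is still flagged for update, and an inactive plugin is not skipped, because deactivating leaves the vulnerable files in place. Pipe real `wp plugin list --format=json` output into `check_site` to run it against a live site.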
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we have already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!