Threat Alerts / Oct 20, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

The latest version of WordPress core, 5.8.1, was released as a security and maintenance release. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

1. WPSchoolPress

Plugin: WPSchoolPress
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in Version: 2.1.17
Severity Score: Low

The vulnerability is patched, so you should update to version 2.1.17.

Plugin: WPSchoolPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.1.10
Severity Score: High

The vulnerability is patched, so you should update to version 2.1.10.

Plugin: WPSchoolPress
Vulnerability: Multiple Authenticated SQL Injections
Patched in Version: 2.1.10
Severity Score: High

The vulnerability is patched, so you should update to version 2.1.10.

2. YITH WooCommerce Multi Vendor

Plugin: YITH WooCommerce Multi Vendor
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.8.1
Severity Score: High

The vulnerability is patched, so you should update to version 3.8.1.

3. Print-O-Matic

Plugin: Print-O-Matic
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.0.3
Severity Score: Low

The vulnerability is patched, so you should update to version 2.0.3.

4. Pie Register

Plugin: Pie Register
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 3.7.1.6
Severity Score: High

The vulnerability is patched, so you should update to version 3.7.1.6.

Plugin: Pie Register
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 3.7.1.6
Severity Score: Critical

The vulnerability is patched, so you should update to version 3.7.1.6.

5. Coupon Affiliates for WooCommerce

Plugin: Coupon Affiliates for WooCommerce
Vulnerability: Arbitrary Referral Visits Deletion via CSRF
Patched in Version: 4.11.3.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.11.3.4.

6. MAZ Loader

Plugin: MAZ Loader
Vulnerability: Contributor+ SQL Injection
Patched in Version: 1.3.3
Severity Score: High

The vulnerability is patched, so you should update to version 1.3.3.

7. Storefront Footer Text

Plugin: Storefront Footer Text
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of October 6, 2021. Uninstall and delete.

8. Quiz Tool Lite

Plugin: Quiz Tool Lite
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of September 28, 2021. Uninstall and delete.

9. Qwizcards

Plugin: Qwizcards
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 3.62
Severity Score: Low

The vulnerability is patched, so you should update to version 3.62.

10. Loco Translate

Plugin: Loco Translate
Vulnerability: Authenticated PHP Code Injection
Patched in Version: 2.5.4
Severity Score: High

The vulnerability is patched, so you should update to version 2.5.4.

11. iPanorama 360 WordPress Virtual Tour Builder

Plugin: iPanorama 360 WordPress Virtual Tour Builder
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: 1.6.22
Severity Score: High

The vulnerability is patched, so you should update to version 1.6.22.

12. Vision Interactive For WordPress

Plugin: Vision Interactive For WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

13. ImageLinks Interactive Image Builder for WordPress

Plugin: ImageLinks Interactive Image Builder for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

14. WordPress Easy Custom Js And Css Plugin

Plugin: WordPress Easy Custom Js And Css Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

15. iPages Flipbook For WordPress

Plugin: iPages Flipbook For WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.4.3
Severity Score: High

The vulnerability is patched, so you should update to version 1.4.3.

16. 404 to 301

Plugin: 404 to 301
Vulnerability: Logs Deletion via CSRF
Patched in Version: 3.0.9
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.0.9.

17. Post Expirator

Plugin: Post Expirator
Vulnerability: Contributor+ Arbitrary Post Schedule
Patched in Version: 2.6.0
Severity Score: High

The vulnerability is patched, so you should update to version 2.6.0.

18. WP Header Images

Plugin: WP Header Images
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.0.1
Severity Score: High

The vulnerability is patched, so you should update to version 2.0.1.

19. Subscriptions & Memberships for PayPal

Plugin: Subscriptions & Memberships for PayPal
Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched in Version: No known fix – plugin closed
Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of September 30, 2021. Uninstall and delete.

20. Accept Donations with PayPal

Plugin: Accept Donations with PayPal
Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched in Version: 1.3.1
Severity Score: High

The vulnerability is patched, so you should update to version 1.3.1.

21. PayPal Events

Plugin: PayPal Events
Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched in Version: No known fix – plugin closed
Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of September 30, 2021. Uninstall and delete.

22. Header Footer Code Manager

Plugin: Header Footer Code Manager
Vulnerability: Admin+ SQL Injections
Patched in Version: 1.1.14
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.1.14.

23. wpDiscuz

Plugin: wpDiscuz
Vulnerability: Arbitrary Comment Addition/Edition/Deletion via CSRF
Patched in Version: 7.3.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.3.4.

24. 3D Print Lite

Plugin: 3D Print Lite
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.9.1.6
Severity Score: High

The vulnerability is patched, so you should update to version 1.9.1.6.

25. Asgaros Forum

Plugin: Asgaros Forum
Vulnerability: Redirect Deletion via CSRF
Patched in Version: 1.15.13
Severity Score: High

The vulnerability is patched, so you should update to version 1.15.13.

26. WP SEO Redirect 301

Plugin: WP SEO Redirect 301
Vulnerability: Redirect Deletion via CSRF
Patched in Version: 2.3.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.3.2.

27. WCFM – Frontend Manager for WooCommerce

Plugin: WCFM – Frontend Manager for WooCommerce
Vulnerability: Customer/Subscriber+ SQL Injection
Patched in Version: 6.5.12
Severity Score: High

The vulnerability is patched, so you should update to version 6.5.12.

28. Affiliate Manager

Plugin: Affiliate Manager
Vulnerability: Admin+ SQL Injections
Patched in Version: 2.8.7
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.8.7.

29. Similar Posts

Plugin: Similar Posts
Vulnerability: Admin+ Arbitrary PHP Code Execution
Patched in Version: 3.1.6
Severity Score: High

The vulnerability is patched, so you should update to version 3.1.6.

30. WooCommerce Products Table

Plugin: WooCommerce Products Table
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.0.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.4.

31. Discounts Manager for Products

Plugin: Discounts Manager for Products
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.4.5
Severity Score: High

The vulnerability is patched, so you should update to version 3.4.5.

32. Testimonial Builder

Plugin: Testimonial Builder
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.6.0
Severity Score: Low

The vulnerability is patched, so you should update to version 1.6.0.

33. Brizy

Plugin: Brizy
Vulnerability: Incorrect Authorization to Post Modification
Patched in Version: 2.3.12
Severity Score: High

The vulnerability is patched, so you should update to version 2.3.12.

Plugin: Brizy
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 2.3.12
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.3.12.

Plugin: Brizy
Vulnerability: Authenticated File Upload and Path Traversal
Patched in Version: 2.3.12
Severity Score: High

The vulnerability is patched, so you should update to version 2.3.12.

34. Colorful Categories

Plugin: Colorful Categories
Vulnerability: Arbitrary Colors Update via CSRF
Patched in Version: 2.0.15
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.15.

35. WP Fastest Cache

Plugin: WP Fastest Cache
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 0.9.5
Severity Score: High

The vulnerability is patched, so you should update to version 0.9.5.

Plugin: WP Fastest Cache
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: 0.9.5
Severity Score: High

The vulnerability is patched, so you should update to version 0.9.5.

36. Business Manager

Plugin: Business Manager
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

37. Job Board Vanila

Plugin: Job Board Vanila
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

38. WpGenius Job Listing

Plugin: WpGenius Job Listing
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

39. Job Manager

Plugin: Job Manager
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

40. Job Portal

Plugin: Job Portal
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

41. MyBB Cross-Poster

Plugin: MyBB Cross-Poster
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

42. KJM Admin Notices

Plugin: KJM Admin Notices
Vulnerability: Incorrect Authorization to Post Modification
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

43. HAL

Plugin: HAL
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.2
Severity Score: Low

The vulnerability is patched, so you should update to version 2.2.

44. Author Bio Box

Plugin: Author Bio Box
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 3.4.0
Severity Score: Low

The vulnerability is patched, so you should update to version 3.4.0.

45. WordPress + Microsoft Office 365

Plugin: WordPress + Microsoft Office 365
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 15.4
Severity Score: Critical

The vulnerability is patched, so you should update to version 15.4.

46. YOP Poll

Plugin: YOP Poll
Vulnerability: Author+ Stored Cross-Site Scripting via Options Module
Patched in Version: 6.3.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 6.3.1.

Plugin: YOP Poll
Vulnerability: Author+ Stored Cross-Site Scripting via Preview Module
Patched in Version: 6.3.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 6.3.1.

47. Indeed Job Importer

Plugin: Indeed Job Importer
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of October 14, 2021. Uninstall and delete.

48. MPL-Publisher – Self-publish your book & ebook

Plugin: MPL-Publisher – Self-publish your book & ebook
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

49. JobBoardWP

Plugin: JobBoardWP
Vulnerability: Incorrect Authorization to Post Modification
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 14, 2021. Uninstall and delete.

WordPress Theme Vulnerabilities

1. Squaretype Modern Blog

Theme: Squaretype Modern Blog
Vulnerability: Unauthenticated Private/Schedule Posts Disclosure
Patched in Version: 3.0.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.0.4.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!