Threat Alerts / Oct 27, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

 

WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.1 was released as a security and maintenance release. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

1. Shared Files

Plugin: Shared Files Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.6.61 Severity Score: Low

The vulnerability is patched, so you should update to version 1.6.61.

2. QR Redirector

Plugin: QR Redirector Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 1.6.1 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.6.1.

Plugin: QR Redirector Vulnerability: Subscriber+ Arbitrary QR Redirect Response Status Update Patched in Version: 1.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.6.

3. MouseWheel Smooth Scroll 

Plugin: MouseWheel Smooth Scroll Vulnerability: Plugin’s Setting Update via CSRF Patched in Version: 5.7 Severity Score: Medium

The vulnerability is patched, so you should update to version 5.7.

4. Insert Pages

Plugin: Insert Pages Vulnerability: Contributor+ Arbitrary Posts/Pages Access Patched in Version: 3.7.0 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.7.0.

Plugin: Insert Pages Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 3.7.0 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.7.0.

5. SEO Redirection

Plugin: SEO Redirection Vulnerability: Subscriber+ SQL Injection Patched in Version: 8.2 Severity Score: High

The vulnerability is patched, so you should update to version 8.2.

6. Paypal Donation

Plugin: Paypal Donation Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.3.2 Severity Score: Low

The vulnerability is patched, so you should update to version 1.3.2.

7. IMPress for IDX Broker

Plugin: IMPress for IDX Broker Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.0.6 Severity Score: High

The vulnerability is patched, so you should update to version 3.0.6.

8. Simple JWT Login

Plugin: Simple JWT Login Vulnerability: Arbitrary Settings Update to Site Takeover via CSRF Patched in Version: 3.2.1 Severity Score: High

The vulnerability is patched, so you should update to version 3.2.1.

9. My Tickets

Plugin: My Tickets Vulnerability: Subscriber+ SQL Injection Patched in Version: 1.8.31 Severity Score: High

The vulnerability is patched, so you should update to version 1.8.31.

10. Client Invoicing by Sprout Invoices 

Plugin: Client Invoicing by Sprout Invoices Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 19.9.7 Severity Score: Low

The vulnerability is patched, so you should update to version 19.9.7.

11. Email Log

Plugin: Email Log Vulnerability: Admin+ SQL Injection Patched in Version: 2.4.7 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.4.7.

12. WP Performance Score Booster

Plugin WP Performance Score Booster Vulnerability: Settings Change via CSRF Patched in Version: 2.1 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.1.

13. Active Directory Integration / LDAP Integration

Plugin: Active Directory Integration / LDAP Integration Vulnerability: Subscriber+ SQL Injection Patched in Version: 3.6.95 Severity Score: High

The vulnerability is patched, so you should update to version 3.6.95.

14. TableOn

Plugin: TableOn Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.0.1 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.1.

15. Responsive Image Slider, Photo Gallery And Carousel

Plugin: Responsive Image Slider, Photo Gallery And Carousel Vulnerability: Slider Clone/Save/Delete via CSRF Patched in Version: 1.3.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.3.2.

Plugin: Responsive Image Slider, Photo Gallery And Carousel Vulnerability: Subscriber+ Arbitrary Post Access Patched in Version: 1.3.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.3.6.

16. WP Sitemap Page

Plugin: WP Sitemap Page Vulnerability: Admin+ Stored Cross Site Scripting Patched in Version: 1.7.0 Severity Score: Low

The vulnerability is patched, so you should update to version 1.7.0.

17. Stream

Plugin: Stream Vulnerability: Admin+ SQL Injection Patched in Version: 3.8.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.8.2.

18. Helpful

Plugin: Helpful Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 4.4.59 Severity Score: Low

The vulnerability is patched, so you should update to version 4.4.59.

19. LearnPress

Plugin: LearnPress Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 4.1.3.2 Severity Score: Low

The vulnerability is patched, so you should update to version 4.1.3.2.

20. Content Staging 

Plugin: Content Staging Vulnerability: Admin+ Stored Cross-Site Scriptin Patched in Version: No known fix – plugin closed Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 15, 2021. Uninstall and delete.

21. Leaky Paywall

Plugin: Leaky Paywall Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

22. Tutor LMS

Plugin: Tutor LMS Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.9.11 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.9.11.

23. Logo Showcase with Slick Slider

Plugin: Logo Showcase with Slick Slider Vulnerability: Author+ Stored Cross Site Scripting Patched in Version: 1.2.4 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.4.

24. Formidable Form Builder

Plugin: Formidable Form Builder Vulnerability: Unauthenticated Stored Cross-Site Scripting Patched in Version: 4.09.05 Severity Score: Low

The vulnerability is patched, so you should update to version 4.09.05.

25. Download Plugin 

Plugin: Download Plugin Vulnerability: Subscriber+ Arbitrary Plugin Activation Patched in Version: 1.6.1 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.6.1.

26. Images to WebP 

Plugin: Images to WebP Vulnerability: Multiple Cross Site Request Forgery (CSRF) Patched in Version: 1.9 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.9.

Plugin: Images to WebP Vulnerability: Authenticated Local File Inclusion Patched in Version: 1.9 Severity Score: Low

The vulnerability is patched, so you should update to version 1.9.

27. MStore API

Plugin: MStore API Vulnerability: Unauthenticated PHP File Upload Patched in Version: 3.4.5 Severity Score: Critical

The vulnerability is patched, so you should update to version 3.4.5.

28. Easy Digital Downloads

Plugin: Easy Digital Downloads Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.11.2.1 Severity Score: High

The vulnerability is patched, so you should update to version 2.11.2.1.

29. Advanced Access Manager

Plugin: Advanced Access Manager Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 6.8.0 Severity Score: Low

The vulnerability is patched, so you should update to version 6.8.0.

30. YOP Poll

Plugin: YOP Poll Vulnerability: Reflected Cross-Site Scripting Patched in Version: 6.1.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 6.1.2.

31. WP Attachment Export

Plugin: WP Attachment Export Vulnerability: Unauthenticated Posts Download Patched in Version: 0.2.4 Severity Score: High

The vulnerability is patched, so you should update to version 1.2.4.

32. Content text slider on post 

Plugin: Content text slider on post Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 6.9 Severity Score: Medium

The vulnerability is patched, so you should update to version 6.9.

33. Icegram

Plugin: Icegram Vulnerability:  Admin+ Stored Cross-Site Scripting Patched in Version: 2.0.3 Severity Score: Low

The vulnerability is patched, so you should update to version 2.0.3.

34. BetterLinks

Plugin: BetterLinks Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.2.6 Severity Score: Low

The vulnerability is patched, so you should update to version 1.2.6.

35. LearnDash

Plugin: LearnDash Vulnerability: Unauthenticated Arbitrary File Upload Patched in Version: 2.5.4 Severity Score: Critical

The vulnerability is patched, so you should update to version 2.5.4.

36. ImageBoss

Plugin: ImageBoss Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 3.0.6 Severity Score: Low

The vulnerability is patched, so you should update to version 3.0.6.

37. Forminator 

Plugin: Forminator Vulnerability: Admin + Stored Cross Site Scripting Patched in Version: 1.2.4 Severity Score: Low

The vulnerability is patched, so you should update to version 1.2.4.

38. MPL-Publisher

Plugin: MPL-Publisher Vulnerability: Admin+ Stored Cross Site Scripting Patched in Version: 1.30.4 Severity Score: Low

The vulnerability is patched, so you should update to version 1.30.4.

39. Elementor 

Plugin: Elementor Vulnerability: DOM Cross Site Scripting Patched in Version: 3.1.4 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.1.4.

40. Sassy Social Share

Plugin: Sassy Social Share Vulnerability: Missing Access Controls to PHP Object Injection Patched in Version: 3.3.24 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.3.24.

41. Pie Register

Plugin: Pie Register Vulnerability: Open Redirect Patched in Version: 3.7.2.4 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.7.2.4.

42. Advanced Forms

Plugin: Advanced Forms Vulnerability: Subscriber+ Arbitrary User Email Address Update via IDOR Patched in Version: 1.6.9 Severity Score: High

The vulnerability is patched, so you should update to version 1.6.9.

Plugin: Advanced Forms Pro Vulnerability: Subscriber+ Arbitrary User Email Address Update via IDOR Patched in Version: 1.6.9 Severity Score: High

The vulnerability is patched, so you should update to version 1.6.9.

43. Catch Themes Demo Import

Plugin: Catch Themes Demo Import Vulnerability: Admin+ Arbitrary File Upload Patched in Version: 1.8 Severity Score: Critical

The vulnerability is patched, so you should update to version 1.8.

44. Simple Job Board

Plugin: Simple Job Board Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 2.9.5 Severity Score: Low

The vulnerability is patched, so you should update to version 2.9.5.

45. Ivory Search

Plugin: Ivory Search Vulnerability: Reflected Cross-Site Scripting Patched in Version: 4.7 Severity Score: High

The vulnerability is patched, so you should update to version 4.7.

46. Age Gate

Plugin: Age Gate Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 2.16.4 Severity Score: Critical

The vulnerability is patched, so you should update to version 2.16.4.

 

If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay! 

The information for this blog post was taken from iThemes Vulnerability Roundup

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!