WordPress Vulnerabilities Digest - October 2021 Part 4
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
The latest version of WordPress core, 5.8.1, was released as a security and maintenance release. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
1. Shared Files
Plugin: Shared Files Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.6.61 Severity Score: Low
The vulnerability is patched, so you should update to version 1.6.61.
2. QR Redirector
Plugin: QR Redirector Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 1.6.1 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.6.1.
Plugin: QR Redirector Vulnerability: Subscriber+ Arbitrary QR Redirect Response Status Update Patched in Version: 1.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.6.
3. MouseWheel Smooth Scroll
Plugin: MouseWheel Smooth Scroll Vulnerability: Plugin Settings Update via CSRF Patched in Version: 5.7 Severity Score: Medium
The vulnerability is patched, so you should update to version 5.7.
4. Insert Pages
Plugin: Insert Pages Vulnerability: Contributor+ Arbitrary Posts/Pages Access Patched in Version: 3.7.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.7.0.
Plugin: Insert Pages Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 3.7.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.7.0.
5. SEO Redirection
Plugin: SEO Redirection Vulnerability: Subscriber+ SQL Injection Patched in Version: 8.2 Severity Score: High
The vulnerability is patched, so you should update to version 8.2.
6. Paypal Donation
Plugin: Paypal Donation Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.3.2 Severity Score: Low
The vulnerability is patched, so you should update to version 1.3.2.
7. IMPress for IDX Broker
Plugin: IMPress for IDX Broker Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.0.6 Severity Score: High
The vulnerability is patched, so you should update to version 3.0.6.
8. Simple JWT Login
Plugin: Simple JWT Login Vulnerability: Arbitrary Settings Update to Site Takeover via CSRF Patched in Version: 3.2.1 Severity Score: High
The vulnerability is patched, so you should update to version 3.2.1.
9. My Tickets
Plugin: My Tickets Vulnerability: Subscriber+ SQL Injection Patched in Version: 1.8.31 Severity Score: High
The vulnerability is patched, so you should update to version 1.8.31.
10. Client Invoicing by Sprout Invoices
Plugin: Client Invoicing by Sprout Invoices Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 19.9.7 Severity Score: Low
The vulnerability is patched, so you should update to version 19.9.7.
11. Email Log
Plugin: Email Log Vulnerability: Admin+ SQL Injection Patched in Version: 2.4.7 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.4.7.
12. WP Performance Score Booster
Plugin: WP Performance Score Booster Vulnerability: Settings Change via CSRF Patched in Version: 2.1 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.1.
13. Active Directory Integration / LDAP Integration
Plugin: Active Directory Integration / LDAP Integration Vulnerability: Subscriber+ SQL Injection Patched in Version: 3.6.95 Severity Score: High
The vulnerability is patched, so you should update to version 3.6.95.
14. TableOn
Plugin: TableOn Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.0.1 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.0.1.
15. Responsive Image Slider, Photo Gallery And Carousel
Plugin: Responsive Image Slider, Photo Gallery And Carousel Vulnerability: Slider Clone/Save/Delete via CSRF Patched in Version: 1.3.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.3.2.
Plugin: Responsive Image Slider, Photo Gallery And Carousel Vulnerability: Subscriber+ Arbitrary Post Access Patched in Version: 1.3.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.3.6.
16. WP Sitemap Page
Plugin: WP Sitemap Page Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.7.0 Severity Score: Low
The vulnerability is patched, so you should update to version 1.7.0.
17. Stream
Plugin: Stream Vulnerability: Admin+ SQL Injection Patched in Version: 3.8.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.8.2.
18. Helpful
Plugin: Helpful Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 4.4.59 Severity Score: Low
The vulnerability is patched, so you should update to version 4.4.59.
19. LearnPress
Plugin: LearnPress Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 4.1.3.2 Severity Score: Low
The vulnerability is patched, so you should update to version 4.1.3.2.
20. Content Staging
Plugin: Content Staging Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: No known fix, plugin closed Severity Score: Low
This vulnerability has NOT been patched. The plugin has been closed as of October 15, 2021. Uninstall and delete the plugin.
21. Leaky Paywall
Plugin: Leaky Paywall Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: No known fix Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
22. Tutor LMS
Plugin: Tutor LMS Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.9.11 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.9.11.
23. Logo Showcase with Slick Slider
Plugin: Logo Showcase with Slick Slider Vulnerability: Author+ Stored Cross-Site Scripting Patched in Version: 1.2.4 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.2.4.
24. Formidable Form Builder
Plugin: Formidable Form Builder Vulnerability: Unauthenticated Stored Cross-Site Scripting Patched in Version: 4.09.05 Severity Score: Low
The vulnerability is patched, so you should update to version 4.09.05.
25. Download Plugin
Plugin: Download Plugin Vulnerability: Subscriber+ Arbitrary Plugin Activation Patched in Version: 1.6.1 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.6.1.
26. Images to WebP
Plugin: Images to WebP Vulnerability: Multiple Cross-Site Request Forgery (CSRF) Patched in Version: 1.9 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.9.
Plugin: Images to WebP Vulnerability: Authenticated Local File Inclusion Patched in Version: 1.9 Severity Score: Low
The vulnerability is patched, so you should update to version 1.9.
27. MStore API
Plugin: MStore API Vulnerability: Unauthenticated PHP File Upload Patched in Version: 3.4.5 Severity Score: Critical
The vulnerability is patched, so you should update to version 3.4.5.
28. Easy Digital Downloads
Plugin: Easy Digital Downloads Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.11.2.1 Severity Score: High
The vulnerability is patched, so you should update to version 2.11.2.1.
29. Advanced Access Manager
Plugin: Advanced Access Manager Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 6.8.0 Severity Score: Low
The vulnerability is patched, so you should update to version 6.8.0.
30. YOP Poll
Plugin: YOP Poll Vulnerability: Reflected Cross-Site Scripting Patched in Version: 6.1.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 6.1.2.
31. WP Attachment Export
Plugin: WP Attachment Export Vulnerability: Unauthenticated Posts Download Patched in Version: 0.2.4 Severity Score: High
The vulnerability is patched, so you should update to version 1.2.4.
32. Content text slider on post
Plugin: Content text slider on post Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 6.9 Severity Score: Medium
The vulnerability is patched, so you should update to version 6.9.
33. Icegram
Plugin: Icegram Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 2.0.3 Severity Score: Low
The vulnerability is patched, so you should update to version 2.0.3.
34. BetterLinks
Plugin: BetterLinks Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.2.6 Severity Score: Low
The vulnerability is patched, so you should update to version 1.2.6.
35. LearnDash
Plugin: LearnDash Vulnerability: Unauthenticated Arbitrary File Upload Patched in Version: 2.5.4 Severity Score: Critical
The vulnerability is patched, so you should update to version 2.5.4.
36. ImageBoss
Plugin: ImageBoss Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 3.0.6 Severity Score: Low
The vulnerability is patched, so you should update to version 3.0.6.
37. Forminator
Plugin: Forminator Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.2.4 Severity Score: Low
The vulnerability is patched, so you should update to version 1.2.4.
38. MPL-Publisher
Plugin: MPL-Publisher Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.30.4 Severity Score: Low
The vulnerability is patched, so you should update to version 1.30.4.
39. Elementor
Plugin: Elementor Vulnerability: DOM Cross-Site Scripting Patched in Version: 3.1.4 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.1.4.
40. Sassy Social Share
Plugin: Sassy Social Share Vulnerability: Missing Access Controls to PHP Object Injection Patched in Version: 3.3.24 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.3.24.
41. Pie Register
Plugin: Pie Register Vulnerability: Open Redirect Patched in Version: 3.7.2.4 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.7.2.4.
42. Advanced Forms
Plugin: Advanced Forms Vulnerability: Subscriber+ Arbitrary User Email Address Update via IDOR Patched in Version: 1.6.9 Severity Score: High
The vulnerability is patched, so you should update to version 1.6.9.
Plugin: Advanced Forms Pro Vulnerability: Subscriber+ Arbitrary User Email Address Update via IDOR Patched in Version: 1.6.9 Severity Score: High
The vulnerability is patched, so you should update to version 1.6.9.
43. Catch Themes Demo Import
Plugin: Catch Themes Demo Import Vulnerability: Admin+ Arbitrary File Upload Patched in Version: 1.8 Severity Score: Critical
The vulnerability is patched, so you should update to version 1.8.
44. Simple Job Board
Plugin: Simple Job Board Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 2.9.5 Severity Score: Low
The vulnerability is patched, so you should update to version 2.9.5.
45. Ivory Search
Plugin: Ivory Search Vulnerability: Reflected Cross-Site Scripting Patched in Version: 4.7 Severity Score: High
The vulnerability is patched, so you should update to version 4.7.
46. Age Gate
Plugin: Age Gate Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 2.16.4 Severity Score: Critical
The vulnerability is patched, so you should update to version 2.16.4.
If you are on the WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!