WordPress Vulnerabilities Digest - October 2022 Part 2
Each vulnerability is given a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
WordPress 6.0.2 was released on August 30, 2022. This security and maintenance release features 12 bug fixes on Core, 5 bug fixes for the Block Editor, and 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately.
No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
1. Smart Slider 3
Plugin: Smart Slider 3 | Installations: 900,000+ | Vulnerability: PHP Object Injection | Patched in version: 3.5.1.11 | Severity: Medium
The vulnerability has been patched, so you should update to version 3.5.1.11.
2. Ocean Extra
Plugin: Ocean Extra | Installations: 700,000+ | Vulnerability: Admin+ PHP Object Injection | Patched in version: 2.0.5 | Severity: Medium
The vulnerability has been patched, so you should update to version 2.0.5.
3. Easy WP SMTP
Plugin: Easy WP SMTP | Installations: 600,000+ | Vulnerability: Admin+ PHP Object Injection | Patched in version: 1.5.0 | Severity: Medium
The vulnerability has been patched, so you should update to version 1.5.0.
4. Customizer Export/Import
Plugin: Customizer Export/Import | Installations: 200,000+ | Vulnerability: Admin+ PHP Object Injection | Patched in version: 0.9.5 | Severity: Medium
The vulnerability has been patched, so you should update to version 0.9.5.
5. Envira Gallery Lite
Plugin: Gallery Plugin for WordPress - Envira Photo Gallery | Installations: 100,000+ | Vulnerability: Reflected Cross-Site Scripting | Patched in version: 1.8.4.7 | Severity: Medium
The vulnerability has been patched, so you should update to version 1.8.4.7.
6. PublishPress Capabilities
Plugin: PublishPress Capabilities - User Role Access, Editor Permissions, Admin Menus | Installations: 100,000+ | Vulnerability: Admin+ PHP Object Injection | Patched in version: 2.5.2 | Severity: Medium
The vulnerability has been patched, so you should update to version 2.5.2.
7. LearnPress
Plugin: LearnPress - WordPress LMS Plugin | Installations: 100,000+ | Vulnerability: Unauthenticated PHP Object Injection via REST API | Patched in version: 4.1.7.2 | Severity: Medium
The vulnerability has been patched, so you should update to version 4.1.7.2.
8. eCommerce Product Catalog Plugin for WordPress
Plugin: eCommerce Product Catalog Plugin for WordPress | Installations: 10,000+ | Vulnerability: Reflected XSS | Patched in version: 3.0.71 | Severity: Medium
The vulnerability has been patched, so you should update to version 3.0.71.
9. WP Contact Slider
Plugin: WP Contact Slider | Installations: 10,000+ | Vulnerability: Admin+ Stored Cross-Site Scripting | Patched in version: 2.4.8 | Severity: Low
The vulnerability has been patched, so you should update to version 2.4.8.
10. AWP Classifieds Plugin
Plugin: WordPress Classifieds Plugin - Ad Directory & Listings by AWP Classifieds | Installations: 8,000+ | Vulnerability: Unauthenticated SQLi | Patched in version: 4.3 | Severity: Medium
The vulnerability has been patched, so you should update to version 4.3.
11. Rock Convert
Plugin: Rock Convert | Installations: 3,000+ | Vulnerability: Admin+ Stored Cross-Site Scripting; Reflected Cross-Site Scripting | Patched in version: 2.11.0 | Severity: Low
The vulnerability has been patched, so you should update to version 2.11.0.
12. Official Integration for Billingo
Plugin: Official Integration for Billingo | Installations: 3,000+ | Vulnerability: ShopManager+ Stored XSS | Patched in version: 3.4.0 | Severity: Medium
The vulnerability has been patched, so you should update to version 3.4.0.
13. Create Block Theme
Plugin: Create Block Theme | Installations: 200+ | Vulnerability: Unauthenticated Arbitrary File Upload | Patched in version: 1.2.2 | Severity: Critical
The vulnerability has been patched, so you should update to version 1.2.2.
14. Automatic User Roles Switcher
Plugin: Automatic User Roles Switcher | Vulnerability: Subscriber+ Privilege Escalation | Patched in version: 1.1.2 | Severity: High
The vulnerability has been patched, so you should update to version 1.1.2.
15. PublishPress Capabilities Pro
Plugin: PublishPress Capabilities Pro | Vulnerability: Admin+ PHP Object Injection | Patched in version: 2.5.2 | Severity: Medium
The vulnerability has been patched, so you should update to version 2.5.2.
WordPress Plugin Vulnerabilities with No Known Fix
Until a patch is available, immediately uninstall and delete the plugin. Deactivating alone is not enough, because the plugin's files stay on disk; remove them as well.
WP Total Hacks
Plugin: WP Total Hacks | Vulnerability: Subscriber+ Arbitrary Options Update to Stored XSS | Patched in version: No Fix | Severity: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WP Word Count
Plugin: WP Word Count | Vulnerability: Admin+ Stored Cross-Site Scripting | Patched in version: No Fix | Severity: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
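The practical question behind every entry above is the same: is the version installed on my site older than the patched version, or is the plugin one of the closed ones that has to go? The script below is an added example written for this digest, not code from iThemes or from any of the plugins listed. It takes the JSON that `wp plugin list --format=json --fields=name,status,version` prints, compares each installed version against the table above with numeric (not string) ordering, and reports "update to X", "remove" (closed plugin, no fix) or "ok". The wordpress.org slugs used as keys are assumptions to confirm against each plugin's directory URL; entries whose slug is not known (Automatic User Roles Switcher, the Billingo integration, PublishPress Capabilities Pro) are left out. The sample plugin list at the bottom is constructed, not real site data.

```python
"""Check installed WordPress plugins against the advisories in this digest.

Usage on a site:  wp plugin list --format=json --fields=name,status,version | python3 digest_check.py
With no stdin it runs against the constructed sample at the bottom.
"""
import json
import re
import sys

# Advisory table transcribed from the digest, keyed by wordpress.org slug.
# The slugs are assumptions: confirm each against the plugin's directory URL.
# A patched version of None means the digest lists "No Fix" (plugin closed).
ADVISORIES = {
    "smart-slider-3":            ("3.5.1.11", "PHP Object Injection", "Medium"),
    "ocean-extra":               ("2.0.5",    "Admin+ PHP Object Injection", "Medium"),
    "easy-wp-smtp":              ("1.5.0",    "Admin+ PHP Object Injection", "Medium"),
    "customizer-export-import":  ("0.9.5",    "Admin+ PHP Object Injection", "Medium"),
    "envira-gallery-lite":       ("1.8.4.7",  "Reflected Cross-Site Scripting", "Medium"),
    "capability-manager-enhanced": ("2.5.2",  "Admin+ PHP Object Injection", "Medium"),
    "learnpress":                ("4.1.7.2",  "Unauthenticated PHP Object Injection via REST API", "Medium"),
    "ecommerce-product-catalog": ("3.0.71",   "Reflected XSS", "Medium"),
    "wp-contact-slider":         ("2.4.8",    "Admin+ Stored Cross-Site Scripting", "Low"),
    "another-wordpress-classifieds-plugin": ("4.3", "Unauthenticated SQLi", "Medium"),
    "rock-convert":              ("2.11.0",   "Admin+ Stored XSS; Reflected XSS", "Low"),
    "create-block-theme":        ("1.2.2",    "Unauthenticated Arbitrary File Upload", "Critical"),
    "wp-total-hacks":            (None,       "Subscriber+ Arbitrary Options Update to Stored XSS", "High"),
    "wp-word-count":             (None,       "Admin+ Stored Cross-Site Scripting", "Low"),
}

_VERSION_RE = re.compile(r"\s*(\d+(?:\.\d+)*)(.*)$")


def parse_version(version: str):
    """Split '3.5.1.11' into ((3, 5, 1, 11), 1).

    The second element is 0 for a pre-release tag ('1.5.0-beta1', '2.0rc1')
    and 1 for a plain release, so a pre-release of X sorts below X itself,
    as PHP's version_compare() orders such tags.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    is_release = 0 if m.group(2).strip() else 1
    return numbers, is_release


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b (numeric order, so 3.5.1.9 < 3.5.1.11)."""
    (na, ra), (nb, rb) = parse_version(a), parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))  # '2.0' compares equal to '2.0.0'
    nb += (0,) * (width - len(nb))
    return (na, ra) < (nb, rb)


def assess(plugin_list_json: str) -> list:
    """Return one finding per installed plugin that this digest covers.

    Inactive plugins are reported too: their files are still on disk, and the
    digest's advice for closed plugins is to uninstall and delete, not deactivate.
    """
    findings = []
    for plugin in json.loads(plugin_list_json):
        advisory = ADVISORIES.get(plugin["name"])
        if advisory is None:
            continue
        patched, vulnerability, severity = advisory
        if patched is None:
            action = "remove"
        elif version_lt(plugin["version"], patched):
            action = f"update to {patched}"
        else:
            action = "ok"
        findings.append({
            "name": plugin["name"],
            "installed": plugin["version"],
            "status": plugin.get("status", "unknown"),
            "vulnerability": vulnerability,
            "severity": severity,
            "action": action,
        })
    return findings


# Constructed sample in the shape `wp plugin list --format=json` emits; not real site data.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "smart-slider-3", "status": "active",   "version": "3.5.1.9"},
    {"name": "easy-wp-smtp",   "status": "active",   "version": "1.5.0-beta1"},
    {"name": "learnpress",     "status": "active",   "version": "4.1.7.2"},
    {"name": "wp-total-hacks", "status": "inactive", "version": "1.0"},
    {"name": "akismet",        "status": "active",   "version": "5.0.1"},
])


def main() -> None:
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    if not raw.strip():
        raw = SAMPLE_WP_PLUGIN_LIST
    for f in assess(raw):
        flag = " " if f["action"] == "ok" else "!"
        print(f"{flag} {f['name']:<28} {f['installed']:<12} {f['status']:<9} "
              f"{f['severity']:<8} {f['action']}  ({f['vulnerability']})")


if __name__ == "__main__":
    main()
```

Two points the comparison gets right that a naive string check does not: "3.5.1.9" is older than "3.5.1.11" even though it sorts later as text, and a pre-release build such as "1.5.0-beta1" is treated as older than the patched 1.5.0, so it is still flagged.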
WordPress Theme Vulnerabilities
1. Newspaper
Theme: Newspaper | Vulnerability: Reflected Cross-Site Scripting | Patched in version: 12 | Severity: Medium
The vulnerability has been patched, so you should update to version 12.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we have already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not under our maintenance plan... well, what are you waiting for? Sign up today!