WordPress Vulnerabilities Digest - October 2022 Part 3

Threat Alerts / October 26, 2022
WordPress 6.0.3 was released on October 17, 2022. This security release contains several security fixes. Because it is a security release, it is recommended that you update your sites immediately. Even if your sites are set to auto-update, double-check that the update actually landed and that you're protected.

Each vulnerability has a severity rating of low, medium, high, or critical. Where a vulnerability is listed as Subscriber+, Admin+ and so on, an attacker needs an authenticated account with at least that role to exploit it; Unauthenticated means no account is needed at all. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities


1. WordPress Core

Component: WordPress core
Vulnerability: Stored XSS via wp-mail.php
Patched in version: 6.0.3
Severity: Medium

The vulnerability has been patched, so you should update to version 6.0.3 or later.

WordPress Plugin Vulnerabilities

1. Complianz Free

Plugin: Complianz GDPR/CCPA Cookie Consent
Installations: 400,000+
Vulnerability: SQL injection (requires Translator role)
Patched in version: 6.3.4
Severity: Medium

The vulnerability has been patched, so you should update to version 6.3.4 or later.

2. Gutenberg

Plugin: Gutenberg
Installations: 300,000+
Vulnerability: Multiple stored XSS
Patched in version: 14.3.1
Severity: Low

The vulnerabilities have been patched, so you should update to version 14.3.1 or later.

3. Fluent Forms

Plugin: Contact Form Plugin - Fastest Contact Form Builder Plugin for WordPress by Fluent Forms
Installations: 200,000+
Vulnerability: CSV injection
Patched in version: 4.3.13
Severity: Low

The vulnerability has been patched, so you should update to version 4.3.13 or later.

4. WP All Import

Plugin: Import any XML or CSV File to WordPress (WP All Import)
Installations: 100,000+
Vulnerability: Admin+ directory traversal via file upload; Admin+ arbitrary file upload leading to RCE
Patched in version: 3.6.9
Severity: Medium

The vulnerabilities have been patched, so you should update to version 3.6.9 or later.

5. Import and export users and customers

Plugin: Import and export users and customers
Installations: 70,000+
Vulnerability: Subscriber+ CSV injection
Patched in version: 1.20.5
Severity: Medium

The vulnerability has been patched, so you should update to version 1.20.5 or later.

6. Easy Digital Downloads

Plugin: Easy Digital Downloads - Simple eCommerce for Selling Digital Files
Installations: 50,000+
Vulnerability: Arbitrary post deletion via CSRF
Patched in version: 3.0
Severity: Medium

The vulnerability has been patched, so you should update to version 3.0 or later.

7. eCommerce Product Catalog Plugin for WordPress

Plugin: eCommerce Product Catalog Plugin for WordPress
Installations: 10,000+
Vulnerability: Reflected XSS; reflected XSS via AJAX
Patched in version: 3.0.72
Severity: Medium

The vulnerabilities have been patched, so you should update to version 3.0.72 or later.

8. WP Attachments

Plugin: WP Attachments
Installations: 5,000+
Vulnerability: Admin+ stored XSS
Patched in version: 5.0.5
Severity: Low

The vulnerability has been patched, so you should update to version 5.0.5 or later.

9. Chat Bubble

Plugin: Chat Bubble - Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back
Installations: 1,000+
Vulnerability: Unauthenticated stored XSS
Patched in version: 2.3
Severity: High

The vulnerability has been patched, so you should update to version 2.3 or later.

10. Role Based Pricing for WooCommerce

Plugin: Role Based Pricing for WooCommerce
Vulnerability: Subscriber+ arbitrary file upload; Subscriber+ PHAR deserialization
Patched in version: 1.6.2
Severity: High

The vulnerabilities have been patched, so you should update to version 1.6.2 or later.

11. Product Stock Manager

Plugin: Product Stock Manager
Vulnerability: Subscriber+ unauthorised AJAX calls
Patched in version: 1.0.5
Severity: High

The vulnerability has been patched, so you should update to version 1.0.5 or later.

12. AliExpress Dropshipping and Fulfilment for WooCommerce

Plugin: AliExpress Dropshipping and Fulfilment for WooCommerce
Vulnerability: Unauthenticated sensitive data exposure
Patched in version: 1.1.1
Severity: High

The vulnerability has been patched, so you should update to version 1.1.1 or later.

13. Complianz Premium

Plugin: Complianz (Premium)
Vulnerability: SQL injection (requires Translator role)
Patched in version: 6.3.6
Severity: Medium

The vulnerability has been patched, so you should update to version 6.3.6 or later.

14. WooCommerce Dropshipping

Plugin: WooCommerce Dropshipping
Vulnerability: Unauthenticated SQL injection
Patched in version: 4.4
Severity: High

The vulnerability has been patched, so you should update to version 4.4 or later.

WordPress Plugin Vulnerabilities with No Known Fix

Until a patch is available, deactivate and delete the plugin. Deactivating alone leaves the plugin's files on disk, so delete it as well.

AB Press Optimizer

Plugin: AB Press Optimizer
Installations: 10+
Vulnerability: Admin+ stored XSS
Patched in version: No fix
Severity: Low

The vulnerability has not been patched. You should deactivate and delete the plugin until a fix is released.

Highlight Focus

Plugin: Highlight Focus
Vulnerability: Admin+ stored XSS
Patched in version: No fix
Severity: Low

The vulnerability has not been patched and the plugin has been closed, so no fix should be expected. You should deactivate and delete the plugin.

WP Hide

Plugin: WP Hide
Vulnerability: Unauthenticated settings update
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched and the plugin has been closed, so no fix should be expected. You should deactivate and delete the plugin.

WPB Show Core

Plugin: WPB Show Core
Vulnerability: Reflected XSS
Patched in version: No fix
Severity: Medium

The vulnerability has not been patched. You should deactivate and delete the plugin until a fix is released.
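The digest tells you to double-check that you are actually protected, which in practice means comparing what is installed against the patched versions above. The script below is an added example written for this post; it is not code from iThemes, from WordPress, or from any of the plugin authors. It expects the output of two WP-CLI commands, `wp core version` and `wp plugin list --format=json --fields=name,version,status`, and reports every component that is still below its patched version or that has no fix at all. The plugin slugs in the map are assumptions (WP-CLI reports the wordpress.org slug as "name", and premium plugins with no public slug are left out), and the sample WP-CLI output at the bottom is constructed, so verify the slugs against your own `wp plugin list` before relying on the result.

```python
"""Audit a site's WordPress core and plugin versions against the patched
versions listed in this digest (October 2022, part 3).

Added example for this post, not code from iThemes or WordPress. Real input
comes from:
    wp core version
    wp plugin list --format=json --fields=name,version,status
"""
import json
import re

CORE_PATCHED = "6.0.3"

# Minimum fixed version per plugin, keyed by the slug that `wp plugin list`
# reports as "name". Slugs are ASSUMPTIONS: verify them against your site.
# Premium plugins from the digest are omitted because the post gives no slug.
PATCHED = {
    "complianz-gdpr": "6.3.4",
    "gutenberg": "14.3.1",
    "fluentform": "4.3.13",
    "wp-all-import": "3.6.9",
    "import-users-from-csv-with-meta": "1.20.5",
    "easy-digital-downloads": "3.0",
    "ecommerce-product-catalog": "3.0.72",
    "wp-attachments": "5.0.5",
    "chat-bubble": "2.3",
}

# Plugins with no fix at the time of the digest: every version is affected.
# Slugs are assumptions as above.
NO_FIX = {"ab-press-optimizer", "highlight-focus", "wp-hide", "wpb-show-core"}


def parse_version(version):
    """'6.0.3' -> (6, 0, 3). Only the leading digits of each dotted piece are
    used, so '6.0.3rc1' parses as (6, 0, 3) rather than (6, 0, 31)."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_older(installed, patched):
    """True when installed < patched. Shorter tuples are zero-padded so that
    '3.0' equals '3.0.0' and is older than '3.0.1'."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def audit(core_version, plugins):
    """Return a list of (component, installed_version, action) findings."""
    findings = []
    if is_older(core_version, CORE_PATCHED):
        findings.append(("wordpress-core", core_version, f"update to {CORE_PATCHED}"))
    for plugin in plugins:
        slug, version = plugin["name"], plugin["version"]
        status = plugin.get("status", "")
        if slug in NO_FIX:
            # Inactive plugins still sit on disk; deleting is the only fix.
            findings.append((slug, version, "no fix: deactivate and delete"))
        elif slug in PATCHED and is_older(version, PATCHED[slug]):
            action = f"update to {PATCHED[slug]}"
            if status != "active":
                action += " (inactive, but still on disk: update or delete)"
            findings.append((slug, version, action))
    return findings


# Constructed sample output standing in for the two WP-CLI commands above.
SAMPLE_CORE_VERSION = "6.0.2"
SAMPLE_PLUGIN_LIST = """[
  {"name": "complianz-gdpr", "status": "active", "version": "6.3.3"},
  {"name": "gutenberg", "status": "active", "version": "14.3.1"},
  {"name": "fluentform", "status": "inactive", "version": "4.3.12"},
  {"name": "easy-digital-downloads", "status": "active", "version": "2.11.7"},
  {"name": "wp-hide", "status": "active", "version": "1.0"},
  {"name": "akismet", "status": "active", "version": "5.0"}
]"""


def run_sample():
    """Audit the constructed sample; returns five findings."""
    return audit(SAMPLE_CORE_VERSION, json.loads(SAMPLE_PLUGIN_LIST))


if __name__ == "__main__":
    for component, installed, action in run_sample():
        print(f"{component:28} {installed:10} {action}")
```

On the constructed sample the script flags core (6.0.2), Complianz (6.3.3), the inactive Fluent Forms (4.3.12), Easy Digital Downloads (2.11.7, which is why the padded numeric comparison matters, since a string comparison would put "2.11.7" after "3.0") and WP Hide (no fix), and leaves the up-to-date Gutenberg and the unlisted Akismet alone. To run it for real, replace the two sample constants with the output of the WP-CLI commands named in the docstring.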

WordPress Theme Vulnerabilities

Good news! No new WordPress theme vulnerabilities were disclosed this week.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we've already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!