
WordPress Vulnerabilities Digest - October 2022 Part 4

Threat Alerts / October 26, 2022
Summary: no new WordPress core vulnerabilities were disclosed this week; plugin vulnerabilities were disclosed in reSmush.it Image Optimizer and others.

Each vulnerability is given a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities are an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 6.0.3 was released on October 17, 2022. It is a security release containing several security fixes, so it is recommended that you update your sites immediately. Even if your sites are set to auto-update, double-check that the update has actually been applied and you are protected.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. reSmush.it Image Optimizer

Plugin: reSmush.it : the only free Image Optimizer & compress plugin
Installations: 200,000+
Vulnerability: Subscriber+ AJAX Calls; Multiple CSRF
Patched in version: 0.4.4
Severity: Medium

The vulnerability has been patched, so you should update to version 0.4.4.

2. ImageMagick-Engine

Plugin: ImageMagick Engine
Installations: 60,000+
Vulnerability: Command Injection via CSRF
Patched in version: 1.7.6
Severity: High

The vulnerability has been patched, so you should update to version 1.7.6.

3. Contact Form Entries

Plugin: Contact Form Entries – Contact Form 7, WPforms and more
Installations: 50,000+
Vulnerability: CSV Injection
Patched in version: 1.3.0
Severity: Medium

The vulnerability has been patched, so you should update to version 1.3.0.

4. ProfileGrid

Plugin: ProfileGrid – User Profiles, Memberships, Groups and Communities
Installations: 8,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 5.1.1
Severity: Medium

The vulnerability has been patched, so you should update to version 5.1.1.

5. Testimonials Free

Plugin: Testimonials
Installations: 5,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.7
Severity: Low

The vulnerability has been patched, so you should update to version 2.7.

6. WP Attachments

Plugin: WP Attachments
Installations: 5,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 5.0.5
Severity: Low

The vulnerability has been patched, so you should update to version 5.0.5.

7. Chat Bubble

Plugin: Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back
Installations: 1,000+
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in version: 2.3
Severity: High

The vulnerability has been patched, so you should update to version 2.3.

8. WPForms Pro

Plugin: WPForms Pro
Vulnerability: CSV Injection
Patched in version: 1.7.7
Severity: Medium

The vulnerability has been patched, so you should update to version 1.7.7.

9. Testimonials Pro

Plugin: Testimonials Pro
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.0.8
Severity: Low

The vulnerability has been patched, so you should update to version 1.0.8.

10. tagDiv Composer

Plugin: tagDiv Composer
Vulnerability: Unauthenticated Account Takeover
Patched in version: 3.5
Severity: Critical

The vulnerability has been patched, so you should update to version 3.5.

11. WPQA

Plugin: WPQA Builder
Vulnerability: Follow/Unfollow via CSRF
Patched in version: 5.9
Severity: Medium

The vulnerability has been patched, so you should update to version 5.9.

WordPress Plugin Vulnerabilities – No Known Fix

Until a patch is available, immediately uninstall and delete the plugin.

Webmaster Tools Verification

Plugin: Webmaster Tools Verification
Vulnerability: Unauthenticated Arbitrary Plugin Deactivation
Patched in version: No Fix
Severity: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Grid Kit Premium

Plugin: Grid Kit Premium
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity: Medium

The vulnerability has not been patched. You should deactivate the plugin.

OAuth Client by DigitialPixies

Plugin: OAuth Client by DigitialPixies
Vulnerability: Admin+ Stored Cross-Site Scripting; CSRF
Patched in version: No Fix
Severity: Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

tagDiv Composer

Theme: NewsMag
Downloads: 336,532
Vulnerability: Unauthenticated Account Takeover
Patched in version: 5.2.2
Severity: Critical

The vulnerability has been patched, so you should update to version 5.2.2.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!

The information in this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!