WordPress Vulnerabilities Digest - September 2020 Part 2
The WordPress plugins and themes mentioned below have various types of vulnerabilities. Please review the list and remediation steps below.
WordPress Core Vulnerabilities
No WordPress core vulnerabilities were disclosed in the second half of September. Just make sure you are running the latest version of WordPress, which is version 5.5.1.
WordPress Plugin Vulnerabilities
1. Asset CleanUp
Asset CleanUp versions below 1.3.6.7 have Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities. The vulnerabilities are patched, and you should update to version 1.3.6.7.
2. Sticky Menu, Sticky Header
Sticky Menu, Sticky Header versions below 2.21 have Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities. The vulnerabilities are patched, and you should update to version 2.21.
3. Cookiebot
Cookiebot versions below 3.6.1 have Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities. The vulnerabilities are patched, and you should update to version 3.6.1.
4. All In One WP Security & Firewall
All In One WP Security & Firewall versions below 4.4.4 have Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities. The vulnerabilities are patched, and you should update to version 4.4.4.
5. Absolutely Glamorous Custom Admin
Absolutely Glamorous Custom Admin versions below 6.5.5 have Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities. The vulnerabilities are patched, and you should update to version 6.5.5.
6. Elementor Addon Elements
Elementor Addon Elements versions below 1.6.4 have Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities. The vulnerabilities are patched, and you should update to version 1.6.4.
7. Email Subscribers & Newsletters
Email Subscribers & Newsletters versions below 4.5.6 have an Unauthenticated Email Forgery/Spoofing vulnerability. The vulnerability is patched, and you should update to version 4.5.6.
8. 10Web Social Post Feed
10Web Social Post Feed versions below 1.1.27 have an Authenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 1.1.27.
9. Affiliate Manager
Affiliate Manager versions below 2.7.8 have an Unauthenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.7.8.
10. WP Hotel Booking
WP Hotel Booking versions below 1.10.2 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 1.10.2.
11. WP Project Manager
WP Project Manager versions below 2.4.1 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 2.4.1.
12. 10WebAnalytics
10WebAnalytics versions below 1.2.9 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 1.2.9.
13. Top 10 Popular posts plugin for WordPress
Top 10 Popular posts plugin for WordPress versions below 2.9.5 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 2.9.5.
14. Lightweight Sidebar Manager
Lightweight Sidebar Manager versions below 1.1.4 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 1.1.4.
15. Radio Buttons for Taxonomies
Radio Buttons for Taxonomies versions below 2.0.6 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 2.0.6.
16. Product Catalog X
Product Catalog X versions below 1.5.13 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 1.5.13.
17. Paid Memberships Pro
Paid Memberships Pro versions below 2.4.3 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 2.4.3.
18. NotificationX
NotificationX versions below 1.8.3 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 1.8.3.
19. Coming Soon & Maintenance Mode Page
Coming Soon & Maintenance Mode Page versions below 1.58 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 1.58.
20. Menu Swapper
Menu Swapper versions below 1.1.1 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 1.1.1.
21. Woody ad snippets
Woody ad snippets versions below 2.3.10 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 2.3.10.
22. Forminator
Forminator versions below 1.13.5 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 1.13.5.
23. RSS Aggregator by Feedzy
RSS Aggregator by Feedzy versions below 3.4.3 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 3.4.3.
24. Feed Them Social
Feed Them Social versions below 2.8.7 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 2.8.7.
25. WP ERP
WP ERP versions below 1.6.4 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 1.6.4.
26. eCommerce Product Catalog
eCommerce Product Catalog versions below 2.9.44 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 2.9.44.
27. Easy Testimonials
Easy Testimonials versions below 3.7 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 3.7.
28. Dokan
Dokan versions below 3.0.9 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 3.0.9.
29. Best WooCommerce Multivendor Marketplace Solution
Best WooCommerce Multivendor Marketplace Solution versions below 3.5.8 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 3.5.8.
30. Custom Field Template
Custom Field Template versions below 2.5.2 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 2.5.2.
31. Coupon Creator
Coupon Creator versions below 3.1.1 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 3.1.1.
32. Cool Timeline
Cool Timeline versions below 2.0.3 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 2.0.3.
33. Funnel Builder by CartFlows
Funnel Builder by CartFlows versions below 1.5.16 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 1.5.16.
34. Import / Export Customizer Settings
Import / Export Customizer Settings versions below 1.0.4 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 1.0.4.
35. Discount Rules for WooCommerce
Discount Rules for WooCommerce versions below 2.2.1 have multiple Authorization Bypass vulnerabilities. The vulnerabilities are patched, and you should update to version 2.2.1.
36. MetaSlider
MetaSlider versions below 3.17.2 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.17.2.
37. Drag and Drop Multiple File Upload
Drag and Drop Multiple File Upload versions below 1.3.5.5 have an Unauthenticated Remote Code Execution vulnerability. The vulnerability is patched, and you should update to version 1.3.5.5.
WordPress Themes Vulnerabilities
1. JobMonster
JobMonster versions below 4.6.6.1 have a Directory Listing in Upload Folder vulnerability. The vulnerability is patched, and you should update to version 4.6.6.1.
What you should do
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!