WordPress Vulnerabilities Digest - September 2021 Part 1
Each vulnerability is given a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
No new WordPress core vulnerabilities have been disclosed this month.
WordPress Plugin Vulnerabilities
1. MicroCopy
Plugin: MicroCopy Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
2. Responsive 3D Slider
Plugin: Responsive 3D Slider Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
3. Create WooCommerce Product Feeds For 40+ Merchants
Plugin: Create WooCommerce Product Feeds For 40+ Merchants Vulnerability: Authenticated SQL Injection Patched in Version: 3.3.1.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.3.1.0.
4. The Sorter
Plugin: The Sorter Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
5. Display users
Plugin: Display users Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
6. WP Domain Redirect
Plugin: WP Domain Redirect Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
7. WP iCommerce
Plugin: WP iCommerce Vulnerability: Authenticated (contributor+) SQL Injection Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
8. WordPress Page Contact
Plugin: WordPress Page Contact Vulnerability: Authenticated (editor+) SQL Injection Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
9. WP-Board
Plugin: WP-Board Vulnerability: Unauthenticated SQL Injection Patched in Version: No known fix Severity: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
10. Alojapro Widget
Plugin: Alojapro Widget Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 1.1.16 Severity Score: Low
The vulnerability is patched, so you should update to version 1.1.16.
11. Simple School Staff Directory
Plugin: Simple School Staff Directory Vulnerability: Admin+ Arbitrary File Upload Patched in Version: No known fix Severity: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
12. Limit Login Attempts
Plugin: Limit Login Attempts Vulnerability: Unauthenticated Stored Cross-Site Scripting Patched in Version: 4.0.50 Severity Score: Critical
The vulnerability is patched, so you should update to version 4.0.50.
13. OMGF
Plugin: OMGF Vulnerability: Subscriber+ Arbitrary File/Folder Deletion Patched in Version: 4.5.4 Severity Score: Critical
The vulnerability is patched, so you should update to version 4.5.4.
Plugin: OMGF Vulnerability: Unauthenticated Path Traversal in REST API Patched in Version: 4.5.4 Severity Score: Critical
The vulnerability is patched, so you should update to version 4.5.4.
14. Fonts Plugin
Plugin: Fonts Plugin Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 3.0.3 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.0.3.
15. GSEOR
Plugin: GSEOR Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
16. Shortcodes Ultimate
Plugin: Shortcodes Ultimate Vulnerability: Contributor+ Stored XSS Patched in Version: 5.10.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 5.10.2.
17. Post Views Counter
Plugin: Post Views Counter Vulnerability: Authenticated Stored XSS Patched in Version: 1.3.5 Severity Score: Low
The vulnerability is patched, so you should update to version 1.3.5.
18. MWB Point of Sale (POS) for WooCommerce
Plugin: MWB Point of Sale (POS) for WooCommerce Vulnerability: CSRF Bypass / Unauthorised AJAX Call Patched in Version: 1.0.1 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.0.1.
19. Timetable and Event Schedule by MotoPress
Plugin: Timetable and Event Schedule by MotoPress Vulnerability: Unauthorised Event TimeSlot Deletion Patched in Version: 2.4.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.4.2.
Plugin: Timetable and Event Schedule by MotoPress Vulnerability: Unauthorised Event TimeSlot Update Patched in Version: 2.4.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.4.2.
Plugin: Timetable and Event Schedule by MotoPress Vulnerability: Arbitrary Users' Hashed Password/Email/Username Disclosure Patched in Version: 2.4.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.4.2.
Plugin: Timetable and Event Schedule by MotoPress Vulnerability: Author+ Stored Cross-Site Scripting Patched in Version: 2.4.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.4.2.
20. Comment Link Remove and Other Comment Tools
Plugin: Comment Link Remove and Other Comment Tools Vulnerability: Arbitrary Comment Deletion via CSRF Patched in Version: 2.1.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.1.6.
21. WP Video Lightbox
Plugin: WP Video Lightbox Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 1.9.3 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.9.3.
22. Gallery Blocks with Lightbox
Plugin: Gallery Blocks with Lightbox Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 2.2.1 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.2.1.
23. Recipe Card Blocks
Plugin: Recipe Card Blocks Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 2.8.3 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.8.3.
Plugin: Recipe Card Blocks Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.8.1 Severity Score: High
The vulnerability is patched, so you should update to version 2.8.1.
24. Podlove Podcast Publisher
Plugin: Podlove Podcast Publisher Vulnerability: Unauthenticated SQL Injection Patched in Version: 3.5.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.5.6.
25. Coupon Affiliates for WooCommerce
Plugin: Coupon Affiliates for WooCommerce Vulnerability: Reflected Cross-Site Scripting Patched in Version: 4.11.0.2 Severity Score: High
The vulnerability is patched, so you should update to version 4.11.0.2.
26. Contact List
Plugin: Contact List Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.9.42 Severity Score: High
The vulnerability is patched, so you should update to version 2.9.42.
27. SMTP Mail
Plugin: SMTP Mail Vulnerability: Authenticated SQL Injections Patched in Version: 1.2.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.2.2.
Plugin: SMTP Mail Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 1.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.2.
28. Live Scores for SportsPress
Plugin: Live Scores for SportsPress Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.9.1 Severity Score: High
The vulnerability is patched, so you should update to version 1.9.1.
Plugin: Live Scores for SportsPress Vulnerability: Authenticated Local File Inclusion Patched in Version: 1.9.1 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.9.1.
29. TextME SMS
Plugin: TextME SMS Vulnerability: Authenticated Stored XSS Patched in Version: 1.8.9 Severity Score: Low
The vulnerability is patched, so you should update to version 1.8.9.
30. Contact Form Entries
Plugin: Contact Form Entries Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.2.1 Severity Score: High
The vulnerability is patched, so you should update to version 1.2.1.
Plugin: Contact Form Entries Contact Form 7, WPforms and more Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
31. Moova for WooCommerce
Plugin: Moova for WooCommerce Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.8 Severity Score: High
The vulnerability is patched, so you should update to version 3.8.
32. Picture Gallery
Plugin: Picture Gallery Vulnerability: Authenticated Stored XSS Patched in Version: 1.4.4 Severity Score: Low
The vulnerability is patched, so you should update to version 1.4.4.
33. Station Pro Plugin
Plugin: Station Pro Plugin Vulnerability: Titan Framework Reflected Cross-Site Scripting (XSS) Patched in Version: 2.2.2 Severity Score: High
The vulnerability is patched, so you should update to version 2.2.2.
34. Booster for WooCommerce
Plugin: Booster for WooCommerce Vulnerability: Authentication Bypass Patched in Version: 5.4.4 Severity Score: Critical
The vulnerability is patched, so you should update to version 5.4.4.
35. Responsive Poll
Plugin: Responsive Poll Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.5.9 Severity Score: High
The vulnerability is patched, so you should update to version 1.5.9.
36. Contact Form 7 Zoho
Plugin: Contact Form 7 Zoho Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.1.8 Severity Score: High
The vulnerability is patched, so you should update to version 1.1.8.
Plugin: Contact Form 7 Zoho Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: 1.1.9 Severity Score: High
The vulnerability is patched, so you should update to version 1.1.9.
37. Block and Stop Bad Bots
Plugin: Block and Stop Bad Bots Vulnerability: Reflected Cross-Site Scripting Patched in Version: 6.62 Severity Score: High
The vulnerability is patched, so you should update to version 6.62.
38. MX Time Zone Clocks
Plugin: MX Time Zone Clocks Vulnerability: Contributor+ Cross-Site Scripting Patched in Version: 3.4.1 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.4.1.
39. Mail Masta
Plugin: Mail Masta Vulnerability: Unauthenticated Local File Inclusion (LFI) Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
40. Nested Pages
Plugin: Nested Pages Vulnerability: CSRF to Arbitrary Post Deletion and Modification Patched in Version: 3.1.16 Severity Score: High
The vulnerability is patched, so you should update to version 3.1.16.
Plugin: Nested Pages Vulnerability: Open Redirect Patched in Version: 3.1.16 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.1.16.
41. WordPress Real Media Library
Plugin: WordPress Real Media Library Vulnerability: Author Stored Cross-Site Scripting Patched in Version: 4.14.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 4.14.2.
42. MPL-Publisher Self-publish your book & ebook
Plugin: MPL-Publisher Self-publish your book & ebook Vulnerability: Reflected Cross-Site Scripting via PHPRelativePath Library Patched in Version: 1.29.2 Severity Score: High
The vulnerability is patched, so you should update to version 1.29.2.
43. WooCommerce PDF Invoice Bulk Download
Plugin: WooCommerce PDF Invoice Bulk Download Vulnerability: Reflected Cross-Site Scripting via PHPRelativePath Library Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
44. Read Offline
Plugin: Read Offline Vulnerability: Reflected Cross-Site Scripting via PHPRelativePath Library Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
45. Integration for Contact Form 7 and Mailchimp
Plugin: Integration for Contact Form 7 and Mailchimp Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: 1.1.1 Severity Score: High
The vulnerability is patched, so you should update to version 1.1.1.
46. Integration for Contact Form 7 HubSpot
Plugin: Integration for Contact Form 7 HubSpot Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: 1.2.0 Severity Score: High
The vulnerability is patched, so you should update to version 1.2.0.
47. WooCommerce Zoho Integration CRM, Books, Invoice, Inventory
Plugin: WooCommerce Zoho Integration CRM, Books, Invoice, Inventory Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
48. Integration for Contact Form 7 and Salesforce
Plugin: Integration for Contact Form 7 and Salesforce Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: 1.2.6 Severity Score: High
The vulnerability is patched, so you should update to version 1.2.6.
49. Connector for Gravity Forms and Google Sheets
Plugin: Connector for Gravity Forms and Google Sheets Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: 1.1.1 Severity Score: High
The vulnerability is patched, so you should update to version 1.1.1.
50. Integration for Contact Form 7 and Constant Contact
Plugin: Integration for Contact Form 7 and Constant Contact Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: 1.1.0 Severity Score: High
The vulnerability is patched, so you should update to version 1.1.0.
51. Integration for WooCommerce and QuickBooks
Plugin: Integration for WooCommerce and QuickBooks Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
52. Gravity Forms Salesforce
Plugin: Gravity Forms Salesforce Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
53. Integration for Contact Form 7 and Infusionsoft
Plugin: Integration for Contact Form 7 and Infusionsoft Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: 1.1.4 Severity Score: High
The vulnerability is patched, so you should update to version 1.1.4.
54. Integration for Contact Form 7 and Pipedrive
Plugin: Integration for Contact Form 7 and Pipedrive Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: 1.1.1 Severity Score: High
The vulnerability is patched, so you should update to version 1.1.1.
55. Gravity Forms Infusionsoft
Plugin: Gravity Forms Infusionsoft Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: 1.1.5 Severity Score: High
The vulnerability is patched, so you should update to version 1.1.5.
56. Contact Form 7 Zendesk
Plugin: Contact Form 7 Zendesk Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: 1.0.8 Severity Score: High
The vulnerability is patched, so you should update to version 1.0.8.
57. Gravity Forms Zoho CRM Add-on
Plugin: Gravity Forms Zoho CRM Add-on Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
58. Gravity Forms HubSpot
Plugin: Gravity Forms HubSpot Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
59. WooCommerce Salesforce Integration
Plugin: WooCommerce Salesforce Integration Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
60. WP Insightly for Contact Form 7 and Ninja Forms
Plugin: WP Insightly for Contact Form 7 and Ninja Forms Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: 1.0.9 Severity Score: High
The vulnerability is patched, so you should update to version 1.0.9.
61. Gravity Forms Zendesk
Plugin: Gravity Forms Zendesk Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
62. WP Infusionsoft WooCommerce Plugin
Plugin: WP Infusionsoft WooCommerce Plugin Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
63. Integration for Contact Form 7 and ActiveCampaign
Plugin: Integration for Contact Form 7 and ActiveCampaign Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
64. Integration for HubSpot and WooCommerce
Plugin: Integration for HubSpot and WooCommerce Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
65. Gravity Forms FreshDesk Plugin
Plugin: Gravity Forms FreshDesk Plugin Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
66. Gravity Forms Dynamics CRM
Plugin: Gravity Forms Dynamics CRM Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
67. Gravity Forms Constant Contact Plugin
Plugin: Gravity Forms Constant Contact Plugin Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
68. Integration for Gravity Forms and Pipedrive
Plugin: Integration for Gravity Forms and Pipedrive Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
69. WP Gravity Forms Insightly
Plugin: WP Gravity Forms Insightly Vulnerability: Multiple Plugins from CRM Perks Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
70. NewsPlugin
Plugin: NewsPlugin Vulnerability: CSRF to Stored Cross-Site Scripting Patched in Version: 1.1.0 Severity Score: High
The vulnerability is patched, so you should update to version 1.1.0.
71. Events Shortcodes & Templates For The Events Calendar
Plugin: Events Shortcodes & Templates For The Events Calendar Vulnerability: Titan Framework Reflected Cross-Site Scripting (XSS) Patched in Version: 1.7.2 Severity Score: High
The vulnerability is patched, so you should update to version 1.7.2.
72. Advanced Custom Fields
Plugin: Advanced Custom Fields Vulnerability: Subscriber+ Arbitrary ACF Data/Field Groups View and Fields Move Patched in Version: 5.10 Severity Score: Medium
The vulnerability is patched, so you should update to version 5.10.
73. PostX Gutenberg Blocks Saved Templates Addon
Plugin: PostX Gutenberg Blocks Saved Templates Addon Vulnerability: Private Content Disclosure Patched in Version: 2.4.10 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.4.10.
Plugin: PostX Gutenberg Blocks Saved Templates Addon Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 2.4.10 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.4.10.
Plugin: PostX Gutenberg Blocks for Post Grid Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 2.4.10 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.4.10.
Plugin: PostX Gutenberg Blocks for Post Grid Vulnerability: Missing Access Controls Patched in Version: 2.4.10 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.4.10.
74. Skaut bazar
Plugin: Skaut bazar Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.3.3 Severity Score: High
The vulnerability is patched, so you should update to version 1.3.3.
75. Donate With QRCode
Plugin: Donate With QRCode Vulnerability: Stored Cross-Site Scripting Patched in Version: No known fix Severity: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
WordPress Theme Vulnerabilities
1. Woffice
Theme: Woffice Vulnerability: Unauthenticated Disclosure of Notification Titles Patched in Version: 4.0.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 4.0.2.
If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we have already taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!