Threat Alerts / Sep 01, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

 

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. MicroCopy

Plugin: MicroCopy Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

2. Responsive 3D Slider 

Plugin: Responsive 3D Slider Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

3. Create WooCommerce Product Feeds For 40+ Merchants

Plugin: Create WooCommerce Product Feeds For 40+ Merchants Vulnerability: Authenticated SQL Injection Patched in Version: 3.3.1.0 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.3.1.0.

4. The Sorter

Plugin: The Sorter Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

5. Display users 

Plugin: Display users Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

6. WP Domain Redirect

Plugin: WP Domain Redirect Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

7. WP iCommerce

Plugin: WP iCommerce Vulnerability: Authenticated (contributor+) SQL Injection Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

8. WordPress Page Contact

Plugin: WordPress Page Contact Vulnerability: Authenticated (editor+) SQL Injection Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

9. WP-Board

Plugin: WP-Board Vulnerability: Unauthenticated SQL Injection Patched in Version: No known fix Severity: Critical

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

10. Alojapro Widget 

Plugin: Alojapro Widget Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 1.1.16 Severity Score: Low

The vulnerability is patched, so you should update to version 1.1.16.

11. Simple School Staff Directory

Plugin: Simple School Staff Directory Vulnerability: Admin+ Arbitrary File Upload Patched in Version: No known fix Severity: Critical

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

12. Limit Login Attempts

Plugin: Limit Login Attempts Vulnerability: Unauthenticated Stored Cross-Site Scripting Patched in Version: 4.0.50 Severity Score: Critical

The vulnerability is patched, so you should update to version 4.0.50.

13. OMGF

Plugin: OMGF Vulnerability: Subscriber+ Arbitrary File/Folder Deletion Patched in Version: 4.5.4 Severity Score: Critical

The vulnerability is patched, so you should update to version 4.5.4.

Plugin: OMGF Vulnerability: Unauthenticated Path Traversal in REST API Patched in Version: 4.5.4 Severity Score: Critical

The vulnerability is patched, so you should update to version 4.5.4.

14. Fonts Plugin

Plugin: Fonts Plugin Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 3.0.3 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.0.3

15. GSEOR

Plugin: GSEOR Vulnerability: Authenticated SQL Injection Patched in Version: No known fix Severity: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

16. Shortcodes Ultimate

Plugin: Shortcodes Ultimate Vulnerability: Contributor+ Stored XSS Patched in Version: 5.10.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 5.10.2.

17. Post Views Counter

Plugin: Post Views Counter Vulnerability: Authenticated Stored XSS Patched in Version: 1.3.5 Severity Score: Low

The vulnerability is patched, so you should update to version 1.3.5.

18. MWB Point of Sale (POS) for WooCommerce

Plugin: MWB Point of Sale (POS) for WooCommerce Vulnerability: CSRF Bypass / Unauthorised AJAX Call Patched in Version: 1.0.1 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.1.

19. Timetable and Event Schedule by MotoPress

Plugin: Timetable and Event Schedule by MotoPress Vulnerability: Unauthorised Event TimeSlot Deletion Patched in Version: 2.4.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.4.2.

Plugin: Timetable and Event Schedule by MotoPress Vulnerability: Unauthorised Event TimeSlot Update Patched in Version: 2.4.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.4.2.

Plugin: Timetable and Event Schedule by MotoPress Vulnerability: Arbitrary User’s Hashed Password/Email/Username Disclosure Patched in Version: 2.4.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.4.2.

Plugin: Timetable and Event Schedule by MotoPress Vulnerability: Author+ Stored Cross-Site Scripting Patched in Version: 2.4.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.4.2.

20. Comment Link Remove and Other Comment Tools 

Plugin: Comment Link Remove and Other Comment Tools Vulnerability: Arbitrary Comment Deletion via CSRF Patched in Version: 2.1.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.1.6.

21. WP Video Lightbox

Plugin: WP Video Lightbox Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 1.9.3 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.9.3.

22. Gallery Blocks with Lightbox

Plugin: Gallery Blocks with Lightbox Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 2.2.1 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.2.1.

23. Recipe Card Blocks

Plugin: Recipe Card Blocks Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 2.8.3 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.8.3.

Plugin: Recipe Card Blocks Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.8.1 Severity Score: High

The vulnerability is patched, so you should update to version 2.8.1.

24. Podlove Podcast Publisher

Plugin: Podlove Podcast Publisher Vulnerability: Unauthenticated SQL Injection Patched in Version: 3.5.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.5.6.

25. Coupon Affiliates for WooCommerce

Plugin: Coupon Affiliates for WooCommerce Vulnerability: Reflected Cross-Site Scripting Patched in Version: 4.11.0.2 Severity Score: High

The vulnerability is patched, so you should update to version 4.11.0.2.

26. Contact List

Plugin: Contact List Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.9.42 Severity Score: High

The vulnerability is patched, so you should update to version 2.9.42.

27. SMTP Mail 

Plugin: SMTP Mail Vulnerability: Authenticated SQL Injections Patched in Version: 1.2.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.2.

Plugin: SMTP Mail Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 1.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.

28. Live Scores for SportsPress  

Plugin: Live Scores for SportsPress Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.9.1 Severity Score: High

The vulnerability is patched, so you should update to version 1.9.1.

Plugin: Live Scores for SportsPress Vulnerability: Authenticated Local File Inclusion Patched in Version: 1.9.1 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.9.1.

29. TextME SMS 

Plugin: TextME SMS Vulnerability: Authenticated Stored XSS Patched in Version: 1.8.9 Severity Score: Low

The vulnerability is patched, so you should update to version 1.8.9.

30. Contact Form Entries

Plugin: Contact Form Entries Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.2.1 Severity Score: High

The vulnerability is patched, so you should update to version 1.2.1.

Plugin: Contact Form Entries – Contact Form 7, WPforms and more Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

31. Moova for WooCommerce

Plugin: Moova for WooCommerce Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.8 Severity Score: High

The vulnerability is patched, so you should update to version 3.8.

32. Picture Gallery

Plugin: Picture Gallery Vulnerability: Authenticated Stored XSS Patched in Version: 1.4.4 Severity Score: Low

The vulnerability is patched, so you should update to version 1.4.4.

33. Station Pro Plugin

Plugin: Station Pro Plugin – Titan Framework Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 2.2.2 Severity Score: High

The vulnerability is patched, so you should update to version 2.2.2.

34. Booster for WooCommerce 

Plugin: Booster for WooCommerce Vulnerability: Authentication Bypass Patched in Version: 5.4.4 Severity Score: Critical

The vulnerability is patched, so you should update to version 5.4.4.

35. Responsive Poll  

Plugin: Responsive Poll Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.5.9 Severity Score: High

The vulnerability is patched, so you should update to version 1.5.9

36. Contact Form 7 Zoho

Plugin: Contact Form 7 Zoho Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.1.8 Severity Score: High

The vulnerability is patched, so you should update to version 1.1.8.

Plugin: Contact Form 7 Zoho – Multiple Plugins from CRM Perks Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.1.9 Severity Score: High

The vulnerability is patched, so you should update to version 1.1.9.

37. Block and Stop Bad Bots

Plugin: Block and Stop Bad Bots Vulnerability: Reflected Cross-Site Scripting Patched in Version: 6.62 Severity Score: High

The vulnerability is patched, so you should update to version 6.62.

38. MX Time Zone Clocks

Plugin: MX Time Zone Clocks Vulnerability: Contributor+ Cross-Site Scripting Patched in Version: 3.4.1 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.4.1.

39. Mail Masta

Plugin: Mail Masta Vulnerability: Unauthenticated Local File Inclusion (LFI) Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

40. Nested Pages

Plugin: Nested Pages Vulnerability: CSRF to Arbitrary Post Deletion and Modification Patched in Version: 3.1.16 Severity Score: High

The vulnerability is patched, so you should update to version 3.1.16.

Plugin: Nested Pages Vulnerability: Open Redirect Patched in Version: 3.1.16 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.1.16.

41. WordPress Real Media Library

Plugin: WordPress Real Media Library Vulnerability: Author Stored Cross-Site Scripting Patched in Version: 4.14.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 4.14.2.

42. MPL-Publisher – Self-publish your book & ebook

Plugin: MPL-Publisher – Self-publish your book & ebook Vulnerability: Reflected Cross-Site Scripting via PHPRelativePath Library Patched in Version: 1.29.2 Severity Score: High

The vulnerability is patched, so you should update to version 1.29.2.

43. WooCommerce PDF Invoice Bulk Download

Plugin: WooCommerce PDF Invoice Bulk Download Vulnerability: Reflected Cross-Site Scripting via PHPRelativePath Library Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

44. Read Offline

Plugin: Read Offline Vulnerability: Reflected Cross-Site Scripting via PHPRelativePath Library Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

45. Integration for Contact Form 7 and Mailchimp

Plugin: Integration for Contact Form 7 and Mailchimp Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.1.1 Severity Score: High

The vulnerability is patched, so you should update to version 1.1.1.

46. Integration for Contact Form 7 HubSpot

Plugin: Integration for Contact Form 7 HubSpot Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.2.0 Severity Score: High

The vulnerability is patched, so you should update to version 1.2.0.

47. WooCommerce Zoho Integration – CRM, Books, Invoice, Inventory 

Plugin: WooCommerce Zoho Integration – CRM, Books, Invoice, Inventory Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

48. Integration for Contact Form 7 and Salesforce 

Plugin: Integration for Contact Form 7 and Salesforce Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.2.6 Severity Score: High

The vulnerability is patched, so you should update to version 1.2.6.

49. Connector for Gravity Forms and Google Sheets   

Plugin: Connector for Gravity Forms and Google Sheets Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.1.1 Severity Score: High

The vulnerability is patched, so you should update to version 1.1.1.

50. Integration for Contact Form 7 and Constant Contact

Plugin: Integration for Contact Form 7 and Constant Contact Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.1.0 Severity Score: High

The vulnerability is patched, so you should update to version 1.1.0.

51. Integration for WooCommerce and QuickBooks

Plugin: Integration for WooCommerce and QuickBooks Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

52. Gravity Forms Salesforce

Plugin: Gravity Forms Salesforce Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

53. Integration for Contact Form 7 and Infusionsoft

Plugin: Integration for Contact Form 7 and Infusionsoft Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.1.4 Severity Score: High

The vulnerability is patched, so you should update to version 1.1.4.

54. Integration for Contact Form 7 and Pipedrive

Plugin: Integration for Contact Form 7 and Pipedrive Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.1.1 Severity Score: High

The vulnerability is patched, so you should update to version 1.1.1.

55. Gravity Forms Infusionsoft

Plugin: Gravity Forms Infusionsoft Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.1.5 Severity Score: High

The vulnerability is patched, so you should update to version 1.1.5.

56. Contact Form 7 Zendesk

Plugin: Contact Form 7 Zendesk Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.0.8 Severity Score: High

The vulnerability is patched, so you should update to version 1.0.8.

57. Gravity Forms Zoho CRM Add-on

Plugin: Gravity Forms Zoho CRM Add-on Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

58. Gravity Forms HubSpot

Plugin: Gravity Forms HubSpot Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

59. WooCommerce Salesforce Integration

Plugin: WooCommerce Salesforce Integration Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

60. WP Insightly for Contact Form 7 and Ninja Forms

Plugin: WP Insightly for Contact Form 7 and Ninja Forms Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.0.9 Severity Score: High

The vulnerability is patched, so you should update to version 1.0.9.

61. Gravity Forms Zendesk

Plugin: Gravity Forms Zendesk Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

62. WP Infusionsoft WooCommerce Plugin

Plugin: WP Infusionsoft WooCommerce Plugin Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

63. Integration for Contact Form 7 and ActiveCampaign

Plugin: Integration for Contact Form 7 and ActiveCampaignVulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

64. Integration for HubSpot and WooCommerce

Plugin: Integration for HubSpot and WooCommerce Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

65. Gravity Forms FreshDesk Plugin

Plugin: Gravity Forms FreshDesk Plugin – WordPress plugin | WordPress.org Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

66. Gravity Forms Dynamics CRM

Plugin: Gravity Forms Dynamics CRM Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

67. Gravity Forms Constant Contact Plugin

Plugin: Gravity Forms Constant Contact Plugin Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

68. Integration for Gravity Forms and Pipedrive

Plugin: Integration for Gravity Forms and Pipedrive Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

69. WP Gravity Forms Insightly

Plugin: WP Gravity Forms Insightly Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

70. NewsPlugin

Plugin: NewsPlugin Vulnerability: CSRF to Stored Cross-Site Scripting Patched in Version: 1.1.0 Severity Score: High

The vulnerability is patched, so you should update to version 1.1.0.

71. Events Shortcodes & Templates For The Events Calendar

Plugin: Events Shortcodes & Templates For The Events Calendar Vulnerability: Titan Framework – Reflected Cross-Site Scripting (XSS) Patched in Version: 1.7.2 Severity Score: High

The vulnerability is patched, so you should update to version 1.7.2.

72. Advanced Custom Fields

Plugin: Advanced Custom Fields Vulnerability: Subscriber+ Arbitrary ACF Data/Field Groups View and Fields Move Patched in Version: 5.10 Severity Score: Medium

The vulnerability is patched, so you should update to version 5.10.

73. PostX Gutenberg Blocks Saved Templates Addon

Plugin: PostX Gutenberg Blocks Saved Templates Addon Vulnerability: Private Content Disclosure Patched in Version: 2.4.10 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.4.10.

Plugin: PostX Gutenberg Blocks Saved Templates Addon Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 2.4.10 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.4.10.

Plugin: PostX Gutenberg Blocks for Post Grid Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 2.4.10 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.4.10.

Plugin: PostX Gutenberg Blocks for Post Grid Vulnerability: Missing Access Controls Patched in Version: 2.4.10 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.4.10.

74. Skaut bazar

Plugin: Skaut bazar Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.3.3 Severity Score: High

The vulnerability is patched, so you should update to version 1.3.3.

75. Donate With QRCode

Plugin: Donate With QRCode Vulnerability: Stored Cross-Site Scripting Patched in Version: No known fix Severity: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

WordPress Themes Vulnerabilities

1. Woffice

Plugin: Woffice Vulnerability: Unauthenticated Disclosure of Notification Titles Patched in Version: 4.0.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 4.0.2.

 

If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay! 

The information for this blog post was taken from iThemes Vulnerability Roundup

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!