Threat Alerts / Sep 08, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

 

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

WordPress Plugin Vulnerabilities

1. Countdown Block

Plugin: Countdown Block Vulnerability: Missing Authorisation in AJAX action Patched in Version: 1.1.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.1.2.

2. User Activity Log

Plugin: User Activity Log Vulnerability: Reflected Cross-Site Scripting via Query String Patched in Version: 1.4.7 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.4.7.

Plugin: User Activity Log Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.4.7 Severity Score: High

The vulnerability is patched, so you should update to version 1.4.7.

3. Cookie Notice & Compliance for GDPR / CCPA

Plugin: Cookie Notice & Compliance for GDPR / CCPA Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 2.1.2 Severity Score: Low

The vulnerability is patched, so you should update to version 2.1.2.

4. TranslatePress

Plugin: TranslatePress Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 2.0.9 Severity Score: Low

The vulnerability is patched, so you should update to version 2.0.9.

5. WP Statistic

Plugin: WP Statistic Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 13.1 Severity Score: High

The vulnerability is patched, so you should update to version 13.1.

6. CoolClock

Plugin: CoolClock Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 4.3.5 Severity Score: Medium

The vulnerability is patched, so you should update to version 4.3.5.

7. Multiple Plugins from miniorange

Plugin: Multiple Plugins from miniorange Vulnerability: Reflected Cross-Site Scripting via appId Patched in Version: 6.20.3 Severity Score: High

The vulnerability is patched, so you should update to version 6.20.3.

8. Premium Addons for Elementor

Plugin: Premium Addons for Elementor Vulnerability: Subscriber+ Arbitrary Blog Option Update Patched in Version: 4.5.2 Severity Score: High

The vulnerability is patched, so you should update to version 4.5.2.

9. Docket Cache

Plugin: Docket Cache Vulnerability: Reflected Cross-Site Scripting Patched in Version: 21.08.02 Severity Score: High

The vulnerability is patched, so you should update to version 21.08.02.

10. WooCommerce Zoho Integration – CRM, Books, Invoice, Inventory 

Plugin: WooCommerce Zoho Integration – CRM, Books, Invoice, Inventory Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.2.4Severity: High

The vulnerability is patched, so you should update to version 1.2.4.

11. Integration for WooCommerce and QuickBooks

Plugin: Integration for WooCommerce and QuickBooks Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.1.9 Severity: High

The vulnerability is patched, so you should update to version 1.1.9.

12. Gravity Forms Salesforce

Plugin: Gravity Forms Salesforce Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.2.6 Severity: High

The vulnerability is patched, so you should update to version 1.2.6.

13. Gravity Forms Zoho CRM Add-on

Plugin: Gravity Forms Zoho CRM Add-on Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.1.6 Severity: High

The vulnerability is patched, so you should update to version 1.1.6.

14. Gravity Forms HubSpot

Plugin: Gravity Forms HubSpot Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.0.9 Severity: High

The vulnerability is patched, so you should update to version 1.0.9.

15. WooCommerce Salesforce Integration

Plugin: WooCommerce Salesforce Integration Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.5.9 Severity: High

The vulnerability is patched, so you should update to version 1.5.9.

16. Gravity Forms Zendesk

Plugin: Gravity Forms Zendesk Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.0.8 Severity: High

The vulnerability is patched, so you should update to version 1.0.8.

17. WP Infusionsoft WooCommerce Plugin

Plugin: WP Infusionsoft WooCommerce Plugin Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.0.9 Severity: High

The vulnerability is patched, so you should update to version 1.0.9.

18. Integration for Contact Form 7 and ActiveCampaign

Plugin: Integration for Contact Form 7 and ActiveCampaign Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.0.4 Severity: High

The vulnerability is patched, so you should update to version 1.0.4.

19. Integration for HubSpot and WooCommerce

Plugin: Integration for HubSpot and WooCommerce Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.0.5 Severity: High

The vulnerability is patched, so you should update to version 1.0.5.

20. Gravity Forms FreshDesk Plugin

Plugin: Gravity Forms FreshDesk Plugin – WordPress plugin | WordPress.org Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.2.9 Severity: High

The vulnerability is patched, so you should update to version 1.2.9.

21. Gravity Forms Dynamics CRM

Plugin: Gravity Forms Dynamics CRM Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.0.8 Severity: High

The vulnerability is patched, so you should update to version 1.0.8.

22. Gravity Forms Constant Contact Plugin

Plugin: Gravity Forms Constant Contact Plugin Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.0.6 Severity: High

The vulnerability is patched, so you should update to version 1.0.6.

23. Integration for Gravity Forms and Pipedrive

Plugin: Integration for Gravity Forms and Pipedrive Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.0.7 Severity: High

The vulnerability is patched, so you should update to version 1.0.7.

24. WP Gravity Forms Insightly

Plugin: WP Gravity Forms Insightly Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting Patched in Version: 1.0.7 Severity: High

The vulnerability is patched, so you should update to version 1.0.7.

25. WordPress Uninstall 

Plugin: WordPress Uninstall Vulnerability: WordPress Deletion via CSRF Patched in Version: No known fix Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

26. CF Geo Plugin 

Plugin: CF Geo Plugin Vulnerability: Reflected Cross-Site Scripting Patched in Version: 7.13.12 Severity: High

The vulnerability is patched, so you should update to version 7.13.12.

27. underConstruction 

Plugin: underConstruction Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.19 Severity: High

The vulnerability is patched, so you should update to version 1.19.

28. DZS Zoomsounds

Plugin: DZS Zoomsounds Vulnerability: Unauthenticated Arbitrary File Download Patched in Version: 6.50 Severity: High

The vulnerability is patched, so you should update to version 6.50.

29. WooCommerce Dynamic Pricing & Discounts 

Plugin: WooCommerce Dynamic Pricing & Discounts Vulnerability: Unauthenticated Settings Import to Stored XSS Patched in Version: 2.4.2 Severity: High

The vulnerability is patched, so you should update to version 2.4.2.

Plugin: WooCommerce Dynamic Pricing & Discounts Vulnerability: Unauthenticated Settings Export Patched in Version: 2.4.2 Severity: Medium

The vulnerability is patched, so you should update to version 2.4.2.

30. Software License Manager

Plugin: Software License Manager Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 4.5.0 Severity: Low

The vulnerability is patched, so you should update to version 14.5.0.

31. Timetable and Event Schedule by MotoPress

Plugin: Timetable and Event Schedule by MotoPress Vulnerability: Author+ Stored Cross-Site Scripting Patched in Version: 2.3.19 Severity: Medium

The vulnerability is patched, so you should update to version 2.3.19.

32. Easy Social Icons

Plugin: Easy Social Icons Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.1.0 Severity: High

The vulnerability is patched, so you should update to version 3.1.0.

33. Donate With QRCode

Plugin: Donate With QRCode Vulnerability: Stored Cross-Site Scripting Patched in Version: 1.4.5 Severity: Medium

The vulnerability is patched, so you should update to version 1.4.5.

Plugin: Donate With QRCode Vulnerability: Plugin’s Setting Update via CSRF Patched in Version: No known fix Severity: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

34. XO Event Calendar 

Plugin: XO Event Calendar Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.3.7 Severity: High

The vulnerability is patched, so you should update to version 2.3.7.

35. Watu Quizz  

Plugin: Watu Quizz Vulnerability: Reflected XSS via question-form.html.php Patched in Version: 3.1.2.6 Severity: High

The vulnerability is patched, so you should update to version 3.1.2.6.

36. Gutenberg Template Library & Redux Framework

Plugin: Gutenberg Template Library & Redux Framework Vulnerability: Contributor+ Arbitrary Plugin Installation and Post Deletion Patched in Version: 4.2.13 Severity: High

The vulnerability is patched, so you should update to version 1.2.13.

37. Meow Gallery

Plugin: Meow Gallery Vulnerability: Unauthorised Arbitrary Options Update via REST API Patched in Version: 4.2.0 Severity: High

The vulnerability is patched, so you should update to version 4.2.0.

Plugin: Meow Gallery Vulnerability: Contributor+ SQL Injection Patched in Version: 4.1.9 Severity: High

The vulnerability is patched, so you should update to version 4.1.9.

38. WP Mapa Politico Espana

Plugin: WP Mapa Politico Espana Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 3.7.0 Severity: Low

The vulnerability is patched, so you should update to version 3.7.0.

39. WP Upload Restriction

Plugin: WP Upload Restriction Vulnerability: Missing Access Control in getSelectedMimeTypesByRole Patched in Version: 2.2.5 Severity: Medium

The vulnerability is patched, so you should update to version 2.2.5.

Plugin: WP Upload Restriction Vulnerability: Missing Access Control in deleteCustomType Patched in Version: 2.2.5 Severity: Medium

The vulnerability is patched, so you should update to version 2.2.5.

Plugin: WP Upload Restriction Vulnerability: Authenticated Stored XSS Patched in Version: 2.2.5 Severity: Medium

The vulnerability is patched, so you should update to version 2.2.5.

WordPress Themes Vulnerabilities

No new WordPress theme vulnerabilities have been disclosed this month.

 

If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay! 

The information for this blog post was taken from iThemes Vulnerability Roundup

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!