NEWS
WordPress Vulnerabilities Digest - September 2021 Part 3
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
Several WordPress core security issues were disclosed and fixed. WordPress 5.8.1 was released as a security and maintenance release. As a best practice, always be sure to run the latest version of WordPress core!
1. WordPress 5.4 to 5.8
Vulnerability: Data Exposure via REST API Patched in Version: 5.8.1 Severity Score: Medium
The vulnerability has been patched, so you should update all your sites today to WordPress 5.8.1.
Vulnerability: Authenticated XSS in Block Editor Patched in Version: 5.8.1 Severity Score: Medium
The vulnerability has been patched, so you should update all your sites today to WordPress 5.8.1.
Vulnerability: Lodash Library Update Patched in Version: 5.8.1 Severity Score: Medium
The vulnerability has been patched, so you should update all your sites today to WordPress 5.8.1.
WordPress Plugin Vulnerabilities
1. Pinterest Automatic
Plugin: Pinterest Automatic Vulnerability: Unauthenticated Arbitrary Options Update Patched in Version: 4.14.4 Severity Score: Critical
The vulnerability is patched, so you should update to version 4.14.4.
2. WordPress Automatic
Plugin: WordPress Automatic Vulnerability: Unauthenticated Arbitrary Options Update Patched in Version: 3.53.3 Severity Score: Critical
The vulnerability is patched, so you should update to version 3.53.3.
3. ELEX WooCommerce Google Shopping
Plugin: ELEX WooCommerce Google Shopping Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 1.2.4 Severity Score: High
The vulnerability is patched, so you should update to version 1.2.4.
4. User Registration
Plugin: User Registration Vulnerability: Low Privilege Stored Cross-Site Scripting Patched in Version: 2.0.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.2.
5. uListing
Plugin: uListing Vulnerability: Arbitrary Blog Option Update via CSRF Patched in Version: 2.0.9 Severity Score: High
The vulnerability is patched, so you should update to version 2.0.9.
6. Appointment Hour Booking
Plugin: Appointment Hour Booking Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 1.3.16 Severity Score: Low
The vulnerability is patched, so you should update to version 1.3.16.
Plugin: Appointment Hour Booking Vulnerability: Authenticated Stored XSS Patched in Version: 1.3.17 Severity Score: Low
The vulnerability is patched, so you should update to version 1.3.17.
7. UsersWP
Plugin: UsersWP Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.2.2.29 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.2.2.29.
8. PublishPress Editorial Calendar
Plugin: PublishPress Editorial Calendar Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.5.1 Severity Score: High
The vulnerability is patched, so you should update to version 3.5.1.
9. Better Find and Replace
Plugin: Better Find and Replace Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.2.9 Severity Score: High
The vulnerability is patched, so you should update to version 1.2.9.
10. CM Tooltip Glossary
Plugin: CM Tooltip Glossary Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 3.9.21 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.9.21.
11. Bitcoin / AltCoin Payment Gateway for WooCommerce
Plugin: Bitcoin / AltCoin Payment Gateway for WooCommerce Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.6.1 Severity Score: High
The vulnerability is patched, so you should update to version 1.6.1.
12. Modern Events Calendar Lite
Plugin: Modern Events Calendar Lite Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 5.22.2 Severity Score: Low
The vulnerability is patched, so you should update to version 5.22.2.
13. My Chatbot
Theme: My Chatbot Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the theme until a patch is released.
14. Duplicate Page
Plugin: Duplicate Page Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 4.4.3 Severity Score: Medium
The vulnerability is patched, so you should update to version 4.4.3.
15. Weather Effect
Plugin: Weather Effect Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.3.6 Severity Score: Low
The vulnerability is patched, so you should update to version 1.3.6.
Plugin: Weather Effect Vulnerability: CSRF to Stored Cross-Site Scripting Patched in Version: 1.3.4 Severity Score: High
The vulnerability is patched, so you should update to version 1.3.6.
16. Chained Quiz
Plugin: Chained Quiz Vulnerability: Authenticated Stored Cross Site Scripting Patched in Version: 1.2.7.2 Severity Score: Low
The vulnerability is patched, so you should update to version 1.2.7.2.
17. WP Academic People List
Plugin: WP Academic People List Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
18. Konnichiwa! Membership
Plugin: Konnichiwa! Membership Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
19. 3D Cover Carousel
Plugin: 3D Cover Carousel Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
20. More From Google
Plugin: More From Google Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
21. simpleSAMLphp Authentication
Plugin: simpleSAMLphp Authentication Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
22. Custom Menu Plugin
Plugin: Custom Menu Plugin Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
23. Twitter Friends Widget
Plugin: Twitter Friends Widget Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
24. RentPress
Plugin: RentPress Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
25. SP Rental Manager
Plugin: SP Rental Manager Vulnerability: Unauthenticated SQL Injection Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
26. User Activation Email
Plugin: User Activation Email Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
27. WP Google Maps
Plugin: WP Google Maps Vulnerability: Multiple Admin+ Stored Cross-Site Scripting Patched in Version: 8.1.13 Severity Score: Low
The vulnerability is patched, so you should update to version 8.1.13.
28. GeoDirectory
Plugin: GeoDirectory Vulnerability: Authenticated (admin+) Stored Cross-Site Scripting (XSS) Patched in Version: 2.1.1.3 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.1.1.3.
29. TranslatePress
Plugin: TranslatePress Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 2.0.9 Severity Score: Low
The vulnerability is patched, so you should update to version 2.0.9.
30. Post Title Counter
Plugin: Post Title Counter Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
31. YouTube Video Inserter
Plugin: YouTube Video Inserter Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
32. Notices
Plugin: Notices Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
33. DJ EmailPublish
Plugin: DJ EmailPublish Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
34. Yet Another bol.com Plugin
Plugin: Yet Another bol.com Plugin Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
35. WP-T-Wap
Plugin: WP-T-Wap Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
36. On Page SEO + Whatsapp Chat Button
Plugin: On Page SEO + Whatsapp Chat Button Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
37. WP Scrippets
Plugin: WP Scrippets Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
38. WP Design Maps & Places
Plugin: WP Design Maps & Places Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
39. Wise Agent Capture Forms
Plugin: Wise Agent Capture Forms Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
40. Edit Comments XT
Plugin: Edit Comments XT Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
41. RSVPMaker Excel
Plugin: RSVPMaker Excel Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
42. Border Loading Bar
Plugin: Border Loading Bar Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
43. Simple Matted Thumbnails
Plugin: Simple Matted Thumbnails Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
44. WordPress Simple Shop
Plugin: WordPress Simple Shop Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
45. WooCommerce Payment Gateway Per Category
Plugin: WooCommerce Payment Gateway Per Category Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
46. Custom Website Data
Plugin: Custom Website Data Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
47. Advance Search
Plugin: Advance Search Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
48. Integration of Moneybird for WooCommerce
Plugin: Integration of Moneybird for WooCommerce Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
49. Spideranalyse
Plugin: Spideranalyse Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
50. OSD Subscribe
Plugin: OSD Subscribe Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
51. Feedify Web Push Notifications
Plugin: Feedify Web Push Notifications Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
52. Dropdown and scrollable Text
Plugin: Dropdown and scrollable Text Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
53. GNU-Mailman Integration
Plugin: GNU-Mailman Integration Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
54. Bug Library
Plugin: Bug Library Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
55. SMS OVH
Plugin: SMS OVH Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
56. MoolaMojo
Plugin: MoolaMojo Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
57. WordPress InviteBox Plugin
Plugin: WordPress InviteBox Plugin Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
58. wp-publications
Plugin: wp-publications Vulnerability: Local File Inclusion Patched in Version: No known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
59. Timetable and Event Schedule by MotoPress
Plugin: Timetable and Event Schedule by MotoPress Vulnerability: Author+ Stored Cross-Site Scripting Patched in Version: 2.3.19 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.3.19.
60. Comment Link Remove and Other Comment Tools
Plugin: Comment Link Remove and Other Comment Tools Vulnerability: Arbitrary Comment Deletion via CSRF Patched in Version: 2.1.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.1.6.
61. WP Simple Booking Calendar
Plugin: WP Simple Booking Calendar Vulnerability: Authenticated SQL Injection Patched in Version: 2.0.6 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.6.
62. Block and Stop Bad Bots
Plugin: Block and Stop Bad Bots Vulnerability: Authenticated SQL Injections Patched in Version: 6.60 Severity Score: Medium
The vulnerability is patched, so you should update to version 6.60.
63. Paid Member Subscriptions
Plugin: Paid Member Subscriptions Vulnerability: Authenticated SQL Injection Patched in Version: 2.4.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.4.2.
64. Easy Accordion
Plugin: Easy Accordion Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 2.0.22 Severity Score: Low
The vulnerability is patched, so you should update to version 2.0.22.
WordPress Themes Vulnerabilities
1. Enfold
Theme: Enfold Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 4.8.4 Severity Score: Medium
The vulnerability is patched, so you should update to version 4.8.4.
If you are under our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!