Threat Alerts / Sep 15, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

Several WordPress core security issues were disclosed and fixed. WordPress 5.8.1 was released as a security and maintenance release. As a best practice, always be sure to run the latest version of WordPress core!

1. WordPress 5.4 to 5.8

Vulnerability: Data Exposure via REST API Patched in Version: 5.8.1 Severity Score: Medium

The vulnerability has been patched, so you should update all your sites today to WordPress 5.8.1.

Vulnerability: Authenticated XSS in Block Editor Patched in Version: 5.8.1 Severity Score: Medium

The vulnerability has been patched, so you should update all your sites today to WordPress 5.8.1.

Vulnerability: Lodash Library Update Patched in Version: 5.8.1 Severity Score: Medium

The vulnerability has been patched, so you should update all your sites today to WordPress 5.8.1.

WordPress Plugin Vulnerabilities

1. Pinterest Automatic

Plugin: Pinterest Automatic Vulnerability: Unauthenticated Arbitrary Options Update Patched in Version: 4.14.4 Severity Score: Critical

The vulnerability is patched, so you should update to version 4.14.4.

2. WordPress Automatic

Plugin: WordPress Automatic Vulnerability: Unauthenticated Arbitrary Options Update Patched in Version: 3.53.3 Severity Score: Critical

The vulnerability is patched, so you should update to version 3.53.3.

3. ELEX WooCommerce Google Shopping

Plugin: ELEX WooCommerce Google Shopping Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 1.2.4 Severity Score: High

The vulnerability is patched, so you should update to version 1.2.4.

4. User Registration

Plugin: User Registration Vulnerability: Low Privilege Stored Cross-Site Scripting Patched in Version: 2.0.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.2.

5. uListing

Plugin: uListing Vulnerability: Arbitrary Blog Option Update via CSRF Patched in Version: 2.0.9 Severity Score: High

The vulnerability is patched, so you should update to version 2.0.9.

6. Appointment Hour Booking

Plugin: Appointment Hour Booking Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 1.3.16 Severity Score: Low

The vulnerability is patched, so you should update to version 1.3.16.

Plugin: Appointment Hour Booking Vulnerability: Authenticated Stored XSS Patched in Version: 1.3.17 Severity Score: Low

The vulnerability is patched, so you should update to version 1.3.17.

7. UsersWP

Plugin: UsersWP Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.2.2.29 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.2.29.

8. PublishPress Editorial Calendar

Plugin: PublishPress Editorial Calendar Vulnerability: Reflected Cross-Site Scripting Patched in Version: 3.5.1 Severity Score: High

The vulnerability is patched, so you should update to version 3.5.1.

9. Better Find and Replace

Plugin: Better Find and Replace Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.2.9 Severity Score: High

The vulnerability is patched, so you should update to version 1.2.9.

10. CM Tooltip Glossary

Plugin: CM Tooltip Glossary Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 3.9.21 Severity Score: Medium

The vulnerability is patched, so you should update to version 3.9.21.

11. Bitcoin / AltCoin Payment Gateway for WooCommerce

Plugin: Bitcoin / AltCoin Payment Gateway for WooCommerce Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.6.1 Severity Score: High

The vulnerability is patched, so you should update to version 1.6.1.

12. Modern Events Calendar Lite

Plugin: Modern Events Calendar Lite Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 5.22.2 Severity Score: Low

The vulnerability is patched, so you should update to version 5.22.2.

13. My Chatbot

Theme: My Chatbot Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: No known fix Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the theme until a patch is released.

14. Duplicate Page

Plugin: Duplicate Page Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 4.4.3 Severity Score: Medium

The vulnerability is patched, so you should update to version 4.4.3.

15. Weather Effect

Plugin: Weather Effect Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.3.6 Severity Score: Low

The vulnerability is patched, so you should update to version 1.3.6.

Plugin: Weather Effect Vulnerability: CSRF to Stored Cross-Site Scripting Patched in Version: 1.3.4 Severity Score: High

The vulnerability is patched, so you should update to version 1.3.6.

16. Chained Quiz

Plugin: Chained Quiz Vulnerability: Authenticated Stored Cross Site Scripting Patched in Version: 1.2.7.2 Severity Score: Low

The vulnerability is patched, so you should update to version 1.2.7.2.

17. WP Academic People List

Plugin: WP Academic People List Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

18. Konnichiwa! Membership

Plugin: Konnichiwa! Membership Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

19. 3D Cover Carousel

Plugin: 3D Cover Carousel Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

20. More From Google 

Plugin: More From Google Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

21. simpleSAMLphp Authentication

Plugin: simpleSAMLphp Authentication Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

22. Custom Menu Plugin

Plugin: Custom Menu Plugin Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

23. Twitter Friends Widget

Plugin: Twitter Friends Widget Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

24. RentPress

Plugin: RentPress Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

25. SP Rental Manager

Plugin: SP Rental Manager Vulnerability: Unauthenticated SQL Injection Patched in Version: No known fix Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

26. User Activation Email

Plugin: User Activation Email Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

27. WP Google Maps

Plugin: WP Google Maps Vulnerability: Multiple Admin+ Stored Cross-Site Scripting Patched in Version: 8.1.13 Severity Score: Low

The vulnerability is patched, so you should update to version 8.1.13.

28. GeoDirectory

Plugin: GeoDirectory Vulnerability: Authenticated (admin+) Stored Cross-Site Scripting (XSS) Patched in Version: 2.1.1.3 Severity Score: Medium

The vulnerability is patched, so you should update to version 4.4.3.

29. TranslatePress

Plugin: TranslatePress Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 2.0.9 Severity Score: Low

The vulnerability is patched, so you should update to version 2.0.9.

30. Post Title Counter

Plugin: Post Title Counter Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

31. YouTube Video Inserter

Plugin: YouTube Video Inserter Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

32. Notices

Plugin: Notices Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

33. DJ EmailPublish

Plugin: DJ EmailPublish Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

34. Yet Another bol.com Plugin

Plugin: Yet Another bol.com Plugin Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

35. WP-T-Wap 

Plugin: WP-T-Wap Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

36. On Page SEO + Whatsapp Chat Button

Plugin: On Page SEO + Whatsapp Chat Button Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

37. WP Scrippets

Plugin: WP Scrippets Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

38. WP Design Maps & Places

Plugin: WP Design Maps & Places Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

39. Wise Agent Capture Forms

Plugin: Wise Agent Capture Forms Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

40. Edit Comments XT 

Plugin: Edit Comments XT Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

41. RSVPMaker Excel

Plugin: RSVPMaker Excel Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

42. Border Loading Bar

Plugin: Border Loading Bar Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

43. Simple Matted Thumbnails

Plugin: Simple Matted Thumbnails Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

44. WordPress Simple Shop

Plugin: WordPress Simple Shop Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

45. WooCommerce Payment Gateway Per Category

Plugin: WooCommerce Payment Gateway Per Category Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

46. Custom Website Data

Plugin: Custom Website Data Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

47. Advance Search

Plugin: Advance Search Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

48. Integration of Moneybird for WooCommerce

Plugin: Integration of Moneybird for WooCommerce Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

49. Spideranalyse

Plugin: Spideranalyse Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

50. OSD Subscribe

Plugin: OSD Subscribe Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

51. Feedify Web Push Notifications

Plugin: Feedify Web Push Notifications Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

52. Dropdown and scrollable Text

Plugin: Dropdown and scrollable Text Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

53. GNU-Mailman Integration

Plugin: GNU-Mailman Integration Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

54. Bug Library

Plugin: Bug Library Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

55. SMS OVH

Plugin: SMS OVH Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

56. MoolaMojo

Plugin: MoolaMojo Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

57. WordPress InviteBox Plugin

Plugin: WordPress InviteBox Plugin Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

58. wp-publications

Plugin: wp-publications Vulnerability: Local File Inclusion Patched in Version: No known fix Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

59. Timetable and Event Schedule by MotoPress

Plugin: Timetable and Event Schedule by MotoPress Vulnerability: Author+ Stored Cross-Site Scripting Patched in Version: 2.3.19 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.3.19.

60. Comment Link Remove and Other Comment Tools

Plugin: Comment Link Remove and Other Comment Tools Vulnerability: Arbitrary Comment Deletion via CSRF Patched in Version: 2.1.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 4.4.3.

61. WP Simple Booking Calendar

Plugin: WP Simple Booking Calendar Vulnerability: Authenticated SQL Injection Patched in Version: 2.0.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.6.

62. Block and Stop Bad Bots

Plugin: Block and Stop Bad Bots Vulnerability: Authenticated SQL Injections Patched in Version: 6.60 Severity Score: Medium

The vulnerability is patched, so you should update to version 6.60.

63. Paid Member Subscriptions

Plugin: Paid Member Subscriptions Vulnerability: Authenticated SQL Injection Patched in Version: 2.4.2 Severity Score: Medium

The vulnerability is patched, so you should update to version 4.4.3.

64. Easy Accordion

Plugin: Easy Accordion Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 2.0.22 Severity Score: Low

The vulnerability is patched, so you should update to version 4.4.3.

WordPress Themes Vulnerabilities

1. Enfold 

Theme: Enfold Vulnerability: Reflected Cross-Site Scripting (XSS) Patched in Version: 4.8.4 Severity Score: Medium

The vulnerability is patched, so you should update to version 4.8.4.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!