Threat Alerts / Sep 22, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

Several WordPress core security issues were disclosed and fixed. WordPress 5.8.1 was released as a security and maintenance release. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

1. WooCommerce Multi Currency

Plugin: WooCommerce Multi Currency
Vulnerability: Authenticated Product Price Change
Patched in Version: 2.1.18
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.1.18.

2. GeoDirectory

Plugin: GeoDirectory
Vulnerability: Authenticated (admin+) Stored Cross-Site Scripting (XSS)
Patched in Version: 2.1.1.3
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.1.1.3.

3. Software License Manager

Plugin: Software License Manager
Vulnerability: Arbitrary Domain Deletion via CSRF
Patched in Version: 4.5.1
Severity Score: High

The vulnerability is patched, so you should update to version 4.5.1.

4. Quiz And Survey Master

Plugin: Quiz And Survey Master
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 7.3.2
Severity Score: Low

The vulnerability is patched, so you should update to version 7.3.2.

5. Affiliate Power

Plugin: Affiliate Power
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.3.0
Severity Score: High

The vulnerability is patched, so you should update to version 2.3.0.

6. Poll Maker

Plugin: Poll Maker
Vulnerability: Unauthenticated Time Based SQL Injection
Patched in Version: 3.4.2
Severity Score: Critical

The vulnerability is patched, so you should update to version 3.4.2.

7. Coming Soon and Maintenance Mode

Plugin: Coming Soon and Maintenance Mode
Vulnerability: Authenticated Stored XSS
Patched in Version: 3.5.3
Severity Score: Low

The vulnerability is patched, so you should update to version 3.5.3.

8. EditorsKit

Plugin: EditorsKit
Vulnerability: Contributor+ Arbitrary PHP Code Execution
Patched in Version: 1.31.6
Severity Score: Critical

The vulnerability is patched, so you should update to version 1.31.6.

9. Travelpayouts

Plugin: Travelpayouts
Vulnerability: CSRF Bypass due to Outdated Redux Framework
Patched in Version: 1.0.17
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.17.

10. Availability Calendar

Plugin: Availability Calendar
Vulnerability: Authenticated SQL Injection
Patched in Version: 1.2.1
Severity Score: High

The vulnerability is patched, so you should update to version 1.2.1.

Plugin: Availability Calendar
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 1.2.1
Severity Score: Low

The vulnerability is patched, so you should update to version 1.2.1.

11. SEO Redirection

Plugin: SEO Redirection
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 7.1
Severity Score: Low

The vulnerability is patched, so you should update to version 7.1.

Plugin: SEO Redirection
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 7.4
Severity Score: High

The vulnerability is patched, so you should update to version 7.4.

Plugin: SEO Redirection
Vulnerability: Arbitrary Redirect Deletion via CSRF
Patched in Version: 7.9
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.9.

12. Simple Social Media Share Buttons

Plugin: Simple Social Media Share Buttons
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 3.2.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.14.4.

13. Comments – wpDiscuz

Plugin: Comments – wpDiscuz
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 7.3.2
Severity Score: Low

The vulnerability is patched, so you should update to version 7.3.2.

14. Download from files

Plugin: Download from files
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in Version: No known fix
Severity Score: Critical

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

15. Support Board

Plugin: Support Board
Vulnerability: Multiple Unauthenticated SQL Injections
Patched in Version: 3.3.4
Severity Score: Critical

The vulnerability is patched, so you should update to version 3.3.4.

16. Find My Blocks

Plugin: Find My Blocks
Vulnerability: Private Post Titles Disclosure
Patched in Version: 3.4.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.4.0.

17. Dflip Lite

Plugin: Dflip Lite
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 1.7.10
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.10.

18. Compact WP Audio Player

Plugin: Compact WP Audio Player
Vulnerability: Setting Change via CSRF
Patched in Version: 1.9.7
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.9.7.

Plugin: Compact WP Audio Player
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 1.9.7
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.9.7.

19. Shared Files

Plugin: Shared Files
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.6.57
Severity Score: Low

The vulnerability is patched, so you should update to version 1.6.57.

20. 4k-icon-fonts-for-visual-composer

Plugin: 4k-icon-fonts-for-visual-composer
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

21. Ad Blocker Notify Lite

Plugin: Ad Blocker Notify Lite
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

22. affiliate-pro

Plugin: affiliate-pro
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

23. AMP extensions

Plugin: AMP extensions
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

24. Aoi Tori

Plugin: Aoi Tori
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

25. Awesome Support – WordPress HelpDesk & Support Plugin

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

26. betteroptin

Plugin: betteroptin
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

27. Border Loading Bar

Plugin: Border Loading Bar
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

28. Catchers Helpdesk and Ticket system for Support

Plugin: Catchers Helpdesk and Ticket system for Support
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

29. Bootstrap Categories Gallery

Plugin: Bootstrap Categories Gallery
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

30. Woocommerce Categories in gallery format

Plugin: Woocommerce Categories in gallery format
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

31. WordPress Form Customizer | CF7 Customizer

Plugin: WordPress Form Customizer | CF7 Customizer
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

32. ClinicalWP Core

Plugin: ClinicalWP Core
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

33. Facebook Page Feed Timeline

Plugin: Facebook Page Feed Timeline
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

34. Custom Scrollbar Designer

Plugin: Custom Scrollbar Designer
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

35. Custom Text Selection Colors

Plugin: Custom Text Selection Colors
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

36. Disable Image Right Click

Plugin: Disable Image Right Click
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

37. Easy Gallery Slideshow

Plugin: Easy Gallery Slideshow
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

38. Easy Google Map

Plugin: Easy Google Map
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

39. Easy Justified Gallery

Plugin: Easy Justified Gallery
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

40. Share Posts To Email

Plugin: Share Posts To Email
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

41. Exit Popup Show

Plugin: Exit Popup Show
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

42. Flight Search Widget and Blocks

Plugin: Flight Search Widget and Blocks
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

43. Icons with Links Widget

Plugin: Icons with Links Widget
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

44. ICustomizer

Plugin: ICustomizer
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

45. Live Chat for Fanpage

Plugin: Live Chat for Fanpage
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

46. Media Mirror

Plugin: Media Mirror
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

47. WP Mobile Menu – The Mobile-Friendly Responsive Menu

Plugin: WP Mobile Menu – The Mobile-Friendly Responsive Menu
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: 2.8.2.3
Severity Score: High

The vulnerability is patched, so you should update to version 2.8.2.3.

48. Popup Modal For Youtube

Plugin: Popup Modal For Youtube
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

49. Project2App – Turn Your WordPress Site into an Android App

Plugin: Project2App – Turn Your WordPress Site into an Android App
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

50. Seatgeek Affiliate Tickets

Plugin: Seatgeek Affiliate Tickets
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

51. SEO-Dashboard by gutewebsites.de

Plugin: SEO-Dashboard by gutewebsites.de
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

52. Share Woocommerce to Email

Plugin: Share Woocommerce to Email
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

53. Simple Behance Portfolio

Plugin: Simple Behance Portfolio
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

54. Stars Menu

Plugin: Stars Menu
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

55. Station Pro Plugin

Plugin: Station Pro Plugin
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: 2.2.2
Severity Score: High

The vulnerability is patched, so you should update to version 2.2.2.

56. Sticky Related Posts

Plugin: Sticky Related Posts
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

57. tcS3

Plugin: tcS3
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

58. Events Shortcodes For The Events Calendar

Plugin: Events Shortcodes For The Events Calendar
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: 1.7.2
Severity Score: High

The vulnerability is patched, so you should update to version 1.7.2.

59. Titan Framework

Plugin: Titan Framework
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

60. Total Sales For Woocommerce

Plugin: Total Sales For Woocommerce
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

61. tr-easy-google-analytics

Plugin: tr-easy-google-analytics
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

62. Venture Event Manager

Plugin: Venture Event Manager
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: 3.2.5
Severity Score: High

The vulnerability is patched, so you should update to version 3.2.5.

63. W3SCloud Contact Form 7 to Zoho CRM

Plugin: W3SCloud Contact Form 7 to Zoho CRM
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: 2.1.0
Severity Score: High

The vulnerability is patched, so you should update to version 2.1.0.

64. WebHotelier for WordPress

Plugin: WebHotelier for WordPress
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

65. Product Limited Time Availability Date for woocommerce

Plugin: Product Limited Time Availability Date for woocommerce
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

66. Request Quote via Whatsapp for Woocommerce

Plugin: Request Quote via Whatsapp for Woocommerce
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

67. Woosaleskit Bar

Plugin: Woosaleskit Bar
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

68. Yandex Money button

Plugin: Yandex Money button
Vulnerability: Reflected Cross-Site Scripting (XSS) – Titan Framework
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

69. PlanSo Forms

Plugin: PlanSo Forms
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

70. Advanced Menu Manager

Plugin: Advanced Menu Manager
Vulnerability: Unauthorised Menu Edition via CSRF
Patched in Version: 3.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.0.

Plugin: Advanced Menu Manager
Vulnerability: Unauthorised Menu Creation/Deletion
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

71. Shopping Cart & eCommerce Store

Plugin: Shopping Cart & eCommerce Store
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: 5.1.1
Severity Score: High

The vulnerability is patched, so you should update to version 5.1.1.

72. PDF Light Viewer

Plugin: PDF Light Viewer
Vulnerability: Authenticated Command Injection
Patched in Version: 1.4.12
Severity Score: Low

The vulnerability is patched, so you should update to version 1.4.12.

73. Podcast Subscribe Buttons

Plugin: Podcast Subscribe Buttons
Vulnerability: Contributor+ Stored XSS
Patched in Version: 1.4.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.4.2.

74. On Page SEO + Whatsapp Chat Button

Plugin: On Page SEO + Whatsapp Chat Button
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.0.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.2.

75. eID Easy

Plugin: eID Easy
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.7
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.7.

76. BulletProof Security

Plugin: BulletProof Security
Vulnerability: Sensitive Information Disclosure
Patched in Version: 5.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 5.2.

WordPress Themes Vulnerabilities

1. Avada

Theme: Avada
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 7.4.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.4.2.

Theme: Avada
Vulnerability: Stored Cross-Site Scripting
Patched in Version: 7.4.2
Severity Score:

The vulnerability is patched, so you should update to version 7.4.2.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!