NEWS
WordPress Vulnerabilities Digest - September 2021 Part 4
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
Several WordPress core security issues were disclosed and fixed. WordPress 5.8.1 was released as a security and maintenance release. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
1. WooCommerce Multi Currency
Plugin: WooCommerce Multi Currency Vulnerability: Authenticated Product Price Change Patched in Version: 2.1.18 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.1.18.
2. GeoDirectory
Plugin: GeoDirectory Vulnerability: Authenticated (admin+) Stored Cross-Site Scripting (XSS) Patched in Version: 2.1.1.3 Severity Score: Medium
The vulnerability is patched, so you should update to version 2.1.1.3.
3. Software License Manager
Plugin: Software License Manager Vulnerability: Arbitrary Domain Deletion via CSRF Patched in Version: 4.5.1 Severity Score: High
The vulnerability is patched, so you should update to version 4.5.1.
4. Quiz And Survey Master
Plugin: Quiz And Survey Master Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 7.3.2 Severity Score: Low
The vulnerability is patched, so you should update to version 7.3.2.
5. Affiliate Power
Plugin: Affiliate Power Vulnerability: Reflected Cross-Site Scripting Patched in Version: 2.3.0 Severity Score: High
The vulnerability is patched, so you should update to version 2.3.0.
6. Poll Maker
Plugin: Poll Maker Vulnerability: Unauthenticated Time-Based SQL Injection Patched in Version: 3.4.2 Severity Score: Critical
The vulnerability is patched, so you should update to version 3.4.2.
7. Coming Soon and Maintenance Mode
Plugin: Coming Soon and Maintenance Mode Vulnerability: Authenticated Stored XSS Patched in Version: 3.5.3 Severity Score: Low
The vulnerability is patched, so you should update to version 3.5.3.
8. EditorsKit
Plugin: EditorsKit Vulnerability: Contributor+ Arbitrary PHP Code Execution Patched in Version: 1.31.6 Severity Score: Critical
The vulnerability is patched, so you should update to version 1.31.6.
9. Travelpayouts
Plugin: Travelpayouts Vulnerability: CSRF Bypass due to Outdated Redux Framework Patched in Version: 1.0.17 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.0.17.
10. Availability Calendar
Plugin: Availability Calendar Vulnerability: Authenticated SQL Injection Patched in Version: 1.2.1 Severity Score: High
The vulnerability is patched, so you should update to version 1.2.1.
Plugin: Availability Calendar Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 1.2.1 Severity Score: Low
The vulnerability is patched, so you should update to version 1.2.1.
11. SEO Redirection
Plugin: SEO Redirection Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Patched in Version: 7.1 Severity Score: Low
The vulnerability is patched, so you should update to version 7.1.
Plugin: SEO Redirection Vulnerability: Reflected Cross-Site Scripting Patched in Version: 7.4 Severity Score: High
The vulnerability is patched, so you should update to version 7.4.
Plugin: SEO Redirection Vulnerability: Arbitrary Redirect Deletion via CSRF Patched in Version: 7.9 Severity Score: Medium
The vulnerability is patched, so you should update to version 7.9.
12. Simple Social Media Share Buttons
Plugin: Simple Social Media Share Buttons Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: 3.2.4 Severity Score: Medium
The vulnerability is patched, so you should update to the patched release (3.2.4) or later.
13. Comments wpDiscuz
Plugin: Comments wpDiscuz Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 7.3.2 Severity Score: Low
The vulnerability is patched, so you should update to version 7.3.2.
14. Download from files
Plugin: Download from files Vulnerability: Unauthenticated Arbitrary File Upload Patched in Version: No known fix Severity Score: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
15. Support Board
Plugin: Support Board Vulnerability: Multiple Unauthenticated SQL Injections Patched in Version: 3.3.4 Severity Score: Critical
The vulnerability is patched, so you should update to version 3.3.4.
16. Find My Blocks
Plugin: Find My Blocks Vulnerability: Private Post Titles Disclosure Patched in Version: 3.4.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.4.0.
17. Dflip Lite
Plugin: Dflip Lite Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 1.7.10 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.7.10.
18. Compact WP Audio Player
Plugin: Compact WP Audio Player Vulnerability: Setting Change via CSRF Patched in Version: 1.9.7 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.9.7.
Plugin: Compact WP Audio Player Vulnerability: Contributor+ Stored Cross-Site Scripting Patched in Version: 1.9.7 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.9.7.
19. Shared Files
Plugin: Shared Files Vulnerability: Admin+ Stored Cross-Site Scripting Patched in Version: 1.6.57 Severity Score: Low
The vulnerability is patched, so you should update to version 1.6.57.
20. 4k-icon-fonts-for-visual-composer
Plugin: 4k-icon-fonts-for-visual-composer Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
21. Ad Blocker Notify Lite
Plugin: Ad Blocker Notify Lite Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
22. affiliate-pro
Plugin: affiliate-pro Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
23. AMP extensions
Plugin: AMP extensions Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
24. Aoi Tori
Plugin: Aoi Tori Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
25. Awesome Support WordPress HelpDesk & Support Plugin
Plugin: Awesome Support WordPress HelpDesk & Support Plugin Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
26. betteroptin
Plugin: betteroptin Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
27. Border Loading Bar
Plugin: Border Loading Bar Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
28. Catchers Helpdesk and Ticket system for Support
Plugin: Catchers Helpdesk and Ticket system for Support Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
29. Bootstrap Categories Gallery
Plugin: Bootstrap Categories Gallery Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
30. Woocommerce Categories in gallery format
Plugin: Woocommerce Categories in gallery format Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
31. WordPress Form Customizer | CF7 Customizer
Plugin: WordPress Form Customizer | CF7 Customizer Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
32. ClinicalWP Core
Plugin: ClinicalWP Core Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
33. Facebook Page Feed Timeline
Plugin: Facebook Page Feed Timeline Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
34. Custom Scrollbar Designer
Plugin: Custom Scrollbar Designer Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
35. Custom Text Selection Colors
Plugin: Custom Text Selection Colors Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
36. Disable Image Right Click
Plugin: Disable Image Right Click Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
37. Easy Gallery Slideshow
Plugin: Easy Gallery Slideshow Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
38. Easy Google Map
Plugin: Easy Google Map Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
39. Easy Justified Gallery
Plugin: Easy Justified Gallery Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
40. Share Posts To Email
Plugin: Share Posts To Email Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
41. Exit Popup Show
Plugin: Exit Popup Show Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
42. Flight Search Widget and Blocks
Plugin: Flight Search Widget and Blocks Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
43. Icons with Links Widget
Plugin: Icons with Links Widget Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
44. ICustomizer
Plugin: ICustomizer Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
45. Live Chat for Fanpage
Plugin: Live Chat for Fanpage Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
46. Media Mirror
Plugin: Media Mirror Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
47. WP Mobile Menu The Mobile-Friendly Responsive Menu
Plugin: WP Mobile Menu The Mobile-Friendly Responsive Menu Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: 2.8.2.3 Severity Score: High
The vulnerability is patched, so you should update to version 2.8.2.3.
48. Popup Modal For Youtube
Plugin: Popup Modal For Youtube Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
49. Project2App Turn Your WordPress Site into an Android App
Plugin: Project2App Turn Your WordPress Site into an Android App Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
50. Seatgeek Affiliate Tickets
Plugin: Seatgeek Affiliate Tickets Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
51. SEO-Dashboard by gutewebsites.de
Plugin: SEO-Dashboard by gutewebsites.de Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
52. Share Woocommerce to Email
Plugin: Share Woocommerce to Email Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
53. Simple Behance Portfolio
Plugin: Simple Behance Portfolio Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
54. Stars Menu
Plugin: Stars Menu Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
55. Station Pro Plugin
Plugin: Station Pro Plugin Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: 2.2.2 Severity Score: High
The vulnerability is patched, so you should update to version 2.2.2.
56. Sticky Related Posts
Plugin: Sticky Related Posts Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
57. tcS3
Plugin: tcS3 Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
58. Events Shortcodes For The Events Calendar
Plugin: Events Shortcodes For The Events Calendar Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: 1.7.2 Severity Score: High
The vulnerability is patched, so you should update to version 1.7.2.
59. Titan Framework
Plugin: Titan Framework Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
60. Total Sales For Woocommerce
Plugin: Total Sales For Woocommerce Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
61. tr-easy-google-analytics
Plugin: tr-easy-google-analytics Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
62. Venture Event Manager
Plugin: Venture Event Manager Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: 3.2.5 Severity Score: High
The vulnerability is patched, so you should update to version 3.2.5.
63. W3SCloud Contact Form 7 to Zoho CRM
Plugin: W3SCloud Contact Form 7 to Zoho CRM Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: 2.1.0 Severity Score: High
The vulnerability is patched, so you should update to version 2.1.0.
64. WebHotelier for WordPress
Plugin: WebHotelier for WordPress Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
65. Product Limited Time Availability Date for woocommerce
Plugin: Product Limited Time Availability Date for woocommerce Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
66. Request Quote via Whatsapp for Woocommerce
Plugin: Request Quote via Whatsapp for Woocommerce Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
67. Woosaleskit Bar
Plugin: Woosaleskit Bar Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
68. Yandex Money button
Plugin: Yandex Money button Vulnerability: Reflected Cross-Site Scripting (XSS) Titan Framework Patched in Version: no known fix Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
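Entries 20 through 68 above all carry the same label, a reflected XSS attributed to the Titan Framework options library that these plugins ship as a bundled copy, and most of them have no fix. Before deleting anything it helps to know which of your installed plugins actually carry a copy of the framework, including plugins that are not in this list. The script below is an added example, not code from the digest or from the Titan Framework project: it walks a wp-content/plugins tree and reports every plugin directory containing a file named titan-framework.php or a PHP file that declares class TitanFramework. Both markers are assumptions about how the framework is commonly embedded, and the plugin slugs in the sample tree are constructed for the demonstration.

```python
"""Find plugins that bundle their own copy of Titan Framework.

Added example. The markers below (a file named titan-framework.php, or a
PHP file declaring `class TitanFramework`) are assumptions about how the
framework is typically embedded; they are not taken from the digest.
"""
import os
import re
import tempfile

# A bundled copy usually keeps the framework's main class name intact.
CLASS_RE = re.compile(r"^\s*class\s+TitanFramework\b", re.MULTILINE)


def find_bundled_titan(plugins_dir):
    """Return {plugin_slug: [paths relative to plugins_dir]} for every plugin
    directory that carries a Titan Framework marker.

    Inactive plugins are scanned on purpose: their files stay on disk, and a
    directly reachable PHP file does not need the plugin to be active.
    """
    hits = {}
    for slug in sorted(os.listdir(plugins_dir)):
        root = os.path.join(plugins_dir, slug)
        if not os.path.isdir(root):
            continue
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if not fn.endswith(".php"):
                    continue
                path = os.path.join(dirpath, fn)
                matched = fn == "titan-framework.php"
                if not matched:
                    try:
                        with open(path, encoding="utf-8", errors="ignore") as fh:
                            # Read a bounded prefix; the class declaration sits near the top.
                            matched = CLASS_RE.search(fh.read(200_000)) is not None
                    except OSError:
                        continue
                if matched:
                    hits.setdefault(slug, []).append(os.path.relpath(path, plugins_dir))
    return hits


def build_sample_tree():
    """Constructed sample plugin tree (not a real site) so the scan runs offline."""
    base = tempfile.mkdtemp()
    plugins = os.path.join(base, "wp-content", "plugins")
    layout = {
        # plugin that ships the framework under a vendor directory
        "stars-menu/inc/titan-framework/titan-framework.php": "<?php // bundled framework\n",
        # plugin that renamed the file but kept the class
        "media-mirror/lib/framework.php": "<?php\nclass TitanFramework {\n}\n",
        # clean plugin: only mentions the name in a comment
        "akismet/akismet.php": "<?php // no TitanFramework here\n",
    }
    for rel, content in layout.items():
        path = os.path.join(plugins, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return plugins


if __name__ == "__main__":
    for slug, paths in find_bundled_titan(build_sample_tree()).items():
        print(f"{slug}: {', '.join(paths)}")
```

Point find_bundled_titan at the real wp-content/plugins directory of a site. A plugin that shows up here but is absent from the list above still deserves a look at its changelog: the digest only names plugins the roundup had checked, and a bundled copy does not update when the Titan Framework plugin itself does.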
69. PlanSo Forms
Plugin: PlanSo Forms Vulnerability: Authenticated Stored Cross-Site Scripting Patched in Version: no known fix Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
70. Advanced Menu Manager
Plugin: Advanced Menu Manager Vulnerability: Unauthorized Menu Editing via CSRF Patched in Version: 3.0 Severity Score: Medium
The vulnerability is patched, so you should update to version 3.0.
Plugin: Advanced Menu Manager Vulnerability: Unauthorized Menu Creation/Deletion Patched in Version: no known fix Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
71. Shopping Cart & eCommerce Store
Plugin: Shopping Cart & eCommerce Store Vulnerability: CSRF to Stored Cross-Site Scripting Patched in Version: 5.1.1 Severity Score: High
The vulnerability is patched, so you should update to version 5.1.1.
72. PDF Light Viewer
Plugin: PDF Light Viewer Vulnerability: Authenticated Command Injection Patched in Version: 1.4.12 Severity Score: Low
The vulnerability is patched, so you should update to version 1.4.12.
73. Podcast Subscribe Buttons
Plugin: Podcast Subscribe Buttons Vulnerability: Contributor+ Stored XSS Patched in Version: 1.4.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.4.2.
74. On Page SEO + Whatsapp Chat Button
Plugin: On Page SEO + Whatsapp Chat Button Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.0.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 1.0.2.
75. eID Easy
Plugin: eID Easy Vulnerability: Reflected Cross-Site Scripting Patched in Version: 4.7 Severity Score: Medium
The vulnerability is patched, so you should update to version 4.7.
76. BulletProof Security
Plugin: BulletProof Security Vulnerability: Sensitive Information Disclosure Patched in Version: 5.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 5.2.
WordPress Themes Vulnerabilities
1. Avada
Theme: Avada Vulnerability: Reflected Cross-Site Scripting Patched in Version: 7.4.2 Severity Score: Medium
The vulnerability is patched, so you should update to version 7.4.2.
Theme: Avada Vulnerability: Stored Cross-Site Scripting Patched in Version: 7.4.2 Severity Score:
The vulnerability is patched, so you should update to version 7.4.2.
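To turn the list above into something you can run against a site, the script below reads the JSON printed by wp plugin list --format=json and compares each installed version with the patched version recorded in this digest, reporting "update" where a fix exists and "remove" where the digest records no known fix. It is an added example, not code from the digest or from WP-CLI. The slug-to-version table covers a handful of the entries above; the slugs are assumptions, since the digest lists display names and the wordpress.org slug can differ (EditorsKit, for instance, is published under the slug block-options), and the sample plugin list is constructed for the demonstration.

```python
"""Audit installed WordPress plugins against the patched versions in this digest.

Added example. Input is the JSON that `wp plugin list --format=json` prints
(fields: name, status, update, version). The slugs in PATCHED are assumptions;
the digest lists display names, and the wordpress.org slug may differ.
"""
import json

# Patched versions from the digest above. None means "no known fix":
# the only remediation is to remove the plugin.
PATCHED = {
    "poll-maker": "3.4.2",           # Unauthenticated time-based SQL injection
    "block-options": "1.31.6",       # EditorsKit, Contributor+ PHP code execution
    "support-board": "3.3.4",        # Multiple unauthenticated SQL injections
    "quiz-master-next": "7.3.2",     # Quiz And Survey Master, Admin+ stored XSS
    "download-from-files": None,     # Unauthenticated arbitrary file upload
    "titan-framework": None,         # Reflected XSS
}


def parse_version(v):
    """'2.1.18' -> (2, 1, 18). Non-numeric parts such as 'beta' sort below 0."""
    parts = []
    for p in v.strip().split("."):
        try:
            parts.append(int(p))
        except ValueError:
            parts.append(-1)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1. Pads with zeros so that '7.1' equals '7.1.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def audit(wp_plugin_list_json, patched=PATCHED):
    """Return one finding per installed plugin that is still vulnerable.

    Inactive plugins are reported too: their files stay on disk, and some bugs
    (a directly reachable PHP file, for example) do not need the plugin active.
    """
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        slug = plugin["name"]
        if slug not in patched:
            continue
        fixed = patched[slug]
        if fixed is None:
            action = "remove"
        elif compare_versions(plugin["version"], fixed) < 0:
            action = "update"
        else:
            continue  # already at or past the patched release
        findings.append({
            "plugin": slug,
            "installed": plugin["version"],
            "patched": fixed,
            "status": plugin["status"],
            "action": action,
        })
    return findings


# Constructed sample of `wp plugin list --format=json` output; not from a real site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "poll-maker", "status": "active", "update": "available", "version": "3.4.1"},
    {"name": "block-options", "status": "active", "update": "none", "version": "1.31.6"},
    {"name": "support-board", "status": "inactive", "update": "none", "version": "3.3.2"},
    {"name": "download-from-files", "status": "active", "update": "none", "version": "1.48"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.12"},
])

if __name__ == "__main__":
    for f in audit(SAMPLE_WP_PLUGIN_LIST):
        print(f"{f['plugin']:22} {f['installed']:>8} -> {f['action']} ({f['status']})")
```

On a real site, pipe the WP-CLI output in (wp plugin list --format=json > plugins.json) and pass the file contents to audit. The version comparison is deliberately numeric rather than string-based: "3.4.10" is newer than "3.4.2", which a plain string comparison gets wrong.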
If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from iThemes Vulnerability Roundup
If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!