
WordPress Vulnerabilities Digest - September 2022 Part 2

Threat Alerts / September 25, 2022

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 6.0.2 was released on August 30, 2022. This security and maintenance release features 12 bug fixes in Core, 5 bug fixes for the Block Editor, and 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Core Dropping Support for WordPress Versions 3.7 through 4.0

In more WordPress core security news, the WordPress Security Team will no longer provide security updates for WordPress core versions 3.7 through 4.0. Please make sure all your WordPress sites are running the latest version.

WordPress Plugin Vulnerabilities

1. Wordfence

Plugin: Wordfence Security Firewall & Malware Scan
Installations: 4,000,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 7.6.1
Severity score: Low

The vulnerability has been patched, so you should update to version 7.6.1.

2. BackupBuddy

Plugin: BackupBuddy
Vulnerability: Unauthenticated Arbitrary File Access
Patched in version: 8.7.5
Severity score: High

The vulnerability has been patched, so you should update to version 8.7.5.

3. Booking Calendar

Plugin: Booking Calendar
Installations: 60,000+
Vulnerability: Arbitrary Translation Update via CSRF
Patched in version: 9.2.2
Severity score: Medium

The vulnerability has been patched, so you should update to version 9.2.2.

4. DSGVO All in one for WP

Plugin: DSGVO All in one for WP
Installations: 20,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 4.2
Severity score: Low

The vulnerability has been patched, so you should update to version 4.2.

5. WP Socializer

Plugin: WP Socializer Simple & Easy Social Media Share Icons
Installations: 10,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 7.3
Severity score: Low

The vulnerability has been patched, so you should update to version 7.3.

6. Goolytics Simple Google Analytics

Plugin: Goolytics Simple Google Analytics
Installations: 7,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.1.2
Severity score: Low

The vulnerability has been patched, so you should update to version 1.1.2.

7. Donation Thermometer

Plugin: Donation Thermometer
Installations: 3,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.1.3
Severity score: Low

The vulnerability has been patched, so you should update to version 2.1.3.

8. Frontend File Manager

Plugin: Frontend File Manager Plugin
Installations: 2,000+
Vulnerabilities: Unauthenticated File Renaming; Subscriber+ Arbitrary File Upload
Patched in version: 21.3
Severity score: Critical

The vulnerabilities have been patched, so you should update to version 21.3.

9. Zephyr Project Manager

Plugin: Zephyr Project Manager
Installations: 1,000+
Vulnerability: Unauthorised AJAX Calls to Stored XSS
Patched in version: 3.2.55
Severity score: High

The vulnerability has been patched, so you should update to version 3.2.55.

WordPress Plugin Vulnerabilities with No Known Fix

Until a patch is available, immediately uninstall and delete the plugin.

Ketchup Restaurant Reservations

Plugin: Ketchup Restaurant Reservations
Vulnerabilities: Unauthenticated Stored XSS; Unauthenticated Blind SQLi
Patched in version: No fix
Severity score: High

The vulnerabilities have not been patched and the plugin is closed. You should uninstall and delete the plugin.
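To turn the two plugin lists above into a check you can run across a fleet of sites, here is an added example (written for this digest, not code from iThemes or the plugin authors) that compares an installed-plugin inventory against the patched versions listed in this post. The inventory is a constructed sample mapping plugin title to installed version; in practice you would build it from the output of `wp plugin list --format=json` on each site.

```python
import re

# Patched versions and severities as listed in this digest.
# None as the version means no fix is available and the plugin should be removed.
DIGEST = {
    "Wordfence Security Firewall & Malware Scan": ("7.6.1", "Low"),
    "BackupBuddy": ("8.7.5", "High"),
    "Booking Calendar": ("9.2.2", "Medium"),
    "DSGVO All in one for WP": ("4.2", "Low"),
    "WP Socializer Simple & Easy Social Media Share Icons": ("7.3", "Low"),
    "Goolytics Simple Google Analytics": ("1.1.2", "Low"),
    "Donation Thermometer": ("2.1.3", "Low"),
    "Frontend File Manager Plugin": ("21.3", "Critical"),
    "Zephyr Project Manager": ("3.2.55", "High"),
    "Ketchup Restaurant Reservations": (None, "High"),
}

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def is_older(installed: str, fixed: str) -> bool:
    """True when the installed version is strictly below the fixed version.
    Only numeric components are compared and shorter versions are zero-padded,
    so 4.2 and 4.2.0 are treated as equal."""
    a = [int(p) for p in re.findall(r"\d+", installed)]
    b = [int(p) for p in re.findall(r"\d+", fixed)]
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))


def audit(inventory: dict) -> list:
    """Return (plugin, severity, action) for every installed plugin this digest covers
    that still needs attention, most severe first."""
    findings = []
    for title, installed in inventory.items():
        if title not in DIGEST:
            continue
        fixed, severity = DIGEST[title]
        if fixed is None:
            findings.append((title, severity, "remove: no fix available"))
        elif is_older(installed, fixed):
            findings.append((title, severity, f"update {installed} -> {fixed}"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[1]])
    return findings


# Constructed sample inventory for one site (plugin title -> installed version).
SAMPLE_INVENTORY = {
    "Wordfence Security Firewall & Malware Scan": "7.6.0",
    "BackupBuddy": "8.7.5",
    "Frontend File Manager Plugin": "21.2",
    "Ketchup Restaurant Reservations": "1.0.0",
    "Zephyr Project Manager": "3.2.55",
}

if __name__ == "__main__":
    for title, severity, action in audit(SAMPLE_INVENTORY):
        print(f"[{severity}] {title}: {action}")
```

Plugins already at or above the patched version (BackupBuddy and Zephyr Project Manager in the sample) produce no finding, while the closed plugin is always reported for removal regardless of its version.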

WordPress Theme Vulnerabilities

Good news! No new WordPress theme vulnerabilities were disclosed this week.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign up today!