WordPress Vulnerabilities Digest - September 2022 Part 4

Threat Alerts / October 06, 2022

Each vulnerability has a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 6.0.2 was released on August 30, 2022. This security and maintenance release features 12 bug fixes on Core, 5 bug fixes for the Block Editor, and 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Core Dropping Support for WordPress Versions 3.7 to 4.0

In more WordPress core security news, the WordPress Security Team will no longer provide security updates for WordPress core versions 3.7 through 4.0. Please make sure all your WordPress sites are running the latest version.

WordPress Plugin Vulnerabilities

1. Drag and Drop Multiple File Upload

Plugin: Drag and Drop Multiple File Upload - Contact Form 7
Installations: 50,000+
Vulnerability: File Upload Size Limit Bypass
Patched in version: 1.3.6.5
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.3.6.5.

2. Customer Reviews for WooCommerce

Plugin: Customer Reviews for WooCommerce
Installations: 50,000+
Vulnerabilities: Broken Access Control; Unauthenticated Sensitive Information Disclosure; Cross-Site Request Forgery
Patched in version: 5.3.6
Severity score: Medium

The vulnerabilities have been patched, so you should update to version 5.3.6.

3. Tutor LMS

Plugin: Tutor LMS - eLearning and online course solution
Installations: 50,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 2.0.10
Severity score: Low

The vulnerability has been patched, so you should update to version 2.0.10.

4. MailOptin

Plugin: Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber - MailOptin
Installations: 30,000+
Vulnerability: Unauthenticated Campaign Cache Deletion
Patched in version: 1.2.50.0
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.2.50.0.

5. Seriously Simple Podcasting

Plugin: Seriously Simple Podcasting
Installations: 30,000+
Vulnerability: Arbitrary Settings Update via CSRF
Patched in version: 2.16.1
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.16.1.

6. SEO Redirection

Plugin: SEO Redirection Plugin - 301 Redirect Manager
Installations: 30,000+
Vulnerability: 404 Error & History Deletion via CSRF
Patched in version: 9.1
Severity score: Medium

The vulnerability has been patched, so you should update to version 9.1.

7. Meks Easy Social Share

Plugin: Meks Easy Social Share
Installations: 20,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.2.8
Severity score: Low

The vulnerability has been patched, so you should update to version 1.2.8.

8. Import all XML, CSV & TXT into WordPress

Plugin: Import all XML, CSV & TXT into WordPress
Installations: 20,000+
Vulnerabilities: Admin+ SQL Injection; Missing Authorisation
Patched in version: 6.5.8
Severity score: Medium

The vulnerabilities have been patched, so you should update to version 6.5.8.

9. Passster

Plugin: Passster - Password Protection
Installations: 10,000+
Vulnerability: Insecure Storage of Password
Patched in version: 3.5.5.5.2
Severity score: Medium

The vulnerability has been patched, so you should update to version 3.5.5.5.2.

10. Tabs

Plugin: Tabs - Responsive Tabs with WooCommerce Product Tab Extension
Installations: 9,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 3.7.2
Severity score: Low

The vulnerability has been patched, so you should update to version 3.7.2.

11. We're Open!

Plugin: We're Open!
Installations: 2,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: 1.42
Severity score: Low

The vulnerability has been patched, so you should update to version 1.42.

12. Frontend File Manager

Plugin: Frontend File Manager Plugin
Installations: 2,000+
Vulnerabilities: File Upload via CSRF; Arbitrary Settings Update via CSRF
Patched in version: 21.4
Severity score: Medium

The vulnerabilities have been patched, so you should update to version 21.4.

13. Export Post Info

Plugin: Export Post Info
Installations: 1,000+
Vulnerability: Author+ CSV Injection
Patched in version: 1.2.1
Severity score: Medium

The vulnerability has been patched, so you should update to version 1.2.1.

14. miniOrange Discord Integration

Plugin: miniOrange Discord Integration
Installations: 70+
Vulnerability: Subscriber+ App Disabling
Patched in version: 2.1.6
Severity score: Medium

The vulnerability has been patched, so you should update to version 2.1.6.

15. Demon Image Annotation

Plugin: demon image annotation
Installations: 10+
Vulnerability: Arbitrary Settings Update to Stored XSS via CSRF
Patched in version: 4.8
Severity score: Medium

The vulnerability has been patched, so you should update to version 4.8.

16. Helpful

Plugin: Helpful
Vulnerability: Information Disclosure
Patched in version: 4.5.26
Severity score: Medium

The vulnerability has been patched, so you should update to version 4.5.26.

WordPress Plugin Vulnerabilities With No Known Fix

Until a patch is available, immediately uninstall and delete the plugin.

Kraken.io Image Optimizer

Plugin: Kraken.io Image Optimizer
Installations: 30,000+
Vulnerability: Cross-Site Request Forgery
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Backup Scheduler

Plugin: Backup Scheduler
Vulnerability: Cross-Site Request Forgery
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

FavIcon Switcher

Plugin: FavIcon Switcher
Vulnerability: Arbitrary Settings Change via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Forym

Plugin: Forym
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

3dady Real Time Web Stats

Plugin: 3dady Real Time Web Stats
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Custom Cursors

Plugin: WP Custom Cursors | WordPress Cursor Plugin
Vulnerabilities: Arbitrary Cursor Deletion via CSRF; Stored Cross-Site Scripting via CSRF; Admin+ SQL Injection
Patched in version: No Fix
Severity score: Medium

The vulnerabilities have not been patched and the plugin is closed. You should uninstall and delete the plugin.

Search Logger

Plugin: Search Logger - Know What Your Visitors Search
Vulnerability: Admin+ SQL Injection
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

3D Tag Cloud

Plugin: 3D Tag Cloud
Vulnerability: Stored XSS via CSRF
Patched in version: No Fix
Severity score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

Good news! No new WordPress theme vulnerabilities were disclosed this week.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!