Threat Alerts / Aug 12, 2020

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins and WordPress themes.

WordPress Core Vulnerabilities

No WordPress core vulnerabilities were disclosed in the first half of August. However, a new major version of WordPress was released on August 11, 2020.

See What’s New in WordPress 5.5

WordPress 5.5 “Eckstine” is the latest major version release of WordPress, focusing on “speed, search & security.” This new version includes 1500+ changes to the block editor interface, 150+ enhancements and feature requests, 300+ bug fixes, and more. In this post, we cover what’s new in WordPress 5.5 so you can be prepared for this latest version of WordPress.

WordPress Plugin Vulnerabilities

1. TC Custom JavaScript

TC Custom JavaScript versions below 1.2.2 have an Unauthenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.2.2.

2. Social Rocket

Social Rocket versions below 1.2.10 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 1.2.10.

3. wpDiscuz

wpDiscuz versions below 7.0.4 have an Unauthenticated Arbitrary File Upload vulnerability that could lead to a Remote Code Execution attack on vulnerable servers. The vulnerability is patched, and you should update to version 7.0.4.

4. Quiz And Survey Master

Quiz And Survey Master versions below 7.0.0 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 7.0.0.

5. Gallery PhotoBlocks

Gallery PhotoBlocks versions below 1.2.0 have an Authenticated Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.2.0.

6. Product Input Fields for WooCommerce

Product Input Fields for WooCommerce versions below 1.2.7 have an Unauthenticated File Download vulnerability. The vulnerability is patched, and you should update to version 1.2.7.

7. Newsletter

Newsletter versions below 6.8.2 have an Authenticated Cross-Site Scripting vulnerability and an Authenticated PHP Object Injection vulnerability. Both vulnerabilities are patched, and you should update to version 6.8.2.

8. Elegant Themes Plugins

The Elegant Themes plugins Divi Extra and Divi Builder, in versions below 4.5.3, have an Authenticated Arbitrary File Upload vulnerability. The vulnerability is patched, and you should update to version 4.5.3.

9. CMP – Coming Soon & Maintenance Plugin

CMP – Coming Soon & Maintenance Plugin versions below 3.8.2 have an Improper Access Controls on AJAX Calls vulnerability. The vulnerability is patched, and you should update to version 3.8.2.

WordPress Themes Vulnerabilities

There have been no WordPress theme vulnerabilities disclosed in the first half of August.

The information for this blog post was taken from the iThemes Vulnerability Roundup.

What you should do

If you are under our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

If you're not under our maintenance plan... well, what are you waiting for? Sign up today!