Threat Alerts / Oct 14, 2020

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

WordPress Core Vulnerabilities

There have not been any WordPress core vulnerabilities disclosed.

WordPress Plugin Vulnerabilities

1. XCloner

XCloner versions below 4.2.15 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 4.2.15.

2. Ninja Forms Contact Form

Ninja Forms Contact Form versions below 3.4.27.1 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 3.4.27.1.

3. Coditor

All versions of Coditor have a Cross-Site Request Forgery vulnerability. Remove the plugin until a security fix is released.

4. Simple:Press

Simple:Press versions below 6.6.1 have a Broken Access Control vulnerability, which could lead to a Remote Code Execution attack. The vulnerability is patched, and you should update to version 6.6.1.

5. WP Courses LMS

WP Courses LMS versions below 2.0.29 have a Broken Access Control vulnerability. The vulnerability is patched, and you should update to version 2.0.29.

6. Slider by 10Web

Slider by 10Web versions below 1.2.36 have Multiple Authenticated SQL Injection vulnerabilities. The vulnerabilities are patched, and you should update to version 1.2.36.

7. WordPress + Microsoft Office 365 / Azure AD

WordPress + Microsoft Office 365 / Azure AD versions below 11.7 have an Authentication Bypass vulnerability. The vulnerability is patched, and you should update to version 11.7.

8. Team Showcase

Team Showcase versions below 1.22.16 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.22.16.

9. Post Grid

Post Grid versions below 2.0.73 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.0.73.

10. WPBakery Page Builder

WPBakery Page Builder versions below 6.4.1 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 6.4.1.

11. Hypercomments

All versions of Hypercomments have an Unauthenticated Arbitrary File Deletion vulnerability. Remove the plugin until a security fix is released.

12. Dynamic Content for Elementor

Dynamic Content for Elementor versions below 1.9.6 have an Authenticated Remote Code Execution vulnerability. The vulnerability is patched, and you should update to version 1.9.6.

13. PowerPress Podcasting

PowerPress Podcasting versions below 8.3.8 have an Authenticated Arbitrary File Upload vulnerability leading to Remote Code Execution. The vulnerability is patched, and you should update to version 8.3.8.

WordPress Theme Vulnerabilities

1. Shapely

Shapely versions below v1.2.9 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version v1.2.9.

2. NewsMag

NewsMag versions below 2.4.2 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 2.4.2.

3. Activello

Activello versions below 1.4.2 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.4.2.

4. Illdy

Illdy versions below 2.1.7 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 2.1.7.

5. Allegiant

Allegiant versions below 1.2.6 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.2.6.

6. Newspaper X

Newspaper X versions below 1.3.2 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.3.2.

7. Pixova Lite

Pixova Lite versions below 2.0.7 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 2.0.7.

8. Brilliance

Brilliance versions below 1.3.0 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.3.0.

9. MedZone Lite

MedZone Lite versions below 1.2.6 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.2.6.

10. Regina Lite

Regina Lite versions below 2.0.6 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 2.0.6.

11. Transcend

Transcend versions below 1.2.0 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.2.0.

12. Affluent

Affluent versions below 1.1.2 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.1.2.

13. Bonkers

Bonkers versions below 1.0.6 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.0.6.

14. Antreas

Antreas versions below 1.0.7 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.0.7.

15. NatureMag Lite

All versions of NatureMag Lite have an Unauthenticated Function Injection vulnerability. Remove the theme until a security fix is released.

The information for this blog post was taken from iThemes Vulnerability Roundup.

What you should do

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!