NEWS
WordPress Vulnerability Roundup: October 2020
The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.
WordPress Core Vulnerabilities
No WordPress core vulnerabilities were disclosed this month.
WordPress Plugin Vulnerabilities
1. XCloner
XCloner versions below 4.2.15 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 4.2.15.
2. Ninja Forms Contact Form
Ninja Forms Contact Form versions below 3.4.27.1 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 3.4.27.1.
3. Coditor
All versions of Coditor have a Cross-Site Request Forgery vulnerability. Remove the plugin until a security fix is released.
4. Simple:Press
Simple:Press versions below 6.6.1 have a Broken Access Control vulnerability, which could lead to a Remote Code Execution attack. The vulnerability is patched, and you should update to version 6.6.1.
5. WP Courses LMS
WP Courses LMS versions below 2.0.29 have a Broken Access Control vulnerability. The vulnerability is patched, and you should update to version 2.0.29.
6. Slider by 10Web
Slider by 10Web versions below 1.2.36 have Multiple Authenticated SQL Injection vulnerabilities. The vulnerabilities are patched, and you should update to version 1.2.36.
7. WordPress + Microsoft Office 365 / Azure AD
WordPress + Microsoft Office 365 / Azure AD versions below 11.7 have an Authentication Bypass vulnerability. The vulnerability is patched, and you should update to version 11.7.
8. Team Showcase
Team Showcase versions below 1.22.16 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.22.16.
9. Post Grid
Post Grid versions below 2.0.73 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.0.73.
10. WPBakery Page Builder
WPBakery Page Builder versions below 6.4.1 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 6.4.1.
11. Hypercomments
All versions of Hypercomments have an Unauthenticated Arbitrary File Deletion vulnerability. Remove the plugin until a security fix is released.
12. Dynamic Content for Elementor
Dynamic Content for Elementor versions below 1.9.6 have an Authenticated Remote Code Execution vulnerability. The vulnerability is patched, and you should update to version 1.9.6.
13. PowerPress Podcasting
PowerPress Podcasting versions below 8.3.8 have an Authenticated Arbitrary File Upload vulnerability that can lead to Remote Code Execution. The vulnerability is patched, and you should update to version 8.3.8.
WordPress Theme Vulnerabilities
1. Shapely
Shapely versions below v1.2.9 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version v1.2.9.
2. NewsMag
NewsMag versions below 2.4.2 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 2.4.2.
3. Activello
Activello versions below 1.4.2 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.4.2.
4. Illdy
Illdy versions below 2.1.7 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 2.1.7.
5. Allegiant
Allegiant versions below 1.2.6 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.2.6.
6. Newspaper X
Newspaper X versions below 1.3.2 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.3.2.
7. Pixova Lite
Pixova Lite versions below 2.0.7 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 2.0.7.
8. Brilliance
Brilliance versions below 1.3.0 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.3.0.
9. MedZone Lite
MedZone Lite versions below 1.2.6 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.2.6.
10. Regina Lite
Regina Lite versions below 2.0.6 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 2.0.6.
11. Transcend
Transcend versions below 1.2.0 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.2.0.
12. Affluent
Affluent versions below 1.1.2 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.1.2.
13. Bonkers
Bonkers versions below 1.0.6 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.0.6.
14. Antreas
Antreas versions below 1.0.7 have an Unauthenticated Function Injection vulnerability. The vulnerability is patched, and you should update to version 1.0.7.
15. NatureMag Lite
All versions of NatureMag Lite have an Unauthenticated Function Injection vulnerability. Remove the theme until a security fix is released.
The information for this blog post was taken from the iThemes Vulnerability Roundup.
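The practical question behind every entry above is the same: is the installed version below the fixed one, or is the component one of the "all versions" cases that has to be removed? The script below answers that for a site inventory. It is an added example for this page, not code from the original post, from iThemes, or from WordPress/WP-CLI. It assumes the JSON shape produced by `wp plugin list --format=json` and `wp theme list --format=json` (objects with `name`, `status`, `update` and `version` fields), and the plugin/theme directory slugs used as keys in the advisory table are assumptions made for the example; confirm them against the `name` column of your own WP-CLI output. The sample inventories are constructed inline so the script runs offline.

```python
"""Flag installed WordPress plugins and themes that are below the fixed versions
in the October 2020 roundup. Added example, not from the original post or from
WordPress/WP-CLI. Input is the JSON emitted by `wp plugin list --format=json`
and `wp theme list --format=json`."""
import json
import re

# Fixed versions from the roundup. None means "all versions affected": the
# advice is to remove the component, not merely deactivate it, because an
# inactive plugin's files are still reachable by direct request.
# Keys are directory slugs; the slugs below are ASSUMED for this example and
# must be checked against your own `wp plugin list` / `wp theme list` output.
ADVISORIES = {
    "plugin": {
        "xcloner-backup-and-restore": "4.2.15",  # assumed slug for XCloner
        "ninja-forms": "3.4.27.1",               # assumed slug for Ninja Forms
        "coditor": None,                         # assumed slug; all versions
        "hypercomments": None,                   # assumed slug; all versions
    },
    "theme": {
        "shapely": "v1.2.9",                     # roundup writes this one with a 'v'
        "activello": "1.4.2",
        "naturemag-lite": None,                  # assumed slug; all versions
    },
}


def parse_version(text):
    """Turn '3.4.27.1' or 'v1.2.9' into a tuple of ints.

    A trailing label such as '-beta' on the last segment is ignored, which is
    deliberately conservative: a pre-release compares equal to its base."""
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(installed, fixed):
    """True if installed < fixed. Pads with zeros so '1.2' == '1.2.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_vulnerable(installed, fixed):
    """fixed=None encodes 'all versions affected'."""
    return True if fixed is None else version_lt(installed, fixed)


def audit(inventory_json, kind):
    """Return [(slug, installed, fixed, action)] for affected components.

    inventory_json is the raw text of `wp {kind} list --format=json`.
    Components not in the advisory table are skipped; membership is checked
    explicitly because None is also the 'all versions' marker."""
    table = ADVISORIES[kind]
    findings = []
    for item in json.loads(inventory_json):
        slug = item["name"]
        if slug not in table:
            continue
        fixed = table[slug]
        if is_vulnerable(item["version"], fixed):
            action = "remove" if fixed is None else f"update to {fixed}"
            findings.append((slug, item["version"], fixed, action))
    return findings


# Constructed sample inventories in WP-CLI's JSON shape (not real site data).
SAMPLE_PLUGINS = json.dumps([
    {"name": "ninja-forms", "status": "active", "update": "none", "version": "3.4.27.1"},
    {"name": "xcloner-backup-and-restore", "status": "active", "update": "available", "version": "4.2.13"},
    {"name": "coditor", "status": "inactive", "update": "none", "version": "1.2"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.6"},
])
SAMPLE_THEMES = json.dumps([
    {"name": "shapely", "status": "active", "update": "none", "version": "1.2.9"},
    {"name": "activello", "status": "inactive", "update": "available", "version": "1.4.1"},
])

if __name__ == "__main__":
    for kind, sample in (("plugin", SAMPLE_PLUGINS), ("theme", SAMPLE_THEMES)):
        for slug, installed, fixed, action in audit(sample, kind):
            print(f"{kind} {slug} {installed}: {action}")
```

On a live site you would replace the constructed samples with the output of `wp plugin list --format=json` and `wp theme list --format=json`, and extend the advisory table with the remaining entries from the roundup once you have confirmed each slug. Note that the `status` field is ignored on purpose: an inactive but installed component still counts as a finding.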
What you should do
If you are under our WordPress Managed Maintenance plan, there is nothing to worry about: we have taken the necessary steps to protect your sites. Yay!
If you're not under our maintenance plan... well, what are you waiting for? Sign up today!