Threat Alerts / Sep 09, 2020

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins and WordPress themes.

WordPress Core Vulnerabilities

No WordPress core vulnerabilities were disclosed in the first half of September. However, a new minor version of WordPress was released on September 1, 2020. The WordPress 5.5.1 maintenance release features 34 bug fixes, 5 enhancements, and 5 bug fixes for the block editor. These bugs affect WordPress version 5.5, so you’ll want to upgrade.

WordPress Plugin Vulnerabilities

1. FooGallery Image Gallery

FooGallery Image Gallery versions below 1.9.25 have an Authenticated Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.9.25.

2. Quiz and Survey Master

Quiz and Survey Master versions below 7.0.2 have an Unauthenticated Arbitrary File Upload vulnerability. The vulnerability is patched, and you should update to version 7.0.2.

3. WP smart CRM & Invoices FREE

All version of WP smart CRM & Invoices FREE have an Authenticated Stored Cross-Site Scripting vulnerability. Remove the plugin until a security fix is released.

4. QuiWP Floating Menu

WP Floating Menu versions below 1.4.1 have an Authenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.4.1.

5. Subscribe Sidebar

All versions of Subscribe Sidebar plugin by Blubrry have an Authenticated Reflected Cross-Site Scripting vulnerability. Remove the plugin until a security fix is released.

6. Recall Products

All versions of Recall Products have an Authenticated SQL Injection vulnerability. Remove the plugin until a security fix is released.

7. File Manager

File Manager versions below 6.9 have an Arbitrary File Upload vulnerability leading to a Remote Code Execution vulnerability. The vulnerability is patched, and you should update to version 6.9.

8. Ceceppa Multilingua

All versions of Ceceppa Multilingua have an Authenticated Reflected Cross-Site Scripting vulnerability. Remove the plugin until a security fix is released.

9. Bulk Change

All versions of Bulk Change have an Authenticated Reflected Cross-Site Scripting vulnerability. Remove the plugin until a security fix is released.

10. NextScripts: Social Networks Auto-Poster

NextScripts: Social Networks Auto-Poster versions below 4.3.18 have Insufficient Privilege Validation. The vulnerability is patched, and you should update to version 4.3.18.

11. Constant Contact Forms

Constant Contact Forms versions below 1.8.8 have Multiple Authenticated Stored XSS vulnerabilities. The vulnerabilities are patched, and you should update to version 1.8.8.

12. Advanced Database Cleaner

Advanced Database Cleaner versions below 3.0.2 have Authenticated SQL injection vulnerability. The vulnerability is patched, and you should update to version 3.0.2.

13. ActiveCampaign

ActiveCampaign versions below 8.0.2 have a Cross-Site Request Forgery vulnerability. The vulnerability is patched, and you should update to version 8.0.2.

WordPress Themes Vulnerabilities

There have not been any Theme vulnerabilities disclosed in the first half of September.

The information for this blog post was taken from iThemes Vulnerability Roundup.

What you should do

If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay! 

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!