Threat Alerts / Dec 15, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities are an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

1. Elementor

Plugin: Elementor
Vulnerability: DOM Cross-Site Scripting
Active Installations: 5+ million
Patched in Version: 3.4.8
Severity Score: High

The vulnerability is patched, so you should update to version 3.4.8.

2. UpdraftPlus

Plugin: UpdraftPlus
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 3+ million
Patched in Version: 1.16.66
Severity Score: High

The vulnerability is patched, so you should update to version 1.16.66.

3. WooCommerce PDF Invoices & Packing Slips

Plugin: WooCommerce PDF Invoices & Packing Slips
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 300,000+
Patched in Version: 2.10.5
Severity Score: High

The vulnerability is patched, so you should update to version 2.10.5.

4. PublishPress Capabilities

Plugin: PublishPress Capabilities
Vulnerability: Unauthenticated Arbitrary Options Update to Blog Compromise
Active Installations: 100,000+
Patched in Version: 2.3.1
Severity Score: Critical

The vulnerability is patched, so you should update to version 2.3.1.

Plugin: PublishPress Capabilities Pro
Vulnerability: Unauthenticated Arbitrary Options Update to Blog Compromise
Patched in Version: 2.3.1
Severity Score: Critical

The vulnerability is patched, so you should update to version 2.3.1.

5. Chaty Free

Plugin: Chaty Free
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 100,000+
Patched in Version: 2.8.3
Severity Score: High

The vulnerability is patched, so you should update to version 2.8.3.

Plugin: Chaty Pro
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.8.2
Severity Score: High

The vulnerability is patched, so you should update to version 2.8.2.

6. PowerPack Addons for Elementor

Plugin: PowerPack Addons for Elementor
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 60,000+
Patched in Version: 2.6.2
Severity Score: High

The vulnerability is patched, so you should update to version 2.6.2.

7. Booking Calendar

Plugin: Booking Calendar
Vulnerability: Reflected Cross-Site Scripting
Active Installations: 60,000+
Patched in Version: 8.9.2
Severity Score: High

The vulnerability is patched, so you should update to version 8.9.2.

8. 10Web Social Photo Feed

Plugin: 10Web Social Photo Feed
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installations: 60,000+
Patched in Version: 1.4.29
Severity Score: High

The vulnerability is patched, so you should update to version 1.4.29.

9. Site Reviews

Plugin: Site Reviews
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installations: 40,000+
Patched in Version: 5.17.3
Severity Score: High

The vulnerability is patched, so you should update to version 5.17.3.

10. Speed Booster Pack

Plugin: Speed Booster Pack
Vulnerability: Admin+ SQL Injection
Active Installations: 30,000+
Patched in Version: 4.3.3.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.3.3.1.

11. Multivendor Marketplace Solution for WooCommerce

Plugin: Multivendor Marketplace Solution for WooCommerce
Vulnerability: Unauthenticated AJAX Calls
Active Installations: 10,000+
Patched in Version: 3.8.4
Severity Score: High

The vulnerability is patched, so you should update to version 3.8.4.

12. Modal Window

Plugin: Modal Window
Vulnerability: RFI leading to RCE via CSRF
Active Installations: 10,000+
Patched in Version: 5.2.2
Severity Score: High

The vulnerability is patched, so you should update to version 5.2.2.

13. WP Coder

Plugin: WP Coder
Vulnerability: RFI leading to RCE via CSRF
Active Installations: 10,000+
Patched in Version: 2.5.2
Severity Score: High

The vulnerability is patched, so you should update to version 2.5.2.

14. RegistrationMagic

Plugin: RegistrationMagic
Vulnerability: Admin+ SQL Injection
Active Installations: 10,000+
Patched in Version: 5.0.1.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 5.0.1.6.

Plugin: RegistrationMagic
Vulnerability: Authentication Bypass
Active Installations: 10,000+
Patched in Version: 5.0.1.8
Severity Score: Critical

The vulnerability is patched, so you should update to version 5.0.1.8.

15. Events Made Easy

Plugin: Events Made Easy
Vulnerability: Subscriber+ SQL Injection
Active Installations: 6,000+
Patched in Version: 2.2.36
Severity Score: High

The vulnerability is patched, so you should update to version 2.2.36.

16. Button Generator

Plugin: Button Generator
Vulnerability: RFI leading to RCE via CSRF
Active Installations: 5,000+
Patched in Version: 2.3.3
Severity Score: High

The vulnerability is patched, so you should update to version 2.3.3.

17. Tab – Accordion, FAQ

Plugin: Tab – Accordion, FAQ
Vulnerability: Unauthenticated AJAX Calls
Active Installations: 2,000+
Patched in Version: 1.3.2
Severity Score: Critical

The vulnerability is patched, so you should update to version 1.3.2.

18. Stars Rating

Plugin: Stars Rating
Vulnerability: Comments Denial of Service
Active Installations: 800+
Patched in Version: 3.5.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.5.1.

19. WPcalc

Plugin: WPcalc
Vulnerability: Authenticated SQL Injection
Patched in Version: No known fix – plugin closed
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of December 9, 2021. Uninstall and delete.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!