Threat Alerts / Dec 22, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

 

WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

1. All In One SEO

Plugin: All In One SEO Vulnerability: Authenticated SQL Injection Active Installation: 3+ million Patched in Version: 4.1.5.3 Severity Score: High

The vulnerability is patched, so you should update to version 4.1.5.3.

Plugin: All In One SEO Vulnerability: Authenticated Privilege Escalation Active Installation: 3+ million Patched in Version: 4.1.5.3 Severity Score: Critical

The vulnerability is patched, so you should update to version 4.1.5.3.

2. Smash Balloon Social Post Feed

Plugin: Smash Balloon Social Post Feed Vulnerability: Authenticated Reflected Cross-Site Scripting (XSS) Active Installation: 200,000+ Patched in Version: 4.1.1 Severity Score: Medium

The vulnerability is patched, so you should update to version 4.1.1.

3. Modern Events Calendar Lite

Plugin: Modern Events Calendar Lite Vulnerability: Subscriber+ Category Add Leading to Stored XSS Active Installation: 100,000+ Patched in Version: 6.2.0 Severity Score: Medium

The vulnerability is patched, so you should update to version 6.2.0.

4. WOOCS 

Plugin: WOOCS Vulnerability: Reflected Cross-Site Scripting Active Installation: 60,000+ Patched in Version: 1.3.7.3 Severity Score: High

The vulnerability is patched, so you should update to version 1.3.7.3.

5. Crisp Live Chat

Plugin: Crisp Live Chat Vulnerability: CSRF to Stored Cross-Site Scripting Active Installation: 60,000+ Patched in Version: 0.32 Severity Score: High

The vulnerability is patched, so you should update to version 0.32.

6. Image Hover Effects Ultimate

Plugin: Image Hover Effects Ultimate Vulnerability: Unauthenticated Arbitrary Option Update Active Installation: 20,000+ Patched in Version: 9.7.0 Severity Score: Critical

The vulnerability is patched, so you should update to version 9.7.0.

7. WP Booking System – Booking Calendar

Plugin: WP Booking System – Booking Calendar Vulnerability: Authenticated Reflected Cross-Site Scripting (XSS) Active Installation: 10,000+ Patched in Version: 2.0.15 Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.15.

8. Landing Page Builder

Plugin: Landing Page Builder Vulnerability: Authenticated Reflected Cross-Site Scripting (XSS) Active Installation: 10,000+ Patched in Version: 1.4.9.6 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.4.9.6.

9. Fathom Analytics  

Plugin: Fathom Analytics Vulnerability: Admin+ Stored Cross-Site Scripting Active Installation: 2000+
Patched in Version: 3.0.5 Severity Score: Low

The vulnerability is patched, so you should update to version 3.0.5.

10. True Ranker

Plugin: True Ranker Vulnerability: Unauthenticated Arbitrary File Access via Path Traversal Active Installation: 200+ Patched in Version: 2.2.4 Severity Score: Low

The vulnerability is patched, so you should update to version 2.2.4.

11. Comment Engine Pro

Plugin: Comment Engine Pro Vulnerability: Editor+ Stored Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 7, 2021. Uninstall and delete.

12. .htaccess Redirect

Plugin: .htaccess Redirect Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.

13. Parsian Bank Gateway for Woocommerce

Plugin: Parsian Bank Gateway for Woocommerce Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.

14. Real WYSIWYG

Plugin: Real WYSIWYG Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.

15. Link List Manager

Plugin: Link List Manager Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.

16. Simple Image Gallery

Plugin: Simple Image Gallery Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.

17. WooCommerce EnvioPack

Plugin: WooCommerce EnvioPack Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of November 15, 2021. Uninstall and delete.

18. Magic Post Voice

Plugin: Magic Post Voice Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.

19. H5P CSS Editor

Plugin: H5P CSS Editor Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.

20. duoFAQ

Plugin: duoFAQ Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.

21. Magic Post Voice

Plugin: Magic Post Voice Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.

22. WooCommerce myghpay Payment Gateway

Plugin: WooCommerce myghpay Payment Gateway Vulnerability: Reflected Cross-Site Scripting Patched in Version: No known fix – plugin closed Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of December 13, 2021. Uninstall and delete.

23. The Plus Addons for Elementor Pro

Plugin: The Plus Addons for Elementor – Pro Vulnerability: Sensitive Data Disclosure Patched in Version: 5.0.7 Severity Score: Medium

The vulnerability is patched, so you should update to version 5.0.7.

24. Lets Box 

Plugin: Lets Box Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.13.3 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.13.3.

25. Share One Drive

Plugin: Share One Drive Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.15.3 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.15.3.

26. Out of the Box 

Plugin: Out of the Box Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.20.3 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.20.3.

27. Use Your Drive

Plugin: Use Your Drive Vulnerability: Reflected Cross-Site Scripting Patched in Version: 1.18.3 Severity Score: Medium

The vulnerability is patched, so you should update to version 1.18.3.

 

 

If you are under WordPress Managed Maintenance plan - there is nothing to worry about as we've taken the necessary steps to protect your sites. Yay! 

The information for this blog post was taken from iThemes Vulnerability Roundup

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!