Threat Alerts / Nov 24, 2021

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.


WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

1. Pixel Cat Lite

Plugin: Pixel Cat Lite
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.6.3
Severity Score: Low

The vulnerability is patched, so you should update to version 2.6.3.

Plugin: Pixel Cat Lite
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: 2.6.2
Severity Score: High

The vulnerability is patched, so you should update to version 2.6.2.

2. All-In-One-Gallery

Plugin: All-In-One-Gallery
Vulnerability: Admin+ Local File Inclusion
Patched in Version: 2.5.0
Severity Score: Low

The vulnerability is patched, so you should update to version 2.5.0.

3. StopBadBots

Plugin: StopBadBots
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.67
Severity Score: Critical

The vulnerability is patched, so you should update to version 6.67.

4. Temporary Login Without Password

Plugin: Temporary Login Without Password
Vulnerability: Subscriber+ Plugin's Settings Update
Patched in Version: 1.7.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.1.

5. ProfilePress

Plugin: ProfilePress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.2.3
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.2.3.

Plugin: ProfilePress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.2.3
Severity Score: High

The vulnerability is patched, so you should update to version 3.2.3.

6. Modern Events Calendar

Plugin: Modern Events Calendar
Vulnerability: Unauthenticated Blind SQL Injection
Patched in Version: 6.1.5
Severity Score: High

The vulnerability is patched, so you should update to version 6.1.5.

Plugin: Modern Events Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.1.5
Severity Score: High

The vulnerability is patched, so you should update to version 6.1.5.

7. Auto Featured Image

Plugin: Auto Featured Image
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.9.3
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.9.3.

8. Ultimate NoFollow

Plugin: Ultimate NoFollow
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of September 28, 2021. Uninstall and delete.

9. NEX-Forms

Plugin: NEX-Forms
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 4, 2021. Uninstall and delete.

10. SEO Booster

Plugin: SEO Booster
Vulnerability: Admin+ SQL Injection
Patched in Version: No known fix (plugin closed)
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of October 5, 2021. Uninstall and delete.

11. WP System Log

Plugin: WP System Log
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 1.0.21
Severity Score: Critical

The vulnerability is patched, so you should update to version 1.0.21.

12. Inspirational Quote Rotator

Plugin: Inspirational Quote Rotator
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of September 23, 2021. Uninstall and delete.

13. Single Post Exporter

Plugin: Single Post Exporter
Vulnerability: Plugin's Settings Update via CSRF
Patched in Version: No known fix (plugin closed)
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of September 23, 2021. Uninstall and delete.

14. Flex Local Fonts

Plugin: Flex Local Fonts
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix (plugin closed)
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of September 23, 2021. Uninstall and delete.

15. WP Admin Logo Changer

Plugin: WP Admin Logo Changer
Vulnerability: Plugin's Settings Update via CSRF
Patched in Version: No known fix (plugin closed)
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of October 4, 2021. Uninstall and delete.

16. Contact Form Advanced Database

Plugin: Contact Form Advanced Database
Vulnerability: Unauthorised AJAX Calls
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of September 27, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

17. Shiny Buttons

Plugin: Shiny Buttons
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This plugin has been closed as of September 27, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

18. Filter Portfolio Gallery

Plugin: Filter Portfolio Gallery
Vulnerability: Arbitrary Gallery Deletion via CSRF
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of September 27, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

19. WP Limits

Plugin: WP Limits
Vulnerability: Plugin's Settings Update via CSRF
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of October 4, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

20. Page/Post Content Shortcode

Plugin: Page/Post Content Shortcode
Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of October 4, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

21. Improved Include Page

Plugin: Improved Include Page
Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of October 8, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

22. Mediamatic

Plugin: Mediamatic
Vulnerability: Subscriber+ SQL Injection
Patched in Version: No known fix
Severity Score: High

This plugin has been closed as of October 11, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

23. Display Post Metadata

Plugin: Display Post Metadata
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of October 21, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

24. ToTop Link

Plugin: ToTop Link
Vulnerability: Unauthenticated PHP Object Injection
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of October 21, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

25. User Meta Shortcodes

Plugin: User Meta Shortcodes
Vulnerability: Contributor+ Unauthorized Arbitrary User Metadata Access
Patched in Version: No known fix
Severity Score: High

This plugin has been closed as of October 12, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

26. Quotes Collection

Plugin: Quotes Collection
Vulnerability: Admin+ SQL Injection
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of October 13, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

27. Push Notifications for WordPress (Lite)

Plugin: Push Notifications for WordPress (Lite)
Vulnerability: Settings Update via CSRF
Patched in Version: 6.0.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 6.0.1.

28. SportsPress

Plugin: SportsPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.7.9
Severity Score: High

The vulnerability is patched, so you should update to version 2.7.9.

29. Login/Signup Popup

Plugin: Login/Signup Popup
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.2
Severity Score: High

The vulnerability is patched, so you should update to version 2.2.

30. Preview E-mails for WooCommerce

Plugin: Preview E-mails for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.0.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.0.0.5.

31. WP User Frontend

Plugin: WP User Frontend
Vulnerability: Membership, Profile, Registration & Post Submission Plugin for WordPress
Patched in Version: 3.5.25
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.5.25.

32. Directorist – Business Directory Plugin

Plugin: Directorist – Business Directory Plugin
Vulnerability: CSRF to Remote File Upload
Patched in Version: 7.0.6.2
Severity Score: Critical

The vulnerability is patched, so you should update to version 7.0.6.2.

33. Easy Registration Forms

Plugin: Easy Registration Forms
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This plugin has been closed as of November 12, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

34. WP Reset Pro

Plugin: WP Reset Pro
Vulnerability: Subscriber+ Database Reset
Patched in Version: 5.99
Severity Score: Critical

The vulnerability is patched, so you should update to version 5.99.

Plugin: WP Reset Pro
Vulnerability: Database Reset via CSRF
Patched in Version: 5.99
Severity Score: Critical

The vulnerability is patched, so you should update to version 5.99.

35. WordPress + Microsoft Office 365

Plugin: WordPress + Microsoft Office 365
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 15.4
Severity Score: Critical

The vulnerability is patched, so you should update to version 15.4.

36. Duplicate Post

Plugin: Duplicate Post
Vulnerability: Authenticated SQL Injection
Patched in Version: 1.2.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.0.

37. Backup Migration

Plugin: Backup Migration
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.1.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.1.6.


If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!