WordPress Vulnerability Report: April 2021, Part 3

>>> Shared from Original Post iThemes

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. This post covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes. Each vulnerability will have a severity rating of LowMediumHigh, or Critical. The severity ratings are based on the Common Vulnerability Scoring System.

In the April, Part 3 Report

    WordPress Core Vulnerabilities

    WordPress 5.7.1 is was released on April 15, 2021. This security and maintenance release features 26 bug fixes in addition to two security fixes. Because this is a security release of WordPress core, it is recommended that you update your sites immediately!

    1. WordPress 5.6 – 5.7

    Vulnerability: Authenticated XXE Within the Media Library Affecting PHP 8
    Patched in Version: 5.7
    Severity: HighCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

    The vulnerability is patched, so you should update WordPress core to 5.7.1+.

    2. WordPress 4.7-5.7

    Vulnerability: Authenticated Password Protected Pages Exposure
    Patched in Version: 5.7
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

    The vulnerability is patched, so you should update WordPress core to 5.7.1+.

    WordPress Plugin Vulnerabilities

    1. Livemesh Addons for Elementor

    Vulnerability: Stored Cross-Site Scripting (XSS)
    Patched in Version: 6.8
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 6.8+.

    2. HT Mega – Absolute Addons for Elementor

    Vulnerability: Stored Cross-Site Scripting (XSS)
    Patched in Version: 1.5.7
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 1.5.7+.

    3. WooLentor – WooCommerce Elementor Addons 

    Vulnerability: Stored Cross-Site Scripting (XSS)
    Patched in Version: 1.8.6
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 1.8.6+.

    4. BuddyPress

    Vulnerability: Multiple Authenticated REST API Vulnerabilities
    Patched in Version: 7.3.0
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 7.3.0+.

    5. PowerPack Addons for Elementor

    Vulnerability: Stored Cross-Site Scripting (XSS)
    Patched in Version: 2.3.2
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 2.3.2+.

    6. Image Hover Effects – Elementor Addon 

    Vulnerability: Stored Cross-Site Scripting (XSS)
    Patched in Version: 1.3.4
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 1.3.4+.

    7. Rife Elementor Extensions & Templates

    Vulnerability: Stored Cross-Site Scripting (XSS)
    Patched in Version: 1.1.6
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 1.1.6+.

    8. The Plus Addons for Elementor 

    Vulnerability: Stored Cross-Site Scripting (XSS)
    Patched in Version: 2.0.6
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 2.0.6+.

    9. All-in-One Addons for Elementor

    Vulnerability: Stored Cross-Site Scripting (XSS)
    Patched in Version: 2.3.10
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 2.3.10.

    10. JetWidgets For Elementor

    Vulnerability: Stored Cross-Site Scripting (XSS)
    Patched in Version:
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 6.8+.

    11. Sina Extension for Elementor

    Vulnerability: Stored Cross-Site Scripting (XSS)
    Patched in Version: 3.3.12
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 3.3.12+.

    12. Ultimate Addons for Elementor

    Ultimate Addon Elementor Logo

    Vulnerability: Stored Cross-Site Scripting (XSS)
    Patched in Version: 1.30.0
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 1.30.0+.

    13. Fitness Calculators

    Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
    Patched in Version: 1.9.6
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    The vulnerability is patched, so you should update to version 1.9.6+.

    14. User Rights Access Manager

    Vulnerability: Improper Access Controls
    Patched in Version: 1.0.4
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

    The vulnerability is patched, so you should update to version 1.0.4+.

    15. Clever Addons for Elementor

    Vulnerability: Stored Cross-Site Scripting XSS
    Patched in Version: 2.1.0
    Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 2.1.0+.

    16. Easy Digital Downloads

    Easy Digital Downloads logo

    Vulnerability: Unauthorized Stripe Disconnect via CSRF
    Patched in Version: 2.10.3
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

    The vulnerability is patched, so you should update to version 2.10.3+.

    17. Edwiser Bridge

    Vulnerability: CSRF Nonce Bypass
    Patched in Version: 2.0.7
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

    The vulnerability is patched, so you should update to version 2.0.7+.

    18. WordPress Download Manager

    WordPress Download Manager logo

    Vulnerability: Unauthorized Download Duplication
    Patched in Version: 3.1.18
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

    The vulnerability is patched, so you should update to version 3.1.18+.

    19. Ultimate Maps by Supsystic

    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 1.2.5
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    The vulnerability is patched, so you should update to version 1.2.5+.

    20. Popup by Supsystic

    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 1.10.5
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    The vulnerability is patched, so you should update to version 1.10.5+.

    21. Photo Gallery by 10Web

    Photo Gallery by 10Web Logo

    Vulnerability: Multiple Reflected Cross-Site Scripting
    Patched in Version: 1.5.69
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    The vulnerability is patched, so you should update to version 1.5.69+.

    22. Redirection for Contact Form 7 

    Vulnerability: Unauthenticated Arbitrary Nonce Generation
    Patched in Version: 2.3.4
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    Vulnerability: Authenticated Arbitrary Plugin Installation
    Patched in Version: 2.3.4
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

    Vulnerability: Authenticated PHP Object Injection
    Patched in Version: 2.3.4
    Severity: HighCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

    Vulnerability: Authenticated Arbitrary Post Deletion
    Patched in Version: 2.3.4
    Severity: MediumCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

    Vulnerability: Unprotected AJAX Actions
    Patched in Version: 2.3.4
    Severity: MediumCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

    The vulnerabilities are patched, so you should update to version 2.3.4+.

    WordPress Theme Vulnerabilities

    No new theme vulnerabilities have been disclosed this week.

    A WordPress Security Plugin Can Help Secure Your Website

    iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.

    WordPress Vulnerability Report

    The post WordPress Vulnerability Report: April 2021, Part 3 appeared first on iThemes.

    >>> Read the Full Story at iThemes