WordPress Vulnerability Report: September 2021, Part 1

>>> Shared from Original Post iThemes

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

This is one of the largest WordPress Vulnerability Reports to date, so please share this post with your friends to help get the word out and make WordPress safer for everyone.

Contents of the September 1, 2021 Report

    WordPress Core Vulnerabilities

    No new WordPress core vulnerabilities have been disclosed this month.

    WordPress Plugin Vulnerabilities

    This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the version number that contains the fix (if one has been released), and the severity rating.

    1. MicroCopy 

    Plugin: MicroCopy
    Vulnerability: Authenticated SQL Injection
    Patched in Version: No known fix 
    Severity: Medium

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    2. Responsive 3D Slider 

    Plugin: Responsive 3D Slider
    Vulnerability: Authenticated SQL Injection
    Patched in Version: No known fix 
    Severity: Medium

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    3. Create WooCommerce Product Feeds For 40+ Merchants

    Plugin: Create WooCommerce Product Feeds For 40+ Merchants
    Vulnerability: Authenticated SQL Injection
    Patched in Version: 3.3.1.0
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 3.3.1.0.

    4. The Sorter

    Plugin: The Sorter
    Vulnerability: Authenticated SQL Injection
    Patched in Version: No known fix 
    Severity: Medium

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    5. Display users

    Plugin: Display users
    Vulnerability: Authenticated SQL Injection
    Patched in Version: No known fix 
    Severity: Medium

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    6. WP Domain Redirect

    Plugin: WP Domain Redirect
    Vulnerability: Authenticated SQL Injection
    Patched in Version: No known fix 
    Severity: Medium

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    7. WP iCommerce

    Plugin: WP iCommerce
    Vulnerability: Authenticated (contributor+) SQL Injection
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    8. WordPress Page Contact

    Plugin: WordPress Page Contact
    Vulnerability: Authenticated (editor+) SQL Injection
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    9. WP-Board

    Plugin: WP-Board
    Vulnerability: Unauthenticated SQL Injection
    Patched in Version: No known fix 
    Severity: Critical

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    10. Alojapro Widget 

    Plugin: Alojapro Widget 
    Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
    Patched in Version: 1.1.16
    Severity Score: Low

    The vulnerability is patched, so you should update to version 1.1.16.

    11. Simple School Staff Directory

    Plugin: Simple School Staff Directory
    Vulnerability: Admin+ Arbitrary File Upload
    Patched in Version: No known fix 
    Severity: Critical

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    12. Limit Login Attempts

    Plugin: Limit Login Attempts
    Vulnerability: Unauthenticated Stored Cross-Site Scripting
    Patched in Version: 4.0.50
    Severity Score: Critical

    The vulnerability is patched, so you should update to version 4.0.50.

    13. OMGF

    Plugin: OMGF
    Vulnerability: Subscriber+ Arbitrary File/Folder Deletion
    Patched in Version: 4.5.4
    Severity Score: Critical

    The vulnerability is patched, so you should update to version 4.5.4.

    Plugin: OMGF
    Vulnerability: Unauthenticated Path Traversal in REST API
    Patched in Version: 4.5.4
    Severity Score: Critical

    The vulnerability is patched, so you should update to version 4.5.4.

    14. Fonts Plugin

    Plugin: Fonts Plugin
    Vulnerability: Contributor+ Stored Cross-Site Scripting
    Patched in Version: 3.0.3
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 3.0.3.

    15. GSEOR

    Plugin: GSEOR
    Vulnerability: Authenticated SQL Injection
    Patched in Version: No known fix 
    Severity: Medium

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    16. Shortcodes Ultimate

    Plugin: Shortcodes Ultimate
    Vulnerability: Contributor+ Stored XSS
    Patched in Version: 5.10.2
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 5.10.2.

    17. Post Views Counter

    Plugin: Post Views Counter
    Vulnerability: Authenticated Stored XSS
    Patched in Version: 1.3.5
    Severity Score: Low

    The vulnerability is patched, so you should update to version 1.3.5.

    18. MWB Point of Sale (POS) for WooCommerce

    Plugin: MWB Point of Sale (POS) for WooCommerce
    Vulnerability: CSRF Bypass / Unauthorised AJAX Call
    Patched in Version: 1.0.1
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 1.0.1.

    19. Timetable and Event Schedule by MotoPress

    Plugin: Timetable and Event Schedule by MotoPress
    Vulnerability: Unauthorised Event TimeSlot Deletion
    Patched in Version: 2.4.2
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 2.4.2.

    Plugin: Timetable and Event Schedule by MotoPress
    Vulnerability: Unauthorised Event TimeSlot Update
    Patched in Version: 2.4.2
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 2.4.2.

    Plugin: Timetable and Event Schedule by MotoPress
    Vulnerability: Arbitrary User’s Hashed Password/Email/Username Disclosure
    Patched in Version: 2.4.2
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 2.4.2.

    Plugin: Timetable and Event Schedule by MotoPress
    Vulnerability: Author+ Stored Cross-Site Scripting
    Patched in Version: 2.4.2
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 2.4.2.

    20. Comment Link Remove and Other Comment Tools

    Plugin: Comment Link Remove and Other Comment Tools
    Vulnerability: Arbitrary Comment Deletion via CSRF
    Patched in Version: 2.1.6
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 2.1.6.

    21. WP Video Lightbox

    Plugin: WP Video Lightbox
    Vulnerability: Contributor+ Stored Cross-Site Scripting
    Patched in Version: 1.9.3
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 1.9.3.

    22. Gallery Blocks with Lightbox

    Plugin: Gallery Blocks with Lightbox
    Vulnerability: Authenticated Stored Cross-Site Scripting
    Patched in Version: 2.2.1
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 2.2.1.

    23. Recipe Card Blocks

    Plugin: Recipe Card Blocks
    Vulnerability: Contributor+ Stored Cross-Site Scripting
    Patched in Version: 2.8.3
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 2.8.3.

    Plugin: Recipe Card Blocks
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 2.8.1
    Severity Score: High

    The vulnerability is patched, so you should update to version 2.8.1.

    24. Podlove Podcast Publisher 

    Plugin: Podlove Podcast Publisher 
    Vulnerability: Unauthenticated SQL Injection
    Patched in Version: 3.5.6
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 3.5.6.

    25. Coupon Affiliates for WooCommerce

    Plugin: Coupon Affiliates for WooCommerce
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 4.11.0.2
    Severity Score: High

    The vulnerability is patched, so you should update to version 4.11.0.2.

    26. Contact List

    Plugin: Contact List
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 2.9.42
    Severity Score: High

    The vulnerability is patched, so you should update to version 2.9.42.

    27. SMTP Mail 

    Plugin: SMTP Mail 
    Vulnerability: Authenticated SQL Injections
    Patched in Version: 1.2.2
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 1.2.2.

    Plugin: SMTP Mail 
    Vulnerability: Reflected Cross-Site Scripting (XSS)
    Patched in Version: 1.2
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 1.2.

    28. Live Scores for SportsPress  

    Plugin: Live Scores for SportsPress 
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 1.9.1
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.9.1.

    Plugin: Live Scores for SportsPress 
    Vulnerability: Authenticated Local File Inclusion
    Patched in Version: 1.9.1
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 1.9.1.

    29. TextME SMS 

    Plugin: TextME SMS
    Vulnerability: Authenticated Stored XSS
    Patched in Version: 1.8.9
    Severity Score: Low

    The vulnerability is patched, so you should update to version 1.8.9.

    30. Contact Form Entries 

    Plugin: Contact Form Entries
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 1.2.1
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.2.1.

    Plugin: Contact Form Entries – Contact Form 7, WPforms and more
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    31. Moova for WooCommerce

    Plugin: Moova for WooCommerce
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 3.8
    Severity Score: High

    The vulnerability is patched, so you should update to version 3.8.

    32. Picture Gallery

    Plugin: Picture Gallery
    Vulnerability: Authenticated Stored XSS
    Patched in Version: 1.4.4
    Severity Score: Low

    The vulnerability is patched, so you should update to version 1.4.4.

    33. Station Pro Plugin

    Plugin: Station Pro Plugin – Titan Framework
    Vulnerability: Reflected Cross-Site Scripting (XSS)
    Patched in Version: 2.2.2
    Severity Score: High

    The vulnerability is patched, so you should update to version 2.2.2.

    34. Booster for WooCommerce

    Plugin: Booster for WooCommerce
    Vulnerability: Authentication Bypass
    Patched in Version: 5.4.4
    Severity Score: Critical

    The vulnerability is patched, so you should update to version 5.4.4.

    35. Responsive Poll 

    Plugin: Responsive Poll 
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 1.5.9
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.5.9.

    36. Contact Form 7 Zoho

    Plugin: Contact Form 7 Zoho 
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 1.1.8
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.1.8.

    Plugin: Contact Form 7 Zoho – Multiple Plugins from CRM Perks
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 1.1.9
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.1.9.

    37. Block and Stop Bad Bots

    Plugin: Block and Stop Bad Bots 
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 6.62
    Severity Score: High

    The vulnerability is patched, so you should update to version 6.62.

    38. MX Time Zone Clocks

    Plugin: MX Time Zone Clocks
    Vulnerability: Contributor+ Cross-Site Scripting
    Patched in Version: 3.4.1
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 3.4.1.

    39. Mail Masta

    Plugin: Mail Masta
    Vulnerability: Unauthenticated Local File Inclusion (LFI)
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    40. Nested Pages

    Plugin: Nested Pages
    Vulnerability: CSRF to Arbitrary Post Deletion and Modification
    Patched in Version: 3.1.16
    Severity Score: High

    The vulnerability is patched, so you should update to version 3.1.16.

    Plugin: Nested Pages
    Vulnerability: Open Redirect
    Patched in Version: 3.1.16
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 3.1.16.

    41. WordPress Real Media Library

    Plugin: WordPress Real Media Library
    Vulnerability: Author Stored Cross-Site Scripting
    Patched in Version: 4.14.2
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 4.14.2.

    42. MPL-Publisher – Self-publish your book & ebook

    Plugin: MPL-Publisher – Self-publish your book & ebook
    Vulnerability: Reflected Cross-Site Scripting via PHPRelativePath Library
    Patched in Version: 1.29.2
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.29.2.

    43. WooCommerce PDF Invoice Bulk Download

    Plugin: WooCommerce PDF Invoice Bulk Download
    Vulnerability: Reflected Cross-Site Scripting via PHPRelativePath Library
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    44. Read Offline

    Plugin: Read Offline
    Vulnerability: Reflected Cross-Site Scripting via PHPRelativePath Library
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    45. Integration for Contact Form 7 and Mailchimp

    Plugin: Integration for Contact Form 7 and Mailchimp
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: 1.1.1
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.1.1.

    46. Integration for Contact Form 7 HubSpot 

    Plugin: Integration for Contact Form 7 HubSpot 
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: 1.2.0
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.2.0.

    47. WooCommerce Zoho Integration – CRM, Books, Invoice, Inventory 

    Plugin: WooCommerce Zoho Integration – CRM, Books, Invoice, Inventory
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    48. Integration for Contact Form 7 and Salesforce 

    Plugin: Integration for Contact Form 7 and Salesforce
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: 1.2.6
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.2.6.

    49. Connector for Gravity Forms and Google Sheets  

    Plugin: Connector for Gravity Forms and Google Sheets
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: 1.1.1
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.1.1.

    50. Integration for Contact Form 7 and Constant Contact

    Plugin: Integration for Contact Form 7 and Constant Contact
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: 1.1.0
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.1.0.

    51. Integration for WooCommerce and QuickBooks

    Plugin: Integration for WooCommerce and QuickBooks
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    52. Gravity Forms Salesforce

    Plugin: Gravity Forms Salesforce
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    53. Integration for Contact Form 7 and Infusionsoft

    Plugin: Integration for Contact Form 7 and Infusionsoft
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: 1.1.4
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.1.4.

    54. Integration for Contact Form 7 and Pipedrive

    Plugin: Integration for Contact Form 7 and Pipedrive
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: 1.1.1
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.1.1.

    55. Gravity Forms Infusionsoft

    Plugin: Gravity Forms Infusionsoft
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: 1.1.5
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.1.5.

    56. Contact Form 7 Zendesk

    Plugin: Contact Form 7 Zendesk
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: 1.0.8
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.0.8.

    57. Gravity Forms Zoho CRM Add-on

    Plugin: Gravity Forms Zoho CRM Add-on
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    58. Gravity Forms HubSpot

    Plugin: Gravity Forms HubSpot
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    59. WooCommerce Salesforce Integration

    Plugin: WooCommerce Salesforce Integration
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    60. WP Insightly for Contact Form 7 and Ninja Forms

    Plugin: WP Insightly for Contact Form 7 and Ninja Forms
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: 1.0.9
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.0.9.

    61. Gravity Forms Zendesk

    Plugin: Gravity Forms Zendesk
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    62. WP Infusionsoft WooCommerce Plugin

    Plugin: WP Infusionsoft WooCommerce Plugin
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    63. Integration for Contact Form 7 and ActiveCampaign

    Plugin: Integration for Contact Form 7 and ActiveCampaign
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    64. Integration for HubSpot and WooCommerce

    Plugin: Integration for HubSpot and WooCommerce
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    65. Gravity Forms FreshDesk Plugin

    Plugin: Gravity Forms FreshDesk Plugin
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    66. Gravity Forms Dynamics CRM

    Plugin: Gravity Forms Dynamics CRM
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    67. Gravity Forms Constant Contact Plugin

    Plugin: Gravity Forms Constant Contact Plugin
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    68. Integration for Gravity Forms and Pipedrive

    Plugin: Integration for Gravity Forms and Pipedrive
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    69. WP Gravity Forms Insightly

    Plugin: WP Gravity Forms Insightly
    Vulnerability: Multiple Plugins from CRM Perks – Reflected Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    70. NewsPlugin

    Plugin: NewsPlugin
    Vulnerability: CSRF to Stored Cross-Site Scripting
    Patched in Version: 1.1.0
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.1.0.

    71. Events Shortcodes & Templates For The Events Calendar

    Plugin: Events Shortcodes & Templates For The Events Calendar
    Vulnerability: Titan Framework – Reflected Cross-Site Scripting (XSS)
    Patched in Version: 1.7.2
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.7.2.

    72. Advanced Custom Fields

    Plugin: Advanced Custom Fields
    Vulnerability: Subscriber+ Arbitrary ACF Data/Field Groups View and Fields Move
    Patched in Version: 5.10
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 5.10.

    73. PostX Gutenberg Blocks Saved Templates Addon

    Plugin: PostX Gutenberg Blocks Saved Templates Addon
    Vulnerability: Private Content Disclosure
    Patched in Version: 2.4.10
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 2.4.10.

    Plugin: PostX Gutenberg Blocks Saved Templates Addon
    Vulnerability: Contributor+ Stored Cross-Site Scripting
    Patched in Version: 2.4.10
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 2.4.10.

    Plugin: PostX Gutenberg Blocks for Post Grid
    Vulnerability: Contributor+ Stored Cross-Site Scripting
    Patched in Version: 2.4.10
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 2.4.10.

    Plugin: PostX Gutenberg Blocks for Post Grid
    Vulnerability: Missing Access Controls
    Patched in Version: 2.4.10
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 2.4.10.

    74. Skaut bazar

    Plugin: Skaut bazar
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 1.3.3
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.3.3.

    75. Donate With QRCode

    Plugin: Donate With QRCode
    Vulnerability: Stored Cross-Site Scripting
    Patched in Version: No known fix 
    Severity: Medium

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
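    To act on a report like this one, compare each installed plugin's version with the "Patched in Version" value above: anything older is vulnerable and should be updated, and anything listed with "No known fix" should be uninstalled. The Python below is an added example, not code from iThemes or WPScan. It assumes the plugin inventory has the shape produced by `wp plugin list --fields=title,version --format=json`, uses a constructed sample inventory rather than a real site, and copies a handful of entries from the list above. Matching on the display title is an illustration-only assumption: titles are not unique identifiers, so a production check should key on the plugin slug against a vulnerability database.

```python
"""Triage an installed-plugin inventory against this report.

Added example (not iThemes or WPScan code). Assumes an inventory in the shape
of `wp plugin list --fields=title,version --format=json`; the sample below is
constructed, not taken from a real site.
"""
import json
import re

# Entries copied from the report above: plugin title -> first fixed version,
# or None where the report says "No known fix".
REPORT = {
    "Limit Login Attempts": "4.0.50",
    "OMGF": "4.5.4",
    "Booster for WooCommerce": "5.4.4",
    "Coupon Affiliates for WooCommerce": "4.11.0.2",
    "Create WooCommerce Product Feeds For 40+ Merchants": "3.3.1.0",
    "Block and Stop Bad Bots": "6.62",
    "WP-Board": None,
    "Mail Masta": None,
}

# Constructed sample inventory; version strings are chosen to exercise the
# comparison edge cases (equal versions, shorter versions, "6.7" vs "6.62").
SAMPLE_INVENTORY = json.dumps([
    {"title": "Limit Login Attempts", "version": "4.0.47"},
    {"title": "OMGF", "version": "4.5.4"},
    {"title": "Booster for WooCommerce", "version": "5.4.3"},
    {"title": "Coupon Affiliates for WooCommerce", "version": "4.11.0.2"},
    {"title": "Block and Stop Bad Bots", "version": "6.7"},
    {"title": "WP-Board", "version": "1.0"},
    {"title": "Akismet", "version": "4.1.12"},
])


def parse_version(version):
    """Split a dotted version into a tuple of ints, ignoring non-numeric
    suffixes such as '-beta'. Numeric comparison matters: as strings,
    "6.7" > "6.62", but as versions 6.7 is older than 6.62."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def version_lt(a, b):
    """True if version a is older than version b. Shorter tuples are
    zero-padded so that "3.8" compares equal to "3.8.0"."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def assess(installed, fixed_in):
    """Map an installed version and the report's fixed version to an action."""
    if fixed_in is None:
        return "UNINSTALL"      # no known fix: remove the plugin
    if version_lt(installed, fixed_in):
        return "UPDATE"         # vulnerable: update to fixed_in or later
    return "OK"                 # already at or past the patched version


def triage(inventory_json, report=REPORT):
    """Return (title, installed, fixed_in, action) for every installed
    plugin that appears in the report; plugins not in the report are skipped."""
    findings = []
    for plugin in json.loads(inventory_json):
        title = plugin["title"]
        if title not in report:
            continue
        fixed_in = report[title]
        findings.append((title, plugin["version"], fixed_in,
                         assess(plugin["version"], fixed_in)))
    return findings


if __name__ == "__main__":
    for title, installed, fixed_in, action in triage(SAMPLE_INVENTORY):
        print(f"{action:9} {title} (installed {installed}, "
              f"fixed in {fixed_in or 'no known fix'})")
```

    The version parser is the part worth getting right: a plain string comparison would report "6.7" as newer than "6.62" and "3.8" as older than "3.8.0", both of which would mis-triage a real site. Run the script against the JSON from your own `wp plugin list` call and treat every UPDATE or UNINSTALL line as an action item.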

    WordPress Theme Vulnerabilities

    1. Woffice

    Theme: Woffice
    Vulnerability: Unauthenticated Disclosure of Notification Titles
    Patched in Version: 4.0.2
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 4.0.2.

    A Note on Responsible Disclosure

    You might wonder why a vulnerability would be disclosed at all if doing so hands attackers a target. In practice, a security researcher usually finds the vulnerability and first reports it privately to the software developer.

    Under responsible disclosure, the researcher's initial report goes privately to the developers who own the software, with the understanding that full details will be published once a patch is available. For significant vulnerabilities, publication may be delayed a little longer to give more site owners time to update.

    The researcher may also set a deadline for the developer to respond to the report or to provide a patch. If the deadline passes, the researcher may publicly disclose the vulnerability to put pressure on the developer to issue a fix.

    Publicly disclosing an unpatched vulnerability, effectively creating a zero-day (a vulnerability for which no patch exists, which attackers can then exploit in the wild), may seem counterproductive. But it is often the only leverage a researcher has to pressure the developer into shipping a fix.

    Without that pressure, an attacker who independently discovers the vulnerability could quietly exploit it against end users (that is, you) while the developer remains content to leave it unpatched. Google's Project Zero follows similar guidelines: under its 90-day disclosure deadline, full details of a vulnerability are published 90 days after it is reported, whether or not a patch has shipped, with only a short grace period when a fix is imminent.

    How to Protect Your WordPress Website From Vulnerable Plugins and Themes

    As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin or WordPress core version with a known vulnerability.

    1. Turn on the iThemes Security Pro Site Scanner

    The iThemes Security Pro plugin's Site Scanner scans for the #1 reason WordPress sites get hacked: outdated plugins and themes with known vulnerabilities. The Site Scanner checks your site against known vulnerabilities and, when Version Management is enabled (see below), can automatically apply a patch if one is available.

    To enable the Site Scan on new installs, navigate to the Site Check tab on the Features menu inside the plugin and click the toggle to enable the Site Scan.


    To trigger a manual Site Scan, click the Scan Now button on the Site Scan Security Dashboard card.


    If the Site Scan detects a vulnerability, click the vulnerability link to view the details page.


    On the Site Scan vulnerability page, you will see if there is a fix available for the vulnerability. If there is a patch available, you can click the Update Plugin button to apply the fix on your website.

    2. Turn on Version Management to Auto-Update When an Update Fixes a Vulnerability

    The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site when outdated software is not updated quickly enough. Even the strongest security measures will fail if you are running vulnerable software on your website. These settings help protect your site with options to update to new versions automatically if a known vulnerability exists and a patch is available.

    From the Settings page in iThemes Security Pro, navigate to the Features screen. Click the Site Check tab. From here, use the toggle to enable Version Management. Using the settings gear, you can configure even more settings, including how you want iThemes Security Pro to handle updates to WordPress, plugins, themes, and additional protection.

    Make sure to select the Auto Update if it Fixes a Vulnerability box so that iThemes Security Pro will automatically update a plugin or theme when the new version fixes a vulnerability found by the Site Scanner.


    3. Get an Email Alert When iThemes Security Pro Finds a Known Vulnerability On Your Site

    Once you’ve enabled Site Scan Scheduling, head to the Notification Center settings of the plugin. On this screen, scroll to the Site Scan Results section.


    Click the box to enable the notification email and then click the Save Settings button.

    Now, whenever a scheduled site scan discovers a known vulnerability, iThemes Security Pro will send you an email listing what it found.


    Get iThemes Security Pro and Rest a Little Easier Tonight

    iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.



    The post WordPress Vulnerability Report: September 2021, Part 1 appeared first on iThemes.
