Menu
iThemes
WordPress Backup, Security & Maintenance
  • Products
    • iThemes Security Pro
    • BackupBuddy
    • Kadence WP
    • Restrict Content Pro
    • iThemes Sync
    • Why buy from iThemes?
  • Bundles
    • Essentials Bundle
    • Plugin Suite
    • WordPress Web Designer’s Toolkit
    • Customer Spotlights
  • Resources
    • Blog
    • WordPress 101 Tutorials
    • WordPress Ebooks
    • Weekly WordPress Vulnerability Report
    • The Ultimate Guide to Starting a Web Design Business
  • Training
    • Upcoming Webinars
    • Free Webinar Library
    • Premium Courses
    • Become a Member
    • Member Login
  • Support
    • Documentation
    • Get Help
    • Product Updates
    • Upgrade Policy
    • Contact
    • Our Mission: Make People’s Lives Awesome
  • Log In
WordPress News and Updates from iThemes
Categories
  • Product Updates
  • WordPress Backup
  • WordPress Block Editor
  • WordPress Ecommerce
  • WordPress for Freelancers
  • WordPress Maintenance
  • WordPress Security
  • WordPress Training Webinars
  • WordPress Tutorials
  • WPprosper

WordPress Vulnerability Report: April 2021, Part 1

Written by Michael Moore on April 7, 2021

Last Updated on April 15, 2021

New WordPress plugin and vulnerabilities were disclosed during the first week of April. This post provides a report of recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes. Each vulnerability includes information on which version you should be running, so be sure to update!

Each vulnerability will also have a severity rating of Low, Medium, High, or Critical. The severity ratings are based on a Common Vulnerability Scoring System designed to help you know how to measure the severity of a vulnerability.

In the April, Part 1 Report

    WordPress Core Vulnerabilities

    Great news! No new WordPress core vulnerabilities have been disclosed this month.

    The latest version of WordPress is currently 5.7. Make sure all your websites are running the latest version of WordPress core.

    WordPress Plugin Vulnerabilities

    This section covers vulnerabilities in WordPress plugins with instructions on whether to update or remove the vulnerable plugin.

    1. Controlled Admin Access

    Vulnerability: Improper Access Control to Privilege Escalation
    Patched in Version: 1.5.6
    Severity: High – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    The vulnerability is patched, so you should update to version 1.5.6+.

    2. Advanced Booking Calendar

    Vulnerability: Authenticated Reflected Cross-Site Scripting
    Patched in Version: 1.6.8
    Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    The vulnerability is patched, so you should update to version 1.6.8+.

    3. Cooked Pro

    Vulnerability: Unauthenticated Reflected Cross-Site Scripting
    Patched in Version: 1.7.5.6
    Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 1.7.5.6+.

    4. SecuPress Free & Pro

    Vulnerability: Unauthenticated Arbitrary IP Ban
    Patched in Version: 2.0
    Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

    The vulnerability is patched, so you should update to version 2.0+.

    5. Ivory Search

    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 4.6.1
    Severity: Medium – CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

    The vulnerability is patched, so you should update to version 4.6.1+.

    6. Goto – Tour & Travel

    Vulnerability: Unauthenticated Reflected Cross-Site Scripting
    Patched in Version: 2.0
    Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 2.0+.

    7. Virtual Robots.txt

    Vulnerability: Authenticated Stored Cross-Site Scripting
    Patched in Version: 1.10
    Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

    The vulnerability is patched, so you should update to version 1.10+.

    8. Realteo

    Vulnerability: Unauthenticated Reflected Cross-Site Scripting
    Patched in Version: 1.2.4
    Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    Vulnerability: Arbitrary Property Deletion via IDOR
    Patched in Version: 1.2.4
    Severity: High – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

    The vulnerability is patched, so you should update to version 1.2.4+.

    9. Business Hours Pro

    Vulnerability: Unauthenticated Arbitrary File Upload to RCE
    Patched in Version: No known fix
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    The vulnerability HAS NOT been patched, so you should remove this plugin immediately.

    10. Erident Custom Login and Dashboard

    Vulnerability: Authenticated Stored Cross-Site Scripting
    Patched in Version: 3.5.9
    Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

    The vulnerability is patched, so you should update to version 3.5.9+.

    11. Pie Register

    Pie Register Logo

    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 3.7.0.1
    Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    The vulnerability is patched, so you should update to version 3.7.0.1+.

    12. Tutor LMS

    Vulnerability: Authenticated Local File Inclusion
    Patched in Version: 1.8.8
    Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

    The vulnerability is patched, so you should update to version 1.8.8+.

    WordPress Theme Vulnerabilities

    No new theme vulnerabilities have been disclosed this month.

    A WordPress Security Plugin Can Help Secure Your Website

    iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website to help protect you from the most common types of website vulnerabilities.

    Get iThemes Security Pro

    Share via:

    • Facebook
    • Twitter
    • LinkedIn
    • More
    Other related posts
    Website security matters to your business
    Why Website Security Matters to Your Business
    wordpress vulnerability report
    WordPress Vulnerability Report – May 18, 2022
    wordpress-website-hacked
    How Do Websites Get Hacked?
    wordpress-vulnerability-report
    WordPress Vulnerability Report – May 11, 2022

    Respond

    Click here to cancel reply.

    Get updates on new themes & plugins plus special discounts

    About iThemes

    • The Team
    • Contact Us
    • Website Accessibility Statement
    • Sitemap

    Resources

    • Blog
    • Documentation
    • WordPress Tutorials
    • Free WordPress Ebooks
    • Free Webinar Library
    • Free Upcoming Webinars
    • iThemes Training
    • Affiliates

    Customers

    • Member Panel Login
    • Support
    • FAQs
    • Upgrade Policy
    • Licensing
    • Terms and Conditions
    • Refund Policy

    Top Products

    • BackupBuddy
    • iThemes Security Pro
    • iThemes Sync
    • Restrict Content Pro
    • WPComplete
    • WordPress Hosting
    • WordPress Plugins
    • Content Upgrades
    • WordPress Landing Page Plugin
    • BackupBuddy Stash

    iThemes Media LLC Copyright © 2022 All rights reserved | Privacy Policy

    © 2022 All Rights Reserved.

    Share via
    Facebook
    Twitter
    LinkedIn
    Mix
    Email
    Print
    Copy Link
    Powered by Social Snap
    Copy link
    CopyCopied
    Powered by Social Snap