Menu
iThemes
WordPress Backup, Security & Maintenance
  • Products
    • iThemes Security Pro
    • BackupBuddy
    • Kadence WP
    • Restrict Content Pro
    • iThemes Sync
    • Why buy from iThemes?
  • Bundles
    • Essentials Bundle
    • Plugin Suite
    • WordPress Web Designer’s Toolkit
    • Customer Spotlights
  • Resources
    • Blog
    • WordPress 101 Tutorials
    • WordPress Ebooks
    • Weekly WordPress Vulnerability Report
    • The Ultimate Guide to Starting a Web Design Business
  • Training
    • Upcoming Webinars
    • Free Webinar Library
    • Premium Courses
    • Become a Member
    • Member Login
  • Support
    • Documentation
    • Get Help
    • Product Updates
    • Upgrade Policy
    • Contact
    • Our Mission: Make People’s Lives Awesome
  • Log In
WordPress News and Updates from iThemes
Categories
  • Product Updates
  • WordPress Backup
  • WordPress Block Editor
  • WordPress Ecommerce
  • WordPress for Freelancers
  • WordPress Maintenance
  • WordPress Security
  • WordPress Training Webinars
  • WordPress Tutorials
  • WPprosper

WordPress Vulnerability Report: April 2021, Part 4

Written by Michael Moore on April 28, 2021

Last Updated on April 28, 2021

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. This report covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. The severity ratings are based on the Common Vulnerability Scoring System.

In the April, Part 4 Report
    Get the iThemes Security WordPress Vulnerability Report delivered to your inbox
    Sign up for the report

    WordPress Core Vulnerabilities

    WordPress 5.7.1 was released on April 15, 2021. This security and maintenance release features 26 bug fixes in addition to two security fixes. Because this is a security release of WordPress core, it is recommended that you update your sites immediately!

    WordPress Plugin Vulnerabilities

    1. Accordion

    Vulnerability: Authenticated Reflected Cross-Site Scripting
    Patched in Version: 2.2.30
    Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    The vulnerability is patched, so you should update to version 2.2.30+.

    2. RSS for Yandex Turbo

    Vulnerability: Authenticated Stored Cross-Site Scripting
    Patched in Version: 1.30
    Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

    The vulnerability is patched, so you should update to version 1.30+.

    3. Kaswara Modern VC Addons

    Vulnerability: Unauthenticated Arbitrary File Upload
    Patched in Version: No known fix
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    4. WP Content Copy Protection & No Right Click

    Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
    Patched in Version: 3.4
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

    Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
    Patched in Version: 3.5.1
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    The vulnerability is patched, so you should update to version 3.5.1+.

    5. Conditional Marketing Mailer for WooCommerce

    Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
    Patched in Version: 1.6
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

    Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
    Patched in Version: 1.5.2
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    The vulnerability is patched, so you should update to version 1.6+.

    6. Captchinoo, Google recaptcha for admin login page

    Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
    Patched in Version: No known fix
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

    Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
    Patched in Version: No known fix
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    7. WP Maintenance Mode & Site Under Construction

    Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
    Patched in Version: No known fix
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

    Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
    Patched in Version: No known fix
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    8. Tree Sitemap

    Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
    Patched in Version: No known fix
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

    Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
    Patched in Version: No known fix
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    9. Login Protection – Limit Failed Login Attempts

    Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
    Patched in Version: No known fix
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

    Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
    Patched in Version: No known fix
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    10. Visitor Traffic Real Time Statistics

    Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
    Patched in Version: 2.13
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

    Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
    Patched in Version: 2.12
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    The vulnerability is patched, so you should update to version 2.13+.

    11. Login as User or Customer

    Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
    Patched in Version: 2.1
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

    Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
    Patched in Version: 1.8
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    The vulnerability is patched, so you should update to version 2.1+.

    12. Redirect 404 to Parent

    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 1.3.1
    Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    The vulnerability is patched, so you should update to version 1.3.1+.

    13. Select All Categories and Taxonomies

    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 1.3.2
    Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    The vulnerability is patched, so you should update to version 1.3.2+.

    14. Software License Manager

    Vulnerability:  CSRF to Stored XSS
    Patched in Version: 4.4.6
    Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    The vulnerability is patched, so you should update to version 4.4.6+.

    15. Car Seller – Auto Classifieds Script

    Vulnerability: Unauthenticated SQL Injection
    Patched in Version: No known fix
    Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    16. Store Locator Plus

    Vulnerability: Unauthenticated Stored Cross-Site Scripting
    Patched in Version: No known fix
    Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    17. Happy Addons for Elementor Free & Pro

    Vulnerability: Stored Cross-Site Scripting
    Free Patched in Version: 2.24.0
    Pro Patched in Version: 1.17.0
    Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 2.24.0+ (Free) / 1.17.0+ (Pro).

    18. WP Fastest Cache

    WP Fastest Cache Logo

    Vulnerability: Authenticated Arbitrary File Deletion via Path Traversal
    Patched in Version: 0.9.1.7
    Severity: Low – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

    The vulnerability is patched, so you should update to version 0.9.1.7+.

    19. WPGraphQL

    Vulnerability: Denial of Service
    Patched in Version: No known fix
    Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    20. WooCommerce

    Vulnerability: Authenticated Stored Cross-Site Scripting
    Patched in Version: 5.2.0
    Severity: Medium – CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

    The vulnerability is patched, so you should update to version 5.2.0+.

    WordPress Theme Vulnerabilities

    No new theme vulnerabilities have been disclosed this week.

    A WordPress Security Plugin Can Help Secure Your Website

    iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.

    Get iThemes Security Pro

    Share via:

    • Facebook
    • Twitter
    • LinkedIn
    • More
    Other related posts
    WordPress Vulnerability Report
    WordPress Vulnerability Report – May 25, 2022
    Website security matters to your business
    Why Website Security Matters to Your Business
    wordpress vulnerability report
    WordPress Vulnerability Report – May 18, 2022
    wordpress-website-hacked
    How Do Websites Get Hacked?

    Respond

    Click here to cancel reply.

    Get updates on new themes & plugins plus special discounts

    About iThemes

    • The Team
    • Contact Us
    • Website Accessibility Statement
    • Sitemap

    Resources

    • Blog
    • Documentation
    • WordPress Tutorials
    • Free WordPress Ebooks
    • Free Webinar Library
    • Free Upcoming Webinars
    • iThemes Training
    • Affiliates

    Customers

    • Member Panel Login
    • Support
    • FAQs
    • Upgrade Policy
    • Licensing
    • Terms and Conditions
    • Refund Policy

    Top Products

    • BackupBuddy
    • iThemes Security Pro
    • iThemes Sync
    • Restrict Content Pro
    • WPComplete
    • WordPress Hosting
    • WordPress Plugins
    • Content Upgrades
    • WordPress Landing Page Plugin
    • BackupBuddy Stash

    iThemes Media LLC Copyright © 2022 All rights reserved | Privacy Policy

    © 2022 All Rights Reserved.

    Share via
    Facebook
    Twitter
    LinkedIn
    Mix
    Email
    Print
    Copy Link
    Powered by Social Snap
    Copy link
    CopyCopied
    Powered by Social Snap

    Get the Weekly WordPress Vulnerability Report

    Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.
    No spam. Unsubscribe anytime.