WordPress Vulnerability Roundup: August 2020, Part 2
New WordPress plugin and theme vulnerabilities were disclosed during the second half of August, so we want to keep you aware. In this post, we cover recent WordPress plugin, theme and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website. The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.
WordPress Core Vulnerabilities
No WordPress core vulnerabilities were disclosed in August. However, August did bring a new major WordPress version. Just note that we have received numerous reports of the 5.5 update breaking websites, so here’s a guide on WordPress 5.5 Breaking Websites: How to Fix.
See What’s New in WordPress 5.5
WordPress 5.5 “Eckstine” is out! This major version release of WordPress focuses on “speed, search & security,” including 1500+ changes to the block editor interface, 150+ enhancements and feature requests, 300+ bug fixes, and more. See what’s new in WordPress 5.5.
WordPress Plugin Vulnerabilities
1. Ultimate Member
Ultimate Member versions below 2.1.7 have an Unauthenticated Open Redirect vulnerability.
2. Quiz and Survey Master
Quiz and Survey Master versions below 7.0.1 have Unauthenticated Arbitrary File Deletion and Arbitrary File Upload vulnerabilities.
3. Sell Media
Sell Media versions below 2.4.2 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
4. WordPress fancyBox Lightbox
WordPress fancyBox Lightbox versions below 1.0.2 have an Authenticated Stored Cross-Site Scripting vulnerability.
5. WordPress Colorbox Lightbox
WordPress Colorbox Lightbox versions below 1.1.3 have an Authenticated Stored Cross-Site Scripting vulnerability.
6. Sell Photo
All versions of Sell Photo have an Authenticated Stored Cross-Site Scripting vulnerability.
7. Responsive Lightbox2
Responsive Lightbox2 versions below 1.0.3 have an Authenticated Stored Cross-Site Scripting vulnerability.
8. NextGEN Gallery Sell Photo
All versions of NextGEN Gallery Sell Photo have an Authenticated Stored Cross-Site Scripting vulnerability.
9. Easy Media Download
Easy Media Download versions below 1.1.5 have an Authenticated Stored Cross-Site Scripting vulnerability.
10. Internal Links Manager
All versions of Internal Links Manager have Multiple Authenticated Stored Cross-Site Scripting vulnerabilities.
11. Elegant Testimonial
All versions of Elegant Testimonial have Multiple Authenticated Stored Cross-Site Scripting vulnerabilities.
12. Click to top
Click to top versions below 1.2.7 have an Authenticated Stored Cross-Site Scripting vulnerability.
13. WP Customer Reviews
WP Customer Reviews versions below 3.4.3 have Multiple Unauthenticated and Low Privilege Authenticated Stored XSS vulnerabilities.
14. Discount Rules for WooCommerce
Discount Rules for WooCommerce versions below 2.1.0 have multiple vulnerabilities.
15. Advanced Access Manager
Advanced Access Manager versions below 6.6.2 have Authenticated Authorization Bypass and Privilege Escalation vulnerabilities.
16. WooCommerce – NAB Transact
WooCommerce – NAB Transact versions below 2.1.2 have a Payment Bypass vulnerability.
17. Kali Forms
Kali Forms versions below 2.1.2 have multiple vulnerabilities.
18. RSVPMaker
RSVPMaker versions below 7.8.2 have an Unauthenticated SQL Injection vulnerability.
19. Autoptimize
Autoptimize versions below 2.7.7 have an Authenticated Arbitrary File Upload vulnerability.
WordPress Theme Vulnerabilities
1. FoodBakery
FoodBakery versions 1.9 and below have an Unauthenticated Reflected XSS vulnerability.
2. Konzept
Konzept versions below 2.5 have an Unauthenticated Reflected XSS vulnerability.
3. Nova Lite
Nova Lite versions below 1.3.9 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
4. Home Villas
All versions of Home Villas have Multiple Cross-Site Scripting vulnerabilities.
5. Geo Magazine
All versions of Geo Magazine have an Unauthenticated Reflected XSS vulnerability.
Protect WordPress with the iThemes Security Site Scan
Did you know that 60% of website breaches involve vulnerabilities for which a patch was available but not applied? This means having software with known vulnerabilities installed on your site gives hackers the blueprints they need to take over your site.
Every day, it gets harder and harder to keep track of every disclosed WordPress vulnerability. You have to compare that list to the versions of plugins and themes you have installed on your site… and make sure you’re constantly updating.
To solve this problem, today we’re excited to announce that the iThemes Security Pro plugin is rolling out a better way to protect your sites against software vulnerabilities, the number one culprit of hacked and compromised WordPress sites.
The new, improved WordPress Security Site Scan powered by iThemes performs automatic checks for known website vulnerabilities and, if a patch is available, iThemes Security Pro will now automatically apply the fix for you… so you don’t have to. Whew, that’s some peace of mind.
A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.