WordPress Vulnerability Report

WordPress Vulnerability Roundup: February 2021, Part 1

New WordPress plugin and theme vulnerabilities were disclosed during the first half of February. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website. The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

SolidWP Editorial Team

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. The severity ratings are based on the Common Vulnerability Scoring System (CVSS).

In the February, Part 1 Report

    WordPress Core Vulnerabilities

    No new WordPress core vulnerabilities have been disclosed this month.

    WordPress Plugin Vulnerabilities

    1. uListing – Critical

    uListing versions below 1.7 have multiple vulnerabilities, including Unauthenticated SQL Injections, Unauthenticated Arbitrary Account Creation, and Unauthenticated WordPress Options Change.

    The vulnerability is patched, and you should update to version 1.7.

    2. Super Forms – Critical

    Super Forms versions below 4.9.703 have an Unauthenticated PHP File Upload to RCE vulnerability.

    The vulnerability is patched, and you should update to version 4.9.703.

    3. Modern Events Calendar Lite – Critical

    Modern Events Calendar Lite versions below 5.16.5 have multiple issues, including an Authenticated Arbitrary File Upload leading to Remote Code Execution vulnerability.

    The vulnerability is patched, and you should update to version 5.16.5.

    4. Ivory Search – Medium

    Ivory Search versions below 4.5.11 have an Authenticated Reflected Cross-Site Scripting vulnerability.

    The vulnerability is patched, and you should update to version 4.5.11.

    5. WP Editor – Critical

    WP Editor versions below 1.2.7 have an Authenticated SQL Injection vulnerability.

    The vulnerability is patched, and you should update to version 1.2.7.

    6. MStore API – High

    MStore API versions below 3.2.0 have an Authentication Bypass With Sign In With Apple vulnerability.

    The vulnerability is patched, and you should update to version 3.2.0.

    7. Popup Builder – Medium

    Popup Builder versions below 3.74 have an Authenticated Reflected Cross-Site Scripting vulnerability.

    The vulnerability is patched, and you should update to version 3.74.

    8. Gift Voucher – Critical

    All versions of Gift Voucher have an Unauthenticated Blind SQL Injection vulnerability.

    Remove the plugin until a security fix is released.

    9. Name Directory – Medium

    Name Directory versions below 1.18 have a Cross-Site Request Forgery vulnerability.

    The vulnerability is patched, and you should update to version 1.18.

    10. Contact Form 7 Style – High

    Remove the plugin until a security fix is released.

    11. Ultimate GDPR & CCPA Compliance Toolkit – Critical

    Ultimate GDPR & CCPA Compliance Toolkit versions below 2.5 have an Unauthenticated Plugin Settings Export and Import vulnerability leading to a Malicious Redirect.

    The vulnerability is patched, and you should update to version 2.5.

    12. Like Button Rating ♥ LikeBtn – High

    Like Button Rating ♥ LikeBtn versions below 2.6.32 have Unauthenticated Arbitrary Blog Settings Change and Unauthenticated Full-Read SSRF vulnerabilities.

    The vulnerability is patched, and you should update to version 2.6.32.

    13. Paid Memberships Pro – Medium

    Paid Memberships Pro versions below 2.5.3 have an Authentication Bypass vulnerability leading to Unauthorized Order Information Disclosure.

    The vulnerability is patched, and you should update to version 2.5.3.

    14. Backup by Supsystic – Critical

    All versions of Backup by Supsystic have a Local File Inclusion vulnerability.

    Remove the plugin until a security fix is released.

    15. Contact Form by Supsystic – Critical

    All versions of Contact Form by Supsystic have an Authenticated SQL Injection vulnerability.

    Remove the plugin until a security fix is released.

    16. Data Tables Generator by Supsystic – Critical

    All versions of Data Tables Generator by Supsystic have an Authenticated SQL Injection vulnerability.

    Remove the plugin until a security fix is released.

    17. Digital Publications by Supsystic – Medium

    All versions of Digital Publications by Supsystic have an Authenticated Stored Cross-Site Scripting vulnerability.

    Remove the plugin until a security fix is released.

    18. Membership by Supsystic – Critical

    All versions of Membership by Supsystic have an Authenticated SQL Injection vulnerability.

    Remove the plugin until a security fix is released.

    19. Newsletter by Supsystic – Critical

    All versions of Newsletter by Supsystic have an Authenticated SQL Injection vulnerability.

    Remove the plugin until a security fix is released.

    20. Pricing Table by Supsystic – Critical

    All versions of Pricing Table by Supsystic have an Authenticated SQL Injection vulnerability.

    Remove the plugin until a security fix is released.

    21. Ultimate Maps by Supsystic – Critical

    All versions of Ultimate Maps by Supsystic have an Authenticated SQL Injection vulnerability.

    Remove the plugin until a security fix is released.

    22. NextGen Gallery – Critical

    NextGen Gallery versions below 3.5.0 have Cross-Site Request Forgery (CSRF), File Upload, Stored Cross-Site Scripting, and Remote Code Execution vulnerabilities.

    The vulnerability is patched, and you should update to version 3.5.0.

    23. Map Block for Google Maps – Medium

    Map Block for Google Maps versions below 1.32 have a Broken Access Control vulnerability leading to an Unauthorized Google API Key change.

    The vulnerability is patched, and you should update to version 1.32.

    WordPress Theme Vulnerabilities

    1. Wyzi – Medium

    Wyzi versions below 2.4.3 have a Reflected Cross-Site Scripting vulnerability.

    The vulnerability is patched, and you should update to version 2.4.3.

    2. Multiple Parallelus Themes – Medium

    Several themes by Parallelus in versions below 2.0 have a Reflected Cross-Site Scripting vulnerability.

    The vulnerability is patched, and you should update to version 2.0.
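    The roundup's advice reduces to two actions per entry: update to the fixed version, or remove the plugin where no fix exists. The script below, an added example that is not part of the original post and not iThemes/SolidWP code, transcribes the entries above into a table and checks a site inventory against it. The inventory is a constructed sample in the shape of the JSON that `wp plugin list --fields=title,version --format=json` prints; matching on the plugin title exactly as the roundup spells it is an assumption, so a site whose titles differ needs a mapping step first.

```python
"""Check a plugin/theme inventory against the February 2021, Part 1 roundup.

Added example (not the original post's or iThemes/SolidWP's code). ADVISORY is
transcribed from the roundup; SAMPLE_INVENTORY_JSON is a constructed stand-in
for `wp plugin list --fields=title,version --format=json` output (assumed shape).
"""
import json

# Title -> fixed version, or None where the roundup says to remove the plugin
# because no fix was available when it was published.
ADVISORY = {
    "uListing": "1.7",
    "Super Forms": "4.9.703",
    "Modern Events Calendar Lite": "5.16.5",
    "Ivory Search": "4.5.11",
    "WP Editor": "1.2.7",
    "MStore API": "3.2.0",
    "Popup Builder": "3.74",
    "Gift Voucher": None,
    "Name Directory": "1.18",
    "Contact Form 7 Style": None,
    "Ultimate GDPR & CCPA Compliance Toolkit": "2.5",
    "Like Button Rating ♥ LikeBtn": "2.6.32",
    "Paid Memberships Pro": "2.5.3",
    "Backup by Supsystic": None,
    "Contact Form by Supsystic": None,
    "Data Tables Generator by Supsystic": None,
    "Digital Publications by Supsystic": None,
    "Membership by Supsystic": None,
    "Newsletter by Supsystic": None,
    "Pricing Table by Supsystic": None,
    "Ultimate Maps by Supsystic": None,
    "NextGen Gallery": "3.5.0",
    "Map Block for Google Maps": "1.32",
    "Wyzi": "2.4.3",
    # The Parallelus entry names no individual theme, so it cannot be keyed here.
}


def parse_version(text):
    """Split '4.9.703' into (4, 9, 703); a non-numeric tail like '1.2-beta' becomes (1, 2)."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(installed, fixed):
    """Numeric, component-wise compare: '3.74' is newer than '3.8', unlike a string compare."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def assess(inventory, advisory=ADVISORY):
    """Return (title, installed_version, action) for each inventory entry the roundup covers."""
    findings = []
    for entry in inventory:
        title, installed = entry["title"], entry["version"]
        if title not in advisory:
            continue
        fixed = advisory[title]
        if fixed is None:
            findings.append((title, installed, "remove until a security fix is released"))
        elif version_lt(installed, fixed):
            findings.append((title, installed, f"update to {fixed}"))
    return findings


def load_inventory(text):
    """Parse wp-cli style JSON: a list of objects with at least 'title' and 'version'."""
    return json.loads(text)


# Constructed sample inventory (not a real site).
SAMPLE_INVENTORY_JSON = """[
  {"title": "Super Forms", "version": "4.9.702"},
  {"title": "Popup Builder", "version": "3.74"},
  {"title": "Gift Voucher", "version": "1.0"},
  {"title": "Akismet Anti-Spam", "version": "4.1.8"},
  {"title": "NextGen Gallery", "version": "3.4.7"},
  {"title": "Wyzi", "version": "2.4.3"}
]"""

if __name__ == "__main__":
    for title, installed, action in assess(load_inventory(SAMPLE_INVENTORY_JSON)):
        print(f"{title} {installed}: {action}")
```

    On a real site, feed it the output of `wp plugin list --fields=title,version --format=json` and `wp theme list --fields=title,version --format=json`; Popup Builder at exactly 3.74 and Wyzi at 2.4.3 produce no finding because the fixed version itself is not affected.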

    February Security Tip: Why You Should Be Logging Website Security Activity

    Security logging should be an essential part of your WordPress security strategy. Why?

    Insufficient logging and monitoring delays the detection of a security breach. Industry breach studies, IBM's annual Cost of a Data Breach report among them, have repeatedly put the average time to identify a breach at over 200 days.

    That amount of time allows an attacker to move on to other systems and to modify, steal, or destroy more data. For this reason, “Insufficient Logging & Monitoring” landed on the OWASP Top 10 list of web application security risks (A10 in the 2017 edition).

    WordPress security logs have several benefits in your overall security strategy, helping you:

    1. Identify and stop malicious behavior.
    2. Spot activity that can alert you of a breach.
    3. Assess how much damage was done.
    4. Aid in the repair of a hacked site.

    If your site does get hacked, you will want to have the best information to aid in a quick investigation and recovery.
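    Two of the behaviours the entries above imply can be spotted from the web server's own access log before any application-level logging is in place. The script below is an added example (not part of the original post and not iThemes Security Pro code) that runs two detections over a constructed "combined"-format log. It relies on two facts about stock WordPress: a failed POST to wp-login.php re-renders the form with HTTP 200, whereas a successful login answers with a 302 redirect, and nothing legitimate executes .php under wp-content/uploads, which is exactly where an arbitrary-file-upload bug of the kind listed above would leave a web shell. The addresses, timestamps, and file name in the sample are constructed.

```python
"""Brute-force and uploads-directory PHP detection over web-server access logs.

Added example (not the original post's or iThemes Security Pro's code).
SAMPLE_LOG is constructed in Apache/Nginx "combined" format; the addresses
are documentation ranges and x.php is a placeholder name.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alert tuples. A brute-force alert fires once per source IP when
    `threshold` failed wp-login.php POSTs fall inside a sliding `window`; a
    php_in_uploads alert fires for every request to a .php path under uploads."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of failed login POSTs (status 200)
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path == "/wp-login.php" and rec["status"] == 200:
            stamps = failures[ip]
            stamps.append(rec["ts"])
            while stamps and rec["ts"] - stamps[0] > window:
                stamps.pop(0)  # forget attempts older than the window
            if len(stamps) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, len(stamps)))
        if path.startswith("/wp-content/uploads/") and path.lower().endswith(".php"):
            alerts.append(("php_in_uploads", ip, path))
    return alerts


# Constructed sample: six failed logins from one address within ten seconds, a
# successful login from another, one hit on a PHP file under uploads, one page view.
SAMPLE_LOG = "\n".join(
    [
        f'203.0.113.7 - - [10/Feb/2021:03:14:{s:02d} +0000] '
        f'"POST /wp-login.php HTTP/1.1" 200 3921 "-" "python-requests/2.25.1"'
        for s in range(1, 12, 2)
    ]
    + [
        '192.0.2.5 - - [10/Feb/2021:03:15:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '198.51.100.20 - - [10/Feb/2021:03:15:40 +0000] '
        '"GET /wp-content/uploads/2021/02/x.php?cmd=id HTTP/1.1" 200 512 "-" "curl/7.68.0"',
        '192.0.2.5 - - [10/Feb/2021:03:16:00 +0000] "GET /blog/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    ]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

    The access log cannot tell you which username was targeted; an application-level log such as the one the plugin below keeps can. The second rule is also worth turning into prevention: denying PHP execution under wp-content/uploads in the web server configuration stops an uploaded file from running even when a plugin lets it through.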

    The good news is that iThemes Security Pro can help you implement website logging. iThemes Security Pro's WordPress security logs track these website activities for you:

    Stats from your logs are then displayed in a real-time WordPress security dashboard that you can view from your WordPress admin dashboard.

    Check out this feature spotlight post where we unpack all the steps of adding WordPress security logs to your website using iThemes Security Pro.


    A WordPress Security Plugin Can Help Secure Your Website

    iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.

