New WordPress plugin and theme vulnerabilities were disclosed during the first half of August, so we want to keep you aware. In this post, we cover recent WordPress plugin, theme and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins and WordPress themes.
WordPress Core Vulnerabilities
No WordPress core vulnerabilities were disclosed in the first half of August, however, a new major version of WordPress was released on August 11, 2020.
See What’s New in WordPress 5.5
WordPress 5.5 “Eckstine” is the latest major version release of WordPress, focusing on “speed, search & security.” This new version includes 1500+ changes to the block editor interface, 150+ enhancements and feature requests, 300+ bug fixes, and more. In this post, we cover what’s new in WordPress 5.5 so you can be prepared for this latest version of WordPress.
WordPress Plugin Vulnerabilities
1. TC Custom JavaScript
TC Custom JavaScript versions below 1.2.2 have an Unauthenticated Stored Cross-Site Scripting vulnerability.
2. Social Rocket
Social Rocket versions below 1.2.10 have a Cross-Site Request Forgery vulnerability.
3. wpDiscuz
wpDiscuz versions below 7.0.4 are vulnerable to an Unauthenticated Arbitrary File Upload vulnerability that could lead to a Remote Code Execution attack on vulnerable servers.
4. Quiz And Survey Master
Quiz And Survey Master versions below 7.0.0 have an Authenticated Stored Cross-Site Scripting vulnerability.
5. Gallery PhotoBlocks
Gallery PhotoBlocks versions below 1.2.0 have an Authenticated Cross-Site Scripting vulnerability.
6. Product Input Fields for WooCommerce
Product Input Fields for WooCommerce versions below 1.2.7 have an Unauthenticated File Download vulnerability.
7. Newsletter
Newsletter versions below 6.8.2 have an Authenticated Cross-Site Scripting and an Authenticated PHP Object Injection vulnerabilities.
8. Elegant Themes Plugins
Elegant Theme plugins Divi Extra, and Divi Builder versions below 4.5.3 are vulnerable to an Authenticated Arbitrary File Upload vulnerability.
9. CMP – Coming Soon & Maintenance Plugin
CMP – Coming Soon & Maintenance Plugin versions below 3.8.2 have an Improper Access Controls on AJAX Calls vulnerability.
WordPress Theme Vulnerabilities
There have been no WordPress theme vulnerabilities disclosed in the first half of August.
How to Protect Your WordPress Website with the iThemes Security Site Scan
Did you know that 60% of website breaches involve vulnerabilities for which a patch was available but not applied? This means having software with known vulnerabilities installed on your site gives hackers the blueprints they need to take over your site.
Every day, it gets harder and harder to keep track of every disclosed WordPress vulnerability. You have to compare that list to the versions of plugins and themes you have installed on your site… and make sure you’re constantly updating.
To solve this problem, today we’re excited to announce that the iThemes Security Pro plugin is rolling out a better way to protect your sites against software vulnerabilities, the number one culprit of hacked and compromised WordPress sites.
The new, improved WordPress Security Site Scan powered by iThemes performs automatic checks for known website vulnerabilities and, if a patch is available, iThemes Security Pro will now automatically apply the fix for you… so you don’t have to. Whew. that’s some peace of mind.
A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
Great information Michael