New WordPress plugin and theme vulnerabilities were disclosed during the first half of July, so we want to keep you aware. In this post, we cover recent WordPress plugin, theme and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories:
WordPress Core Vulnerabilities
There have not been any WordPress core vulnerabilities disclosed in July.
WordPress Plugin Vulnerabilities
1. Coming Soon Page, Under Construction & Maintenance Mode by SeedProd
Coming Soon Page, Under Construction & Maintenance Mode by SeedProd versions below 5.1.2 have a Cross-Site Scripting vulnerability.
2. ACF to REST API
ACF to REST API versions below 3.3.0 have an Unauthenticated Arbitrary wp_options Disclosure vulnerability.
3. WPForms
WPForms versions below 1.6.0.2 have an Authenticated Stored Cross-Site Scripting vulnerability.
4. Payment Form for PayPal Pro
Payment Form for PayPal Pro versions below 1.1.65 have an Unauthenticated SQL Injection vulnerability.
5. Testimonials Widget
Testimonials Widget versions 3.5.1 and below have multiple Cross-Site Scripting vulnerabilities.
6. JobSearch WP Job Board
JobSearch WP Job Board versions below 1.5.3 have multiple Cross-Site Scripting vulnerabilities.
7. Security & Malware scan by CleanTalk
Security & Malware scan by CleanTalk versions below 2.51 have a Security Nonce Leak leading to Unauthorized AJAX call vulnerability.
8. Adning Advertising
Adning Advertising versions below 1.5.6 have an Unauthenticated Arbitrary File Upload/Deletion vulnerability.
WordPress Theme Vulnerabilities
1. Nexos – Real Estate
Nexos – Real Estate versions below 1.8 have an Unauthenticated Reflected XSS & SQL Injection vulnerabilities.
2. CareerUp
CareerUp versions below 2.3.1 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
3. Careerfy
Careerfy versions below 4.1.0 have Multiple Cross-Site Scripting vulnerabilities.
Protect Your WordPress Website with the iThemes Security Site Scan.
Did you know that 60% of website breaches involve vulnerabilities for which a patch was available but not applied? This means having software with known vulnerabilities installed on your site gives hackers the blueprints they need to take over your site.
Every day, it gets harder and harder to keep track of every disclosed WordPress vulnerability. You have to compare that list to the versions of plugins and themes you have installed on your site… and make sure you’re constantly updating.
To solve this problem, today we’re excited to announce that the iThemes Security Pro plugin is rolling out a better way to protect your sites against software vulnerabilities, the number one culprit of hacked and compromised WordPress sites.
The new, improved WordPress Security Site Scan powered by iThemes performs automatic checks for known website vulnerabilities and, if a patch is available, iThemes Security Pro will now automatically apply the fix for you… so you don’t have to. Whew. that’s some peace of mind.
A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
Thanks for the timely info. Spot on as always, and much appreciated.
Steve
Hi,
I really appreciate the effort.
Thanks so much.