New WordPress plugin and theme vulnerabilities were disclosed during the first half of June, so we want to keep you aware. In this post, we cover recent WordPress plugin, theme and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories:
Each vulnerability will have a threat rating of Low, Medium, High, or Critical.
WordPress Core Vulnerabilities
1. Update to WordPress 5.4.2 – Critical
WordPress versions 5.4.2 is now available. This is an important security and maintenance release. Earlier versions are affected by multiple security bugs, which are fixed in version 5.4.2. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.
You can download WordPress 5.4.2 from WordPress.org, or visit your WP Admin Dashboard > Updates and click Update Now. If you have sites that support automatic background updates, they should have already updated.
WordPress Plugin Vulnerabilities
Several new WordPress plugin vulnerabilities have been discovered this month so far. Make sure to follow the suggested action below to update the plugin or completely uninstall it.
1. Drag and Drop Multiple File Upload for Contact Form 7 – Critical
Drag and Drop Multiple File Upload for Contact Form 7 versions below 1.3.3.3 have an Unauthenticated File Upload Bypass vulnerability.
2. Page Builder: PageLayer – Drag and Drop website builder – High
Page Builder: PageLayer – Drag and Drop website builder versions below 1.1.2 have an Unprotected AJAX’s leading to XSS and a CSRF leading to XSS vulnerabilities.
3. MapPress Maps – Critical
MapPress Maps versions below 2.54.6 have an Improper Capability Checks in AJAX Calls vulnerability.
4. Image Photo Gallery Final Tiles Grid – Critical
Image Photo Gallery Final Tiles Grid versions below 3.4.19 have an Authenticated Stored Cross-Site Scripting vulnerability.
5. bbPress – Critical
bbPress versions below 2.6.5 have an Unauthenticated Privilege Escalation vulnerability when New User Registration enabled.
6. Multi Scheduler – High
All versions of Multi Scheduler have an Arbitrary Record Deletion via CSRF vulnerability.
7. JobSearch – High
JobSearch versions below 1.5.1 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
8. AdRotate – Medium
AdRotate versions below 5.8.4 have an Authenticated SQL Injection vulnerability.
9. Elementor Page Builder – High
Elementor Page Builder versions below 2.9.10 have an Authenticated Stored XSS vulnerability.
10. SportsPress – High
SportsPress versions below 2.7.2 have an Authenticated Stored Cross-Site Scripting vulnerability.
WordPress Themes
1. Careerfy – High
Careerfy versions below 3.9.0 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
2. Newspaper – High
Newspaper versions below 10.3.4 have an Authenticated Reflected Cross-Site Scripting vulnerability.
New! Protect Your WordPress Website with the iThemes Security Site Scan.
Did you know that 60% of website breaches involve vulnerabilities for which a patch was available but not applied? This means having software with known vulnerabilities installed on your site gives hackers the blueprints they need to take over your site.
Every day, it gets harder and harder to keep track of every disclosed WordPress vulnerability. You have to compare that list to the versions of plugins and themes you have installed on your site… and make sure you’re constantly updating.
To solve this problem, today we’re excited to announce that the iThemes Security Pro plugin is rolling out a better way to protect your sites against software vulnerabilities, the number one culprit of hacked and compromised WordPress sites.
The new, improved WordPress Security Site Scan powered by iThemes performs automatic checks for known website vulnerabilities and, if a patch is available, iThemes Security Pro will now automatically apply the fix for you… so you don’t have to. Whew. that’s some peace of mind.
A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
I wonder if you also would include your own plug-ins in this periodic review of WordPress security issues. I hope you would — it would be transparent, fair, professional and consistent with the matter. (I am a “PRO” user of your Security plug-in, BTW, not a competitor! 😉
Hey Christian,
We 100% believe in responsible disclosure. We included an iThemes Sync Pro vulnerability in the February Roundup.
All software is bound to have a security vulnerability, and there is no shame in that. However, we believe it is critical to patch the vulnerability and let our customers know to update quickly.
Also, thank you for being a Pro user! 🙂
Michael