New WordPress plugin and theme vulnerabilities were disclosed during the second half of June, so we want to keep you aware. In this post, we cover recent WordPress plugin, theme and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories:
WordPress Core Vulnerabilities
There have not been any WordPress core vulnerabilities disclosed in the second half of June. (But be sure to check out the info on the WordPress 5.4.2 security update in the WordPress Vulnerability Roundup: June 2020, Part 1.)
WordPress Plugin Vulnerabilities
1. Brizy – Page Builder
Brizy – Page Builder versions below 1.0.126 have an Improper Access Controls on AJAX Calls vulnerability.
2. wpDiscuz
wpDiscuz versions below 5.3.6 have an Unauthenticated SQL Injection vulnerability.
3. Page Builder: KingComposer
Page Builder: KingComposer versions below 2.9.4 have multiple security issues including Arbitrary File Deletion and Remote Code Execution vulnerabilities.
4. Delete All Comments Easily
All versions of Delete All Comments Easily have Cross-Site Scripting vulnerability.
5. Testimonial Rotator
Testimonial Rotator versions below 3.0.3 have an Authenticated Stored Cross-Site Scripting vulnerability
6. All in One Support Button
All in One Support Button versions below 1.8.8 have an Authenticated Stored Cross-Site Scripting vulnerability.
7. YITH WooCommerce Ajax Product Filter
YITH WooCommerce Ajax Product Filter versions below 3.11.1 have an Authenticated Reflected Cross-Site Scripting vulnerability.
8. WP Pro Quiz
All versions of WP Pro Quiz have a Cross-Site Request Forgery vulnerability.
9. WooCommerce
WooCommerce versions below 4.2.1 have a Potential Cross-Site Scripting vulnerability via SelectWoo.
WordPress Theme Vulnerabilities
1. Travel Booking
Travel Booking versions below 2.8.2 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
2. TownHub
TownHub versions below 1.3.0 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
3. CityBook
CityBook versions below 2.4.4 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
New! Protect Your WordPress Website with the iThemes Security Site Scan.
Did you know that 60% of website breaches involve vulnerabilities for which a patch was available but not applied? This means having software with known vulnerabilities installed on your site gives hackers the blueprints they need to take over your site.
Every day, it gets harder and harder to keep track of every disclosed WordPress vulnerability. You have to compare that list to the versions of plugins and themes you have installed on your site… and make sure you’re constantly updating.
To solve this problem, today we’re excited to announce that the iThemes Security Pro plugin is rolling out a better way to protect your sites against software vulnerabilities, the number one culprit of hacked and compromised WordPress sites.
The new, improved WordPress Security Site Scan powered by iThemes performs automatic checks for known website vulnerabilities and, if a patch is available, iThemes Security Pro will now automatically apply the fix for you… so you don’t have to. Whew. that’s some peace of mind.
A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.
