Menu
iThemes
WordPress Backup, Security & Maintenance
  • WordPress Hosting
  • BackupBuddy
  • Security
  • Sync
  • Agency Bundle
  • Plugin Suite
  • Training
    • Page Builder Developer Course
    • Theme Building with the WordPress Block Editor
    • WordPress Gutenberg Help
    • WordPress Tutorials
    • Free Upcoming Webinars
  • Blog
  • Contact
  • Log In
WordPress News and Updates from iThemes
Categories
  • Product Updates
  • WordPress Backup
  • WordPress Block Editor
  • WordPress Ecommerce
  • WordPress for Freelancers
  • WordPress Maintenance
  • WordPress Security
  • WordPress Training Webinars
  • WordPress Tutorials
  • WProsper

WordPress Vulnerability Roundup: September 2020, Part 1

Written by Michael Moore on September 9, 2020

Last Updated on September 22, 2020

New WordPress plugin and theme vulnerabilities were disclosed during the first half of September, so we want to keep you aware. In this post, we cover recent WordPress plugin, theme, and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

In the August, Part 2 Report

    WordPress Core Vulnerabilities

    No WordPress core vulnerabilities were disclosed in the first half of September. However, a new minor version of WordPress was released on September 1, 2020. The WordPress 5.5.1 maintenance release features 34 bug fixes, 5 enhancements, and 5 bug fixes for the block editor. These bugs affect WordPress version 5.5, so you’ll want to upgrade.

    WordPress Plugin Vulnerabilities

    1. FooGallery Image Gallery

    FooGallery Image Gallery versions below 1.9.25 have an Authenticated Cross-Site Scripting vulnerability.

    The vulnerability is patched, and you should update to version 1.9.25.

    2. Quiz and Survey Master

    Quiz and Survey Master versions below 7.0.2 have an Unauthenticated Arbitrary File Upload vulnerability.

    The vulnerability is patched, and you should update to version 7.0.2.

    3. WP smart CRM & Invoices FREE

    All version of WP smart CRM & Invoices FREE have an Authenticated Stored Cross-Site Scripting vulnerability.

    Remove the plugin until a security fix is released.

    4. WP Floating Menu

    WP Floating Menu versions below 1.4.1 have an Authenticated Reflected Cross-Site Scripting vulnerability.

    The vulnerability is patched, and you should update to version 1.4.1.

    5. Subscribe Sidebar

    All versions of Subscribe Sidebar plugin by Blubrry have an Authenticated Reflected Cross-Site Scripting vulnerability.

    Remove the plugin until a security fix is released.

    6. Recall Products

    All versions of Recall Products have an Authenticated SQL Injection vulnerability.

    Remove the plugin until a security fix is released.

    7. File Manager

    File Manager versions below 6.9 have an Arbitrary File Upload vulnerability leading to a Remote Code Execution vulnerability.

    The vulnerability is patched, and you should update to version 6.9.

    8. Ceceppa Multilingua

    All versions of Ceceppa Multilingua have an Authenticated Reflected Cross-Site Scripting vulnerability.

    Remove the plugin until a security fix is released.

    9. Bulk Change

    All versions of Bulk Change have an Authenticated Reflected Cross-Site Scripting vulnerability.

    Remove the plugin until a security fix is released.

    10. NextScripts: Social Networks Auto-Poster

    NextScripts: Social Networks Auto-Poster versions below 4.3.18 have Insufficient Privilege Validation.

    The vulnerability is patched, and you should update to version 4.3.18.

    11. Constant Contact Forms

    Constant Contact Forms versions below 1.8.8 have Multiple Authenticated Stored XSS vulnerabilities.

    The vulnerabilities are patched, and you should update to version 1.8.8.

    12. Advanced Database Cleaner

    Advanced Database Cleaner versions below 3.0.2 have Authenticated SQL injection vulnerability.

    The vulnerability is patched, and you should update to version 3.0.2.

    13. ActiveCampaign

    ActiveCampaign versions below 8.0.2 have a Cross-Site Request Forgery vulnerability.

    The vulnerability is patched, and you should update to version 8.0.2.

    WordPress Theme Vulnerabilities

    There have not been any Theme vulnerabilities disclosed in the first half of September.

    How to Protect Your WordPress Website with the iThemes Security Site Scan

    60% of website breaches involve vulnerabilities for which a patch was available but not applied. This means having software with known vulnerabilities installed on your site gives hackers the blueprints they need to take over your site.

    Every day, it gets harder and harder to keep track of every disclosed WordPress vulnerability. You have to compare that list to the versions of plugins and themes you have installed on your site… and make sure you’re constantly updating.

    To solve this problem, the iThemes Security Pro plugin just rolled out a better way to protect your sites against software vulnerabilities, the number one culprit of hacked and compromised WordPress sites.

    The new, improved WordPress Security Site Scan powered by iThemes performs automatic checks for known website vulnerabilities and, if a patch is available, iThemes Security Pro will automatically apply the fix for you … so you don’t have to. Whew. that’s some peace of mind. 

    Site Scan Vulnerability Details

    A WordPress Security Plugin Can Help Secure Your Website

    iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.

    Share via:

    • Facebook
    • Twitter
    • LinkedIn
    • More

    Get iThemes Security For Free

    • Enter the URL of your website to get iThemes Security for free!
    Other related posts
    vulnerability roundup
    WordPress Vulnerability Roundup: January 2021, Part 1

    WordPress Vulnerability Roundup: December 2020, Part 2
    vulnerability roundup
    WordPress Vulnerability Roundup: December 2020, Part 1
    wordpress security check
    iThemes Security Pro Feature Spotlight – iThemes Security Check

    Respond

    Click here to cancel reply.

    Get updates on new themes & plugins plus special discounts

    About iThemes

    • #WProsper
    • Friends of iThemes
    • Contact Us
    • Website Accessibility Statement
    • Sitemap

    Resources

    • Blog
    • Documentation
    • WordPress Tutorials
    • Free WordPress Ebooks
    • Free Webinar Library
    • Free Upcoming Webinars
    • iThemes Training
    • Affiliates

    Customers

    • Member Panel Login
    • Support
    • FAQs
    • Upgrade Policy
    • Licensing
    • Terms and Conditions
    • Refund Policy

    Top Products

    • BackupBuddy
    • iThemes Security Pro
    • iThemes Sync
    • Restrict Content Pro
    • WPComplete
    • Agency Bundle
    • WordPress Hosting
    • WordPress Plugins
    • Content Upgrades
    • WordPress Landing Page Plugin
    • BackupBuddy Stash

    iThemes Media LLC Copyright © 2021 All rights reserved | Privacy Policy

    • Liquid Web Family of Brands
    • Facebook
    • Twitter
    • LinkedIn
    • More Networks
    Share via
    Facebook
    Twitter
    LinkedIn
    Mix
    Pinterest
    Tumblr
    Skype
    Buffer
    Pocket
    VKontakte
    Xing
    Reddit
    Flipboard
    MySpace
    Delicious
    Amazon
    Digg
    Evernote
    Blogger
    LiveJournal
    Baidu
    NewsVine
    Yummly
    Yahoo
    WhatsApp
    Viber
    SMS
    Telegram
    Facebook Messenger
    Like
    Email
    Print
    Copy Link
    Copy link
    CopyCopied