New WordPress plugin and theme vulnerabilities were disclosed during the first half of September, so we want to keep you aware. In this post, we cover recent WordPress plugin, theme, and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.
WordPress Core Vulnerabilities
No WordPress core vulnerabilities were disclosed in the first half of September. However, a new minor version of WordPress was released on September 1, 2020. The WordPress 5.5.1 maintenance release features 34 bug fixes, 5 enhancements, and 5 bug fixes for the block editor. These bugs affect WordPress version 5.5, so you’ll want to upgrade.
WordPress Plugin Vulnerabilities
1. FooGallery Image Gallery
FooGallery Image Gallery versions below 1.9.25 have an Authenticated Cross-Site Scripting vulnerability.
2. Quiz and Survey Master
Quiz and Survey Master versions below 7.0.2 have an Unauthenticated Arbitrary File Upload vulnerability.
3. WP smart CRM & Invoices FREE
All version of WP smart CRM & Invoices FREE have an Authenticated Stored Cross-Site Scripting vulnerability.
4. WP Floating Menu
WP Floating Menu versions below 1.4.1 have an Authenticated Reflected Cross-Site Scripting vulnerability.
5. Subscribe Sidebar
All versions of Subscribe Sidebar plugin by Blubrry have an Authenticated Reflected Cross-Site Scripting vulnerability.
6. Recall Products
All versions of Recall Products have an Authenticated SQL Injection vulnerability.
7. File Manager
File Manager versions below 6.9 have an Arbitrary File Upload vulnerability leading to a Remote Code Execution vulnerability.
8. Ceceppa Multilingua
All versions of Ceceppa Multilingua have an Authenticated Reflected Cross-Site Scripting vulnerability.
9. Bulk Change
All versions of Bulk Change have an Authenticated Reflected Cross-Site Scripting vulnerability.
10. NextScripts: Social Networks Auto-Poster
NextScripts: Social Networks Auto-Poster versions below 4.3.18 have Insufficient Privilege Validation.
11. Constant Contact Forms
Constant Contact Forms versions below 1.8.8 have Multiple Authenticated Stored XSS vulnerabilities.
12. Advanced Database Cleaner
Advanced Database Cleaner versions below 3.0.2 have Authenticated SQL injection vulnerability.
13. ActiveCampaign
ActiveCampaign versions below 8.0.2 have a Cross-Site Request Forgery vulnerability.
WordPress Theme Vulnerabilities
There have not been any Theme vulnerabilities disclosed in the first half of September.
How to Protect Your WordPress Website with the iThemes Security Site Scan
60% of website breaches involve vulnerabilities for which a patch was available but not applied. This means having software with known vulnerabilities installed on your site gives hackers the blueprints they need to take over your site.
Every day, it gets harder and harder to keep track of every disclosed WordPress vulnerability. You have to compare that list to the versions of plugins and themes you have installed on your site… and make sure you’re constantly updating.
To solve this problem, the iThemes Security Pro plugin just rolled out a better way to protect your sites against software vulnerabilities, the number one culprit of hacked and compromised WordPress sites.
The new, improved WordPress Security Site Scan powered by iThemes performs automatic checks for known website vulnerabilities and, if a patch is available, iThemes Security Pro will automatically apply the fix for you … so you don’t have to. Whew. that’s some peace of mind.
A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
