The WordPress Vulnerability report is as follows.
WordPress Themes Vulnerabilities
1. Careerfy
- Rating : High
- Careerfy versions below 3.9.0 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
- The vulnerability is patched, and you should update to version 3.9.0.
2. Newspaper
- Rating : High
- Newspaper versions below 10.3.4 have an Authenticated Reflected Cross-Site Scripting vulnerability.
- The vulnerability is patched, and you should update to version 10.3.4.
3. Travel Booking
- Travel Booking versions below 2.8.2 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
- The vulnerability is patched, and you should update to version 2.8.2.
4. TownHub
- TownHub versions below 1.3.0 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
- The vulnerability is patched, and you should update to version 1.3.0.
5. CityBook
- CityBook versions below 2.4.4 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
- The vulnerability is patched, and you should update to version 2.4.4.
WordPress Plugin Vulnerabilities
Several new WordPress plugin vulnerabilities have been discovered this month so far. Make sure to follow the suggested action below to update the plugin or completely uninstall it.
WordPress Plugin Vulnerabilities
1. Drag and Drop Multiple File Upload for Contact Form 7
- Rating : Critical
- Drag and Drop Multiple File Upload for Contact Form 7 versions below 1.3.3.3 have an Unauthenticated File Upload Bypass vulnerability.
- The vulnerability is patched, and you should update to version 1.3.3.3.
2. Page Builder: PageLayer – Drag and Drop website builder
- Rating : High
- Page Builder: PageLayer – Drag and Drop website builder versions below 1.1.2 have an Unprotected AJAX’s leading to XSS and a CSRF leading to XSS vulnerabilities.
- The vulnerability is patched, and you should update to version 1.1.2.
3. MapPress Maps
- Rating : Critical
- MapPress Maps versions below 2.54.6 have an Improper Capability Checks in AJAX Calls vulnerability.
- The vulnerability is patched, and you should update to version 2.54.6.
4. Image Photo Gallery Final Tiles Grid
- Rating : Critical
- Image Photo Gallery Final Tiles Grid versions below 3.4.19 have an Authenticated Stored Cross-Site Scripting vulnerability.
- The vulnerability is patched, and you should update to version 3.4.19.
5. bbPress
- Rating : Critical
- bbPress versions below 2.6.5 have an Unauthenticated Privilege Escalation vulnerability when New User Registration enabled.
- The vulnerability is patched, and you should update to version 2.6.5.
6. Multi Scheduler
- Rating : High
- All versions of Multi Scheduler have an Arbitrary Record Deletion via CSRF vulnerability.
- Remove the plugin until a security fix is released.
7. JobSearch
- Rating : High
- JobSearch versions below 1.5.1 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
- The vulnerability is patched, and you should update to version 1.5.1.
8. AdRotate
- Rating : Medium
- AdRotate versions below 5.8.4 have an Authenticated SQL Injection vulnerability.
- The vulnerability is patched, and you should update to version 5.8.4.
9. Elementor Page Builder
- Rating : High
- Elementor Page Builder versions below 2.9.10 have an Authenticated Stored XSS vulnerability.
- The vulnerability is patched, and you should update to version 2.9.10.
10. SportsPress
- Rating : High
- SportsPress versions below 2.7.2 have an Authenticated Stored Cross-Site Scripting vulnerability.
- The vulnerability is patched, and you should update to version 2.7.2.
11. Brizy – Page Builder
- Brizy – Page Builder versions below 1.0.126 have an Improper Access Controls on AJAX Calls vulnerability.
- The vulnerability is patched, and you should update to version 1.0.126.
12. wpDiscuz
- wpDiscuz versions below 5.3.6 have an Unauthenticated SQL Injection vulnerability.
- The vulnerability is patched, and you should update to version 5.3.6v.
13. Page Builder: KingComposer
- Page Builder: KingComposer versions below 2.9.4 have multiple security issues including Arbitrary File Deletion and Remote Code Execution vulnerabilities.
- The vulnerability is patched, and you should update to version 2.9.4.
14. Delete All Comments Easily
- All versions of Delete All Comments Easily have Cross-Site Scripting vulnerability.
- Remove the plugin until a security fix is released.
15. Testimonial Rotator
- Testimonial Rotator versions below 3.0.3 have an Authenticated Stored Cross-Site Scripting vulnerability.
- The vulnerability is patched, and you should update to version 3.0.3.
16. All in One Support Button
- All in One Support Button versions below 1.8.8 have an Authenticated Stored Cross-Site Scripting vulnerability.
- The vulnerability is patched, and you should update to version 1.8.8.
17. YITH WooCommerce Ajax Product Filter
- YITH WooCommerce Ajax Product Filter versions below 3.11.1 have an Authenticated Reflected Cross-Site Scripting vulnerability.
- The vulnerability is patched, and you should update to version 3.11.1.
18. WP Pro Quiz
- All versions of WP Pro Quiz have a Cross-Site Request Forgery vulnerability.
- Remove the plugin until a security fix is released.
19. WooCommerce
- WooCommerce versions below 4.2.1 have a Potential Cross-Site Scripting vulnerability via SelectWoo.
- The vulnerability is patched, and you should update to version 4.2.1.
It is crucial to the security of your WordPress site that you have an update routine.
You should be logging into your sites at least once a week to perform updates.