The WordPress Vulnerability report is as follows.
WordPress Plugin Vulnerabilities
Several new WordPress plugin vulnerabilities have been discovered this month so far. Make sure to follow the suggested action below to update the plugin or completely uninstall it.
WordPress Plugin Vulnerabilities
1. Vulnerability in WordPress email marketing plugin patched
- Security researchers have discovered a serious security flaw in a popular WordPress plugin geared towards handling email lists that creates a means for unauthenticated attackers to send spoofed messages.
- The recently resolved flaw affects WordPress Email Subscribers & Newsletters by Icegram, an email marketing plugin with more than 100,000 active installations. Users of the plugin should upgrade to version 4.5.6 or higher.
2. FooGallery Image Gallery
- FooGallery Image Gallery versions below 1.9.25 have an Authenticated Cross-Site Scripting vulnerability.
- The vulnerability is patched, and you should update to version 1.9.25.
3. Quiz and Survey Master
- Quiz and Survey Master versions below 7.0.2 have an Unauthenticated Arbitrary File Upload vulnerability.
- The vulnerability is patched, and you should update to version 7.0.2.
4. WP smart CRM & Invoices FREE
- All version of WP smart CRM & Invoices FREE have an Authenticated Stored Cross-Site Scripting vulnerability.
- Remove the plugin until a security fix is released.
5. WP Floating Menu
- WP Floating Menu versions below 1.4.1 have an Authenticated Reflected Cross-Site Scripting vulnerability.
- The vulnerability is patched, and you should update to version 1.4.1.
6. Subscribe Sidebar
- All versions of Subscribe Sidebar plugin by Blubrry have an Authenticated Reflected Cross-Site Scripting vulnerability.
- Remove the plugin until a security fix is released.
7. Recall Products
- All versions of Recall Products have an Authenticated SQL Injection vulnerability.
- Remove the plugin until a security fix is released.
8. File Manager
- File Manager versions below 6.9 have an Arbitrary File Upload vulnerability leading to a Remote Code Execution vulnerability.
- The vulnerability is patched, and you should update to version 6.9.
9. Ceceppa Multilingua
- All versions of Ceceppa Multilingua have an Authenticated Reflected Cross-Site Scripting vulnerability.
- Remove the plugin until a security fix is released.
10. Bulk Change
- All versions of Bulk Change have an Authenticated Reflected Cross-Site Scripting vulnerability.
- Remove the plugin until a security fix is released.
11. NextScripts: Social Networks Auto-Poster
- NextScripts: Social Networks Auto-Poster versions below 4.3.18 have Insufficient Privilege Validation.
- The vulnerability is patched, and you should update to version 4.3.18.
12. Constant Contact Forms
- Constant Contact Forms versions below 1.8.8 have Multiple Authenticated Stored XSS vulnerabilities.
- The vulnerabilities are patched, and you should update to version 1.8.8.
13. Advanced Database Cleaner
- Advanced Database Cleaner versions below 3.0.2 have Authenticated SQL injection vulnerability.
- The vulnerability is patched, and you should update to version 3.0.2.
14. ActiveCampaign
- ActiveCampaign versions below 8.0.2 have a Cross-Site Request Forgery vulnerability.
- The vulnerability is patched, and you should update to version 8.0.2.
WordPress News :
1. Security expert re: 600,000 WordPress sites attacked due to critical vulnerability (RCE flaw)
- More than 600,000 WordPress sites running vulnerable File Manager plugin versions are being attacked due to a critical remote code execution flaw, and the attackers have also been seen protecting the sites they compromised from other bad actors’ attacks.
It is crucial to the security of your WordPress site that you have an update routine.
You should be logging into your sites at least once a week to perform updates.