The WordPress vulnerability report is as follows.
The following WordPress vulnerabilities were found in WordPress versions below 5.4.1.
WordPress Plugin Vulnerabilities
Several new WordPress plugin vulnerabilities have been discovered this month so far. Make sure to follow the suggested action below to update the plugin or completely uninstall it.
1. Multiple Plugins
- Buddypress Component Stats, abstract-submission, WP e-Commerce Shop Styling, web-portal-lite-client, post-pdf-export, blogtopdf, and gboutique all have an Unauthenticated Dompdf Local File Inclusion vulnerability.
- Remove the plugins; they have been closed on the WordPress.org plugin repository.
2. WordPress File Upload
- WordPress File Upload versions below 4.13.0 have a Remote Code Execution vulnerability.
- The vulnerability has been patched, and you should update to version 4.13.0.
3. Newsletter
- Newsletter versions below 6.5.4 have a CSV Injection vulnerability.
- The vulnerability has been patched, and you should update to version 6.5.4.
4. LearnPress
- LearnPress versions below 3.2.6.7 have a Privilege Escalation vulnerability.
- The vulnerability has been patched, and you should update to version 3.2.6.7.
5. Custom Post Type UI
- Custom Post Type UI versions below 1.7.4 have Cross-Site Request Forgery and Stored Cross-Site Scripting vulnerabilities.
- The vulnerabilities have been patched, and you should update to version 1.7.4.
6. Gutenberg & Elementor Templates Importer For Responsive
- Gutenberg & Elementor Templates Importer For Responsive versions below 2.2.6 have an Unprotected AJAX Endpoints vulnerability.
- The vulnerability has been patched, and you should update to version 2.2.6.
7. Advanced Ads – Ad Manager & AdSense
- Advanced Ads – Ad Manager & AdSense versions below 1.17.4 have an Authenticated Reflected Cross-Site Scripting vulnerability.
- The vulnerability has been patched, and you should update to version 1.17.4.
8. Migrate & Backup WordPress – WPvivid Backup Plugin
- Migrate & Backup WordPress – WPvivid Backup Plugin versions below 0.9.36 have a Missing Authorization Leading to a Database Leak vulnerability.
- The vulnerability has been patched, and you should update to version 0.9.36.
9. Cookiebot
- Cookiebot versions below 3.6.1 have an Authenticated Reflected Cross-Site Scripting vulnerability.
- The vulnerability has been patched, and you should update to version 3.6.1.
10. Data Tables Generator by Supsystic
- Data Tables Generator by Supsystic versions below 1.9.92 have multiple vulnerabilities.
- The vulnerabilities have been patched, and you should update to version 1.9.92.
11. product-lister-walmart
- product-lister-walmart has an Unauthenticated Remote Code Execution vulnerability.
- Remove the plugin; it has been closed on the WordPress.org plugin repository pending review.
12. All-in-One WP Migration
- All-in-One WP Migration versions below 7.15 have an Arbitrary Backup Download vulnerability.
- The vulnerability has been patched, and you should update to version 7.15.
Running outdated extensions is the number one reason WordPress sites are hacked.
It is crucial to the security of your WordPress site that you have an update routine.
You should be logging into your sites at least once a week to perform updates.
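As part of that routine, the "versions below X" checks in the list above can be automated. The following is an added example, not part of the original report: it compares a plugin inventory against the fixed versions listed here, using numeric rather than string comparison (a string compare wrongly ranks 7.9 above 7.15). It assumes the inventory is keyed by the plugin names exactly as this report writes them; the sample inventory is constructed.

```python
# Fixed versions copied from the report above, keyed by the names it uses.
FIXED = {
    "WordPress File Upload": "4.13.0",
    "Newsletter": "6.5.4",
    "LearnPress": "3.2.6.7",
    "Custom Post Type UI": "1.7.4",
    "Gutenberg & Elementor Templates Importer For Responsive": "2.2.6",
    "Advanced Ads – Ad Manager & AdSense": "1.17.4",
    "Migrate & Backup WordPress – WPvivid Backup Plugin": "0.9.36",
    "Cookiebot": "3.6.1",
    "Data Tables Generator by Supsystic": "1.9.92",
    "All-in-One WP Migration": "7.15",
}
# Plugins the report says to remove (closed on WordPress.org).
REMOVE = {"Buddypress Component Stats", "abstract-submission",
          "WP e-Commerce Shop Styling", "web-portal-lite-client",
          "post-pdf-export", "blogtopdf", "gboutique", "product-lister-walmart"}

def parse_version(v):
    """Turn '3.2.6.7' into (3, 2, 6, 7) so versions compare numerically."""
    parts = v.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)

def is_below(installed, fixed):
    """True if installed < fixed; pads with zeros so 7.15.0 equals 7.15."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def audit(inventory):
    """Return {plugin: action} for every plugin the report affects."""
    findings = {}
    for name, version in inventory.items():
        if name in REMOVE:
            findings[name] = "remove"
        elif name in FIXED:
            try:
                if is_below(version, FIXED[name]):
                    findings[name] = f"update to {FIXED[name]}"
            except ValueError:
                findings[name] = "review"  # odd version string: check by hand
    return findings

# Constructed sample inventory (plugin name -> installed version).
SAMPLE = {"Newsletter": "6.5.10", "All-in-One WP Migration": "7.9",
          "LearnPress": "3.2.6.7", "blogtopdf": "1.0",
          "Cookiebot": "3.6.1-beta", "Example Unlisted Plugin": "2.0"}
```

Tools that report plugin slugs instead of display names need a slug-to-name mapping before calling `audit`.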