
This month's WordPress vulnerability report is as follows.

WordPress Theme Vulnerabilities

1. Avada 

  • Rating : High
  • Avada versions below 6.2.3 have Missing Permission Checks leading to Arbitrary Post Creation, Editing, Deletion and Stored XSS vulnerabilities.
  • The vulnerability is patched, and you should update to version 6.2.3.

WordPress Plugin Vulnerabilities

Several new WordPress plugin vulnerabilities have been disclosed so far this month. For each plugin, follow the suggested action below: update to the patched version, or uninstall the plugin entirely where no patch is available.

1. WP-Advanced-Search

  • Rating : High
  • WP-Advanced-Search versions below 3.3.7 have an Authenticated SQL Injection vulnerability.
  • The vulnerability is patched, and you should update to version 3.3.7.

2. LearnPress

  • Rating : High
  • LearnPress versions below 3.2.6.9 have multiple critical vulnerabilities.
  • The vulnerabilities are patched, and you should update to version 3.2.6.9.

3. Gmedia Photo Gallery

  • Rating : Medium
  • Gmedia Photo Gallery versions below 1.18.5 have Multiple Cross-Site Scripting vulnerabilities.
  • The vulnerabilities are patched, and you should update to version 1.18.5.

4. Ninja Forms

  • Rating : High
  • Ninja Forms versions below 3.4.24.2 have a CSRF to Stored XSS vulnerability.
  • The vulnerability is patched, and you should update to version 3.4.24.2.

5. WTI Like Post

  • Rating : Low
  • All versions of WTI Like Post have an Authenticated Stored Cross-Site Scripting vulnerability.
  • Remove the plugin; it has been closed on WordPress.org pending review.

6. Advanced Order Export For WooCommerce

  • Rating : Low
  • Advanced Order Export For WooCommerce versions below 3.1.4 have an Authenticated Cross-Site Scripting vulnerability.
  • The vulnerability is patched, and you should update to version 3.1.4.

7. Elementor

  • Rating : Medium
  • Elementor versions below 2.9.8 have an SVG Sanitizer Bypass leading to Authenticated Stored XSS vulnerability.
  • The vulnerability is patched, and you should update to version 2.9.8.

8. Ultimate Addons for Elementor

  • Rating : High
  • Ultimate Addons for Elementor versions below 1.24.2 have a Registration Bypass vulnerability.
  • The vulnerability is patched, and you should update to version 2.2.9.

9. Elementor Pro 

  • Rating : High
  • Elementor Pro versions below 2.9.4 have an Authenticated Arbitrary File Upload vulnerability.
  • The vulnerability is patched, and you should update to version 2.9.4.

10. Chopslider

  • Rating : High
  • All versions of Chopslider have an Unauthenticated Blind SQL Injection vulnerability.
  • No patch is available; remove the plugin.

11. Page Builder by SiteOrigin

  • Rating : High
  • Page Builder by SiteOrigin versions below 2.10.16 have a CSRF to Reflected Cross-Site Scripting vulnerability.
  • The vulnerability is patched, and you should update to version 2.10.16.

12. WooCommerce

  • Rating : Low
  • WooCommerce versions below 4.1.0 have an Unescaped Metadata when Duplicating Products vulnerability.
  • The vulnerability is patched, and you should update to version 4.1.0.

13. Site Kit by Google 

  • Rating : Critical
  • Site Kit by Google versions below 1.8.0 have a Privilege Escalation vulnerability that allows an attacker to become a Search Console owner.
  • The vulnerability is patched, and you should update to version 1.8.0.

14. Easy Testimonials 

  • Rating : Critical
  • Easy Testimonials versions below 3.6 have an Authenticated Stored Cross-Site Scripting vulnerability.
  • The vulnerability is patched, and you should update to version 3.6.

15. WP Product Review

  • Rating : High
  • WP Product Review versions below 3.7.6 have an Unauthenticated Stored Cross-Site Scripting vulnerability.
  • The vulnerability is patched, and you should update to version 3.7.6.

16. Login/Signup Popup

  • Rating : Critical
  • Login/Signup Popup versions below 1.5 have an Authenticated Stored Cross-Site Scripting vulnerability.
  • The vulnerability is patched, and you should update to version 1.5.

17. Photo Gallery by 10Web

  • Rating : Critical
  • Photo Gallery by 10Web versions below 1.5.55 have an Unauthenticated SQL Injection vulnerability.
  • The vulnerability is patched, and you should update to version 1.5.55.

18. Team Members

  • Rating : Critical
  • Team Members versions below 5.0.4 have an Authenticated Stored Cross-Site Scripting vulnerability.
  • The vulnerability is patched, and you should update to version 5.0.4.

19. Visual Composer Website Builder

  • Rating : High
  • Visual Composer Website Builder versions below 27.0 have multiple Authenticated Cross-Site Scripting vulnerabilities.
  • The vulnerabilities are patched, and you should update to version 27.0.

20. WordPress Infinite Scroll

  • Rating : Critical
  • WordPress Infinite Scroll versions below 5.3.2 have an Authenticated SQL Injection vulnerability.
  • The vulnerability is patched, and you should update to version 5.3.2.

21. WP Frontend Profile

  • Rating : Low
  • WP Frontend Profile versions below 1.2.2 have a Cross Site Request Forgery vulnerability.
  • The vulnerability is patched, and you should update to version 1.2.2.

22. Paid Memberships Pro

  • Rating : Medium
  • Paid Memberships Pro versions below 2.3.3 have an Authenticated SQL Injection vulnerability.
  • The vulnerability is patched, and you should update to version 2.3.3.

23. ThirstyAffiliates Affiliate Link Manager

  • Rating : Medium
  • ThirstyAffiliates Affiliate Link Manager versions below 3.9.3 have an Authenticated Stored Cross-Site Scripting vulnerability.
  • The vulnerability is patched, and you should update to version 3.9.3.

24. Official MailerLite Sign Up Forms

  • Rating : Critical
  • Official MailerLite Sign Up Forms versions below 1.4.5 have Multiple CSRF vulnerabilities.
  • The vulnerabilities are patched, and you should update to version 1.4.5.

25. Add-on SweetAlert Contact Form 7

  • Rating : Low
  • Add-on SweetAlert Contact Form 7 versions below 1.0.8 have an Authenticated Stored Cross-Site Scripting vulnerability.
  • The vulnerability is patched, and you should update to version 1.0.8.

26. Form Maker by 10Web

  • Rating : High
  • Form Maker by 10Web versions below 1.13.36 have an Authenticated SQL Injection vulnerability.
  • The vulnerability is patched, and you should update to version 1.13.36.

An update routine is crucial to the security of your WordPress site: log into each of your sites at least once a week and apply pending updates.
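As part of that routine, it helps to check installed plugin versions against the patched versions in this report rather than eyeballing the list. The script below is an added example, not code from the original report or from any of the projects it names. It assumes the plugin inventory comes from WP-CLI (`wp plugin list --fields=title,version,status --format=json`) and that the `title` field matches the plugin names as written in this report; the JSON sample inside the script is constructed for illustration, and the "Unlisted Example Plugin" entry is a placeholder to show that plugins outside the report are skipped.

```python
"""Audit an installed WordPress plugin/theme inventory against this report.

Added example (not part of the original report). Input format is assumed to be
the JSON emitted by `wp plugin list --fields=title,version,status --format=json`.
"""
import json
import sys

# Plugin/theme name as written in this report -> first patched version.
# None means the report gives no patched version and recommends removal.
PATCHED = {
    "Avada": "6.2.3",
    "WP-Advanced-Search": "3.3.7",
    "LearnPress": "3.2.6.9",
    "Gmedia Photo Gallery": "1.18.5",
    "Ninja Forms": "3.4.24.2",
    "WTI Like Post": None,
    "Advanced Order Export For WooCommerce": "3.1.4",
    "Elementor": "2.9.8",
    # Report states "versions below 1.24.2" are affected (it lists 2.2.9 as the update target).
    "Ultimate Addons for Elementor": "1.24.2",
    "Elementor Pro": "2.9.4",
    "Chopslider": None,
    "Page Builder by SiteOrigin": "2.10.16",
    "WooCommerce": "4.1.0",
    "Site Kit by Google": "1.8.0",
    "Easy Testimonials": "3.6",
    "WP Product Review": "3.7.6",
    "Login/Signup Popup": "1.5",
    "Photo Gallery by 10Web": "1.5.55",
    "Team Members": "5.0.4",
    "Visual Composer Website Builder": "27.0",
    "WordPress Infinite Scroll": "5.3.2",
    "WP Frontend Profile": "1.2.2",
    "Paid Memberships Pro": "2.3.3",
    "ThirstyAffiliates Affiliate Link Manager": "3.9.3",
    "Official MailerLite Sign Up Forms": "1.4.5",
    "Add-on SweetAlert Contact Form 7": "1.0.8",
    "Form Maker by 10Web": "1.13.36",
}


def parse_version(version):
    """Turn '3.4.24.2' into (3, 4, 24, 2). Parsing stops at the first
    non-numeric chunk, so '1.2.3-beta' compares as 1.2.3."""
    parts = []
    for chunk in version.strip().split("."):
        digits = ""
        for ch in chunk:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_below(installed, fixed):
    """True if `installed` is strictly older than `fixed`. Both tuples are
    zero-padded to the same length so that '27' and '27.0' compare equal."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(plugin_list_json):
    """Return (title, installed_version, action) for every plugin in the
    inventory that this report says is vulnerable at its installed version."""
    findings = []
    for item in json.loads(plugin_list_json):
        title, installed = item["title"], item["version"]
        if title not in PATCHED:
            continue  # not covered by this report
        fixed = PATCHED[title]
        if fixed is None:
            findings.append((title, installed, "remove: no patched version is available"))
        elif is_below(installed, fixed):
            findings.append((title, installed, f"update to {fixed}"))
    return findings


# Constructed sample inventory in the shape WP-CLI is assumed to emit.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"title": "Elementor", "version": "2.9.7", "status": "active"},
    {"title": "WooCommerce", "version": "4.1.0", "status": "active"},
    {"title": "Chopslider", "version": "3.4", "status": "inactive"},
    {"title": "Ninja Forms", "version": "3.4.24.2", "status": "active"},
    {"title": "Unlisted Example Plugin", "version": "1.0.0", "status": "active"},
])

if __name__ == "__main__":
    # Pipe real WP-CLI output on stdin, or run with no input to use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    for title, installed, action in audit(data):
        print(f"{title} {installed}: {action}")
```

Run it as `wp plugin list --fields=title,version,status --format=json | python3 audit.py` on the site (the WP-CLI field names are an assumption; adjust the `title` key if your inventory uses a different one). Only plugins that are both in the report and below the patched version are reported, and entries with no patch are flagged for removal regardless of version, matching the report's guidance for WTI Like Post and Chopslider.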
