April 7, 2021
Last Updated on April 7, 2021
New WordPress plugin and theme vulnerabilities were disclosed during the first week of April. This post reports the WordPress plugin, theme, and core vulnerabilities disclosed recently and what to do if you run one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes. Each vulnerability includes information on which version you should be running, so be sure to update!
Each vulnerability will also have a severity rating of Low, Medium, High, or Critical. The severity ratings are based on the Common Vulnerability Scoring System (CVSS), a standard designed to help you measure the severity of a vulnerability.
In the April, Part 1 Report
WordPress Core Vulnerabilities
Great news! No new WordPress core vulnerabilities have been disclosed this month.
The latest version of WordPress is currently 5.7. Make sure all your websites are running the latest version of WordPress core.
WordPress Plugin Vulnerabilities
This section covers vulnerabilities in WordPress plugins with instructions on whether to update or remove the vulnerable plugin.
1. Controlled Admin Access
Vulnerability: Improper Access Control leading to Privilege Escalation
Patched in Version: 1.5.6
Severity: High – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The vulnerability is patched, so you should update to version 1.5.6+.
2. Advanced Booking Calendar
Vulnerability: Authenticated Reflected Cross-Site Scripting
Patched in Version: 1.6.8
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
The vulnerability is patched, so you should update to version 1.6.8+.
3. Cooked Pro
Vulnerability: Unauthenticated Reflected Cross-Site Scripting
Patched in Version: 184.108.40.206
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
The vulnerability is patched, so you should update to version 220.127.116.11+.