WordPress Vulnerability Roundup: February 2020, Part 2


New WordPress plugin and theme vulnerabilities were disclosed during the second half of February, so we want to keep you aware. In this post, we cover recent WordPress plugin, theme and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories:

  1. WordPress core
  2. WordPress plugins
  3. WordPress themes

WordPress Core Vulnerabilities

There haven’t been any disclosed WordPress vulnerabilities in 2020.

WordPress Plugin Vulnerabilities

Several new WordPress plugin vulnerabilities have been discovered this month so far. Make sure to follow the suggested action below to update the plugin or completely uninstall it.

1. Ninja Forms

The vulnerabilities have been patched, and you should update to version 3.4.23.

2. ThemeGrill Demo Importer


The vulnerability has been patched, and you should update to version 1.6.2.

3. SAML SP Single Sign On


The vulnerability has been patched, and you should update to version 4.8.84.

4. wpCentral


[…]

This article was written by Michael Moore and originally published on WordPress News and Updates from iThemes – iThemes.


WordPress Vulnerability Roundup: January 2020, Part 2


New WordPress plugin and theme vulnerabilities were disclosed during the second half of January, so we want to keep you aware. In this post, we cover recent WordPress plugin, theme and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

WordPress Core Vulnerabilities

There haven’t been any disclosed WordPress vulnerabilities in January of 2020.

WordPress Plugin Vulnerabilities

Several new WordPress plugin vulnerabilities have been discovered this month so far. Make sure to follow the suggested action below to update the plugin or completely uninstall it.

1. Code Snippets

Code Snippets versions 2.13.3 and below have a Cross-Site Request Forgery vulnerability that can lead to a Remote Code Execution attack.

What You Should Do

The vulnerabilities have been patched, so you should update to version 2.14.0.

2. WP Database Reset


WP Database Reset versions 3.1 and below have two vulnerabilities. The first vulnerability would allow an unauthenticated user to reset any database table to the initial WordPress set-up state. The second vulnerability would allow any user to grant their account administrative privileges and drop other users from the table.

What You Should Do

The vulnerabilities have been patched, so you should update to version 3.15.

3. Chained Quiz


Chained Quiz versions 1.1.8 and

[…]


WordPress Vulnerability Roundup: January 2020, Part 1


TownHub versions 1.0.5 and below have multiple vulnerabilities, including an Unauthenticated Reflected XSS, an Authenticated Persistent XSS, and an Insecure Direct Object Reference.

The vulnerability has been patched, and you should update it to version 1.0.6.

6. CityBook

CityBook versions 2.9.4 and below have multiple vulnerabilities, including an Unauthenticated Reflected XSS, an Authenticated Persistent XSS, and an Insecure Direct Object Reference.

What You Should Do

The vulnerability has been patched, and you should update it to version 2.9.5.

7. Real Estate 7


Real Estate 7 versions 2.3.3 and below have multiple vulnerabilities, including an Unauthenticated Reflected XSS, an Authenticated Persistent XSS, and an Insecure Direct Object Reference.

What You Should Do

The vulnerability has been patched, and you should update it to version 2.3.4.

How to Be Proactive About WordPress Theme & Plugin Vulnerabilities

Running outdated software is the number one reason WordPress sites are hacked. It is crucial to the security of your WordPress site that you have an update routine. You should be logging into your sites at least once a week to perform updates.

Automatic Updates Can Help

Automatic updates are a great choice for WordPress websites that don’t change very often. Lack of attention often leaves these sites neglected and vulnerable to attacks. Even with recommended security settings, running vulnerable software on your site can give an attacker an entry point into your site.

Using the iThemes Security Pro plugin’s Version Management feature, you can enable automatic WordPress updates to ensure you are getting the latest security patches. These settings help protect your site with options to automatically update to new versions or to increase user security when the site’s software is outdated.


[…]


WordPress Vulnerability Roundup: December 2019, Part 1


Remove Scountet Kalendar as it appears the plugin has been abandoned.

The vulnerability has been patched, and you should update it to version 1.6.90.

2. Materialis

Materialis versions 1.0.172 and below have an Authenticated Options Update vulnerability.

What You Should Do

The vulnerability has been patched, and you should update it to version 1.0.173.

4. Superlist


Superlist versions 2.9.2 and below are vulnerable to a Stored Cross-Site Scripting attack.

What You Should Do

The vulnerability hasn’t been patched, and you should remove the theme. Keep an eye on the changelog for a security update.

How to Be Proactive About WordPress Theme & Plugin Vulnerabilities

Running outdated software is the number one reason WordPress sites are hacked. It is crucial to the security of your WordPress site that you have an update routine. You should be logging into your sites at least once a week to perform updates.

Automatic Updates Can Help

Automatic updates are a great choice for WordPress websites that don’t change very often. Lack of attention often leaves these sites neglected and vulnerable to attacks. Even with recommended security settings, running vulnerable software on your site can give an attacker an entry point into your site.

Using the iThemes Security Pro plugin’s Version Management feature, you can enable automatic WordPress updates to ensure you are getting the latest security patches. These settings help protect your site with options to automatically update to new versions or to increase user security when the site’s software is outdated.


[…]


WordPress Vulnerability Roundup: December 2020, Part 2


Written by Michael Moore on December 23, 2020. Last updated on December 23, 2020.

New WordPress plugin and theme vulnerabilities were disclosed during the second half of December. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.


WordPress Core Vulnerabilities

The latest version of WordPress core is currently 5.6. As a WordPress security best practice, make sure you’re running the latest version of WordPress core.

WordPress Plugin Vulnerabilities

1. DiveBook

DiveBook versions below 1.1.4 have Improper Authorization Check, Unauthenticated SQL Injection, and Unauthenticated Reflected XSS vulnerabilities.

Remove the plugin until a security fix is released.

2. Pagelayer


The vulnerability is patched, and you should update to version 1.3.5.

3. Ultimate Category Excluder


The vulnerability is patched, and you should update to version 1.2.

4. Directories Pro


The vulnerability is patched, and you should update to version 1.3.46.

5. Total Upkeep


The vulnerability is patched, and you should update to version 1.14.10.

6. Redux Framework


The vulnerability is patched, and you should update to version 4.1.21.

7. Contact

[…]


WordPress Vulnerability Roundup: December 2020, Part 1


Written by Michael Moore on December 9, 2020. Last updated on December 9, 2020.

New WordPress plugin and theme vulnerabilities were disclosed during the first half of December. This post covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.


WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

However, a new major version of WordPress core was just released yesterday. WordPress 5.6 includes several new features and improvements, so be sure to update.

WordPress Plugin Vulnerabilities

1. WPJobBoard

The vulnerability is patched, and you should update to version 5.7.0.

2. WP Google Map Plugin


The vulnerability is patched, and you should update to version 4.1.4.

3. BuddyPress


The vulnerability is patched, and you should update to version 6.4.0.

4. Events Manager


The vulnerability is patched, and you should update to version 5.9.8.

5. Age Gate


The vulnerability is patched, and you should update to version 2.13.5.

6. Canto


Remove the plugin until a security fix is released.

7. Profile Builder


[…]


WordPress Vulnerability Roundup: May 2020, Part 2


Written by Michael Moore on May 27, 2020. Last updated on May 28, 2020.

New WordPress plugin and theme vulnerabilities were disclosed during the second half of May, so we want to keep you aware. In this post, we cover recent WordPress plugin, theme and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.


The WordPress Vulnerability Roundup is divided into three different categories:

  1. WordPress core
  2. WordPress plugins
  3. WordPress themes

Each vulnerability will have a threat rating of Low, Medium, High, or Critical.

WordPress Core Vulnerabilities

There have not been any WordPress vulnerabilities disclosed in May 2020.

WordPress Plugin Vulnerabilities

Several new WordPress plugin vulnerabilities have been discovered this month so far. Make sure to follow the suggested action below to update the plugin or completely uninstall it.

1. Site Kit by Google – Critical

The vulnerability is patched, and you should update to version 1.8.0.

2. Easy Testimonials – Critical


The vulnerability is patched, and you should update to version 3.6.

3. WP Product Review – High


[…]
