Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. This post covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. The severity ratings are based on the Common Vulnerability Scoring System.
WordPress Core Vulnerabilities
WordPress 5.7.1 is was released on April 15, 2021. This security and maintenance release features 26 bug fixes in addition to two security fixes. Because this is a security release of WordPress core, it is recommended that you update your sites immediately!
1. WordPress 5.6 – 5.7
Vulnerability: Authenticated XXE Within the Media Library Affecting PHP 8
Patched in Version: 5.7
Severity: High – CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
2. WordPress 4.7-5.7
Vulnerability: Authenticated Password Protected Pages Exposure
Patched in Version: 5.7
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
WordPress Plugin Vulnerabilities
1. Livemesh Addons for Elementor
Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 6.8
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
2. HT Mega – Absolute Addons for Elementor
Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 1.5.7
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
3. WooLentor – WooCommerce Elementor Addons
Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 1.8.6
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4. BuddyPress
Vulnerability: Multiple Authenticated REST API Vulnerabilities
Patched in Version: 7.3.0
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5. PowerPack Addons for Elementor
Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 2.3.2
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
6. Image Hover Effects – Elementor Addon
Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 1.3.4
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
7. Rife Elementor Extensions & Templates
Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 1.1.6
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
8. The Plus Addons for Elementor
Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 2.0.6
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
9. All-in-One Addons for Elementor
Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 2.3.10
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
10. JetWidgets For Elementor
Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version:
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
11. Sina Extension for Elementor
Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 3.3.12
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
12. Ultimate Addons for Elementor
Vulnerability: Stored Cross-Site Scripting (XSS)
Patched in Version: 1.30.0
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
13. Fitness Calculators
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched in Version: 1.9.6
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
14. User Rights Access Manager
Vulnerability: Improper Access Controls
Patched in Version: 1.0.4
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
15. Clever Addons for Elementor
Vulnerability: Stored Cross-Site Scripting XSS
Patched in Version: 2.1.0
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
16. Easy Digital Downloads
Vulnerability: Unauthorized Stripe Disconnect via CSRF
Patched in Version: 2.10.3
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
17. Edwiser Bridge
Vulnerability: CSRF Nonce Bypass
Patched in Version: 2.0.7
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
18. WordPress Download Manager
Vulnerability: Unauthorized Download Duplication
Patched in Version: 3.1.18
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
19. Ultimate Maps by Supsystic
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.2.5
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
20. Popup by Supsystic
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.10.5
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
21. Photo Gallery by 10Web
Vulnerability: Multiple Reflected Cross-Site Scripting
Patched in Version: 1.5.69
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
22. Redirection for Contact Form 7
Vulnerability: Unauthenticated Arbitrary Nonce Generation
Patched in Version: 2.3.4
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability: Authenticated Arbitrary Plugin Installation
Patched in Version: 2.3.4
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Vulnerability: Authenticated PHP Object Injection
Patched in Version: 2.3.4
Severity: High – CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability: Authenticated Arbitrary Post Deletion
Patched in Version: 2.3.4
Severity: Medium – CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Vulnerability: Unprotected AJAX Actions
Patched in Version: 2.3.4
Severity: Medium – CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
WordPress Theme Vulnerabilities
A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
The post WordPress Vulnerability Report: April 2021, Part 3 appeared first on iThemes.
This content was originally published here.