Seite auswählen

New WordPress plugin and theme vulnerabilities were disclosed during the third week of March. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

Each vulnerability will have a severity rating of LowMediumHigh, or Critical. The severity ratings are based on the Common WordPress Vulnerability Scoring System.

In the March, Part 3 Report

    WordPress Core Vulnerabilities

    No new WordPress core vulnerabilities have been disclosed this month.

    WordPress Plugin Vulnerabilities

    1. Tutor LMS

    Vulnerability: Multiple SQL Injection & Unprotected AJAX including Privilege Escalation
    Patched in Version: 1.7.7
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N


    2. WP Super Cache

    Vulnerability: Authenticated RCE
    Patched in Version: 1.7.2
    Severity: CriticalCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H


    3. SEO Redirection

    Vulnerability: Authenticated Reflected Cross-Site Scripting
    Patched in Version: No Known Fix
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N


    4. Flo Forms

    Vulnerability: Authenticated Options Change to Stored XSS
    Patched in Version: 1.0.36
    Severity: CriticalCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H


    5. Social Slider Widget

    Vulnerability: Authenticated Reflected Cross-Site Scripting
    Patched in Version: 1.8.5
    Severity: CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L


    6. Paid Membership Pro 

    Vulnerability: Authenticated SQL Injection
    Patched in Version: 2.5.6
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L


    7. BuddyPress

    Vulnerability: Multiple vulnerabilities, including REST API Privilege Escalation
    Patched in Version: 7.2.1
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L


    8. Elementor

    Vulnerability: Multiple Authenticated Stored Cross-Site Scripting
    Patched in Version: 3.1.2
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N


    9. WordPress Related Posts

    Vulnerability: Authenticated Stored Cross-Site Scripting
    Patched in Version: No Known Fix 
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N


    10. WP Page Builder

    Vulnerability: Insecure default configuration Allows Subscribers Editing Access to Posts
    Patched in Version: 1.2.4
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N


    11. PhastPress

    Vulnerability: Open Redirect
    Patched in Version: 1.111
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N


    12. WordPress Related Posts

    Vulnerability: Authenticated Stored Cross-Site Scripting
    Patched in Version: No Known Fix 
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N


    13. WooCommerce Help Scout

    Vulnerability: Unauthenticated Arbitrary File Upload leading to RCE
    Patched in Version: No Known Fix (Actively Being Exploited Remove Now)
    Severity: CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H


    14. Controlled Admin Access

    Vulnerability: Improper Access Control & Privilege Escalation
    Patched in Version: 1.5.2
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H


    WordPress Theme Vulnerabilities

    No new theme vulnerabilities have been disclosed this month.

    Use a WordPress Security Plugin to Secure Your WordPress Site Today

    iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities like these. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website to keep the bad guys out.

    Get iThemes Security Pro

    The post WordPress Vulnerability Report: March 2021, Part 3 appeared first on iThemes.

    Source: Security Feed

    Share This