Seite wählen

New WordPress plugin and theme vulnerabilities were disclosed during the final week of March. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

Each vulnerability will have a severity rating of LowMediumHigh, or Critical. The severity ratings are based on the Common Vulnerability Scoring System.

In the March, Part 4 Report

    WordPress Core Vulnerabilities

    No new WordPress core vulnerabilities have been disclosed this month.

    WordPress Plugin Vulnerabilities

    1. GiveWP

    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 2.10.0
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L


    2. Mapplic and Mapplic Lite

    Vulnerability: SSRF to Stored Cross-Site Scripting 
    Patched in Version: Mapplic Lite 1.0.1 & Mapplic 6.2.1
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L


    3. MapifyLife

    Vulnerability: Authenticated Stored Cross-Site Scripting
    Patched in Version: No known fix
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L


    4. Thrive AB Page Testing

    Vulnerability: Unauthenticated Option Update
    Patched in Version: 1.4.13.3
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N


    5. Thrive Comments

    Vulnerability: Unauthenticated Option Update
    Patched in Version: 1.4.15.3
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N


    6. Thrive Headline Optimizer

    Vulnerability: Unauthenticated Option Update
    Patched in Version: 1.3.7.3
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N


    7. Thrive Leads

    Vulnerability: Unauthenticated Option Update
    Patched in Version: 2.3.9.4
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N


    8. Thrive Ultimatum

    Vulnerability: Unauthenticated Option Update
    Patched in Version: 2.3.9.4
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N


    9. Thrive Quiz Builder

    Vulnerability: Unauthenticated Option Update
    Patched in Version: 2.3.9.4
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N


    10. Thrive Apprentice

    Vulnerability: Unauthenticated Option Update
    Patched in Version: 2.3.9.4
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N


    11. Thrive Visual Editor

    Vulnerability: Unauthenticated Option Update
    Patched in Version: 2.6.7.4
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N


    12. Thrive Dashboard

    Vulnerability: Unauthenticated Option Update
    Patched in Version: 2.3.9.3
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N


    13. Thrive Ovation

    Vulnerability: Unauthenticated Option Update
    Patched in Version: 2.4.5
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N


    14. JH 404 Logger

    Vulnerability: Unauthenticated Stored Cross-Site Scripting
    Patched in Version: No known fix
    Severity: CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H


    15. Business Directory

    Vulnerability: Unauthenticated Reflected Cross-Site Scripting
    Patched in Version: No known fix
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N


    16. Facebook for WordPress

    Vulnerability: PHP Object Injection with POP Chain
    Patched in Version: 3.0.0
    Severity: CriticalCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

    Vulnerability: CSRF to Stored XSS and Settings Deletion
    Patched in Version: 3.0.4
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H


    17. Vertical News Scroller

    Vulnerability: Authenticated Reflected Cross-Site Scripting
    Patched in Version: 1.17
    Severity: CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H


    18. Quiz And Survey Master

    Vulnerability: Authenticated SQL injection via shortcode
    Patched in Version: 7.1.12
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Vulnerability: Authenticated SQL injection via Rest API
    Patched in Version: 7.1.14
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


    19. WP-Curricul Vitea Free

    Vulnerability: Unauthenticated Arbitrary File Upload to RCE
    Patched in Version: No known fix
    Severity: CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H


    20. N5 Upload Form

    Vulnerability: Unauthenticated Arbitrary File Upload to RCE
    Patched in Version: No known fix
    Severity: CriticalCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


    21. Easy Form Builder

    Vulnerability: Authenticated Arbitrary File Upload
    Patched in Version: No known fix
    Severity: CriticalCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H


    22. Patreon WordPress

    Vulnerability: Unauthenticated Local File Disclosure
    Patched in Version: 1.7.0
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

    Vulnerability: CSRF to Overwrite/Create User Meta
    Patched in Version: 1.7.0
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

    Vulnerability: CSRF to Disconnect Sites From Patreon
    Patched in Version: 1.7.0
    Severity: MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

    Vulnerability: CSRF to Disconnect Sites From Patreon
    Patched in Version: 1.7.0
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

    Vulnerability: Reflected XSS on Login Form
    Patched in Version: 1.7.2
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

    Vulnerability:  Reflected XSS on patreon_save_attachment_patreon_level AJAX action
    Patched in Version: 1.7.2
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H


    23. AccessAlly

    Vulnerability: $_SERVER Superglobal Leakage
    Patched in Version: 3.5.7
    Severity: HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


    WordPress Theme Vulnerabilities

    1. All Thrive Themes Legacy Themes

    Affected Themes: Rise, Luxe, Minus, Ignition, Focusblog, Squared, Voice, Performag, Pressive, & Storied
    Vulnerability: Unauthenticated Arbitrary File Upload and Option Deletion
    Patched in Version: 2.0.0
    Severity: CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H


    A WordPress Security Plugin Can Help Secure Your Website

    iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.

    Get iThemes Security Pro

    vulnerability roundup

    The post WordPress Vulnerability Report: March 2021, Part 4 appeared first on iThemes.

    Source: Security Feed

    Share This