New WordPress plugin and theme vulnerabilities were disclosed during the second half of January. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.
This weeks WordPress Vulnerability Roundup is divided into four different categories: WordPress core, WordPress plugins, WordPress themes, and Server.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. The severity ratings are based on the Common Vulnerability Scoring System.
WordPress Core Vulnerabilities
WordPress Plugin Vulnerabilities
1. Easy Contact Form Pro – Critical
Easy Contact Form Pro versions below 1.1.1.9 have an Authenticated Stored Cross-Site Scripting vulnerability.
2. FV Flowplayer Video Player – Medium
FV Flowplayer Video Player versions below 7.4.38.727 have an Authenticated Stored Cross-Site Scripting vulnerability.
3. Simple Job Board – High
Simple Job Board versions below 2.9.4 have an Authenticated Path Traversal Leading to Arbitrary File Download vulnerability.
4. Easy Media Gallery Pro – Medium
Easy Media Gallery Pro versions below 1.3.0 have CSRF and XSS vulnerabilities.
5. Contact Form Submissions – Medium
All versions of Contact Form Submissions have an Authenticated SQL Injection vulnerability.
6. 301 Redirects – Critical
301 Redirects versions below 2.51 have an Authenticated SQL Injection vulnerability.
7.WP Shieldon – Medium
All versions of WP Shieldon have an Unauthenticated Cross-Site Scripting vulnerability.
8. Contact Form 7 Database Addon – Critical
Contact Form 7 Database Addon versions below 1.2.5.6 have an CSV Injection and Authenticated SQL Injections vulnerabilities.
9. WP24 Domain Check
WP24 Domain Check versions below 1.6.3 have an Authenticated Cross-Site Scripting vulnerability.
WordPress Theme Vulnerabilities
Sever Vulnerabilities
Security researchers at Qualys discovered a Privilege Escalation vulnerability in the Linux program sudo. An attacker could exploit the vulnerability to increase the privileges and take over the server.
For more information, check out our post covering this new Linux vulnerability.
January Security Tip: Scan Your Websites for Vulnerabilities
60% of website breaches involve vulnerabilities for which a patch was available but not applied. This means having software with known vulnerabilities installed on your site gives hackers the blueprints they need to take over your site.
Every day, it gets harder and harder to keep track of every disclosed WordPress vulnerability. You have to compare that list to the versions of plugins and themes you have installed on your site… and make sure you’re constantly updating.
To solve this problem, the iThemes Security Pro plugin just rolled out a better way to protect your sites against software vulnerabilities, the number one culprit of hacked and compromised WordPress sites.
The new, improved WordPress Security Site Scan powered by iThemes performs automatic checks for known website vulnerabilities and, if a patch is available, iThemes Security Pro will automatically apply the fix for you … so you don’t have to. Whew. that’s some peace of mind.
A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
Get iThemes Security Pro
The post WordPress Vulnerability Roundup: January 2021, Part 2 appeared first on iThemes.
Source: Security Feed