WordPress Vulnerability Report: April 2021, Part 4

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. This report covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes. Each vulnerability will have a severity rating of LowMediumHigh, or Critical. The severity ratings are based on the Common Vulnerability Scoring System.

In the April, Part 4 Report
Get the iThemes Security WordPress Vulnerability Report delivered to your inbox

WordPress Core Vulnerabilities

WordPress 5.7.1 was released on April 15, 2021. This security and maintenance release features 26 bug fixes in addition to two security fixes. Because this is a security release of WordPress core, it is recommended that you update your sites immediately!

WordPress Plugin Vulnerabilities

1. Accordion

Vulnerability: Authenticated Reflected Cross-Site Scripting
Patched in Version: 2.2.30
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

The vulnerability is patched, so you should update to version 2.2.30+.

2. RSS for Yandex Turbo

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 1.30
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

The vulnerability is patched, so you should update to version 1.30+.

3. Kaswara Modern VC Addons

Vulnerability: Unauthenticated Arbitrary File Upload
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

4. WP Content Copy Protection & No Right Click

Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: 3.4
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: 3.5.1
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

The vulnerability is patched, so you should update to version 3.5.1+.

5. Conditional Marketing Mailer for WooCommerce

Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: 1.6
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: 1.5.2
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

The vulnerability is patched, so you should update to version 1.6+.

6. Captchinoo, Google recaptcha for admin login page

Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

7. WP Maintenance Mode & Site Under Construction

Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

8. Tree Sitemap

Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

9. Login Protection – Limit Failed Login Attempts

Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

10. Visitor Traffic Real Time Statistics

Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: 2.13
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: 2.12
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

The vulnerability is patched, so you should update to version 2.13+.

11. Login as User or Customer

Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: 2.1
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: 1.8
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

The vulnerability is patched, so you should update to version 2.1+.

12. Redirect 404 to Parent

Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.3.1
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

The vulnerability is patched, so you should update to version 1.3.1+.

13. Select All Categories and Taxonomies

Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.3.2
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

The vulnerability is patched, so you should update to version 1.3.2+.

14. Software License Manager

Vulnerability:  CSRF to Stored XSS
Patched in Version: 4.4.6
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

The vulnerability is patched, so you should update to version 4.4.6+.

15. Car Seller – Auto Classifieds Script

Vulnerability: Unauthenticated SQL Injection
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

16. Store Locator Plus

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

17. Happy Addons for Elementor Free & Pro

Vulnerability: Stored Cross-Site Scripting
Free Patched in Version: 2.24.0
Pro Patched in Version: 1.17.0
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

The vulnerability is patched, so you should update to version 2.24.0+ (Free) / 1.17.0+ (Pro).

18. WP Fastest Cache

WP Fastest Cache Logo

Vulnerability: Authenticated Arbitrary File Deletion via Path Traversal
Patched in Version: 0.9.1.7
Severity: Low – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

The vulnerability is patched, so you should update to version 0.9.1.7+.

19. WPGraphQL

Vulnerability: Denial of Service
Patched in Version: No known fix
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

WordPress Theme Vulnerabilities

No new theme vulnerabilities have been disclosed this week.

A WordPress Security Plugin Can Help Secure Your Website

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.

Get iThemes Security Pro

Spread the love

Posted by News Monkey

blank