Vulnerabilities Monthly Digest for April 2020
- Testimonial < 2.1.7 – Authenticated Stored Cross-Site Scripting (XSS)
- WooCommerce Smart Coupons < 4.6.5 – Unauthenticated Coupon Creation
- Appointment Booking Calendar < 1.3.35 – Authenticated Stored Cross-Site Scripting (XSS)
- Appointment Booking Calendar < 1.3.35 – CSV Injection
- Brizy – Page Builder < 1.0.114 – Unauthenticated Site Settings Update
- WPForms < 1.5.9 – Authenticated Cross Site Scripting (XSS)
- WP Advanced Search < 3.3.4 – Unauthenticated Database Access and Remote Code Execution (RCE)
- RegistrationMagic – Custom Registration Forms and User Login < 4.6.0.4 – Multiple Critical Issues
- Custom Searchable Data Entry System <= 1.7.1 – Unauthenticated Data Modification and Deletion (0-day, being exploited)
- WP Security Audit Log < 4.0.2 – Broken Access Control in First-Time Install Wizard
- Font Awesome 4.0.0-RC15 & RC16 – API Token & Access Token Disclosure
- MStore API < 2.1.6 – Unauthenticated Arbitrary Account Creation/Edition
- Search Meter <= 2.13.2 – CSV Injection
- Import Export WordPress Users < 1.3.9 – Authenticated Arbitrary User Creation
- Multiple WebToffee Plugins – Cross-Site Request Forgery (CSRF) Issue
- Popup Builder < 3.64.1 – Multiple Issues
- Fruitful < 3.8.2 – Authenticated Stored XSS & Theme Options Deletion
- WPML < 4.3.7 – Authenticated Cross Site Request Forgery leading to Remote Code Execution
- WordPress File Upload < 4.13.0 – Directory Traversal to RCE
- LearnPress < 3.2.6.7 – Privilege Escalation
- Newsletter < 6.5.4 – CSV Injection
- Advanced Ads < 1.17.4 – Authenticated Reflected XSS via Admin Dashboard
- Gutenberg & Elementor Templates Importer For Responsive < 2.2.6 – Unprotected AJAX Endpoints
- Custom Post Type UI < 1.7.4 – CSRF to Stored XSS
- WPvivid Backup < 0.9.36 – Missing Authorization Leading To Database Leak
- Cookiebot < 3.6.1 – Authenticated Reflected Cross-Site Scripting (XSS)
- Data Tables Generator By Supsystic < 1.9.92 – Insecure Permissions on AJAX Actions
- Data Tables Generator By Supsystic < 1.9.92 – Authenticated Stored XSS
- Data Tables Generator By Supsystic < 1.9.92 – CSRF to Stored XSS, Data Table Creations, Settings Modification
- Multiple plugins – Unauthenticated Dompdf Local File Inclusion (LFI)
- Product Lister for Walmart <= 1.0.0 – Unauthenticated RCE via Outdated PHPUnit
- All-in-One WP Migration < 7.15 – Arbitrary Backup Download
- IMPress for IDX Broker < 2.6.2 – Authenticated Stored Cross-Site Scripting (XSS) via unprotected ‘idx_update_recaptcha_key’ AJAX
- IMPress for IDX Broker < 2.6.2 – Authenticated Post Creation, Modification, and Deletion
- CM Pop-Up banners < 1.4.11 – Authenticated Stored XSS
- Elementor Page Builder < 2.9.6 – Authenticated Safe Mode Privilege Escalation
- WordPress SEO Plugin – Rank Math < 1.0.41 – Privilege Escalation via Unprotected REST API Endpoint
- WordPress SEO Plugin – Rank Math < 1.0.41 – Redirect Creation via Unprotected REST API Endpoint
- LifterLMS < 3.37.15 – Arbitrary File Writing
To protect your WordPress site from these vulnerabilities, sign up for a weekly Web Care package from Futurised.