WordPress Flaws and Vulnerabilities

WordPress Vulnerabilities 2021 week 21 via Patchstack


Vulnerabilities discovered in plugins, themes and WordPress core from May 24th to 30th, 2021

iFlyChat – WordPress Chat

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Kishore Hariram in WordPress iFlyChat – WordPress Chat plugin (versions <= 4.6.4).



JNews

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Truoc Phan in WordPress JNews premium theme (versions <= 8.0.5).



Cookie Law Bar

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Mesut Cetin in WordPress Cookie Law Bar plugin (versions <= 1.2.1).



SP Project & Document Manager

Authenticated Shell Upload discovered by Viktor Markopoulos (vict0ni) in WordPress SP Project & Document Manager plugin (versions <= 4.21).



Gallery from files

Unauthenticated Remote Code Execution (RCE) vulnerability discovered by WPScanTeam in WordPress Gallery from files plugin (versions <= 1.60).



Visitors

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Mesut Cetin in WordPress Visitors plugin (versions <= 0.3).



WC Marketplace

Unauthenticated Arbitrary Product Comment Posting vulnerability discovered by WPScanTeam in WordPress WC Marketplace plugin (versions <= 3.7.3).



Simple 301 Redirects – Addon – Bulk Uploader

Authenticated Wildcard Activation and Retrieval vulnerability discovered by WordFence in WordPress Simple 301 Redirects by BetterLinks plugin (versions <= 2.0.3; only versions 2.0.0 to 2.0.3 are affected).



Simple 301 Redirects – Addon – Bulk Uploader

Authenticated Arbitrary Plugin Installation/Activation vulnerability discovered by WordFence in WordPress Simple 301 Redirects by BetterLinks plugin (versions <= 2.0.3; only versions 2.0.0 to 2.0.3 are affected).



Simple 301 Redirects – Addon – Bulk Uploader

Unauthenticated Redirect Import/Export vulnerability allowing total site redirection discovered by WordFence in WordPress Simple 301 Redirects by BetterLinks plugin (versions <= 2.0.3; only versions 2.0.0 to 2.0.3 are affected).



Side Menu

Authenticated SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar in WordPress Side Menu plugin (versions <= 3.1.3).



Xllentech English Islamic Calendar

Authenticated SQL Injection (SQLi) vulnerability discovered by Syed Sheeraz Ali in WordPress Xllentech English Islamic Calendar plugin (versions <= 2.6.7).



Stock in & out

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Shreya Pohekar (Codevigilant Project) in WordPress Stock in & out plugin (versions <= 1.0.4).



Easy Preloader

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Kishore Hariram in WordPress Easy Preloader plugin (versions <= 1.0.0).



Sendit WP Newsletter

Authenticated SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar in WordPress Sendit WP Newsletter plugin (versions <= 2.5.1).



XCloner Backup, Restore and Migrate

Authenticated SQL Injection (SQLi) vulnerability discovered by Ngo Van Thien (Sun* Research & Development) in WordPress XCloner Backup, Restore and Migrate plugin (versions <= 4.2.161).



NinjaFirewall

Authenticated PHAR Deserialization vulnerability discovered by Chloe Chamberland in WordPress NinjaFirewall plugin (versions <= 4.3.3).


Thanks to Patchstack.com