The new list of WordPress plugin and theme vulnerabilities shared by iThemes Security for the first half of November is out. Please check your plugins and themes and be sure to update them.
WP plugin vulnerabilities
Blog2Social: Social Media Auto Post and Scheduler
Vulnerability: Cross-Site Scripting
Action: Patched! Update to the latest version, 5.9.
Currency Switcher for Woocommerce version 2.11.1
Vulnerability: Security Restrictions Bypass
Action: Patched! Update to version 2.11.2.
Ignite – Coming Soon and maintenance mode
Vulnerability: Multiple vulnerabilities:
- Arbitrary File Deletion
- HTML injection & CSRF in email messages
- Stored Cross-Site Scripting
- Disclosure of subscribers’ email addresses
- Arbitrary subscriber deletion
- Arbitrary switching of the plugin’s template
Action: Patched! Update to version 3.4.1.
Vulnerability: Cross-Site Scripting filter bypass
Action: Patched! Update to version 1.9.6.
Tidio Live Chat V4.1
Vulnerability: Cross-Site Request Forgery leading to Cross-Site Scripting.
Action: Patched! Update to version 4.2.
WP Google Review Slider V6.1
Vulnerability: Authenticated SQL Injection.
Action: Patched! Update to version 6.2.
YITH Plugin Framework – 39 individual plugins
Vulnerability: Authenticated Settings Change.
Action: Patched! Update all affected plugins to their latest versions.
WP theme vulnerabilities
Zoner – Real estate theme V4.1.1
Vulnerability: Persistent Cross-Site Scripting and Insecure Direct Object Reference vulnerabilities.
Action: Not yet patched. Keep an eye on the changelog for an update that includes a fix.