Headline
CVE-2021-39313: Vulnerability Advisories - Wordfence
The Simple Image Gallery WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the msg parameter found in the ~/simple-image-gallery.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.6.
Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence assigns CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes.
Assigned CVE IDs and the vulnerability details are published below. For more information about submitting vulnerabilities to Wordfence for CVE ID assignment, please refer to our vulnerability disclosure policy.
WooCommerce myghpay Payment Gateway <= 3.0 Reflected Cross-Site Scripting
Affected Plugin: WooCommerce myghpay Payment Gateway
Plugin Slug: woo-myghpay-payment-gateway
Affected Versions: <= 3.0
CVE ID: CVE-2021-39308
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-12-14
The WooCommerce myghpay Payment Gateway WordPess plugin is vulnerable to Reflected Cross-Site Scripting via the clientref parameter found in the ~/processresponse.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.8.
True Ranker <= 2.2.2 Directory Traversal/Arbitrary File Read
Affected Plugin: True Ranker
Plugin Slug: seo-local-rank
Affected Versions: <= 2.2.2
CVE ID: CVE-2021-39312
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Researcher/s: p7e4
Fully Patched Version: 2.2.4
Recommended Remediation: Update to version 2.2.4, or newer.
Publication Date: 2021-12-13
The True Ranker plugin <= 2.2.2 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file.
duoFAQ – Responsive, Flat, Simple FAQ <= 1.4.8 Reflected Cross-Site Scripting
Affected Plugin: duoFAQ – Responsive, Flat, Simple FAQ
Plugin Slug: duofaq-responsive-flat-simple-faq
Affected Versions: <= 1.4.8
CVE ID: CVE-2021-39319
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-12-13
The duoFAQ – Responsive, Flat, Simple FAQ WordPess plugin is vulnerable to Reflected Cross-Site Scripting via the msg parameter found in the ~/duogeek/duogeek-panel.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.8.
H5P CSS Editor <= 1.0 Reflected Cross-Site Scripting
Affected Plugin: H5P CSS Editor
Plugin Slug: h5p-css-editor
Affected Versions: <= 1.0
CVE ID: CVE-2021-39318
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-12-13
The H5P CSS Editor WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the h5p-css-file parameter found in the ~/h5p-css-editor.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.
Magic Post Voice <= 1.2 Reflected Cross-Site Scripting
Affected Plugin: Magic Post Voice
Plugin Slug: magic-post-voice
Affected Versions: <= 1.2
CVE ID: CVE-2021-39315
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-12-13
The Magic Post Voice WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the ids parameter found in the ~/inc/admin/main.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.
WooCommerce EnvioPack <= 1.2 Reflected Cross-Site Scripting
Affected Plugin: WooCommerce EnvioPack
Plugin Slug: woo-enviopack
Affected Versions: <= 1.2
CVE ID: CVE-2021-39314
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-12-13
The WooCommerce EnvioPack WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the dataid parameter found in the ~/includes/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.
Simple Image Gallery <= 1.0.6 Reflected Cross-Site Scripting
Affected Plugin: Simple Image Gallery
Plugin Slug: simple-responsive-image-gallery
Affected Versions: <= 1.0.6
CVE ID: CVE-2021-39313
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-12-13
The Simple Image Gallery WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the msg parameter found in the ~/simple-image-gallery.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.6.
link-list-manager <= 1.0 Reflected Cross-Site Scripting
Affected Plugin: link-list-manager
Plugin Slug: link-list-manager
Affected Versions: <= 1.0
CVE ID: CVE-2021-39311
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-12-13
The link-list-manager WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the category parameter found in the ~/llm.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.
Real WYSIWYG <= 0.0.2 Reflected Cross-Site Scripting
Affected Plugin: Real WYSIWYG
Plugin Slug: real-wysiwyg
Affected Versions: <= 0.0.2
CVE ID: CVE-2021-39310
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-12-13
The Real WYSIWYG WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of PHP_SELF in the ~/real-wysiwyg.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.2.
Parsian Bank Gateway for Woocommerce <= 1.0 Reflected Cross-Site Scripting
Affected Plugin: Parsian Bank Gateway for Woocommerce
Plugin Slug: parsian-bank-gateway-for-woocommerce
Affected Versions: <= 1.0
CVE ID: CVE-2021-39309
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-12-13
The Parsian Bank Gateway for Woocommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the demo parameter found in the ~/vendor/dpsoft/parsian-payment/sample/rollback-payment.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.
.htaccess Redirect <= 0.3.1 Reflected Cross-Site Scripting
Affected Plugin: .htaccess Redirect
Plugin Slug: htaccess-redirect
Affected Versions: <= 0.3.1
CVE ID: CVE-2021-38361
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-12-13
The .htaccess Redirect WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the link parameter found in the ~/htaccess-redirect.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.3.1.
RegistrationMagic <= 5.0.1.7 Authentication Bypass
Affected Plugin: RegistrationMagic
Plugin Slug: custom-registration-form-builder-with-submission-manager
Affected Versions: <= 5.0.1.7
CVE ID: CVE-2021-4073
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Marco Wotschka, Chloe Chamberland, and AyeCode Ltd*
Fully Patched Version: 5.0.1.8
Recommended Remediation: Update to version 5.0.1.8, or newer.
Publication Date: 2021-12-08
The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site due to missing identity validation in the social login function social_login_using_email() of the plugin. This affects versions equal to, and less than, 5.0.1.7.
Fathom Analytics <= 3.0.4 Authenticated Stored Cross-Site Scripting
Affected Plugin: Fathom Analytics
Plugin Slug: fathom-analytics
Affected Versions: <= 3.0.4
CVE ID: CVE-2021-41836
CVSS Score: 4.8 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Researcher/s: José Aguilera
Fully Patched Version: 3.0.5
Recommended Remediation: Update to version 3.0.5, or newer.
Publication Date: 2021-12-08
The Fathom Analytics WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the fathom_site_id parameter found in the ~/fathom-analytics.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 3.0.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Variation Swatches for WooCommerce <= 2.1.1 Authenticated Stored Cross-Site Scripting
Affected Plugin: Variation Swatches for WooCommerce
Plugin Slug: variation-swatches-for-woocommerce
Affected Versions: <= 3.0.4
CVE ID: CVE-2021-42367
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 2.1.2
Recommended Remediation: Update to version 2.1.2, or newer.
Publication Date: 2021-12-01
The Variation Swatches for WooCommerce WordPress plugin is vulnerable to Stored Cross-Site Scripting via several parameters found in the ~/includes/class-menu-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1. Due to missing authorization checks on the tawcvs_save_settings function, low-level authenticated users such as subscribers can exploit this vulnerability. Read more here.
Stetic <= 1.0.6 Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected Plugin: Stetic
Plugin Slug: stetic
Affected Versions: <= 1.0.6
CVE ID: CVE-2021-42364
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Original Researcher/s: Naoki Ogawa, Cryptography Laboratory in Tokyo Denki University
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-11-29
The Stetic WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the stats_page function found in the ~/stetic.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 1.0.6.
Contact Form With Captcha <= 1.6.2 Cross-Site Request Forgery to Reflected Cross-Site Scripting
Affected Plugin: Contact Form With Captcha
Plugin Slug: contact-form-with-captcha
Affected Versions: <= 1.6.2
CVE ID: CVE-2021-42358
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Original Researcher/s: Yuga Futatsuki, Cryptography Laboratory in Tokyo Denki University
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-11-29
The Contact Form With Captcha WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation in the ~/cfwc-form.php file during contact form submission, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 1.6.2.
Asgaros Forums <= 1.15.13 Authenticated Stored XSS
Affected Plugin: Asgaros Forums
Plugin Slug: asgaros-forum
Affected Versions: <= 1.15.13
CVE ID: CVE-2021-42365
CVSS Score: 4.8 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Mohammed Aadhil Ashfaq
Fully Patched Version: 1.15.14
Recommended Remediation: Update to version 1.15.14, or newer.
Publication Date: 2021-11-29
The Asgaros Forums WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the name parameter found in the ~/admin/tables/admin-structure-table.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.13. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Easy Registration Forms <= 2.1.1 Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected Plugin: Easy Registration Forms
Plugin Slug: easy-registration-forms
Affected Versions: <= 2.1.1
CVE ID: CVE-2021-39353
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Original Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-11-18
The Easy Registration Forms WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the ajax_add_form function found in the ~/includes/class-form.php file which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 2.1.1.
Preview E-Mails for WooCommerce <= 1.6.8 Reflected Cross-Site Scripting
Affected Plugin: Preview E-Mails for WooCommerce
Plugin Slug: woo-preview-emails
Affected Versions: <= 1.6.8
CVE ID: CVE-2021-42363
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Original Researcher/s: Chloe Chamberland
Fully Patched Version: 2.0.0
Recommended Remediation: Update to version 2.0.0, or newer.
Publication Date: 2021-11-17
The Preview E-Mails for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the search_order parameter found in the ~/views/form.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.6.8. Read more here.
WordPress Popular Posts <= 5.3.2 Authenticated Arbitrary File Upload
Affected Plugin: WordPress Popular Posts
Plugin Slug: wordpress-popular-posts
Affected Versions: <= 5.3.2
CVE ID: CVE-2021-42362
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Original Researcher/s: Jerome Bruandet, NinTechNet
CVE Requester & Exploit Author: Simone Cristofaro
Fully Patched Version: 5.3.3
Recommended Remediation: Update to version 5.3.3, or newer.
Publication Date: 2021-11-12
The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2. Read more here.
Starter Templates — Elementor, Gutenberg & Beaver Builder Templates <= 2.7.0 Authenticated Block Import to Stored XSS
On sites that also had Elementor installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action. An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the url parameter pointed to their remotely-hosted malicious block, as well as an id parameter containing the post or page to overwrite.
Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitors to that page. Read more here.
Contact Form Email <= 1.3.24 Authenticated Stored Cross-Site Scripting
Affected Plugin: Contact Form Email
Plugin Slug: contact-form-to-email
Affected Versions: <= 1.3.24
CVE ID: CVE-2021-42361
CVSS Score: 4.8 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Mohammed Aadhil Ashfaq
Fully Patched Version: 1.3.25
Recommended Remediation: Update to version 1.3.25, or newer.
Publication Date: 2021-11-11
The Contact Form Email WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the name parameter found in the ~/trunk/cp-admin-int-list.inc.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.3.24. This only affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
WP DSGVO Tools (GDPR) <= 3.1.23 Unauthenticated Arbitrary Post Deletion
Affected Plugin: WP DSGVO Tools (GDPR)
Plugin Slug: shapepress-dsgvo
Affected Versions: <= 3.1.23
CVE ID: CVE-2021-42359
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 3.1.24
Recommended Remediation: Update to version 3.1.24, or newer.
Publication Date: 2021-11-02
WP DSGVO Tools (GDPR) <= 3.1.23 had an AJAX action, ‘admin-dismiss-unsubscribe‘, which lacked a capability check and a nonce check and was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanently delete an arbitrary post or page on the site by sending an AJAX request with the “action” parameter set to “admin-dismiss-unsubscribe” and the “id” parameter set to the post to be deleted. Sending such a request would move the post to the trash, and repeating the request would permanently delete the post in question.
Google Maps Easy <= 1.9.33 Authenticated Stored Cross-Site Scripting
Affected Plugin: Google Maps Easy
Plugin Slug: google-maps-easy
Affected Versions: <= 1.9.33
CVE ID: CVE-2021-39346
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: 1.10.1
Recommended Remediation: Update to version 1.10.1, or newer.
Publication Date: 2021-11-01
The Google Maps Easy WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/modules/marker_groups/views/tpl/mgrEditMarkerGroup.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.9.33. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
NextScripts: Social Networks Auto-Poster <= 4.3.20 Reflected Cross-Site Scripting
Affected Plugin: NextScripts: Social Networks Auto-Poster
Plugin Slug: social-networks-auto-poster-facebook-twitter-g
Affected Versions: <= 4.3.20
CVE ID: CVE-2021-38356
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 4.3.21
Recommended Remediation: Update to version 4.3.21, or newer.
Publication Date: 2021-10-28
The NextScripts: Social Networks Auto-Poster <= 4.3.20 WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $_REQUEST[‘page’] parameter which is echoed out on inc/nxs_class_snap.php by supplying the appropriate value ‘nxssnap-post’ to load the page in $_GET[‘page’] along with malicious JavaScript in $_POST[‘page’]. Read more here.
OptinMonster <= 2.6.4 Unprotected REST-API Endpoints
Affected Plugin: OptinMonster
Plugin Slug: optinmonster
Affected Versions: <= 2.6.4
CVE ID: CVE-2021-39341
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 2.6.5
Recommended Remediation: Update to version 2.6.5, or newer.
Publication Date: 2021-10-27
The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file that can used to exploit inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4. Read more here.
Hashthemes Demo Importer <= 1.1.1 Improper Access Control Allowing Content Deletion
Affected Plugin: Hashthemes Demo Importer
Plugin Slug: hashthemes-demo-importer
Affected Versions: <= 1.1.1
CVE ID: CVE-2021-39333
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 1.1.2
Recommended Remediation: Update to version 1.1.2, or newer.
Publication Date: 2021-10-26
The Hashthemes Demo Importer Plugin <= 1.1.1 for WordPress contained several AJAX functions which relied on a nonce which was visible to all logged-in users for access control, allowing them to execute a function that truncated nearly all database tables and removed the contents of wp-content/uploads. Read more here.
Notification – Custom Notifications and Alerts for WordPress <= 7.2.4 Authenticated Stored Cross-Site Scripting
The Notification WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/src/classes/Utils/Settings.php file which made it possible for attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 7.2.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Easy Digital Downloads <= 2.11.2 Authenticated Reflected Cross-Site Scripting
Affected Plugin: Easy Digital Downloads
Plugin Slug: easy-digital-downloads
Affected Versions: <= 2.11.2
CVE ID: CVE-2021-39354
CVSS Score: 4.8 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: 2.11.2.1
Recommended Remediation: Update to version 2.11.2.1, or newer.
Publication Date: 2021-10-21
The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2.
Catch Themes Demo Import <= 1.7 Admin+ Arbitrary File Upload
Affected Plugin: Catch Themes Demo Import
Plugin Slug: catch-themes-demo-import
Affected Versions: <= 1.7
CVE ID: CVE-2021-39352
CVSS Score: 9.1 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Researcher/s: Thinkland Security Team
Fully Patched Version: 1.8
Recommended Remediation: Update to version 1.8, or newer.
Publication Date: 2021-10-21
The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution.
Simple Job Board <= 2.9.4 Authenticated Stored Cross-Site Scripting
Affected Plugin: Simple Job Board
Plugin Slug: simple-job-board
Affected Versions: <= 2.9.4
CVE ID: CVE-2021-39328
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: 2.9.5
Recommended Remediation: Update to version 2.9.5, or newer.
Publication Date: 2021-10-21
The Simple Job Board WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $job_board_privacy_policy_label variable echo’d out via the ~/admin/settings/class-simple-job-board-settings-privacy.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.9.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Sassy Social Share 3.3.23 – PHP Object Injection
Affected Plugin: Sassy Social Share
Plugin Slug: sassy-social-share
Affected Versions: 3.3.23
CVE ID: CVE-2021-39321
CVSS Score: 6.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.3.24
Recommended Remediation: Update to version 3.3.24, or newer.
Publication Date: 2021-10-20
Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection that can be exploited by subscriber-level users via the wp_ajax_heateor_sss_import_config AJAX action due to a missing capability check in the import_config function found in the ~/admin/class-sassy-social-share-admin.php file along with the implementation of deserialization on user supplied inputs passed through the config parameter. Read more here.
Leaky Paywall <= 4.16.5 Authenticated Stored Cross-Site Scripting
Affected Plugin: Leaky Paywall
Plugin Slug: leaky-paywall
Affected Versions: <= 4.16.5
CVE ID: CVE-2021-39357
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-18
The Leaky Paywall WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via the ~/class.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.16.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Content Staging <= 2.0.1 Authenticated Stored Cross-Site Scripting
Affected Plugin: Content Staging
Plugin Slug: content-staging
Affected Versions: <= 2.0.1
CVE ID: CVE-2021-39356
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-18
The Content Staging WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via several parameters that are echo’d out via the ~/templates/settings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.0.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
LearnPress – WordPress LMS Plugin <= 4.1.3.1 Authenticated Stored Cross-Site Scripting
Affected Plugin: LearnPress – WordPress LMS Plugin
Plugin Slug: learnpress
Affected Versions: <= 4.1.3.1
CVE ID: CVE-2021-39348
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: 4.1.3.2
Recommended Remediation: Update to version 4.1.3.2, or newer.
Publication Date: 2021-10-18
The LearnPress WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $custom_profile parameter found in the ~/inc/admin/views/backend-user-profile.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.3.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. Please note that this is separate issue from CVE-2021-24702.
Indeed Job Importer <= 1.0.5 Authenticated Stored Cross-Site Scripting
Affected Plugin: Indeed Job Importer
Plugin Slug: indeed-job-importer
Affected Versions: <= 1.0.5
CVE ID: CVE-2021-39355
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-15
The Indeed Job Importer WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/indeed-job-importer/trunk/indeed-job-importer.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
MPL-Publisher – Self-publish your book & ebook <= 1.30.2 Authenticated Stored Cross-Site Scripting
Affected Plugin: MPL-Publisher
Plugin Slug: mpl-publisher
Affected Versions: <= 1.30.2
CVE ID: CVE-2021-39343
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-15
The MPL-Publisher WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/libs/PublisherController.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.30.2. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
JobBoardWP – Job Board Listings and Submissions <= 1.0.7 Authenticated Stored Cross-Site Scripting
The JobBoardWP WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includes/admin/class-metabox.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.6. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Author Bio Box <= 3.3.1 Authenticated Stored Cross-Site Scripting
Affected Plugin: Author Bio Box
Plugin Slug: author-bio-box
Affected Versions: <= 3.3.1
CVE ID: CVE-2021-39349
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14
The Author Bio Box WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includes/admin/class-author-bio-box-admin.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 3.3.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
HAL <= 2.1.1 Authenticated Stored Cross-Site Scripting
Affected Plugin: HAL
Plugin Slug: hal
Affected Versions: <= 2.1.1
CVE ID: CVE-2021-39345
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14
The HAL WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/wp-hal.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.1.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
KJM Admin Notices <= 2.0.1 Authenticated Stored Cross-Site Scripting
Affected Plugin: KJM Admin Notices
Plugin Slug: kjm-admin-notices
Affected Versions: <= 2.0.1
CVE ID: CVE-2021-39344
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14
The KJM Admin Notices WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin/class-kjm-admin-notices-admin.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.0.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
MyBB Cross-Poster <= 1.0 Authenticated Stored Cross-Site Scripting
Affected Plugin: MyBB Cross-Poster
Plugin Slug: mybb-cross-poster
Affected Versions: <= 1.0
CVE ID: CVE-2021-39338
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14
The MyBB Cross-Poster WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/classes/MyBBXPSettings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
job-portal <= 0.0.1 Authenticated Stored Cross-Site Scripting
Affected Plugin: job-portal
Plugin Slug: job-portal
Affected Versions: <= 0.0.1
CVE ID: CVE-2021-39337
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14
The job-portal WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin/jobs_function.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 0.0.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Job Manager <= 0.7.25 Authenticated Stored Cross-Site Scripting
Affected Plugin: Job Manager
Plugin Slug: job-manager
Affected Versions: <= 0.7.25
CVE ID: CVE-2021-39336
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14
The Job Manager WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin-jobs.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 0.7.25. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
WpGenius Job Listing <= 1.0.2 Authenticated Stored Cross-Site Scripting
Affected Plugin: WpGenius Job Listing
Plugin Slug: wpgenious-job-listing
Affected Versions: <= 1.0
CVE ID: CVE-2021-39335
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14
The WpGenius Job Listing WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/src/admin/class/class-wpgenious-job-listing-options.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.2. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Job Board Vanila Plugin <= 1.0 Authenticated Stored Cross-Site Scripting
Affected Plugin: Job Board Vanila Plugin
Plugin Slug: job-board-vanilla
Affected Versions: <= 1.0
CVE ID: CVE-2021-39334
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14
The Job Board Vanila WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via the psjb_exp_in and the psjb_curr_in parameters found in the ~/job-settings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.4.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Business Manager – WordPress ERP, HR, CRM, and Project Management Plugin <= 1.4.5 Authenticated Stored Cross-Site Scripting
Affected Plugin: Business Manager
Plugin Slug: business-manager
Affected Versions: <= 1.4.5
CVE ID: CVE-2021-39332
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14
The Business Manager WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization found throughout the plugin which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.4.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Brizy – Page Builder <= 2.3.11 Authenticated File Upload and Path Traversal
Affected Plugin: Brizy – Page Builder
Plugin Slug: brizy
Affected Versions: <= 2.3.11
CVE ID: CVE-2021-38346
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 2.3.12
Recommended Remediation: Update to version 2.3.12, or newer.
Publication Date: 2021-10-13
The Brizy Page Builder plugin <= 2.3.11 for WordPress allowed authenticated users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action. The file would be named using the id parameter, which could be prepended with “…/” to perform directory traversal, and the file contents were populated via the ibsf parameter, which would be base64-decoded and written to the file. While the plugin added a .jpg extension to all uploaded filenames, a double extension attack was still possible, e.g. a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations. Read more here.
Brizy – Page Builder <= 2.3.11 Authenticated Stored Cross-Site Scripting
Affected Plugin: Brizy – Page Builder
Plugin Slug: brizy
Affected Versions: <= 2.3.11
CVE ID: CVE-2021-38344
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 2.3.12
Recommended Remediation: Update to version 2.3.12, or newer.
Publication Date: 2021-10-13
The Brizy Page Builder plugin <= 2.3.11 for WordPress was vulnerable to stored XSS by lower-privileged users such as a subscribers. It was possible to add malicious JavaScript to a page by modifying the request sent to update the page via the brizy_update_item AJAX action and adding JavaScript to the data parameter, which would be executed in the session of any visitor viewing or previewing the post or page. Read more here.
Brizy – Page Builder <= 1.0.125 and 1.0.127 – 2.3.11 Incorrect Authorization Checks Allowing Post Modification
Affected Plugin: Brizy – Page Builder
Plugin Slug: brizy
Affected Versions: <= 1.0.125 and 1.0.127 – 2.3.11
CVE ID: CVE-2021-38345
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Researcher/s: Ramuel Gall
Fully Patched Version: 2.3.12
Recommended Remediation: Update to version 2.3.12, or newer.
Publication Date: 2021-10-13
The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. An identical issue was found by another researcher in Brizy <= 1.0.125 and fixed in version 1.0.126, but the vulnerability was reintroduced in version 1.0.127. Read more here.
Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress <= 5.0.06 Authenticated Stored Cross-Site Scripting
The Formidable Form Builder WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization found in the ~/classes/helpers/FrmAppHelper.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 5.0.06. This only affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Access Demo Importer <= 1.0.6 – Authenticated Arbitrary File Upload
Affected Plugin: Access Demo Importer
Plugin Slug: access-demo-importer
Affected Versions: <= 1.0.6
CVE ID: CVE-2021-39317
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 1.0.7
Recommended Remediation: Update to version 1.0.7, or newer.
Publication Date: 2021-10-06
Versions up to, and including, 1.0.6, of the Access Demo Importer WordPress plugin are vulnerable to arbitrary file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the ~/inc/demo-functions.php. Read more here.
WP Bannerize 2.0.0 – 4.0.2 – Authenticated SQL Injection
Affected Plugin: WP Bannerize
Plugin Slug: wp-bannerize
Affected Versions: 2.0.0 – 4.0.2
CVE ID: CVE-2021-39351
CVSS Score: 7.7 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Researcher/s: Margaux DABERT from Intrinsec
Fully Patched Version: Unpatched.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-05
The WP Bannerize WordPress plugin is vulnerable to authenticated SQL injection via the id parameter found in the ~/Classes/wpBannerizeAdmin.php file which allows attackers to exfiltrate sensitive information from vulnerable sites. This issue affects versions 2.0.0 – 4.0.2.
FV Flowplayer Video Player <= 7.5.0.727 – 7.5.2.727 Reflected Cross-Site Scripting
Affected Plugin: FV Flowplayer Video Player
Plugin Slug: fv-wordpress-flowplayer
Affected Versions: 7.5.0.727 – 7.5.2.727
CVE ID: CVE-2021-39350
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Margaux DABERT from Intrinsec & Erwan from WPScan*
Fully Patched Version: 7.5.3.727
Recommended Remediation: Update to version 7.5.3.727, or newer.
Publication Date: 2021-10-05
The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject arbitrary web scripts, in versions 7.5.0.727 – 7.5.2.727.
*Both researchers discovered this vulnerability independently around the same time and both disclosed to the vendor independently.
Stripe for WooCommerce 3.0.0 – 3.3.9 Missing Authorization Controls to Financial Account Hijacking
Affected Plugin: Stripe for WooCommerce
Plugin Slug: woo-stripe-payment
Affected Versions: 3.0.0 – 3.3.9
CVE ID: CVE-2021-39347
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher/s: Margaux DABERT from Intrinsec
Fully Patched Version: 3.3.10
Recommended Remediation: Update to version 3.3.10, or newer.
Publication Date: 2021-10-01
The Stripe for WooCommerce WordPress plugin is missing a capability check on the save() function found in the ~/includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use other site users unique STRIPE identifier and make purchases with their payment accounts. This affects versions 3.0.0 – 3.3.9.
Credova_Financial <= 1.4.8 Sensitive Information Disclosure
Affected Plugin: Credova_Financial
Plugin Slug: credova-financial
Affected Versions: <= 1.4.8
CVE ID: CVE-2021-39342
CVSS Score: 5.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Researcher/s: Marvin Santos
Fully Patched Version: 1.4.9
Recommended Remediation: Update to version 1.4.9, or newer.
Publication Date: 2021-09-29
The Credova_Financial WordPress plugin discloses a site’s associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled. This affects versions up to, and including, 1.4.8.
Countdown and CountUp, WooCommerce Sales Timers <= 1.5.7 Cross-Site Request Forgery to Stored Cross-Site Scripting
The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_theme function found in the ~/includes/admin/coundown_theme_page.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.7.
Ninja Forms <= 3.5.7 Unprotected REST-API to Email Injection
Affected Plugin: Ninja Forms
Plugin Slug: ninja-forms
Affected Versions: <= 3.5.7
CVE ID: CVE-2021-34648
CVSS Score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.5.8
Recommended Remediation: Update to version 3.5.8, or newer.
Publication Date: 2021-09-22
The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the /ninja-forms-submissions/email-action REST API which can be used to socially engineer victims. Read more here.
Ninja Forms <= 3.5.7 Unprotected REST-API to Sensitive Information Disclosure
Affected Plugin: Ninja Forms
Plugin Slug: ninja-forms
Affected Versions: <= 3.5.7
CVE ID: CVE-2021-34647
CVSS Score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.5.8
Recommended Remediation: Update to version 3.5.8, or newer.
Publication Date: 2021-09-22
The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the /ninja-forms-submissions/export REST API which can include personally identifiable information. Read more here.
Telefication <= 1.8.0 Open Relay and Server-Side Request Forgery
Affected Plugin: Telefication
Plugin Slug: telefication
Affected Versions: <= 1.8.0
CVE ID: CVE-2021-39339
CVSS Score: 5.8 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
Researcher/s: Marco Wotschka & Charles Strader Sweethill
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-21
The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0.
OptinMonster <= 2.6.0 Reflected Cross-Site Scripting
Affected Plugin: OptinMonster
Plugin Slug: optinmonster
Affected Versions: <= 2.6.0
CVE ID: CVE-2021-39325
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Mariia Aleksandrova
Fully Patched Version: 2.6.1
Recommended Remediation: Update to version 2.6.1, or newer.
Publication Date: 2021-09-20
The OptinMonster WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient input validation in the load_previews function found in the ~/OMAPI/Output.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.6.0.
** eID Easy <= 4.6 Reflected Cross-Site Scripting**
Affected Plugin: eID Easy
Plugin Slug: smart-id
Affected Versions: <= 4.6
CVE ID: CVE-2021-34650
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: 4.7
Recommended Remediation: Update to version 4.7, or newer.
Publication Date: 2021-09-17
The eID Easy WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the error parameter found in the ~/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.6.
BulletProof Security <= 5.1 Sensitive Information Disclosure
Affected Plugin: BulletProof Security
Plugin Slug: bulletproof-security
Affected Versions: <= 5.1
CVE ID: CVE-2021-39327
CVSS Score: 5.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Researcher/s: Vincent Rakotomanga
Fully Patched Version: 5.2
Recommended Remediation: Update to version 5.2, or newer.
Publication Date: 2021-09-16
The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1.
wp-publications <= 0.0 Local File Include
Affected Plugin: wp-publications
Plugin Slug: wp-publications
Affected Versions: <= 0.0
CVE ID: CVE-2021-38360
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The wp-publications WordPress plugin is vulnerable to restrictive local file inclusion via the Q_FILE parameter found in the ~/bibtexbrowser.php file which allows attackers to include local zip files and achieve remote code execution, in versions up to and including 0.0.
WordPress InviteBox Plugin for viral Refer-a-Friend Promotions <= 1.4.1 Reflected Cross-Site Scripting
Affected Plugin: WordPress InviteBox Plugin
Plugin Slug: refer-a-friend-widget-for-wp
Affected Versions: <= 1.4.1
CVE ID: CVE-2021-38359
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The WordPress InviteBox Plugin for viral Refer-a-Friend Promotions WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the message parameter found in the ~/admin/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.1.
MoolaMojo <= 0.7.4.1 Reflected Cross-Site Scripting
Affected Plugin: MoolaMojo
Plugin Slug: moolamojo
Affected Versions: <= 0.7.4.1
CVE ID: CVE-2021-38358
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The MoolaMojo WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the classes parameter found in the ~/views/button-generator.html.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.4.1.
SMS OVH <= 0.1 Reflected Cross-Site Scripting
Affected Plugin: SMS OVH
Plugin Slug: sms-ovh
Affected Versions: <= 0.1
CVE ID: CVE-2021-38357
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The SMS OVH WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the position parameter found in the ~/sms-ovh-sent.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.1.
Bug Library <= 2.0.3 Reflected Cross-Site Scripting
Affected Plugin: Bug Library
Plugin Slug: bug-library
Affected Versions: <= 2.0.3
CVE ID: CVE-2021-38355
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The Bug Library WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the successimportcount parameter found in the ~/bug-library.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.3.
GNU-Mailman Integration <= 1.0.6 Reflected Cross-Site Scripting
Affected Plugin: GNU-Mailman Integration
Plugin Slug: gnu-mailman-integration
Affected Versions: <= 1.0.6
CVE ID: CVE-2021-38354
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The GNU-Mailman Integration WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the gm_error parameter found in the ~/includes/admin/mailing-lists-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.6.
Dropdown and scrollable Text <= 2.0 Reflected Cross-Site Scripting
Affected Plugin: Dropdown and scrollable Text
Plugin Slug: dropdown-and-scrollable-text
Affected Versions: <= 2.0
CVE ID: CVE-2021-38353
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The Dropdown and scrollable Text WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the content parameter found in the ~/index.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.
Feedify – Web Push Notifications <= 2.1.8 Reflected Cross-Site Scripting
Affected Plugin: Feedify – Web Push Notifications
Plugin Slug: push-notification-by-feedify
Affected Versions: <= 2.1.8
CVE ID: CVE-2021-38352
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The Feedify – Web Push Notifications WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the feedify_msg parameter found in the ~/includes/base.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.8.
OSD Subscribe <= 1.2.3 Reflected Cross-Site Scripting
Affected Plugin: OSD Subscribe
Plugin Slug: osd-subscribe
Affected Versions: <= 1.2.3
CVE ID: CVE-2021-38351
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The OSD Subscribe WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the osd_subscribe_message parameter found in the ~/options/osd_subscribe_options_subscribers.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.3.
spideranalyse <= 0.0.1 Reflected Cross-Site Scripting
Affected Plugin: spideranalyse
Plugin Slug: spideranalyse
Affected Versions: <= 0.0.1
CVE ID: CVE-2021-38350
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The spideranalyse WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the date parameter found in the ~/analyse/index.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.1.
Integration of Moneybird for WooCommerce <= 2.1.1 Reflected Cross-Site Scripting
The Integration of Moneybird for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the error_description parameter found in the ~/templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1.
Advance Search <= 1.1.2 Reflected Cross-Site Scripting
Affected Plugin: Advance Search
Plugin Slug: advance-search
Affected Versions: <= 1.1.2
CVE ID: CVE-2021-38348
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The Advance Search WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the wpas_id parameter found in the ~/inc/admin/views/html-advance-search-admin-options.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.1.2.
Custom Website Data <= 2.2 Reflected Cross-Site Scripting
Affected Plugin: Custom Website Data
Plugin Slug: simple-custom-website-data
Affected Versions: <= 2.2
CVE ID: CVE-2021-38347
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The Custom Website Data WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter found in the ~/views/edit.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.2.
WooCommerce Payment Gateway Per Category <= 2.0.10 Reflected Cross-Site Scripting
Affected Plugin: WooCommerce Payment Gateway Per Category
Plugin Slug: wc-payment-gateway-per-category
Affected Versions: <= 2.0.10
CVE ID: CVE-2021-38341
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The WooCommerce Payment Gateway Per Category WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/includes/plugin_settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.10.
WordPress Simple Shop <= 1.2 Reflected Cross-Site Scripting
Affected Plugin: WordPress Simple Shop
Plugin Slug: webful-simple-grocery-shop
Affected Versions: <= 1.2
CVE ID: CVE-2021-38340
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The WordPress Simple Shop WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the update_row parameter found in the ~/includes/add_product.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.
Simple Matted Thumbnails <= 1.01 Reflected Cross-Site Scripting
Affected Plugin: Simple Matted Thumbnails
Plugin Slug: simple-matted-thumbnails
Affected Versions: <= 1.01
CVE ID: CVE-2021-38339
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The Simple Matted Thumbnails WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/simple-matted-thumbnail.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.01.
Border Loading Bar <= 1.0.1 Reflected Cross-Site Scripting
Affected Plugin: Border Loading Bar
Plugin Slug: border-loading-bar
Affected Versions: <= 1.0.1
CVE ID: CVE-2021-38338
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The Border Loading Bar WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the f and t parameter found in the ~/titan-framework/iframe-googlefont-preview.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1.
RSVPMaker Excel <= 1.1 Reflected Cross-Site Scripting
Affected Plugin: RSVPMaker Excel
Plugin Slug: rsvpmaker-excel
Affected Versions: <= 1.1
CVE ID: CVE-2021-38337
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The RSVPMaker Excel WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/phpexcel/PHPExcel/Shared/JAMA/docs/download.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.1.
Edit Comments XT <= 1.0 Reflected Cross-Site Scripting
Affected Plugin: Edit Comments XT
Plugin Slug: edit-comments-xt
Affected Versions: <= 1.0
CVE ID: CVE-2021-38336
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The Edit Comments XT WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/edit-comments-xt.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.
Wise Agent Capture Forms <= 1.0 Reflected Cross-Site Scripting
Affected Plugin: Wise Agent Capture Forms
Plugin Slug: wiseagentleadform
Affected Versions: <= 1.0
CVE ID: CVE-2021-38335
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The Wise Agent Capture Forms WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/WiseAgentCaptureForm.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.
WP Design Maps & Places <= 1.2 Reflected Cross-Site Scripting
Affected Plugin: WP Design Maps & Places
Plugin Slug: wp-design-maps-places
Affected Versions: <= 1.2
CVE ID: CVE-2021-38334
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The WP Design Maps & Places WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the filename parameter found in the ~/wpdmp-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.
WP Scrippets <= 1.5.1 Reflected Cross-Site Scripting
Affected Plugin: WP Scrippets
Plugin Slug: wp-scrippets
Affected Versions: <= 1.5.1
CVE ID: CVE-2021-38333
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The WP Scrippets WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/wp-scrippets.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.1.
On Page SEO + Whatsapp Chat Button <= 1.0.1 Reflected Cross-Site Scripting
Affected Plugin: On Page SEO + Whatsapp Chat Button
Plugin Slug: ops-robots-txt
Affected Versions: <= 1.0.1
CVE ID: CVE-2021-38332
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The On Page SEO + Whatsapp Chat Button Plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1.
WP-T-Wap <= 1.13.2 Reflected Cross-Site Scripting
Affected Plugin: WP-T-Wap
Plugin Slug: wp-t-wap
Affected Versions: <= 1.13.2
CVE ID: CVE-2021-38331
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The WP-T-Wap WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the posted parameter found in the ~/wap/writer.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.13.2.
Yet Another bol.com Plugin <= 1.4 Reflected Cross-Site Scripting
Affected Plugin: Yet Another bol.com Plugin
Plugin Slug: yabp
Affected Versions: <= 1.4
CVE ID: CVE-2021-38330
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The Yet Another bol.com Plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/yabp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.
DJ EmailPublish <= 1.7.2 Reflected Cross-Site Scripting
Affected Plugin: DJ EmailPublish
Plugin Slug: dj-email-publish
Affected Versions: <= 1.7.2
CVE ID: CVE-2021-38329
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The DJ EmailPublish WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/dj-email-publish.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.7.2.
Notices <= 6.1 Reflected Cross-Site Scripting
Affected Plugin: Notices
Plugin Slug: notices
Affected Versions: <= 6.1
CVE ID: CVE-2021-38328
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The Notices WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/notices.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 6.1.
YouTube Video Inserter <= 1.2.1.0 Reflected Cross-Site Scripting
Affected Plugin: YouTube Video Inserter
Plugin Slug: youtube-video-inserter
Affected Versions: <= 1.2.1.0
CVE ID: CVE-2021-38327
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The YouTube Video Inserter WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/adminUI/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.1.0.
Post Title Counter <= 1.1 Reflected Cross-Site Scripting
Affected Plugin: Post Title Counter
Plugin Slug: post-title-counter
Affected Versions: <= 1.1
CVE ID: CVE-2021-38326
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09
The Post Title Counter WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the notice parameter found in the ~/post-title-counter.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.1.
User Activation Email <= 1.3.0 Reflected Cross-Site Scripting
Affected Plugin: User Activation Email
Plugin Slug: user-activation-email
Affected Versions: <= 1.3.0
CVE ID: CVE-2021-38325
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08
The User Activation Email WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the uae-key parameter found in the ~/user-activation-email.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.0.
SP Rental Manager <= 1.5.3 Unauthenticated SQL Injection
Affected Plugin: SP Rental Manager
Plugin Slug: sp-rental-manager
Affected Versions: <= 1.5.3
CVE ID: CVE-2021-38324
CVSS Score: 8.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08
The SP Rental Manager WordPress plugin is vulnerable to SQL Injection via the orderby parameter found in the ~/user/shortcodes.php file which allows attackers to retrieve information contained in a site’s database, in versions up to and including 1.5.3.
RentPress <= 6.6.4 Reflected Cross-Site Scripting
Affected Plugin: RentPress
Plugin Slug: rentpress
Affected Versions: <= 6.6.4
CVE ID: CVE-2021-38323
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08
The RentPress WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the selections parameter found in the ~/src/rentPress/AjaxRequests.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 6.6.4.
Twitter Friends Widget <= 3.1 Reflected Cross-Site Scripting
Affected Plugin: Twitter Friends Widget
Plugin Slug: twitter-friends-widget
Affected Versions: <= 3.1
CVE ID: CVE-2021-38322
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08
The Twitter Friends Widget WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the pmc_TF_user and pmc_TF_password parameter found in the ~/twitter-friends-widget.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.1.
Custom Menu Plugin <= 1.3.3 Reflected Cross-Site Scripting
Affected Plugin: Custom Menu Plugin
Plugin Slug: custom-sub-menus
Affected Versions: <= 1.3.3
CVE ID: CVE-2021-38321
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08
The Custom Menu Plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the selected_menu parameter found in the ~/custom-menus.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.3.
simpleSAMLphp Authentication <= 0.7.0 Reflected Cross-Site Scripting
Affected Plugin: simpleSAMLphp Authentication
Plugin Slug: simplesamlphp-authentication
Affected Versions: <= 0.7.0
CVE ID: CVE-2021-38320
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08
The simpleSAMLphp Authentication WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/simplesamlphp-authentication.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.0.
More From Google <= 0.0.2 Reflected Cross-Site Scripting
Affected Plugin: More From Google
Plugin Slug: more-from-google
Affected Versions: <= 0.0.2
CVE ID: CVE-2021-38319
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08
The More From Google WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/morefromgoogle.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.2.
3D Cover Carousel <= 1.0 Reflected Cross-Site Scripting
Affected Plugin: 3D Cover Carousel
Plugin Slug: 3d-cover-carousel
Affected Versions: <= 1.0
CVE ID: CVE-2021-38318
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08
The 3D Cover Carousel WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter in the ~/cover-carousel.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.
Konnichiwa! Membership <= 0.8.3 Reflected Cross-Site Scripting
Affected Plugin: Konnichiwa! Membership
Plugin Slug: konnichiwa
Affected Versions: <= 0.8.3
CVE ID: CVE-2021-38317
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08
The Konnichiwa! Membership WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the plan_id parameter in the ~/views/subscriptions.html.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.8.3.
WP Academic People List <= 0.4.1 Reflected Cross-Site Scripting
Affected Plugin: WP Academic People List
Plugin Slug: wp-academic-people
Affected Versions: <= 0.4.1
CVE ID: CVE-2021-38316
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08
The WP Academic People List WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the category_name parameter in the ~/admin-panel.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.4.1.
Gutenberg Template Library & Redux Framework <= 4.2.11 Sensitive Information Disclosure
The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the includes function in redux-core/class-redux-core.php that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of ‘-redux’ and an md5 hash of the previous hash with a known salt value of ‘-support’. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site’s PHP version, and an unsalted md5 hash of site’s AUTH_KEY concatenated with the SECURE_AUTH_KEY. Read More Here.
Gutenberg Template Library & Redux Framework <= 4.2.11 Incorrect Authorization Check to Arbitrary Plugin Installation and Post Deletion
The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress used an incorrect authorization check in the REST API endpoints registered under the “redux/v1/templates/” REST Route in “redux-templates/classes/class-api.php”. The permissions_callback used in this file only checked for the edit_posts capability which is granted to lower-privileged users such as contributors, allowing such users to install arbitrary plugins from the WordPress repository and edit arbitrary posts. Read More Here.
Easy Social Icons <= 3.0.8 – Reflected Cross-Site Scripting
Affected Plugin: Easy Social Icons
Plugin Slug: easy-social-icons
Affected Versions: <= 3.0.8
CVE ID: CVE-2021-39322
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Ram Gall
Fully Patched Version: 3.0.9
Recommended Remediation: Update to version 3.0.9, or newer.
Publication Date: 2021-09-01
The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of $_SERVER['PHP_SELF'] in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path.
underConstruction <= 1.18 – Reflected Cross-Site Scripting
Affected Plugin: underConstruction
Plugin Slug: underconstruction
Affected Versions: <= 1.18
CVE ID: CVE-2021-39320
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Ram Gall
Fully Patched Version: 1.19
Recommended Remediation: Update to version 1.19, or newer.
Publication Date: 2021-08-31
The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of $GLOBALS['PHP_SELF'] in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path.
DZS Zoomsounds <= 6.45 Unauthenticated Directory Traversal
Affected Plugin: DZS Zoomsounds
Plugin Slug: dzs-zoomsounds
Affected Versions: <= 6.45
CVE ID: CVE-2021-39316
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Researcher/s: DigitalJessica Ltd
Fully Patched Version: 6.50
Recommended Remediation: Update to version 6.50 or newer.
Publication Date: 2021-08-30
The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the dzsap_download action using directory traversal in the link parameter.
Nested Pages <= 3.1.15 Open Redirect
Affected Plugin: Nested Pages
Plugin Slug: wp-nested-pages
Affected Versions: <= 3.1.15
CVE ID: CVE-2021-38343
CVSS Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Researcher/s: Ram Gall
Fully Patched Version: 3.1.16
Recommended Remediation: Update to version 3.1.16 or newer.
Publication Date: 2021-08-25
The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to an Open Redirect via the page POST parameter in the npBulkActions, npBulkEdit, npListingSort, and npCategoryFilter admin_post actions. Read more here.
Nested Pages <= 3.1.15 Cross-Site Request Forgery to Arbitrary Post Deletion and Modification
Affected Plugin: Nested Pages
Plugin Slug: wp-nested-pages
Affected Versions: <= 3.1.15
CVE ID: CVE-2021-38342
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Researcher/s: Ram Gall
Fully Patched Version: 3.1.16
Recommended Remediation: Update to version 3.1.16 or newer.
Publication Date: 2021-08-25
The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to Cross-Site Request Forgery via the npBulkActions and npBulkEdit admin_post actions, which allowed attackers to trash or permanently purge arbitrary posts as well as changing their status, reassigning their ownership, and editing other metadata. Read more here.
WordPress Real Media Library <= 4.14.1 Author-only Stored Cross-Site Scripting
Affected Plugin: WordPress Real Media Library
Plugin Slug: real-media-library-lite
Affected Versions: <= 4.14.1
CVE ID: CVE-2021-34668
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: 4.14.2
Recommended Remediation: Update to version 4.14.2 or newer.
Publication Date: 2021-08-25
The WordPress Real Media Library WordPress plugin is vulnerable to Stored Cross-Site Scripting via the name parameter in the ~/inc/overrides/lite/rest/Folder.php file which allows author-level attackers to inject arbitrary web scripts in folder names, in versions up to and including 4.14.1.
Booster for WooCommerce <= 5.4.3 Authentication Bypass
Affected Plugin: Booster For WooCommerce
Plugin Slug: woocommerce-jetpack
Affected Versions: <= 5.4.3
CVE ID: CVE-2021-34646
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 5.4.4
Recommended Remediation: Update to version 5.4.4 or newer.
Publication Date: 2021-08-24
Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the ~/includes/class-wcj-emails-verification.php file. This allows attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Email Verification module to be active in the plugin and the Login User After Successful Verification setting to be enabled, which it is by default. Read more here.
Shopping Cart & eCommerce Store <= 5.1.0 Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected Plugin: Shopping Cart & eCommerce Store
Plugin Slug: wp-easycart
Affected Versions: <= 5.1.0
CVE ID: CVE-2021-34645
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Xu-Liang Liao
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-18
The Shopping Cart & eCommerce Store WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_currency_settings function found in the ~/admin/inc/wp_easycart_admin_initial_setup.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.1.0.
SP Project & Document Manager <= 4.25 Attribute-based Reflected Cross-Site Scripting
Affected Plugin: SP Project & Document Manager
Plugin Slug: sp-client-document-manager
Affected Versions: <= 4.25
CVE ID: CVE-2021-38315
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-16
The SP Project & Document Manager WordPress plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the ~/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.25.
SEOPress 5.0.0 – 5.0.3 Authenticated Stored Cross-Site Scripting
Affected Plugin: SEOPress
Plugin Slug: wp-seopress
Affected Versions: 5.0.0 – 5.0.3
CVE ID: CVE-2021-34641
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 5.0.4
Recommended Remediation: Update to version 5.0.4 or newer.
Publication Date: 2021-08-16
The SEOPress WordPress plugin is vulnerable to Stored Cross-Site-Scripting via the processPut function found in the ~/src/Actions/Api/TitleDescriptionMeta.php file which allows authenticated attackers to inject arbitrary web scripts, in versions 5.0.0 – 5.0.3. Read more here.
Calendar_plugin <= 1.0 Reflected Cross-Site Scripting
Affected Plugin: Calendar_plugin
Plugin Slug: calendar-plugin
Affected Versions: <= 1.0
CVE ID: CVE-2021-34667
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The Calendar_plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/calendar.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.
Add Sidebar <= 2.0.0 Reflected Cross-Site Scripting
Affected Plugin: Add Sidebar
Plugin Slug: sidebar-adder
Affected Versions: <= 2.0.0
CVE ID: CVE-2021-34666
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The Add Sidebar WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the add parameter in the ~/wp_sidebarMenu.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.0.
** WP SEO Tags <= 2.2.7 Reflected Cross-Site Scripting**
Affected Plugin: WP SEO Tags
Plugin Slug: wp-seo-tags
Affected Versions: <= 2.2.7
CVE ID: CVE-2021-34665
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The WP SEO Tags WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the saq_txt_the_filter parameter in the ~/wp-seo-tags.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.2.7.
Moova for WooCommerce <= 3.5 Reflected Cross-Site Scripting
Affected Plugin: Moova for WooCommerce
Plugin Slug: moova-for-woocommerce
Affected Versions: <= 3.5
CVE ID: CVE-2021-34664
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The Moova for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the lat parameter in the ~/Checkout/Checkout.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5.
jQuery Tagline Rotator <= 0.1.5 Reflected Cross-Site Scripting
Affected Plugin: jQuery Tagline Rotator
Plugin Slug: jquery-tagline-rotator
Affected Versions: <= 0.1.5
CVE ID: CVE-2021-34663
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The jQuery Tagline Rotator WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/jquery-tagline-rotator.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.1.5.
Plugmatter Pricing Table Lite <= 1.0.32 Reflected Cross-Site Scripting
Affected Plugin: Plugmatter Pricing Table Lite
Plugin Slug: plugmatter-pricing-table
Affected Versions: <= 1.0.32
CVE ID: CVE-2021-34659
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The Plugmatter Pricing Table Lite WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the email parameter in the ~/license.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.32.
** Simple Popup Newsletter <= 1.4.7 Reflected Cross-Site Scripting**
Affected Plugin: Simple Popup Newsletter
Plugin Slug: simple-popup-newsletter
Affected Versions: <= 1.4.7
CVE ID: CVE-2021-34658
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The Simple Popup Newsletter WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/simple-popup-newsletter.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.7.
TypoFR <= 0.11 Reflected Cross-Site Scripting
Affected Plugin: TypoFR
Plugin Slug: typofr
Affected Versions: <= 0.11
CVE ID: CVE-2021-34657
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The 2TypoFR WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the text function found in the ~/vendor/Org_Heigl/Hyphenator/index.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.11.
WP Songbook <= 2.0.11 Reflected Cross-Site Scripting
Affected Plugin: WP Songbook
Plugin Slug: wp-songbook
Affected Versions: <= 2.0.11
CVE ID: CVE-2021-34655
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The WP Songbook WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the url parameter found in the ~/inc/class.ajax.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.11.
Custom Post Type Relations <= 1.0 Reflected Cross-Site Scripting
Affected Plugin: Custom Post Type Relations
Plugin Slug: custom-post-type-relations
Affected Versions: <= 1.0
CVE ID: CVE-2021-34654
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The Custom Post Type Relations WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the cptr[name] parameter found in the ~/pages/admin-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.
2Way VideoCalls and Random Chat – HTML5 Webcam Videochat <= 5.2.7 Reflected Cross-Site Scripting
The 2Way VideoCalls and Random Chat – HTML5 Webcam Videochat WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the vws_notice function found in the ~/inc/requirements.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.2.7.
WP Fountain <= 1.5.9 Reflected Cross-Site Scripting
Affected Plugin:WP Fountain
Plugin Slug: wp-fountain
Affected Versions: <= 1.5.9
CVE ID: CVE-2021-34653
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The WP Fountain WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/wp-fountain.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.9.
Media Usage <= 0.0.4 Reflected Cross-Site Scripting
Affected Plugin:Media Usage
Plugin Slug: media-usage
Affected Versions: <= 0.0.4
CVE ID: CVE-2021-34652
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The Media Usage WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter in the ~/mmu_admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.4.
Scribble Maps <= 1.2 Reflected Cross-Site Scripting
Affected Plugin: Scribble Maps
Plugin Slug: scribble-maps
Affected Versions: <= 1.2
CVE ID: CVE-2021-34651
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The Scribble Maps WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the map parameter in the ~/includes/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.
Simple Behance Portfolio <= 0.2 Reflected Cross-Site Scripting
Affected Plugin: Simple Behance Portfolio
Plugin Slug: simple-behace-portfolio
Affected Versions: <= 0.2
CVE ID: CVE-2021-34649
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The Simple Behance Portfolio WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the dark parameter in the ~/titan-framework/iframe-font-preview.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.2.
Multiplayer Games <= 3.7 Reflected Cross-Site Scripting
Affected Plugin:Multiplayer Games
Plugin Slug: multiplayer-plugin
Affected Versions: <= 3.7
CVE ID: CVE-2021-34644
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The Multiplayer Games WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/multiplayergames.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.7.
Skaut bazar <= 1.3.2 Reflected Cross-Site Scripting
Affected Plugin: Skaut bazar
Plugin Slug: skaut-bazar
Affected Versions: <= 1.3.2
CVE ID: CVE-2021-34643
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The Skaut bazar WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/skaut-bazar.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.2.
Smart Email Alerts <= 1.0.10 Reflected Cross-Site Scripting
Affected Plugin: Smart Email Alerts
Plugin Slug: smart-email-alerts
Affected Versions: <= 1.0.10
CVE ID: CVE-2021-34642
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13
The Smart Email Alerts WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the api_key in the ~/views/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.10.
Securimage-WP-Fixed <= 3.5.4 – Reflected Cross-Site Scripting
Affected Plugin: Securimage-WP-Fixed
Plugin Slug: securimage-wp-fixed
Affected Versions: <= 3.5.4
CVE ID: CVE-2021-34640
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-11
The Securimage-WP-Fixed WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/securimage-wp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5.4.
WP Fusion Lite <= 3.37.18 – Cross-Site Request Forgery to Data Deletion
Affected Plugin: WP Fusion Lite
Plugin Slug: wp-fusion-lite
Affected Versions: <= 3.37.18
CVE ID: CVE-2021-34661
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
Researcher/s: Xu-Liang Liao
Fully Patched Version: 3.37.30
Recommended Remediation: Update to version 3.37.30, or newer.
Publication Date: 2021-08-06
The WP Fusion Lite WordPress plugin is vulnerable to Cross-Site Request Forgery via the show_logs_section function found in the ~/includes/admin/logging/class-log-handler.php file which allows attackers to drop all logs for the plugin, in versions up to and including 3.37.18.
WP Fusion Lite <= 3.37.18 – Reflected Cross-Site Scripting
Affected Plugin: WP Fusion Lite
Plugin Slug: wp-fusion-lite
Affected Versions: <= 3.37.18
CVE ID: CVE-2021-34660
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Xu-Liang Liao
Fully Patched Version: 3.37.30
Recommended Remediation: Update to version 3.37.30, or newer.
Publication Date: 2021-08-06
The WP Fusion Lite WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the startdate parameter found in the ~/includes/admin/logging/class-log-table-list.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.37.18.
Nifty Newsletters <= 4.0.23 – Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected Plugin: Nifty Newsletters
Plugin Slug: sola-newsletters
Affected Versions: <= 4.0.23
CVE ID: CVE-2021-34634
CVSS Score: 8.8(High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Kohei Hino, Cryptography Laboratory in Tokyo Denki University
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-07-30
The Nifty Newsletters WordPress plugin is vulnerable to Cross-Site Request Forgery via the sola_nl_wp_head function found in the ~/sola-newsletters.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.23.
Youtube Feeder <= 2.0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected Plugin: Youtube Feeder
Plugin Slug: youtube-feeder
Affected Versions: <= 2.0.1
CVE ID: CVE-2021-34633
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Kohei Hino, Cryptography Laboratory in Tokyo Denki University
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-07-30
The Youtube Feeder WordPress plugin is vulnerable to Cross-Site Request Forgery via the printAdminPage function found in the ~/youtube-feeder.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.1.
WordPress Download Manager <= 3.1.24 Authenticated Arbitrary File Upload
Affected Plugin: WordPress Download Manager
Plugin Slug: download-manager
Affected Versions: <= 3.1.24
CVE ID: CVE-2021-34639
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 3.1.25
Recommended Remediation: Update to version 3.1.25 or newer.
Publication Date: 2021-07-29
Authenticated Arbitrary File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. “payload.php.png”. The destination folder is protected by an .htaccess file so most configurations are not vulnerable. Read more here.
WordPress Download Manager <= 3.1.24 Authenticated Directory Traversal
Affected Plugin:WordPress Download Manager
Plugin Slug: download-manager
Affected Versions: <= 3.1.24
CVE ID: CVE-2021-34638
CVSS Score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 3.1.25
Recommended Remediation: Update to version 3.1.25 or newer.
Publication Date: 2021-07-29
Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Contributor+) users to obtain sensitive configuration file information, as well as allowing Author+ users to perform XSS attacks by setting Download template to an uploaded JavaScript with an image extension. Read more here.
Post Index <= 0.7.5 Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected Plugin: Post Index
Plugin Slug: post-index
Affected Versions: <= 0.7.5
CVE ID: CVE-2021-34637
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Kentaro Kuroki, Cryptography Laboratory in Tokyo Denki University
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.
Publication Date: 2021-07-26
The Post Index WordPress plugin is vulnerable to Cross-Site Request Forgery via the OptionsPage function found in the ~/php/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.5.
Poll Maker <= 3.2.8 – Reflected Cross-Site Scripting
Affected Plugin: Poll Maker
Plugin Slug: poll-maker
Affected Versions: <=3.2.8
CVE ID: CVE-2021-34635
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Xu-Liang Liao
Fully Patched Version: 3.2.9
Recommended Remediation: Update to version 3.2.9 or newer.
Publication Date: 2021-07-26
The Poll Maker WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the mcount parameter found in the ~/admin/partials/settings/poll-maker-settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.8.
SEO Backlinks <= 4.0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected Plugin: SEO Backlinks
Plugin Slug: seo-backlinks
Affected Versions: <= 4.0.1
CVE ID: CVE-2021-34632
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Takahiro Yamashita, Cryptography Laboratory in Tokyo Denki University
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.
Publication Date: 2021-07-26
The SEO Backlinks WordPress plugin is vulnerable to Cross-Site Request Forgery via the loc_config function found in the ~/seo-backlinks.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.1.
Admin Custom Login <= 3.2.7 – Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected Plugin: Admin Custom Login
Plugin Slug: admin-custom-login
Affected Versions: <= 3.2.7
CVE ID: CVE-2021-34628
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Ryoma Nishioka, Cryptography Laboratory in Tokyo Denki University
Fully Patched Version: 3.2.8
Recommended Remediation: Update to version 3.2.8 or newer.
Publication Date: 2021-07-26
The Admin Custom Login WordPress plugin is vulnerable to Cross-Site Request Forgery due to the loginbgSave action found in the ~/includes/Login-form-setting/Login-form-background.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.7.
GTranslate <= 2.8.64 – Reflected Cross-Site Scripting
Affected Plugin: GTranslate
Plugin Slug: gtranslate
Affected Versions: <= 2.8.64
CVE ID: CVE-2021-34630
CVSS Score: 5.0 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Researcher/s: N/A
Fully Patched Version: 2.8.65
Recommended Remediation: Update to the latest version available.
Publication Date: 2021-07-23
In the Pro and Enterprise versions of GTranslate < 2.8.65, the gtranslate_request_uri_var function runs at the top of all pages and echoes out the contents of $_SERVER['REQUEST_URI']. Although this uses addslashes, and most modern browsers automatically URLencode requests, this plugin is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below, or in cases where an attacker is able to modify the request en route between the client and the server, or in cases where the user is using an atypical browsing solution.
NewsPlugin <= 1.0.18 – Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected Plugin: NewsPlugin
Plugin Slug: newsplugin
Affected Versions: <= 1.0.18
CVE ID: CVE-2021-34631
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Taichi Ichimura, Cryptography Laboratory in Tokyo Denki University
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.
Publication Date: 2021-07-21
The NewsPlugin WordPress plugin is vulnerable to Cross-Site Request Forgery via the handle_save_style function found in the ~/news-plugin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.18.
SendGrid <= 1.11.8 – Authorization Bypass
Affected Plugin: SendGrid
Plugin Slug: sendgrid-email-delivery-simplified
Affected Versions: <= 1.11.8
CVE ID: CVE-2021-34629
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Researcher/s: Prashant Baldha
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.
Publication Date: 2021-07-21
The SendGrid WordPress plugin is vulnerable to authorization bypass via the get_ajax_statistics function found in the ~/lib/class-sendgrid-statistics.php file which allows authenticated users to export statistics for a WordPress multi-site main site, in versions up to and including 1.11.8. This vulnerability only affects the main site of WordPress multi-site installations.
WP Upload Restriction <= 2.2.3 – Authenticated Stored Cross-Site Scripting
Affected Plugin: WP Upload Restriction
Plugin Slug: wp-upload-restriction
Affected Versions: <= 2.2.3
CVE ID: CVE-2021-34625
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Angelo Righi
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.
Missing Access Control in the saveCustomType function allows for authenticated users, such as subscribers, to add mime types and extensions through unsanitized parameters that makes it possible to inject malicious web scripts that later execute when an administrator visits the extensions page.
WP Upload Restriction <= 2.2.3 – Missing Access Control in deleteCustomType function
Affected Plugin: WP Upload Restriction
Plugin Slug: wp-upload-restriction
Affected Versions: <= 2.2.3
CVE ID: CVE-2021-34626
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher/s: N/A
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.
Missing access control in deleteCustomType function allows authenticated users, such as subscribers, to delete custom extensions.
WP Upload Restriction <= 2.2.3 – Missing Access Control in getSelectedMimeTypesByRole function
Affected Plugin: WP Upload Restriction
Plugin Slug: wp-upload-restriction
Affected Versions: <= 2.2.3
CVE ID: CVE-2021-34627
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Researcher/s: N/A
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.
Missing access control in getSelectedMimeTypesByRole function allows authenticated users, such as subscribers, to retrieve approved mime types for any given role.
ProfilePress 3.0 – 3.1.3 – Unauthenticated Privilege Escalation
During user registration, users could supply arbitrary user meta data that would get updated during the registration process making it possible for anyone to register as an administrator. More details.
ProfilePress 3.0 – 3.1.3 – Authenticated Privilege Escalation
During user profile updates, users could supply arbitrary user meta data that would get updated making it possible for anyone to escalate their privileges to that of an administrator. More details.
ProfilePress 3.0 – 3.1.3 – Arbitrary File Upload in Image Uploader Component
The image uploader component used to upload profile photos and user cover photos was vulnerable to arbitrary file uploads due to insufficient file type validation. More details.
ProfilePress 3.0 – 3.1.3 – Arbitrary File Upload in File Uploader Component
The file uploader component used to upload files during registration was vulnerable to arbitrary file uploads due to insufficient file type validation. More details.
WP Fluent Forms <= 3.6.65 – CSRF to Stored XSS
Affected Plugin: WP Fluent Forms
Plugin Slug: fluentform
Affected Versions: < 3.6.67
CVE ID: CVE-2021-34620
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Researcher/s: Ramuel Gall
Fully Patched Version: 3.6.67
Recommended Remediation: Update to version 3.6.67 or newer.
This plugin is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions. More details.
Woocommerce Stock Manager <= 2.5.7 – CSRF to Arbitrary File Upload
Affected Plugin: WooCommerce Stock Manager
Plugin Slug: woocommerce-stock-manager
Affected Versions: <= 2.5.7
CVE ID: CVE-2021-34619
CVSS Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 2.6.0
Recommended Remediation: Update to version 2.6.0 or newer.
This plugin is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Upload due to missing nonce and file validation in the /woocommerce-stock-manager/trunk/admin/views/import-export.php file. More details.