CMS

Monthly WordPress Security Roundup [June 2021]

Published on: June 29, 2021

Monthly WordPress Security Roundup [June 2021]

Hello everyone, it’s Kanishk again from Astra Security, bringing you the latest in WordPress security with another version of our Monthly WordPress Security Roundup for June 2021. 

We will be discussing vulnerabilities disclosures & bug fixes in the WP core, database, plugins and themes, and some other security issues related to the WordPress CMS platform.

So, let’s get started!

Thankfully, there were no vulnerabilities discovered in the WP core this month but it is advised that you should update to the latest version of WordPress.

In addition to this, we have seen a large number of plugin and theme vulnerabilities being actively exploited by hackers. Here are those:

Vulnerabilities Bulletin for WordPress plugins:

1. W3 Total Cache

  • Vulnerability Type: Authenticated Stored XSS
  • Plugin versions affected: < v2.1.3
  • Plugin users: 1 Million+
  • Fixed version of the plugin: v2.1.3+

2. WP Reset

  • Vulnerability Type: Authenticated Stored Cross-Site Scripting (XSS) 
  • Plugin versions affected: < 1.90
  • Plugin users: 300,000+
  • Fixed version of the plugin: v1.90+

3. Jetpack

  • Vulnerability Type: Carousel Non-Published Page/Post Attachment Comment Leak
  • Plugin versions affected: < 9.8
  • Plugin users: 5 Million+
  • Fixed version of the plugin: v9.8+

4. MC4WP: Mailchimp for WordPress

  • Vulnerability Type: Authenticated Arbitrary Redirect
  • Plugin versions affected: < v4.8.5
  • Plugin users: 2 Million+
  • Fixed version of the plugin: 4.8.5+

5. Smart Slider 3

  • Vulnerability Type: Authenticated Stored Cross-Site Scripting (XSS)
  • Plugin versions affected: < v3.5.0.9
  • Plugin users: 800,000+
  • Fixed version of the plugin: v3.5.0.9+

6. WP Google Maps

  • Vulnerability Type: Authenticated Reflected Cross-Site Scripting (XSS)
  • Plugin versions affected: < 8.1.12
  • Plugin users: 400,000+
  • Fixed version of the plugin: v8.1.12+

7. WordPress Popular Posts

  • Vulnerability Type: Authenticated Code Injection & Authenticated Stored XSS
  • Plugin versions affected: < v5.3.3
  • Plugin users: 300,000+
  • Fixed version of the plugin: v5.3.3+

8. FooGallery

  • Vulnerability Type: Authenticated Stored Cross-Site Scripting (XSS)
  • Plugin versions affected: < v2.0.35
  • Plugin users: 200,000+
  • Fixed version of the plugin: v2.0.35+

9. Simple 301 Redirects by BetterLinks

  • Vulnerability Type: Multiple Vulnerabilities
  • Plugin versions affected: < v2.0.4
  • Plugin users: 300,000+
  • Fixed version of the plugin: v2.0.4+

10. Admin Columns

  • Vulnerability Type: Authenticated Stored XSS
  • Plugin versions affected: < v4.3
  • Plugin users: 100,000+
  • Fixed version of the plugin: v4.3+

11. FileBird

  • Vulnerability Type: Unauthenticated SQL Injection
  • Plugin versions affected: <= v4.7.3
  • Plugin users: 90,000+
  • Fixed version of the plugin: v4.7.4+

12. NinjaFirewall (WP Edition)

  • Vulnerability Type: Authenticated PHAR Deserialization
  • Plugin versions affected: < v4.3.4
  • Plugin users: 60,000+
  • Fixed version of the plugin: v4.3.4+

13. wpForo Forum

  • Vulnerability Type: Open Redirect
  • Plugin versions affected: < v1.9.7
  • Plugin users: 30,000+
  • Fixed version of the plugin: v1.9.7+

14. Quiz And Survey Master

  • Vulnerability Type: Unauthenticated Stored XSS and Reflected XSS
  • Plugin versions affected: < v7.1.19
  • Plugin users: 40,000+
  • Fixed version of the plugin: v7.1.19+

15. WP SVG images

  • Vulnerability Type: Authenticated Stored XSS
  • Plugin versions affected: < v3.4
  • Plugin users: 20,000+
  • Fixed version of the plugin: v3.4+

16. WP YouTube Lyte

  • Vulnerability Type: Authenticated Stored XSS
  • Plugin versions affected: < v1.7.16
  • Plugin users: 30,000+
  • Fixed version of the plugin: v1.7.16+

Get the ultimate WordPress security checklist with 300+ test parameters

Vulnerabilities discovered in WordPress themes:

1. FoodBakery | Delivery Restaurant Directory WordPress Theme

  • Vulnerability Type: Reflected Cross-Site Scripting (XSS)
  • Theme versions affected: < v2.2
  • Fixed version of the Theme: v2.2+

2. JNews – WordPress Newspaper Magazine Blog AMP Theme

  • Vulnerability Type: Reflected Cross-Site Scripting (XSS)
  • Plugin versions affected: < v8.0.6
  • Fixed version of the plugin: v8.0.6+

3. Jannah – Newspaper Magazine News BuddyPress AMP

  • Vulnerability Type: Reflected XSS
  • Plugin versions affected: < v5.4.4
  • Fixed version of the plugin: v5.4.4

That does it for this month’s WordPress Security Roundup. Make sure to update to the latest version if you are running any of the above-mentioned WordPress plugins and themes.

Websites, plugins and themes that are protected by Astra Security Suite are already secured against vulnerabilities such as XSS, RCE, CSRF, arbitrary file upload & deletion, sensitive data exposure, and SQL injection..

Let experts find security gaps in your web application

Pen-testing results that comes without a 100 emails, 250 google searches and painstaking PDFs.

Check out our WP plugin security guide for plugin developers to secure WordPress plugins against vulnerability exploits and other hacking attempts.

Stay safe from any unanticipated attack and be aware of the security vulnerabilities and latest patches. From all of us here at Astra Security, have a great month ahead and see you next time.

Thank you!

Was this post helpful?

Tags: ,

Kanishk Tagade

Kanishk Tagade is a Marketing Manager at Astra Security. Having a hawk-eyed view on the cybersecurity threat landscape, market-shifts, and hacktivism activities, Kanishk is a community member of the Nasscom and corporate contributor at many technology magazines and security awareness platforms. Editor-in-Chief at "QuickCyber.news", his work is published in more than 50+ news platforms. He is also a social micro-influencer for the latest cybersecurity defense mechanisms, Digital Transformation, Machine Learning, AI and IoT products.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany