Latest WordPress January Updates

Here is the lastest Vulnerability Roundup as reported by iThemes Security, one of the leading WordPress Security plugins. If you have any of these plugins or themes, you will want to login to your WordPress admin panel and go to plugins and update to the latest version to patch the vulnerability.

January Updates for Core WordPress

There were no vulnerabilities reported in January

January Updates for Plugins

1. Elementor Page Builder – Version 2.8.4 and below have an Authenticated Reflected Cross-Site Scripting vulnerability. The vulnerabilities have been patched, so you should update to version 2.8.5.
2. Strong Testimonials – Versions 2.40.0 and below have a Stored Cross-Site Scripting vulnerability. The vulnerabilities have been patched, so you should update to version 2.40.0.
3. Portfolio Filter Gallery – Versions 1.1.2 and below have a Cross-Site Request Forgery vulnerability that can lead to a Reflected XSS attack. The vulnerabilities have been patched, so you should update to version 1.1.3.
4. Tutor LMS version 1.5.2 and below are vulnerable to a Cross-Site Request Forgery attack. The vulnerabilities have been patched, so you should update to version 1.5.3.
5. Login by Auth0 – Versions 3.11.2 and below are vulnerable to an Unauthenticated Reflected XSS attack. The vulnerabilities have been patched, so you should update to version 3.11.3.
6. Htaccess by BestWebSoft – The plugin has a Cross-Site Request Forgery vulnerability that can lead to an attacker editing the .htaccess. Remove the plugin, it has been closed on the WordPress.org plugin repository pending review.
7. Ultimate Membership Pro – Versions below 8.6.1 have multiple vulnerabilities that can lead to a low lever user performing a Remote Code Execution attack. The vulnerabilities have been patched, so you should update to version 8.6.1.
8. Events Manager and Events Manager Pro–  Events Manager below version 5.9.7.2 and Events Manager Pro below version 2.6.7.2 are vulnerable to a CSV Injection attack. The vulnerabilities have been patched, and you should update to Events Manager version 5.9.7.2 and Events Manager Pro version 2.6.7.2.
9. Profile Builder and Profile Builder Pro – Versions below version 3.1.1 have a broken authentication vulnerability, allowing unauthenticated users to register or edit their account and gain the Administrator role using the plugin’s forms The vulnerabilities have been patched, and you should update to version 3.1.1.
10. Participants Database version 1.9.5.5 and below are vulnerable to an Authenticated SQL Injection attack. The vulnerabilities have been patched, and you should update to version 1.9.5.6.

11. GDPR Cookie Consent – Versions 1.8.2 and below have an Improper Access Controls vulnerability that could allow a low-level user to change the status of a post or page and could lead to a Cross-Site Scripting attack. The vulnerabilities have been patched, so you should update to version 1.8.3.

January Updates for Themes

1. Reality Theme – Versions 2.5.1 and below are vulnerable to an Unauthenticated Reflected Cross-Site Scripting attack. The vulnerabilities have been patched, so you should update to version 2.5.2.

Weekly Updates

You need to log into your WordPress admin site at least once a week to ensure all of your files are updated to the latest version. Outdated code is the No.1 reason sites get hacked.
If you are not comfortable with running these updates, then feel free to reach out to us, and we can work with you to make sure your site is backed up regularly and up to date on all of your code with one of our monthly care plans.
Also, if you want to get this Vulnerability Roundup when they are published, fill out the form below and you will receive an email anytime we publish an update.