fbpx
Book your free web consultation today!

June 2020 Security Roundup

Jul 1, 2020 | Blog, WordPress Maintenance

June 2020 Security

 Latest WordPress June 2020 Security Updates

Here is the latest Vulnerability Roundup as reported by iThemes Security, one of the leading WordPress Security plugins. If you have any of these plugins or themes, you will want to login to your WordPress admin panel and go to plugins and update to the latest version to patch the vulnerability.

June 2020 Security Updates for Core WordPress

WordPress versions 5.4.2 is now available. This is an important security and maintenance release. Earlier versions are affected by multiple security bugs, which are fixed in version 5.4.2. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.

You can download WordPress 5.4.2 from WordPress.org, or visit your WP Admin Dashboard > Updates and click Update Now. If you have sites that support automatic background updates, they should have already updated.

June 2020 Security Updates for Plugins

  1. BrizyPage Builder versions below 1.0.126 have an Improper Access Controls on AJAX Calls vulnerability. The vulnerability is patched, and you should update to version 1.0.126.
  2. wpDiscuz – Versions below 5.3.6 have an Unauthenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 5.3.6v.
  3. Page Builder: KingComposer Page Builder: KingComposer versions below 2.9.4 have multiple security issues including Arbitrary File Deletion and Remote Code Execution vulnerabilities. The vulnerability is patched, and you should update to version 2.9.4.
  4. Delete All Comments Easily – All versions of Delete All Comments Easily have Cross-Site Scripting vulnerability. Remove the plugin until a security fix is released.
  5. Testimonial Rotator – Testimonial Rotator versions below 3.0.3 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.0.3.
  6. All in One Support Button – All in One Support Button versions below 1.8.8 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.8.8.
  7. YITH WooCommerce Ajax Product Filter – YITH WooCommerce Ajax Product Filter versions below 3.11.1 have an Authenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.11.1.
  8. WP Pro Quiz – All versions of WP Pro Quiz have a Cross-Site Request Forgery vulnerability. Remove the plugin until a security fix is released.
  9. WooCommerce – WooCommerce versions below 4.2.1 have a Potential Cross-Site Scripting vulnerability via SelectWoo. The vulnerability is patched, and you should update to version 4.2.1.
  10. Drag and Drop Multiple File Upload for Contact Form 7 – Drag and Drop Multiple File Upload for Contact Form 7 versions below 1.3.3.3 have an Unauthenticated File Upload Bypass vulnerability. The vulnerability is patched, and you should update to version 1.3.3.3.
  11. Page Builder: PageLayer – Drag and Drop website builder – Versions below 1.1.2 have an Unprotected AJAX’s leading to XSS and a CSRF leading to XSS vulnerabilities. The vulnerability is patched, and you should update to version 1.1.2.
  12. MapPress Maps – MapPress Maps versions below 2.54.6 have an Improper Capability Checks in AJAX Calls vulnerability. The vulnerability is patched, and you should update to version 2.54.6.
  13. Image Photo Gallery Final Tiles Grid – Versions below 3.4.19 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.4.19.
  14. bbPress – Versions below 2.6.5 have an Unauthenticated Privilege Escalation vulnerability when New User Registration enabled. The vulnerability is patched, and you should update to version 2.6.5.
  15. Multi Scheduler –All versions of Multi Scheduler have an Arbitrary Record Deletion via CSRF vulnerability. Remove the plugin until a security fix is released.
  16. JobSearch – Versions below 1.5.1 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.5.1.
  17. AdRotate – Versions below 5.8.4 have an Authenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 5.8.4.
  18. Elementor Page Builder – Vversions below 2.9.10 have an Authenticated Stored XSS vulnerability. The vulnerability is patched, and you should update to version 2.9.10.
  19. SportsPress –Versions below 2.7.2 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.7.2.

June 2020 Updates for Themes

  1. Travel Booking – Travel Booking versions below 2.8.2 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.8.2.
  2. TownHub – TownHub versions below 1.3.0 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.3.0.
  3. CityBook – CityBook versions below 2.4.4 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.4.4.
  4. Careerfy –Versions below 3.9.0 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.9.0.
  5. Newspaper – Versions below 10.3.4 have an Authenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 10.3.4.

 

Weekly Updates

You need to log into your WordPress admin site at least once a week to ensure all of your files are updated to the latest version. Outdated code is the No.1 reason sites get hacked.
If you are not comfortable with running these updates, then feel free to reach out to us, and we can work with you to make sure your site is backed up regularly and up to date on all of your code with one of our monthly care plans.
Also, if you want to get this Vulnerability Roundup when they are published, fill out the form below and you will receive an email anytime we publish an update.

  • I was most impressed that Darrell was able to take the pages from my website and get them to a point where we could take the next step to refine the pages to my ideas. I was very happy with his response to my suggestions and requests on various components of the page; images, text, etc.

    After updating my site, he took some time to show me how to do my own editing and use the tools he put into place. Kudos, Mr. Jordan!

    Michael Beall

Pin It on Pinterest

Share This