June 2020 Security Roundup

Jul 1, 2020 | Blog, WordPress Maintenance | 0 comments

June 2020 Security

 Latest WordPress June 2020 Security Updates

Here is the latest Vulnerability Roundup as reported by iThemes Security, one of the leading WordPress Security plugins. If you have any of these plugins or themes, you will want to login to your WordPress admin panel and go to plugins and update to the latest version to patch the vulnerability.

June 2020 Security Updates for Core WordPress

WordPress versions 5.4.2 is now available. This is an important security and maintenance release. Earlier versions are affected by multiple security bugs, which are fixed in version 5.4.2. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.

You can download WordPress 5.4.2 from WordPress.org, or visit your WP Admin Dashboard > Updates and click Update Now. If you have sites that support automatic background updates, they should have already updated.

June 2020 Security Updates for Plugins

  1. BrizyPage Builder versions below 1.0.126 have an Improper Access Controls on AJAX Calls vulnerability. The vulnerability is patched, and you should update to version 1.0.126.
  2. wpDiscuz – Versions below 5.3.6 have an Unauthenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 5.3.6v.
  3. Page Builder: KingComposer Page Builder: KingComposer versions below 2.9.4 have multiple security issues including Arbitrary File Deletion and Remote Code Execution vulnerabilities. The vulnerability is patched, and you should update to version 2.9.4.
  4. Delete All Comments Easily – All versions of Delete All Comments Easily have Cross-Site Scripting vulnerability. Remove the plugin until a security fix is released.
  5. Testimonial Rotator – Testimonial Rotator versions below 3.0.3 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.0.3.
  6. All in One Support Button – All in One Support Button versions below 1.8.8 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.8.8.
  7. YITH WooCommerce Ajax Product Filter – YITH WooCommerce Ajax Product Filter versions below 3.11.1 have an Authenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.11.1.
  8. WP Pro Quiz – All versions of WP Pro Quiz have a Cross-Site Request Forgery vulnerability. Remove the plugin until a security fix is released.
  9. WooCommerce – WooCommerce versions below 4.2.1 have a Potential Cross-Site Scripting vulnerability via SelectWoo. The vulnerability is patched, and you should update to version 4.2.1.
  10. Drag and Drop Multiple File Upload for Contact Form 7 – Drag and Drop Multiple File Upload for Contact Form 7 versions below 1.3.3.3 have an Unauthenticated File Upload Bypass vulnerability. The vulnerability is patched, and you should update to version 1.3.3.3.
  11. Page Builder: PageLayer – Drag and Drop website builder – Versions below 1.1.2 have an Unprotected AJAX’s leading to XSS and a CSRF leading to XSS vulnerabilities. The vulnerability is patched, and you should update to version 1.1.2.
  12. MapPress Maps – MapPress Maps versions below 2.54.6 have an Improper Capability Checks in AJAX Calls vulnerability. The vulnerability is patched, and you should update to version 2.54.6.
  13. Image Photo Gallery Final Tiles Grid – Versions below 3.4.19 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.4.19.
  14. bbPress – Versions below 2.6.5 have an Unauthenticated Privilege Escalation vulnerability when New User Registration enabled. The vulnerability is patched, and you should update to version 2.6.5.
  15. Multi Scheduler –All versions of Multi Scheduler have an Arbitrary Record Deletion via CSRF vulnerability. Remove the plugin until a security fix is released.
  16. JobSearch – Versions below 1.5.1 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.5.1.
  17. AdRotate – Versions below 5.8.4 have an Authenticated SQL Injection vulnerability. The vulnerability is patched, and you should update to version 5.8.4.
  18. Elementor Page Builder – Vversions below 2.9.10 have an Authenticated Stored XSS vulnerability. The vulnerability is patched, and you should update to version 2.9.10.
  19. SportsPress –Versions below 2.7.2 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.7.2.

June 2020 Updates for Themes

  1. Travel Booking – Travel Booking versions below 2.8.2 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.8.2.
  2. TownHub – TownHub versions below 1.3.0 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 1.3.0.
  3. CityBook – CityBook versions below 2.4.4 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 2.4.4.
  4. Careerfy –Versions below 3.9.0 have an Unauthenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 3.9.0.
  5. Newspaper – Versions below 10.3.4 have an Authenticated Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, and you should update to version 10.3.4.

 

Weekly Updates

You need to log into your WordPress admin site at least once a week to ensure all of your files are updated to the latest version. Outdated code is the No.1 reason sites get hacked.
If you are not comfortable with running these updates, then feel free to reach out to us, and we can work with you to make sure your site is backed up regularly and up to date on all of your code with one of our monthly care plans.
Also, if you want to get this Vulnerability Roundup when they are published, fill out the form below and you will receive an email anytime we publish an update.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Previous post you may be interested in.

Cons of WordPress Automatic Updates

Cons of WordPress Automatic Updates

Last week we talked about WordPress Automatic Updates that came with version 5.5. It sounds like a no brainier to turn automatic updates on and use it. However, there are some potential problems that you could run into. Cons of WordPress automatic updates Could break...

WordPress Automatic Updates

WordPress Automatic Updates

Back in August, WordPress introduced automatic updates with the release of version 5.5 but should you be using it? There are several reasons why you should be using it but you do have to be careful. Let’s start with why you should. Why you should use WordPress...

September 2020 Security Update

September 2020 Security Update

September 2020 WordPress Updates iThemes Security, one of the leading WordPress Security plugins, publishes a list of WordPress vulnerabilities reported by the WordPress community. If you have any of these plugins or themes, you will want to login to your WordPress...

Pin It on Pinterest

Share This