List of WordPress Plugins and Themes Vulnerabilities for April 2020
New WordPress plugin and theme vulnerabilities
This is a roundup of all WordPress plugin and theme vulnerabilities for the month of April. The list of vulnerable plugins and themes is compiled from time to time to alert users to take action.
WordPress plugins and themes often become vulnerable over time because they are not constantly updated or because of an omission by the developer. Plugins and themes are kept under watch, and reports of any vulnerable plugin or theme are also taken from the WordPress community.
New WordPress plugin and theme vulnerabilities were disclosed during the first half of April, so we want to keep you aware. In this post, we cover recent WordPress plugin, theme and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories:
WordPress Core Vulnerabilities
There haven’t been any disclosed WordPress vulnerabilities in 2020.
WordPress Plugin Vulnerabilities
Several new WordPress plugin vulnerabilities have been discovered this month so far. Make sure to follow the suggested action below to update the plugin or completely uninstall it.
1 IMPress for IDX Broker
2 CM Pop-Up banners for WordPress
3 Rank Math
LifterLMS versions below 3.37.15 have an Arbitrary File Writing vulnerability.
The vulnerability has been patched, and you should update to version 3.37.15.
5 Elementor Page Builder
7 Login by Auth0
8 WordPress WP-Advanced-Search
WordPress WP-Advanced-Search versions below 3.3.6 have an Unauthenticated SQL Injection vulnerability.
The vulnerability has been patched, and you should update to version 3.3.6.
9 Contact Form 7 Datepicker
All versions of Art-Picture-Gallery have an Unauthenticated Arbitrary File Upload vulnerability.
Remove the plugin; it has been closed on the WordPress.org plugin repository pending review.
11 WP Last Modified Info
12 WP Lead Plus X
13 Ultimate Addons for Gutenberg
14 Klarna Checkout for WooCommerce
15 Tickera – WordPress Event Ticketing
Tickera – WordPress Event Ticketing versions below 188.8.131.52 have an Unauthenticated Sensitive Data Exposure vulnerability.
The vulnerability has been patched, and you should update to version 184.108.40.206.
16 Responsive Poll
17 Media Library Assistant
The vulnerability has been patched, and you should update to version 2.82.
There haven’t been any disclosed theme vulnerabilities in April 2020.
As said earlier, an outdated WordPress plugin or theme can make your site vulnerable to attack and get it hacked. Site owners who do not visit their sites frequently should do so at least once a week in order to update all outdated plugins and themes. You can also set up automatic updates for your WordPress installation.
Also, check our last post on WordPress vulnerabilities to see any you might have missed.