Webmaster Forum

...A vulnerability has been discovered in Contact Form 7 that allows an attacker to upload malicious scripts. The publishers of Contact Form 7 have released an update to fix the vulnerability....

Accrete wrote: ↑Fri Dec 18, 2020 3:22 pm Those using Contact Form 7 need to read this and update:

Two security vulnerabilities — one a privilege-escalation problem and the other a stored XSS bug — afflict a WordPress plugin with 40,000 installs.

Two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox could allow attackers to inject malicious code into vulnerable websites and/or take control of a website....

The flaw could have let attackers send out custom newsletters and delete newsletter subscribers from 200,000 affected websites.

Developers of a plugin, used by WordPress websites for building pop-up ads for newsletter subscriptions, have issued a patch for a serious flaw. The vulnerability could be exploited by attackers to send out newsletters with custom content, or to delete or import newsletter subscribers.

The plugin in question is Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter, from developer Sygnoos. The plugin has been installed on 200,000 WordPress websites. Versions 3.71 and below are affected by the vulnerability (a fix has been issued in version 3.72; and the latest version is 3.73)...

...This maintenance release features 20 bug fixes as well as 7 issues fixed for the block editor. These bugs affect WordPress version 5.6, so you’ll want to upgrade...

An CRSF-to-stored-XSS security bug plagues 50,000 ‘Contact Form 7’ Style users.

A security bug in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites, could allow for malicious JavaScript injection on a victim website.

The latest WordPress plugin security vulnerability is a cross-site request forgery (CSRF) to stored cross-site scripting (XSS) problem in Contact Form 7 Style, which is an add-on to the well-known Contact Form 7 umbrella plugin. It ranks 8.8 out of 10 on the CVSS vulnerability-severity scale (CVE is pending).

A patch in the NextGen Gallery WordPress plugin fixes critical and high-severity cross-site request forgery flaws.

Researchers are urging WordPress websites that utilize the NextGen Gallery plugin to apply a patch addressing critical and high-severity flaws..

The popular plugin is installed on more than 1 million websites, and has four flaws that allow various kinds of serious attacks, including site takeover and email hijacking.

Ninja Forms, a WordPress plugin used by more than 1 million sites, contains four critical security vulnerabilities that together make it possible for a remote attacker to take over a WordPress site and create various kinds of problems.

...WordPress 5.6.2 is a small maintenance release focused on fixing user-facing issues discovered in 5.6.1. The next major release will be version 5.7, currently scheduled for release on March 9, 2021....