WordPress Vulnerability Roundup: July 2019, Part 1


New WordPress plugin and theme vulnerabilities were disclosed during the first half of this month. Here is what to be aware of.

Yoast SEO versions 1.2.0-11.5 and below are vulnerable to an Authenticated Stored XSS attack.

WooCommerce version 3.6.4 and below is vulnerable to a Cross-Site Request Forgery attack and a File Type Check issue.

Ad Inserter version 2.4.19 and below is vulnerable to an Authenticated Path Traversal attack.

Ocean Extra plugin version 1.5.8 and below is vulnerable to an Unauthenticated Settings change and CSS injection. The exploit will allow an attacker to change some WordPress settings and inject CSS to deface the site.

WP Statistics plugin, version 12.6.6.1 and below, is vulnerable to an Unauthenticated Blind SQL Injection.

Visitors Traffic Real Time Statistics plugin 2.0.5 and below is vulnerable to a Cross-Site Request Forgery attack.

Essential Real Estate plugin version 1.7.1 and below is vulnerable to a Cross-Site Scripting attack.

Appointment Booking Calendar version 1.3.18 and below is vulnerable to an Unauthenticated Stored XSS attack. The lack of an authorization check could lead to a Cross-Site Scripting attack.

Gallery PhotoBlocks version 1.1.40 and below is vulnerable to a Cross-Site Scripting attack.

Slimstat Analytics version 4.8.3 and below is vulnerable to a Cross-Site Request Forgery and Stored XSS attack.

WP Google Maps version 7.11.34 and below is vulnerable to a Cross-Site Request Forgery and Stored XSS attack.

LiveChat version 3.7.2 and below is vulnerable to a Cross-Site Request Forgery and Stored XSS attack.

Icegram version 1.10.28.2 and below is vulnerable to a Cross-Site Request Forgery and Stored XSS attack.

The WP Like Button plugin is vulnerable to an Authentication Bypass attack.

Read about these and more at https://ithemes.com/wordpress-vulnerability-roundup-july-2019-part-1/