There are twenty-four issues this week, with five unfixed. The most critical this week are an unfixed Authenticated Arbitrary File Upload vulnerability in the MapSVG Lite plugin and an unfixed Authenticated Remote Code Execution vulnerability in the Newsletter plugin. Both plugins have been closed in the public plugin repository. In addition, there was an Authenticated Arbitrary Folder Deletion/Rename vulnerability in the Insert or Embed Articulate Content into WordPress plugin (fixed as of version 4.29991).
View this week’s vulnerable plugins list.
Other Security News
Last week, Magento released an update to the 2.3.X, 2.2.X, and 2.1.X branches that contains numerous security fixes, including one for an unauthenticated stored cross-site scripting vulnerability that can lead to remote code execution, discovered and recently disclosed by RIPS.