Security Advisory: WordPress Vulnerabilities
SUMMARY
Three recently disclosed vulnerabilities affect multiple WordPress versions and one third-party plugin. WordPress has released security updates to remediate these vulnerabilities, alongside an update from the developer for users of the “Fancy Product Designer” plugin.
IMPACTED SYSTEMS
- WordPress version 5.7.1 (remediated in 5.7.2)
- WordPress version 5.7 (remediated in 5.7.2)
- WordPress version 5.6 through 5.6.3 (remediated in 5.6.4)
- WordPress version 5.5.1 through 5.5.4 (remediated in 5.5.5)
- “Fancy Product Designer” plugin version 4.6.9 (remediated in the latest version)
REMEDIATION STEPS
To remediate CVE-2020-36326 and CVE-2018-19296, update to WordPress version 5.7.2 or to one of the other patched minor versions listed above. To remediate CVE-2021-24370, navigate to https://codecanyon.net, visit the “Fancy Product Designer” product page and re-download the plugin. Once downloaded, the patched version can be uploaded to your WordPress site.
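To check which sites still need the updates above, the following inventory helper (an added example, not part of this advisory) compares a site's installed core and plugin versions against the affected ranges listed under IMPACTED SYSTEMS; it reads the core version from the standard wp-includes/version.php format and assumes the plugin version is supplied by the caller.

```python
# Added example, not from the advisory: flag a WordPress core version and a
# "Fancy Product Designer" version that fall in the ranges the advisory lists.
import re
from typing import List, Optional, Tuple

# Affected core ranges from the advisory, inclusive, with the patched release.
CORE_AFFECTED = [
    ((5, 7, 0), (5, 7, 1), "5.7.2"),
    ((5, 6, 0), (5, 6, 3), "5.6.4"),
    ((5, 5, 1), (5, 5, 4), "5.5.5"),
]
# The advisory names this single plugin version as affected.
PLUGIN_AFFECTED = {(4, 6, 9)}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Normalise '5.7', '5.7.1' or '5.7.1-RC1' to a three-part integer tuple."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    a, b, c = (int(g) if g else 0 for g in m.groups())
    return (a, b, c)

def core_version_from_php(source: str) -> Optional[str]:
    """Pull $wp_version out of wp-includes/version.php contents, if present."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", source)
    return m.group(1) if m else None

def check_core(version: str) -> Optional[str]:
    """Return the patched release to move to if the core version is affected."""
    v = parse_version(version)
    for low, high, fixed in CORE_AFFECTED:
        if low <= v <= high:
            return fixed
    return None

def check_plugin(version: str) -> bool:
    """True if the Fancy Product Designer version is one the advisory lists."""
    return parse_version(version) in PLUGIN_AFFECTED

def assess(core_version: str, plugin_version: Optional[str]) -> List[str]:
    """Findings for one site; an empty list means nothing to do."""
    findings = []
    fixed = check_core(core_version)
    if fixed:
        findings.append(f"core {core_version} affected: update to {fixed}")
    if plugin_version and check_plugin(plugin_version):
        findings.append(f"plugin {plugin_version} affected: reinstall latest from codecanyon.net")
    return findings
```

Run `assess(core_version_from_php(open("wp-includes/version.php").read()), plugin_version)` per site to produce a short to-do list for the remediation schedule.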
MANAGED CLIENTS
If you are an Atomic Data managed services client, your Account Coordinator will contact you shortly to determine the remediation schedule.
UNMANAGED CLIENTS
If you are not an Atomic Data managed services client and you would like to schedule a specific time for remediation services, please contact your Account Coordinator as soon as possible.
ADDITIONAL DETAILS
The vulnerabilities are documented in the following CVEs: CVE-2020-36326, CVE-2018-19296 and CVE-2021-24370.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19296
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24370
https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d