Site Vulnerabilities reported by Cpanel at inMotion Host

This topic has 2 replies, 2 voices, and was last updated 6 months, 1 week ago by Rose Tyler

  • Budeva
    Participant
    June 13, 2024 at 18:40

    Hello Theme8 Team

    This is not a request for support. It's an inquiry in regards to these existing security vulnerabilities the cPanel at inMotion is reporting as unresolved during its daily scan of the WordPress installation in regards to both the XStore theme and the XStore core.

    Are your team aware of these vulnerabilities? If so, what's the expected update time frame if your team is already addressing them?
    I see mention of only one vulnerability on the changelog, but it's old and not related to these current ones: https://xstore.8theme.com/update-history/

    Thanks 🙂

    The vulnerabilities list is attached below as of today’s scan (Jun 13th 2024)

    | Risk | Where | Description | Date | Source | How To Fix |
    |------|-------|-------------|------|--------|------------|
    | High | WordPress XStore Core plugin <= 5.3.8 - Unauthenticated Account Takeover vulnerability | Unauthenticated Account Takeover vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Plugin XStore Core (versions <= 5.3.8) | 25.04.2024 | Plugin | Deactivate plugin |
    | High | WordPress XStore Core plugin <= 5.3.8 - Unauthenticated PHP Object Injection vulnerability | Unauthenticated PHP Object Injection vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Plugin XStore Core (versions <= 5.3.8) | 25.04.2024 | Plugin | Deactivate plugin |
    | High | WordPress XStore Core plugin <= 5.3.8 - Unauthenticated SQL Injection vulnerability | Unauthenticated SQL Injection vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Plugin XStore Core (versions <= 5.3.8) | 25.04.2024 | Plugin | Deactivate plugin |
    | High | WordPress XStore theme <= 9.3.8 - Unauthenticated SQL Injection vulnerability | Unauthenticated SQL Injection vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme XStore (versions <= 9.3.8) | 25.04.2024 | Theme | No updates available |
    | High | WordPress XStore theme <= 9.3.8 - Unauthenticated Local File Inclusion vulnerability | Unauthenticated Local File Inclusion vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme XStore (versions <= 9.3.8) | 25.04.2024 | Theme | No updates available |
    | High | WordPress XStore theme <= 9.3.8 - Arbitrary Option Update vulnerability | Arbitrary Option Update vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme X... | 25.04.2024 | Theme | No updates available |
    | High | WordPress XStore Core plugin <= 5.3.8 - Local File Inclusion vulnerability | Local File Inclusion vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Plugin XSt... | 25.04.2024 | Plugin | Deactivate plugin |
    | High | WordPress XStore Core plugin <= 5.3.8 - Limited Arbitrary File Upload vulnerability | Limited Arbitrary File Upload vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress P... | 25.04.2024 | Plugin | Deactivate plugin |
    | High | WordPress XStore Core plugin <= 5.3.8 - Multiple Authenticated Broken Access Control vulnerability | Multiple Authenticated Broken Access Control vulnerability discovered by Rafie Muhammad (Patchstack)... | 25.04.2024 | Plugin | Deactivate plugin |
    | High | WordPress XStore theme <= 9.3.8 - Broken Access Control vulnerability | Broken Access Control vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme XSt... | 25.04.2024 | Theme | No updates available |
    | High | WordPress XStore theme <= 9.3.8 - Unauthenticated Broken Access Control vulnerability | Unauthenticated Broken Access Control vulnerability discovered by Rafie Muhammad (Patchstack) in Wor... | 25.04.2024 | Theme | No updates available |
    | High | WordPress XStore Core plugin <= 5.3.8 - Limited Arbitrary File Download vulnerability | Limited Arbitrary File Download vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress... | 25.04.2024 | Plugin | Deactivate plugin |
    | Medium | WordPress XStore Core plugin <= 5.3.8 - Reflected Cross Site Scripting (XSS) vulnerability | Reflected Cross Site Scripting (XSS) vulnerability discovered by Rafie Muhammad (Patchstack) in Word... | 25.04.2024 | Plugin | Deactivate plugin |
    | Medium | WordPress XStore theme <= 9.3.8 - Reflected Cross Site Scripting (XSS) vulnerability | Reflected Cross Site Scripting (XSS) vulnerability discovered by Rafie Muhammad (Patchstack) in Word... | | Theme | No updates available |

    1 Answer
    Rose Tyler
    Support staff
    June 14, 2024 at 08:38