Multiple plugins used to convert WordPress default plain text emails to HTML format are found to be vulnerable to HTML injection. We have automatically updated plugins in all applicable WordPress customer accounts. Affected versions:
Email Templates <1.3.1
WP HTML Mail – Email Designer <2.9.1
WP Email Template <2.2.11
We have automatically upgraded the Nextgen Gallery plugin in all applicable WordPress customer accounts.
We have automatically upgraded the All-in-One WP Migration plugin in all applicable WordPress customer accounts.
We have automatically upgraded the File Manager plugin in all applicable WordPress customer accounts.
We have automatically upgraded Yoast SEO / Premium in all applicable WordPress customer accounts.
We have automatically upgraded WooCommerce to 3.6.5 in all applicable WordPress customer accounts.
A privilege escalation vulnerability has been found in Contact Form 7 5.0.3 and older versions. See https://wpvulndb.com/vulnerabilities/9127 for more information on this vulnerability. We have automatically upgraded all applicable WordPress customer accounts.
According to WooCommerce: "Versions 3.4.4 and earlier are affected by an issue where a function that updates attributes could lead to object injection. This is related to the WordPress 4.8.3 security release." We have automatically upgraded WooCommerce to 3.4.5 in all applicable WordPress customer accounts.
There are some recent changes by the .nz domain name registry to improve security of the domain name space, compliance with GDPR (Privacy for European citizens no matter where they reside). For information, see https://dnc.org.nz/sites/default/files/2018-04/DNC%20Newsletter%20April%202018_0.pdf.
WP Retina 2x <= 5.2.0 is vulnerable to a Cross-Site Scripting (XSS) attack. We have automatically upgraded all applicable WordPress customer accounts.