Watch Out Wednesday – January 18, 2023

by FocusWP | Jan 18, 2023 | WoW Archive

woman with surprised expression looking through binoculars, captioned watch out wednesday

This week's Watch Out Wednesday covers the latest WordPress plugin vulnerabilities, including unauthenticated SQL injection in Paid Memberships Pro and Easy Digital Downloads, stored XSS in ExactMetrics and MonsterInsights, and more than a dozen closed plugins that should be removed. For each entry, "Patched Version" is the minimum version that contains the fix; where none exists, the plugin should be deactivated and deleted.

Plugin: Stream

Vulnerability: Subscriber+ Alert Creation vulnerability
Patched Version: 3.9.2
Recommended Action: Update the WordPress Stream plugin to the latest available version (at least 3.9.2).

Plugin: PDF Generator for WordPress – Create & Customize PDF for Post, Pages and WooCommerce Products

Vulnerability: Reflected XSS vulnerability
Patched Version: 1.1.2
Recommended Action: Update the WordPress PDF Generator for WordPress – Create & Customize PDF for Post, Pages and WooCommerce Products plugin to the latest available version (at least 1.1.2).

Plugin: YourChannel: Everything you want in a YouTube

Vulnerability: Subscriber+ Stored XSS vulnerability
Patched Version: 1.2.2
Recommended Action: Update the WordPress YourChannel: Everything you want in a YouTube plugin to the latest available version (at least 1.2.2).

Plugin: Freesoul Deactivate Plugins – Plugin manager and cleanup

Vulnerability: Content Spoofing
Patched Version: 1.9.4.1
Recommended Action: Update the WordPress Freesoul Deactivate Plugins – Plugin manager and cleanup plugin to the latest available version (at least 1.9.4.1).

Plugin: Custom 404 Pro

Vulnerability: Admin+ SQL Injection Vulnerability
Patched Version: 3.7.1
Recommended Action: Update the WordPress Custom 404 Pro plugin to the latest available version (at least 3.7.1).

Plugin: GamiPress – Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Vulnerability
Patched Version: 1.0.5
Recommended Action: Update the WordPress GamiPress – Button plugin to the latest available version (at least 1.0.5).

Plugin: GamiPress

Vulnerability: Cross-Site Request Forgery Vulnerability
Patched Version: 2.5.1
Recommended Action: Update the WordPress GamiPress plugin to the latest available version (at least 2.5.1).

Plugin: Survey Maker

Vulnerability: Authenticated SQL Injection Vulnerability
Patched Version: 3.1.2
Recommended Action: Update the WordPress Survey Maker plugin to the latest available version (at least 3.1.2).

Plugin: Paid Memberships Pro

Vulnerability: Unauthenticated SQL Injection Vulnerability
Patched Version: 2.9.8
Recommended Action: Update the WordPress Paid Memberships Pro plugin to the latest available version (at least 2.9.8).

Plugin: Easy Digital Downloads

Vulnerability: Unauthenticated SQL Injection Vulnerability
Patched Version: 3.1.0.4
Recommended Action: Update the WordPress Easy Digital Downloads plugin to the latest available version (at least 3.1.0.4).

Plugin: Launchpad – Coming Soon & Maintenance Mode Plugin

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 9, 2022 and is not available for download.

Plugin: Advanced Custom Fields: Image Crop Add-on

Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Dashicons + Custom Post Types

Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Superior FAQ

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Booklet

Vulnerability: Remote Code Execution (RCE)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 10, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Online Exam Software : eExamhall

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 10, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Hover Image

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 10, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: DNUI

Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 10, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: No API Amazon Affiliate

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 10, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Better Emails

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 10, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Super Popup

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 10, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP-OliveCart

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 16, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: ipBlockList

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 14, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Map Multi Marker

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: ExactMetrics

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 7.12.1
Recommended Action: Update the WordPress ExactMetrics plugin to the latest available version (at least 7.12.1).

Plugin: Google Analytics by Monster Insights

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 8.12.1
Recommended Action: Update the WordPress Google Analytics by Monster Insights plugin to the latest available version (at least 8.12.1).

Plugin: Happyforms

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.22.0
Recommended Action: Update the WordPress Happyforms plugin to the latest available version (at least 1.22.0).

Plugin: Materialis Companion

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.3.40
Recommended Action: Update the WordPress Materialis Companion plugin to the latest available version (at least 1.3.40).

Plugin: SiteGround Security

Vulnerability: Admin+ SQLi vulnerability
Patched Version: 1.3.1
Recommended Action: Update the WordPress SiteGround Security plugin to the latest available version (at least 1.3.1).

Plugin: MagicForm

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: alfred24 Click & Collect

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 14, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Mediamatic – Media Library Folders

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 12, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Extra Block Design, Style, CSS for ANY Gutenberg Blocks

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 12, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Universal Star Rating

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 9, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Crayon Syntax Highlighter

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 13, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Tutor LMS

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.0.10
Recommended Action: Update the WordPress Tutor LMS plugin to the latest available version (at least 2.0.10).

Plugin: Mega Main Menu

Vulnerability: Plugin Settings Information Disclosure Vulnerability
Patched Version: None
Recommended Action: No patched version available. Deactivate the plugin until the author releases a fix, or delete it if it is not essential.

Plugin: Simple Membership WP user Import

Vulnerability: Authenticated (Admin+) SQL Injection Vulnerability
Patched Version: 1.8
Recommended Action: Update the WordPress Simple Membership WP user Import plugin to the latest available version (at least 1.8).

Plugin: WP Blog and Widget

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 2.3.1
Recommended Action: Update the WordPress WP Blog and Widget plugin to the latest available version (at least 2.3.1).

Plugin: Leaflet Maps Marker

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 3.12.7
Recommended Action: Update the WordPress Leaflet Maps Marker plugin to the latest available version (at least 3.12.7).

Plugin: Giveaways and Contests by RafflePress

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.11.3
Recommended Action: Update the WordPress Giveaways and Contests by RafflePress plugin to the latest available version (at least 1.11.3).

Plugin: Html5 Audio Player

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 2.1.12
Recommended Action: Update the WordPress Html5 Audio Player plugin to the latest available version (at least 2.1.12).

Plugin: jQuery T(-) Countdown Widget

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 2.3.24
Recommended Action: Update the WordPress jQuery T(-) Countdown Widget plugin to the latest available version (at least 2.3.24).

Plugin: WP VR – 360 Panorama and Virtual Tour Builder For WordPress

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 8.2.7
Recommended Action: Update the WordPress WP VR – 360 Panorama and Virtual Tour Builder For WordPress plugin to the latest available version (at least 8.2.7).

Plugin: Annual Archive

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.6.0
Recommended Action: Update the WordPress Annual Archive plugin to the latest available version (at least 1.6.0).

Plugin: Send PDF for Contact Form 7

Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: 0.9.9.2
Recommended Action: Update the WordPress Send PDF for Contact Form 7 plugin to the latest available version (at least 0.9.9.2).

Plugin: HUSKY – Products Filter for WooCommerce (formerly WOOF)

Vulnerability: Admin+ PHP Object Injection vulnerability (affects versions below 1.3.2)
Patched Version: 1.3.2
Recommended Action: Update the WordPress HUSKY – Products Filter for WooCommerce (formerly WOOF) plugin to the latest available version (at least 1.3.2).

Plugin: ResponsiveVoice Text To Speech

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available. Deactivate the plugin until the author releases a fix, or delete it if it is not essential.

Plugin: Vimeo Video Autoplay Automute

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available. Deactivate the plugin until the author releases a fix, or delete it if it is not essential.

Plugin: Cloak Front End Email

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available. Deactivate the plugin until the author releases a fix, or delete it if it is not essential.

Plugin: WordPrezi

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available. Deactivate the plugin until the author releases a fix, or delete it if it is not essential.
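Every entry above reduces to one of two actions: update the plugin to at least the listed version, or deactivate and delete a plugin that has been closed without a fix. The POSIX shell script below is an added example, not part of the original post or of any plugin: it reads the CSV that WP-CLI prints for `wp plugin list --fields=name,version,status --format=csv`, compares each installed version numerically against the minimum patched versions from this page, and flags closed plugins for removal. The plugin slugs, the slug-to-version table (a subset of this week's entries) and the sample inventory are constructed assumptions; the minimum versions themselves are the ones listed above.

```shell
#!/bin/sh
# Added example: audit a WordPress plugin inventory against this week's advisories.
# Input is the CSV produced by:
#   wp plugin list --fields=name,version,status --format=csv
# Slugs below are assumptions; the minimum versions come from the entries above.

# Slug -> minimum patched version (subset of this post; extend as needed).
MIN_VERSIONS='stream 3.9.2
paid-memberships-pro 2.9.8
easy-digital-downloads 3.1.0.4
exactmetrics 7.12.1
google-analytics-for-wordpress 8.12.1
tutor 2.0.10'

# Slugs closed on wordpress.org with no patched version: deactivate and delete.
CLOSED_PLUGINS='wp-booklet
superior-faq
crayon-syntax-highlighter'

# version_lt A B: exit 0 when dotted version A is older than B.
# Compares field by field as integers, so 3.1.0.3 < 3.1.0.4 and 2.9.8 < 2.10.0,
# which a plain string comparison would get wrong.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 1
  }'
}

# audit_plugins: reads the CSV on stdin and prints one finding per line:
#   UPDATE <slug> <installed> -> <minimum>
#   REMOVE <slug> <installed> (closed, no patch)
# Inactive plugins are reported too: their code is still on disk and reachable.
audit_plugins() {
  tail -n +2 | while IFS=, read -r name version status; do
    min=$(printf '%s\n' "$MIN_VERSIONS" | awk -v n="$name" '$1 == n { print $2 }')
    if [ -n "$min" ] && version_lt "$version" "$min"; then
      printf 'UPDATE %s %s -> %s\n' "$name" "$version" "$min"
    fi
    if printf '%s\n' "$CLOSED_PLUGINS" | grep -qx -- "$name"; then
      printf 'REMOVE %s %s (closed, no patch)\n' "$name" "$version"
    fi
  done
}

# Constructed sample inventory standing in for live `wp plugin list` output.
SAMPLE_INVENTORY='name,version,status
stream,3.9.1,active
paid-memberships-pro,2.9.8,active
easy-digital-downloads,3.1.0.3,inactive
wp-booklet,1.0.2,active
hello,1.7.2,inactive'

# Live use: wp plugin list --fields=name,version,status --format=csv | audit_plugins
run_sample_audit() {
  printf '%s\n' "$SAMPLE_INVENTORY" | audit_plugins
}

run_sample_audit
```

On the sample inventory the script reports Stream and Easy Digital Downloads as needing an update and WP Booklet as needing removal; Paid Memberships Pro at exactly 2.9.8 is silent because the listed version is the minimum that contains the fix. The field-by-field integer comparison is deliberate: `sort` without `-V` or a string compare would rank 3.1.0.10 below 3.1.0.4 and miss an outdated install.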

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
