Watch Out Wednesday – January 25, 2023

by | Jan 24, 2023 | WoW Archive

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including LearnPress, Automator WP, Booking Calendar, and more!

Plugin: ProfilePress

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 4.5.4
Recommended Action: Update the WordPress ProfilePress plugin to the latest available version (at least 4.5.4).

Plugin: AutomatorWP

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.5.1
Recommended Action: Update the WordPress AutomatorWP plugin to the latest available version (at least 2.5.1).

Plugin: Booking Calendar

Vulnerability: SQL Injection
Patched Version: 9.4.3.1
Recommended Action: Update the WordPress Booking Calendar plugin to the latest available version (at least 9.4.3.1).

Plugin: VikRentCar

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.3.1
Recommended Action: Update the WordPress VikRentCar plugin to the latest available version (at least 1.3.1).

Plugin: LearnPress

Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Vulnerability: Unauthenticated SQL Injection Vulnerability
Vulnerability: Local File Inclusion
Patched Version: 4.2.0
Recommended Action: Update the WordPress LearnPress plugin to the latest available version (at least 4.2.0).

Plugin: MailOptin

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2.54.1
Recommended Action: Update the WordPress MailOptin plugin to the latest available version (at least 1.2.54.1).

Plugin: Media Library Categories

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.0
Recommended Action: Update the WordPress Media Library Categories plugin to the latest available version (at least 2.0.0).

Plugin: ARMember

Vulnerability: Broken Access Control
Patched Version: 3.4.11
Recommended Action: Update the WordPress ARMember plugin to the latest available version (at least 3.4.11).

Plugin: WP Google Maps

Vulnerability: Directory Traversal
Patched Version: 9.0.16
Recommended Action: Update the WordPress WP Google Maps plugin to the latest available version (at least 9.0.16).

Plugin: Essential Blocks for Gutenberg

Vulnerability: Broken Access Control
Patched Version: 3.8.6
Recommended Action: Update the WordPress Essential Blocks for Gutenberg plugin to the latest available version (at least 3.8.6).

Plugin: Amazon JS

Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 5, 2023 and is not available for download.

Plugin: WP Pipes

Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: 1.4.0
Recommended Action: Update the WordPress WP Pipes plugin to the latest available version (at least 1.4.0).

Plugin: FL3R FeelBox

Vulnerability: Unauthenticated SQL Injection Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 13, 2022 and is not available for download.

Plugin: Social Like Box and Page by WpDevArt

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 0.8.40
Recommended Action: Update the WordPress Social Like Box and Page by WpDevArt plugin to the latest available version (at least 0.8.40).

Plugin: RegistrationMagic

Vulnerability: Arbitrary Price Change
Vulnerability: Content Injection
Patched Version: 5.1.9.3
Recommended Action: Update the WordPress RegistrationMagic plugin to the latest available version (at least 5.1.9.3).

Plugin: User Registration

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.3.1
Recommended Action: Update the WordPress User Registration plugin to the latest available version (at least 2.3.1).

Plugin: Quick Event Manager

Vulnerability: Broken Access Control
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 9.7.5
Recommended Action: Update the WordPress Quick Event Manager plugin to the latest available version (at least 9.7.5).

Plugin: WP Client Reports

Vulnerability: Subscriber+ Sensitive Data Exposure
Patched Version: 1.0.17
Recommended Action: Update the WordPress WP Client Reports plugin to the latest available version (at least 1.0.17).

Plugin: Quick Event Manager

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 9.7.5
Recommended Action: Update the WordPress Quick Event Manager plugin to the latest available version (at least 9.7.5).

Plugin: My Tickets

Vulnerability: Payment Bypass Vulnerability
Patched Version: 1.9.12
Recommended Action: Update the WordPress My Tickets plugin to the latest available version (at least 1.9.12).

Plugin: Quiz Maker

Vulnerability: Content Spoofing
Patched Version: 6.3.9.5
Recommended Action: Update the WordPress Quiz Maker plugin to the latest available version (at least 6.3.9.5).

Plugin: Reviews and Rating – Google My Business

Vulnerability: Broken Access Control
Patched Version: 4.15
Recommended Action: Update the WordPress Reviews and Rating – Google My Business plugin to the latest available version (at least 4.15).

Plugin: Bubble Menu – circle floating menu

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.0.2
Recommended Action: Update the WordPress Bubble Menu – circle floating menu plugin to the latest available version (at least 3.0.2).

Plugin: WP Time Slots Booking Form

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.1.82
Recommended Action: Update the WordPress WP Time Slots Booking Form plugin to the latest available version (at least 1.1.82).

Plugin: Contact Us page – Contact people LITE

Vulnerability: Cross Site Request Forgery (CSRF) Leading To Contact Creation Vulnerability
Patched Version: 3.7.1
Recommended Action: Update the WordPress Contact Us page – Contact people LITE plugin to the latest available version (at least 3.7.1).

Plugin: CTT Expresso para WooCommerce

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.2.12
Recommended Action: Update the WordPress CTT Expresso para WooCommerce plugin to the latest available version (at least 3.2.12).

Plugin: Participants Database

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.4.6
Recommended Action: Update the WordPress Participants Database plugin to the latest available version (at least 2.4.6).

Plugin: Responsive Vertical Icon Menu

Vulnerability: Cross Site Request Forgery (CSRF) Leading To Settings Change Vulnerability
Patched Version: 1.5.9
Recommended Action: Update the WordPress Responsive Vertical Icon Menu plugin to the latest available version (at least 1.5.9).

Plugin: WPFrom Email

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.8.9
Recommended Action: Update the WordPress WPFrom Email plugin to the latest available version (at least 1.8.9).

Plugin: GPT3 AI Content Writer

Vulnerability: Subscriber+ Arbitrary Post Content Update Vulnerability
Patched Version: 1.4.38
Recommended Action: Update the WordPress GPT3 AI Content Writer plugin to the latest available version (at least 1.4.38).

Plugin: Conversational Forms for ChatBot

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.1.7
Recommended Action: Update the WordPress Conversational Forms for ChatBot plugin to the latest available version (at least 1.1.7).

Plugin: Heateor Social Comments

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.6.2
Recommended Action: Update the WordPress Heateor Social Comments plugin to the latest available version (at least 1.6.2).

Plugin: WP Airbnb Review Slider

Vulnerability: Cross Site Request Forgery (CSRF) Leading To Reviews Removal Vulnerability
Patched Version: 3.3
Recommended Action: Update the WordPress WP Airbnb Review Slider plugin to the latest available version (at least 3.3).

Plugin: RapidLoad Power-Up for Autoptimize

Vulnerability: SQL Injection
Patched Version: 1.6.36
Recommended Action: Update the WordPress RapidLoad Power-Up for Autoptimize plugin to the latest available version (at least 1.6.36).

Plugin: Responsive Vertical Icon Menu

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.5.9
Recommended Action: Update the WordPress Responsive Vertical Icon Menu plugin to the latest available version (at least 1.5.9).

Plugin: Extensions For CF7

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0.9
Recommended Action: Update the WordPress Extensions For CF7 plugin to the latest available version (at least 2.0.9).

Plugin: PixelYourSite – Your smart PIXEL (TAG) Manager

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 9.3.1
Recommended Action: Update the WordPress PixelYourSite – Your smart PIXEL (TAG) Manager plugin to the latest available version (at least 9.3.1).

Plugin: WP Google Map Plugin

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 4.4.0
Recommended Action: Update the WordPress WP Google Map Plugin plugin to the latest available version (at least 4.4.0).

Plugin: Pods

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.9.11
Recommended Action: Update the WordPress Pods plugin to the latest available version (at least 2.9.11).

Plugin: WP Time Slots Booking Form

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.1.83
Recommended Action: Update the WordPress WP Time Slots Booking Form plugin to the latest available version (at least 1.1.83).

Plugin: Interactive Polish Map

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.2.1
Recommended Action: Update the WordPress Interactive Polish Map plugin to the latest available version (at least 1.2.1).

Plugin: Quick Event Manager

Vulnerability: Reflected Cross-Site Scripting Vulnerability
Patched Version: 9.7.5
Recommended Action: Update the WordPress Quick Event Manager plugin to the latest available version (at least 9.7.5).

Plugin: Login with phone number

Vulnerability: Reflected Cross-Site Scripting Vulnerability
Patched Version: 1.4.2
Recommended Action: Update the WordPress Login with phone number plugin to the latest available version (at least 1.4.2).

Plugin: My Calendar

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.4.4
Recommended Action: Update the WordPress My Calendar plugin to the latest available version (at least 3.4.4).

Plugin: WP Smart Preloader

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.15.1
Recommended Action: Update the WordPress WP Smart Preloader plugin to the latest available version (at least 1.15.1).

Plugin: Image Hover Effects For WPBakery Page Builder

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 5.0
Recommended Action: Update the WordPress Image Hover Effects For WPBakery Page Builder plugin to the latest available version (at least 5.0).

Plugin: Simple Staff List

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.2.3
Recommended Action: Update the WordPress Simple Staff List plugin to the latest available version (at least 2.2.3).

Plugin: WPMobile.App Android and iOS Mobile Application

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 11.14
Recommended Action: Update the WordPress WPMobile.App Android and iOS Mobile Application plugin to the latest available version (at least 11.14).

Plugin: Category Specific RSS feed Subscription

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.2
Recommended Action: Update the WordPress Category Specific RSS feed Subscription plugin to the latest available version (at least 2.2).

Plugin: WP eBay Product Feeds

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.4
Recommended Action: Update the WordPress WP eBay Product Feeds plugin to the latest available version (at least 3.4).

Plugin: WP Flipclock

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.8
Recommended Action: Update the WordPress WP Flipclock plugin to the latest available version (at least 1.8).

Plugin: Very Simple Google Maps

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.9
Recommended Action: Update the WordPress Very Simple Google Maps plugin to the latest available version (at least 2.9).

Plugin: Contact Form 7 Dynamic Text Extension

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Patched Version: 3.0.0
Recommended Action: Update the WordPress Contact Form 7 Dynamic Text Extension plugin to the latest available version (at least 3.0.0).

Plugin: WP Helper Premium

Vulnerability: Authenticated (Contributor+) SQL Injection vulnerability
Patched Version: 4.4.4
Recommended Action: Update the WordPress WP Helper Premium plugin to the latest available version (at least 4.4.4).

Plugin: URL Shortener by MyThemeShop

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: M Chart

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: GPT AI Power

Vulnerability: Subscriber+ Arbitrary Post Content Update Vulnerability
Patched Version: 1.4.38
Recommended Action: Update the WordPress GPT AI Power plugin to the latest available version (at least 1.4.38).

Plugin: YARPP

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Easy PayPal Buy Now Button

Vulnerability: CSRF to Stored Cross-Site Scripting vulnerability
Patched Version: 1.7.3
Recommended Action: Update the WordPress Easy PayPal Buy Now Button plugin to the latest available version (at least 1.7.3).

Plugin: Easy PayPal Buy Now Button

Vulnerability: Contributor+ Stored XSS in Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Mapwiz

Vulnerability: Admin+ SQLi vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Amr Shortcode Any Widget

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Themify Portfolio Post

Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: 1.2.2
Recommended Action: Update the WordPress Themify Portfolio Post plugin to the latest available version (at least 1.2.2).

Plugin: Lightbox Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 0.9.5
Recommended Action: Update the WordPress Lightbox Gallery plugin to the latest available version (at least 0.9.5).

Plugin: JetWidgets For Elementor

Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 3, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Oi Yandex.Maps for WordPress

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Coming Soon by Supsystic

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Youtube shortcode

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP TopBar

Vulnerability: SQL Injection
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Admin Log

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Page Loading Effects

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Theme Blvd Responsive Google Maps

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Camera slideshow

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Nice PayPal Button Lite

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Tabs Slides

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: SRS Simple Hits Counter

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Fast Cache

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: User Meta Manager

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.5.0
Recommended Action: Update the WordPress User Meta Manager plugin to the latest available version (at least 3.5.0).

Plugin: User Meta Manager

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: GiveWP

Vulnerability: Unauthenticated SQL Injection Vulnerability
Patched Version: 2.24.0
Recommended Action: Update the WordPress GiveWP plugin to the latest available version (at least 2.24.0).

Plugin: Custom 404 Pro

Vulnerability: Cross-Site Request Forgery Vulnerability
Patched Version: 3.7.2
Recommended Action: Update the WordPress Custom 404 Pro plugin to the latest available version (at least 3.7.2).

Plugin: WP Customer Area

Vulnerability: RCE via CSRF vulnerability
Patched Version: 8.1.4
Recommended Action: Update the WordPress WP Customer Area plugin to the latest available version (at least 8.1.4).

Plugin: TemplatesNext ToolKit

Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: 3.2.9
Recommended Action: Update the WordPress TemplatesNext ToolKit plugin to the latest available version (at least 3.2.9).

Plugin: Better Font Awesome

Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: 2.0.4
Recommended Action: Update the WordPress Better Font Awesome plugin to the latest available version (at least 2.0.4).

Plugin: Location Weather

Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: 1.3.4
Recommended Action: Update the WordPress Location Weather plugin to the latest available version (at least 1.3.4).

Plugin: Enable Media Replace

Vulnerability: Author+ Arbitrary File Upload Vulnerability
Patched Version: 4.0.2
Recommended Action: Update the WordPress Enable Media Replace plugin to the latest available version (at least 4.0.2).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!