Watch Out Wednesday – July 5, 2023

by | Jul 4, 2023 | WoW Archive


This week's Watch Out Wednesday covers the latest WordPress plugin vulnerabilities, including those in Ultimate Member, TrustProfile, Post Hit Counter and more!

Plugin: TrustProfile

Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 3.25
Recommended Action: Update the WordPress TrustProfile plugin to the latest available version (at least 3.25).

Plugin: Easy Accordion FAQ and Knowledge Base Software for WordPress

Vulnerability: Authenticated Cross-Site Scripting vulnerability
Patched Version: 2.8
Recommended Action: Update the WordPress Easy Accordion FAQ and Knowledge Base Software for WordPress plugin to the latest available version (at least 2.8).

Plugin: Request a Quote

Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 2.3.11
Recommended Action: Update the WordPress Request a Quote plugin to the latest available version (at least 2.3.11).

Plugin: Web3 – Crypto wallet Login & NFT token gating

Vulnerability: Authentication Bypass vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of June 29, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: SP Project & Document Manager

Vulnerability: Auth. Insecure Direct Object Reference vulnerability
Vulnerability: SQL Injection
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of June 29, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Ultimate Member

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 2.6.7
Recommended Action: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.6.7).

Plugin: LiquidPoll – Advanced Polls for Creators and Brands

Vulnerability: Broken Access Control vulnerability
Patched Version: 3.3.69
Recommended Action: Update the WordPress LiquidPoll – Advanced Polls for Creators and Brands plugin to the latest available version (at least 3.3.69).

Plugin: Short URL

Vulnerability: Authenticated Stored Cross-Site Scripting Vulnerability
Patched Version: 1.6.5
Recommended Action: Update the WordPress Short URL plugin to the latest available version (at least 1.6.5).

Plugin: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Authentication Bypass Vulnerability
Patched Version: 7.6.5
Recommended Action: Update the WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin to the latest available version (at least 7.6.5).

Plugin: Zippy

Vulnerability: PHP Object Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WCP OpenWeather

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Side Cart Woocommerce (Ajax)

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Layer Slider

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Form Builder

Vulnerability: CSV Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Enhanced Text Widget

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Houzez CRM

Vulnerability: SQL Injection
Patched Version: 1.3.5
Recommended Action: Update the WordPress Houzez CRM plugin to the latest available version (at least 1.3.5).

Plugin: WPGraphQL

Vulnerability: Server Side Request Forgery (SSRF) vulnerability
Patched Version: 1.14.6
Recommended Action: Update the WordPress WPGraphQL plugin to the latest available version (at least 1.14.6).

Plugin: WP Post Author

Vulnerability: Privilege Escalation
Patched Version: 3.3.0
Recommended Action: Update the WordPress WP Post Author plugin to the latest available version (at least 3.3.0).

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Unauthenticated LDAP Injection vulnerability
Patched Version: 4.1.6
Recommended Action: Update the WordPress Active Directory Integration / LDAP Integration plugin to the latest available version (at least 4.1.6).

Plugin: Short URL

Vulnerability: SQL Injection
Patched Version: 1.6.5
Recommended Action: Update the WordPress Short URL plugin to the latest available version (at least 1.6.5).

Plugin: NOO Timetable

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: NOO Timetable

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Post to CSV by BestWebSoft

Vulnerability: CSV Injection
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Catalyst Connect Zoho CRM Client Portal

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.1.0
Recommended Action: Update the WordPress Catalyst Connect Zoho CRM Client Portal plugin to the latest available version (at least 2.1.0).

Plugin: Booked

Vulnerability: Unauth. Appointment Data Exposure vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: The7

Vulnerability: Cross-Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is provided by the vendor.

Plugin: Image Map Pro

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Salon booking system

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 8.4.8
Recommended Action: Update the WordPress Salon booking system plugin to the latest available version (at least 8.4.8).

Plugin: Waitlist WooCommerce (Back in stock notifier)

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.5.3
Recommended Action: Update the WordPress Waitlist WooCommerce (Back in stock notifier) plugin to the latest available version (at least 2.5.3).

Plugin: Enable SVG, WebP & ICO Upload

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Front User Submit / Front Editor

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.8.5
Recommended Action: Update the WordPress WP Front User Submit / Front Editor plugin to the latest available version (at least 3.8.5).

Plugin: Autochat Automatic Conversation

Vulnerability: Unauth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Formidable Forms

Vulnerability: Auth. Remote Code Execution (RCE) vulnerability
Patched Version: 6.3.1
Recommended Action: Update the WordPress Formidable Forms plugin to the latest available version (at least 6.3.1).

Plugin: WP Inventory Manager

Vulnerability: Inventory Items Deletion via CSRF vulnerability
Patched Version: 2.1.0.14
Recommended Action: Update the WordPress WP Inventory Manager plugin to the latest available version (at least 2.1.0.14).

Plugin: WP ERP

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.12.4
Recommended Action: Update the WordPress WP ERP plugin to the latest available version (at least 1.12.4).

Plugin: File Manager Advanced Shortcode

Vulnerability: Unauth. Remote Code Execution vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Kanban Boards for WordPress

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.5.21
Recommended Action: Update the WordPress Kanban Boards for WordPress plugin to the latest available version (at least 2.5.21).

Plugin: Editorial Calendar

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Editorial Calendar

Vulnerability: Insecure Direct Object References (IDOR) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: LearnDash LMS

Vulnerability: Authenticated IDOR to Account Takeover Vulnerability
Patched Version: 4.6.0.1
Recommended Action: Update the WordPress LearnDash LMS plugin to the latest available version (at least 4.6.0.1).

Plugin: ARMember

Vulnerability: Stored Cross Site Scripting (XSS) on Common Messages Settings
Patched Version: 4.0.5
Recommended Action: Update the WordPress ARMember plugin to the latest available version (at least 4.0.5).

Plugin: Duplicate Post Page Menu & Custom Post Type

Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WPJobBoard

Vulnerability: Unauth. Blind SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: No patched version has been provided for validation.

Plugin: Email download link

Vulnerability: Sensitive Data Exposure
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Quiz Expert – Easy Quiz Maker, Exam and Test Manager

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: SW Product Bundles

Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Post Hit Counter

Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Contact Form & Lead Form Elementor Builder

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.8.5
Recommended Action: Update the WordPress Contact Form & Lead Form Elementor Builder plugin to the latest available version (at least 1.8.5).

Plugin: Th Product Compare

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.2.6
Recommended Action: Update the WordPress Th Product Compare plugin to the latest available version (at least 1.2.6).

Plugin: WP Abstracts

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Caldera Forms Google Sheets Connector

Vulnerability: Access Code Update via CSRF vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Popup by Supsystic

Vulnerability: Prototype Pollution vulnerability
Patched Version: 1.10.19
Recommended Action: Update the WordPress Popup by Supsystic plugin to the latest available version (at least 1.10.19).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
