This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Accordion Slider, Post Ticker Ultimate, RSVPMarker and more!
Plugin: Save as PDF plugin by Pdfcrowd
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Refused by the vendor.
Plugin: Save as Image plugin by Pdfcrowd
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Refused by the vendor.
Plugin: DoLogin Security
Vulnerability: IP Address Spoofing vulnerability
Patched Version: 3.7
Recommended Action: Update the WordPress DoLogin Security plugin to the latest available version (at least 3.7).
Plugin: WooCommerce PDF Invoice Builder
Vulnerability: Missing Authorization to Sensitive Information Exposure vulnerability
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting vulnerability
Patched Version: 1.2.91
Recommended Action: Update the WordPress WooCommerce PDF Invoice Builder plugin to the latest available version (at least 1.2.91).
Plugin: Event Tickets with Ticket Scanner
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.5.5
Recommended Action: Update the WordPress Event Tickets with Ticket Scanner plugin to the latest available version (at least 1.5.5).
Plugin: Donations Made Easy – Smart Donations
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023, and is not available for download. This closure is temporary, pending a full review.
Plugin: Cost Calculator Builder
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.1.43
Recommended Action: Update the WordPress Cost Calculator Builder plugin to the latest available version (at least 3.1.43).
Plugin: WP VR
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 8.3.5
Recommended Action: Update the WordPress WP VR plugin to the latest available version (at least 8.3.5).
Plugin: Cookies and Content Security Policy
Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: 2.16
Recommended Action: Update the WordPress Cookies and Content Security Policy plugin to the latest available version (at least 2.16).
Plugin: BigBlueButton
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Stripe Payment Gateway for WooCommerce
Vulnerability: Missing Authorization to Arbitrary Order Status Modification vulnerability
Patched Version: 3.8.0
Recommended Action: Update the WordPress Stripe Payment Gateway for WooCommerce plugin to the latest available version (at least 3.8.0).
Plugin: Serial Codes Generator and Validator with WooCommerce Support
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability
Patched Version: 2.4.15
Recommended Action: Update the WordPress Serial Codes Generator and Validator with WooCommerce Support plugin to the latest available version (at least 2.4.15).
Plugin: wpDataTables
Vulnerability: Authenticated (Administrator+) PHP Object Injection vulnerability
Patched Version: 2.1.66
Recommended Action: Update the WordPress wpDataTables plugin to the latest available version (at least 2.1.66).
Plugin: Smart SEO Tool
Vulnerability: Cross-Site Request Forgery via ‘wp_ajax_wb_smart_seo_tool’ vulnerability
Patched Version: 4.0.2
Recommended Action: Update the WordPress Smart SEO Tool plugin to the latest available version (at least 4.0.2).
Plugin: Paid Memberships Pro – CCBill Gateway
Vulnerability: Unauthenticated Broken Access Control vulnerability
Patched Version: 0.4
Recommended Action: Update the WordPress Paid Memberships Pro – CCBill Gateway plugin to the latest available version (at least 0.4).
Plugin: CLUEVO LMS, E-Learning Platform
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.11.0
Recommended Action: Update the WordPress CLUEVO LMS, E-Learning Platform plugin to the latest available version (at least 1.11.0).
Plugin: Kanban Boards for WordPress
Vulnerability: Arbitrary Code Execution vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: GD Security Headers
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Typing Effect
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: RSVPMarker
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Cookies by JM
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of February 10, 2023, and is not available for download. This closure is permanent. Reason: Author Request.
Plugin: JS Help Desk – Best Help Desk & Support Plugin
Vulnerability: Arbitrary File Upload vulnerability
Patched Version: 2.7.8
Recommended Action: Update the WordPress JS Help Desk – Best Help Desk & Support Plugin to the latest available version (at least 2.7.8).
Plugin: Simple Staff List
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Contact form 7 Custom validation
Vulnerability: Unauthenticated SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Doofinder for WooCommerce
Vulnerability: Open Redirection vulnerability
Patched Version: 2.0.0
Recommended Action: Update the WordPress Doofinder for WooCommerce plugin to the latest available version (at least 2.0.0).
Plugin: Simple Org Chart
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Simple Org Chart
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Mortgage Calculator Estatik
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of March 28, 2023, and is not available for download. Reason: Security Issue.
Plugin: Media from FTP
Vulnerability: Author+ Arbitrary File Access vulnerability
Patched Version: 11.17
Recommended Action: Update the WordPress Media from FTP plugin to the latest available version (at least 11.17).
Theme: College
Vulnerability: Reflected XSS vulnerability
Patched Version: 1.5.1
Recommended Action: Update the WordPress College theme to the latest available version (at least 1.5.1).
Theme: Cafe Bistro
Vulnerability: Reflected XSS vulnerability
Patched Version: 1.1.4
Recommended Action: Update the WordPress Cafe Bistro theme to the latest available version (at least 1.1.4).
Theme: BunnyPressLite
Vulnerability: Reflected XSS vulnerability
Patched Version: 2.1
Recommended Action: Update the WordPress BunnyPressLite theme to the latest available version (at least 2.1).
Plugin: Brain Power
Vulnerability: Reflected XSS vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Theme: Bazaar Lite
Vulnerability: Reflected XSS vulnerability
Patched Version: 1.8.6
Recommended Action: Update the WordPress Bazaar Lite theme to the latest available version (at least 1.8.6).
Theme: Arendelle
Vulnerability: Reflected XSS vulnerability
Patched Version: 1.1.3
Recommended Action: Update the WordPress Arendelle theme to the latest available version (at least 1.1.3).
Plugin: Anfaust
Vulnerability: Reflected XSS vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Anand
Vulnerability: Reflected XSS vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Aapna
Vulnerability: Reflected XSS vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Orders Tracking for WooCommerce
Vulnerability: Admin+ Arbitrary File Access/Read vulnerability
Patched Version: 1.2.6
Recommended Action: Update the WordPress Orders Tracking for WooCommerce plugin to the latest available version (at least 1.2.6).
Plugin: Cleverwise Daily Quotes
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: CT Commerce
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Carrot
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Custom Admin Login Page | WPZest
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Accordion Slider
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.9.7
Recommended Action: Update the WordPress Accordion Slider plugin to the latest available version (at least 1.9.7).
Plugin: WP-PostRatings
Vulnerability: Rating Limit Bypass vulnerability
Patched Version: 1.91.1
Recommended Action: Update the WordPress WP-PostRatings plugin to the latest available version (at least 1.91.1).
Plugin: Portfolio and Projects
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.3.8
Recommended Action: Update the WordPress Portfolio and Projects plugin to the latest available version (at least 1.3.8).
Plugin: Post Ticker Ultimate
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.5.6
Recommended Action: Update the WordPress Post Ticker Ultimate plugin to the latest available version (at least 1.5.6).
Plugin: Accordion and Accordion Slider
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.2.5
Recommended Action: Update the WordPress Accordion and Accordion Slider plugin to the latest available version (at least 1.2.5).
Plugin: Video gallery and Player
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.6.6
Recommended Action: Update the WordPress Video gallery and Player plugin to the latest available version (at least 2.6.6).
Plugin: Trending/Popular Post Slider and Widget
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.6.1
Recommended Action: Update the WordPress Trending/Popular Post Slider and Widget plugin to the latest available version (at least 1.6.1).
Plugin: Team Slider and Team Grid Showcase plus Team Carousel
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.6.1
Recommended Action: Update the WordPress Team Slider and Team Grid Showcase plus Team Carousel plugin to the latest available version (at least 2.6.1).
Plugin: Timeline and History slider
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.1.1
Recommended Action: Update the WordPress Timeline and History slider plugin to the latest available version (at least 2.1.1).
Plugin: Meta slider and carousel with lightbox
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.8.3
Recommended Action: Update the WordPress Meta slider and carousel with lightbox plugin to the latest available version (at least 1.8.3).
Plugin: Post grid and filter ultimate
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.5.3
Recommended Action: Update the WordPress Post grid and filter ultimate plugin to the latest available version (at least 1.5.3).
Plugin: Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.3.1
Recommended Action: Update the WordPress Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget plugin to the latest available version (at least 3.3.1).
Plugin: Album and Image Gallery plus Lightbox
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.7.1
Recommended Action: Update the WordPress Album and Image Gallery plus Lightbox plugin to the latest available version (at least 1.7.1).
***
Check out the WoW Archive for past Watch Out Wednesday posts.