Watch Out Wednesday – October 11, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP Mail SMTP Pro, Automated Editor, Mailrelay and more!

by | Oct 10, 2023 | WoW Archive


Plugin: Automated Editor

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Contact Form builder with drag & drop – Kali Forms

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: SendPulse Free Web Push

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Stout Google Calendar

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: 10Web Map Builder for Google Maps

Vulnerability: Notice Dismissal Vulnerability
Patched Version: 1.0.74
Recommended Action: Update the WordPress 10Web Map Builder for Google Maps plugin to the latest available version (at least 1.0.74).

Plugin: ProductX – Gutenberg WooCommerce Blocks

Vulnerability: Broken Access Control vulnerability
Patched Version: 3.0.0
Recommended Action: Update the WordPress ProductX – Gutenberg WooCommerce Blocks plugin to the latest available version (at least 3.0.0).

Plugin: Pinpoint Booking System

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Simple SEO

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Hitsteps Web Analytics

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: IRivYou

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Bold Timeline Lite

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.2.0
Recommended Action: Update the WordPress Bold Timeline Lite plugin to the latest available version (at least 1.2.0).

Plugin: WhitePage

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Mailrelay

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: GoodBarber

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Urvanov Syntax Highlighter

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: affiliate-toolkit – WordPress Affiliate Plugin

Vulnerability: Open Redirection vulnerability
Patched Version: 3.4.0
Recommended Action: Update the WordPress affiliate-toolkit – WordPress Affiliate Plugin plugin to the latest available version (at least 3.4.0).

Plugin: Profile Extra Fields by BestWebSoft

Vulnerability: Missing Authorization to Sensitive Information Exposure vulnerability
Patched Version: 1.2.8
Recommended Action: Update the WordPress Profile Extra Fields by BestWebSoft plugin to the latest available version (at least 1.2.8).

Plugin: Hotjar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of October 4, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Permalinks Customizer

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Blog Manager Light

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Customer Reviews for WooCommerce

Vulnerability: Broken Access Control vulnerability
Patched Version: 5.36.1
Recommended Action: Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version (at least 5.36.1).

Plugin: Geo Controller

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 8.5.3
Recommended Action: Update the WordPress Geo Controller plugin to the latest available version (at least 8.5.3).

Plugin: Booster for WooCommerce

Vulnerability: Authenticated Arbitrary WordPress Option Disclosure Vulnerability
Patched Version: 7.1.2
Recommended Action: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 7.1.2).

Plugin: Optimize Database after Deleting Revisions

Vulnerability: Missing Authorization via ‘odb_csv_download’ vulnerability
Patched Version: 5.1
Recommended Action: Update the WordPress Optimize Database after Deleting Revisions plugin to the latest available version (at least 5.1).

Plugin: Post SMTP Mailer/Email Log

Vulnerability: Authenticated (Administrator+) SQL Injection vulnerability
Patched Version: 2.6.1
Recommended Action: Update the WordPress Post SMTP Mailer/Email Log plugin to the latest available version (at least 2.6.1).

Plugin: WP Mail SMTP Pro

Vulnerability: Missing Authorization to Information Disclosure via is_print_page vulnerability
Patched Version: 3.8.1
Recommended Action: Update the WordPress WP Mail SMTP Pro plugin to the latest available version (at least 3.8.1).

Plugin: Redirection for Contact Form 7

Vulnerability: Broken Access Control vulnerability
Patched Version: 3.0.0
Recommended Action: Update the WordPress Redirection for Contact Form 7 plugin to the latest available version (at least 3.0.0).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
