Watch Out Wednesday – December 14, 2022

by | Dec 13, 2022 | WoW Archive


This week’s Watch Out Wednesday covers the latest WordPress plugin vulnerabilities, including WP 2FA, WP Social Sharing, and more!

 

Plugin: WP CSV Exporter

Vulnerability: Auth. CSV Injection Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of November 3, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP 2FA

Vulnerability: Broken Authentication vulnerability
Patched Version: 2.2.1
Recommended Action: Update the WordPress WP 2FA plugin to the latest available version (at least 2.2.1).

Plugin: wpForo Forum

Vulnerability: Auth. HTML Injection vulnerability
Patched Version: 2.1.0
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.1.0).

Plugin: WP Calendar

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 2, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: GC Testimonials

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 2, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Social Sharing

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 6, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Login with Cognito

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 6, 2022 and is not available for download. This closure is temporary, pending a full review.

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
