This week’s Watch Out Wednesday covers the latest WordPress plugin and theme vulnerabilities, including issues in Recently Viewed Products, WooCommerce Shipping & Tax, Elementor Website Builder and more!

Plugin: QuBotChat

Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 1.1.6
Recommended Action: Update the WordPress QuBotChat plugin to the latest available version (at least 1.1.6).

Plugin: WP Coder

Vulnerability: Reflected Cross-Site Scripting (XSS) via the ‘page’ parameter
Patched Version: 2.5.6
Recommended Action: Update the WordPress WP Coder plugin to the latest available version (at least 2.5.6).

Plugin: Bubble Menu – circle floating menu

Vulnerability: Reflected Cross-Site Scripting (XSS) via the ‘page’ parameter
Patched Version: 3.0.4
Recommended Action: Update the WordPress Bubble Menu – circle floating menu plugin to the latest available version (at least 3.0.4).

Plugin: This Day In History

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Apr 12, 2023.

Plugin: Recently Viewed Products

Vulnerability: PHP Object Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Mar 27, 2023.

Plugin: SKU Label Changer For WooCommerce

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Apr 3, 2023.

Plugin: IP Metaboxes

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Apr 12, 2023.

Plugin: IP Metaboxes

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Apr 12, 2023.

Plugin: WooCommerce Product Categories Selection Widget

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Apr 14, 2023.

Plugin: Button Generator – easily Button Builder

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Feb 8, 2023.

Plugin: HashOne

Vulnerability: Broken Access Control Vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Theme: Viral

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.8.1
Recommended Action: Update the WordPress Viral theme to the latest available version (at least 1.8.1).

Theme: Viral News

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.4.6
Recommended Action: Update the WordPress Viral News theme to the latest available version (at least 1.4.6).

Plugin: Video Contest WordPress Plugin

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Video Contest WordPress Plugin

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Product Gallery Slider for WooCommerce

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.2.9
Recommended Action: Update the WordPress Product Gallery Slider for WooCommerce plugin to the latest available version (at least 2.2.9).

Plugin: Custom Twitter Feeds (Tweets Widget)

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0
Recommended Action: Update the WordPress Custom Twitter Feeds (Tweets Widget) plugin to the latest available version (at least 2.0).

Plugin: WS Form LITE

Vulnerability: CAPTCHA Bypass vulnerability
Patched Version: 1.9.118
Recommended Action: Update the WordPress WS Form LITE plugin to the latest available version (at least 1.9.118).

Plugin: Uncanny Automator

Vulnerability: Cross-Site Request Forgery (CSRF) via update_automator_connect
Patched Version: 4.15
Recommended Action: Update the WordPress Uncanny Automator plugin to the latest available version (at least 4.15).

Plugin: Go Pricing

Vulnerability: Authenticated (Subscriber+) PHP Object Injection vulnerability (affects versions up to and including 3.3.19)
Patched Version: 3.4
Recommended Action: Update the WordPress Go Pricing plugin to the latest available version (at least 3.4).

Plugin: MStore API

Vulnerability: Authentication Bypass vulnerability
Patched Version: 3.9.3
Recommended Action: Update the WordPress MStore API plugin to the latest available version (at least 3.9.3).

Plugin: UTM Tracker

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Download Theme

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.1.0
Recommended Action: Update the WordPress Download Theme plugin to the latest available version (at least 1.1.0).

Plugin: Download Plugin

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0.5
Recommended Action: Update the WordPress Download Plugin plugin to the latest available version (at least 2.0.5).

Plugin: Flickr Justified Gallery

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP Tiles

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of March 15, 2023 and is not available for download. This closure is permanent. Reason: Author Request.

Plugin: Easy Google Maps

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.11.8
Recommended Action: Update the WordPress Easy Google Maps plugin to the latest available version (at least 1.11.8).

Plugin: WordPress Backup & Migration

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.4.1
Recommended Action: Update the WordPress Backup & Migration plugin to the latest available version (at least 1.4.1).

Plugin: Tutor LMS

Vulnerability: Multiple Broken Access Control vulnerabilities
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WooCommerce Product Vendors

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Vulnerability: Vendor Admin+ SQL Injection vulnerability
Patched Version: 2.1.77
Recommended Action: Update the WordPress WooCommerce Product Vendors plugin to the latest available version (at least 2.1.77).

Plugin: WooCommerce Follow-Up Emails

Vulnerability: Follow-Up Emails Manager+ SQL Injection vulnerability
Patched Version: 4.9.51
Recommended Action: Update the WordPress WooCommerce Follow-Up Emails plugin to the latest available version (at least 4.9.51).

Plugin: Yoast SEO: Local

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 15.0
Recommended Action: Update the WordPress Yoast SEO: Local plugin to the latest available version (at least 15.0).

Plugin: OAuth Single Sign On – SSO (OAuth Client)

Vulnerability: Broken Authentication vulnerability
Patched Version: 6.23.4
Recommended Action: Update the WordPress OAuth Single Sign On – SSO (OAuth Client) plugin to the latest available version (at least 6.23.4).

Plugin: Elementor Website Builder

Vulnerability: Broken Access Control vulnerability
Patched Version: 3.13.3
Recommended Action: Update the WordPress Elementor Website Builder plugin to the latest available version (at least 3.13.3).

Plugin: WooCommerce Shipping & Tax

Vulnerability: Stored Cross-Site Scripting vulnerability
Patched Version: 2.2.5
Recommended Action: Update the WordPress WooCommerce Shipping & Tax plugin to the latest available version (at least 2.2.5).

Plugin: Easy Admin Menu

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: SIS Handball

Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Multiple Page Generator Plugin – MPG

Vulnerability: SQL Injection vulnerability
Patched Version: 3.3.20
Recommended Action: Update the WordPress Multiple Page Generator Plugin – MPG plugin to the latest available version (at least 3.3.20).

Plugin: YouTube Playlist Player

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 4.6.5
Recommended Action: Update the WordPress YouTube Playlist Player plugin to the latest available version (at least 4.6.5).
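A quick way to act on the entries above is to compare what is installed against the patched versions listed here. The script below is an added example, not code from the original post or from any of the plugin authors: it reads the JSON that WP-CLI prints for `wp plugin list --fields=name,title,version --format=json`, matches each plugin by its display title (the only identifier this post gives), and reports whether it is patched, needs an update, or has no fix available. The sample WP-CLI output embedded in it is constructed, the plugin slugs in that sample are assumptions, and the `PATCHED` table holds a subset of the entries above that you would extend with the rest.

```python
"""Triage installed WordPress plugins against the patched versions listed above.

Added example, not part of the original post. Input is the JSON produced by
`wp plugin list --fields=name,title,version --format=json` (WP-CLI).
"""
import json
import re

# Patched versions as listed in the entries above (subset; extend as needed).
# None means the post lists no patched version for that plugin.
PATCHED = {
    "QuBotChat": "1.1.6",
    "WP Coder": "2.5.6",
    "Bubble Menu – circle floating menu": "3.0.4",
    "WS Form LITE": "1.9.118",
    "Uncanny Automator": "4.15",
    "Go Pricing": "3.4",
    "MStore API": "3.9.3",
    "Custom Twitter Feeds (Tweets Widget)": "2.0",
    "Elementor Website Builder": "3.13.3",
    "WooCommerce Shipping & Tax": "2.2.5",
    "YouTube Playlist Player": "4.6.5",
    "Recently Viewed Products": None,
    "SKU Label Changer For WooCommerce": None,
    "Tutor LMS": None,
}


def version_key(version):
    """Turn '1.9.118' into (1, 9, 118) so comparison is numeric, not lexical.

    A plain string comparison would rank '1.9.118' below '1.9.20', which is
    exactly the mistake that leaves a vulnerable plugin marked as patched.
    Non-numeric suffixes such as '-beta' are ignored.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_at_least(installed, required):
    """True if `installed` is the same as or newer than `required`.

    Shorter tuples are zero-padded so that '2.0' equals '2.0.0'.
    """
    a, b = version_key(installed), version_key(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(plugin_list_json):
    """Return {title: verdict} for every installed plugin that appears in PATCHED."""
    findings = {}
    for plugin in json.loads(plugin_list_json):
        title = plugin.get("title") or plugin.get("name")
        if title not in PATCHED:
            continue  # not covered by this week's list
        required = PATCHED[title]
        if required is None:
            findings[title] = "no fix available: consider deactivating or removing"
        elif is_at_least(plugin["version"], required):
            findings[title] = "patched"
        else:
            findings[title] = f"update required: {plugin['version']} < {required}"
    return findings


# Constructed sample of WP-CLI output; the slugs in `name` are assumptions.
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "ws-form", "title": "WS Form LITE", "version": "1.9.99"},
    {"name": "elementor", "title": "Elementor Website Builder", "version": "3.13.3"},
    {"name": "woocommerce-services", "title": "WooCommerce Shipping & Tax", "version": "2.2.4"},
    {"name": "tutor", "title": "Tutor LMS", "version": "2.1.0"},
    {"name": "akismet", "title": "Akismet Anti-spam", "version": "5.1"},
])


if __name__ == "__main__":
    for title, verdict in triage(SAMPLE_WP_CLI_OUTPUT).items():
        print(f"{title}: {verdict}")
```

On a live site, pipe the real WP-CLI output in place of the constructed sample (for example by reading `sys.stdin` after running `wp plugin list --fields=name,title,version --format=json`). Themes such as Viral and Viral News are listed by `wp theme list` instead and would need the same comparison against a separate table.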

***
Check out the WoW Archive for past Watch Out Wednesday posts.