Plugin: QuBotChat
Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 1.1.6
Recommended Action: Update the WordPress QuBotChat plugin to the latest available version (at least 1.1.6).
Plugin: WP Coder
Vulnerability: Reflected Cross-Site Scripting via ‘page’ parameter vulnerability
Patched Version: 2.5.6
Recommended Action: Update the WordPress WP Coder plugin to the latest available version (at least 2.5.6).
Plugin: Bubble Menu – circle floating menu
Vulnerability: Reflected Cross-Site Scripting via ‘page’ parameter vulnerability
Patched Version: 3.0.4
Recommended Action: Update the WordPress Bubble Menu – circle floating menu plugin to the latest available version (at least 3.0.4).
Plugin: This Day In History
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Apr 12, 2023.
Plugin: Recently Viewed Products
Vulnerability: PHP Object Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Mar 27, 2023.
Plugin: SKU Label Changer For WooCommerce
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Apr 3, 2023.
Plugin: IP Metaboxes
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Apr 12, 2023.
Plugin: IP Metaboxes
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Apr 12, 2023.
Plugin: WooCommerce Product Categories Selection Widget
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Apr 14, 2023.
Plugin: Button Generator – easily Button Builder
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Feb 8, 2023.
Plugin: HashOne
Vulnerability: Broken Access Control Vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Viral
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.8.1
Recommended Action: Update the WordPress Viral theme to the latest available version (at least 1.8.1).
Plugin: Viral News
Vulnerability: Broken Access Control
Patched Version: 1.4.6
Recommended Action: Update the WordPress Viral News theme to the latest available version (at least 1.4.6).
Plugin: Video Contest WordPress Plugin
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Video Contest WordPress Plugin
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Product Gallery Slider for WooCommerce
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.2.9
Recommended Action: Update the WordPress Product Gallery Slider for WooCommerce plugin to the latest available version (at least 2.2.9).
Plugin: Custom Twitter Feeds (Tweets Widget)
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0
Recommended Action: Update the WordPress Custom Twitter Feeds (Tweets Widget) plugin to the latest available version (at least 2.0).
Plugin: WS Form LITE
Vulnerability: CAPTCHA Bypass vulnerability
Patched Version: 1.9.118
Recommended Action: Update the WordPress WS Form LITE plugin to the latest available version (at least 1.9.118).
Plugin: Uncanny Automator
Vulnerability: Cross-Site Request Forgery via update_automator_connect vulnerability
Patched Version: 4.15
Recommended Action: Update the WordPress Uncanny Automator plugin to the latest available version (at least 4.15).
Plugin: Go Pricing
Vulnerability: WordPress Go Pricing – WordPress Responsive Pricing Tables plugin <= 3.3.19 - Authenticated (Subscriber+) PHP Object Injection vulnerability Patched Version: 3.4 Recommended Action: Update the WordPress Go Pricing plugin to the latest available version (at least 3.4).
Plugin: MStore API
Vulnerability: Authentication Bypass vulnerability
Patched Version: 3.9.3
Recommended Action: Update the WordPress MStore API plugin to the latest available version (at least 3.9.3).
Plugin: UTM Tracker
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Download Theme
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.1.0
Recommended Action: Update the WordPress Download Theme plugin to the latest available version (at least 1.1.0).
Plugin: Download Plugin
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0.5
Recommended Action: Update the WordPress Download Plugin plugin to the latest available version (at least 2.0.5).
Plugin: Flickr Justified Gallery
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Tiles
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of March 15, 2023 and is not available for download. This closure is permanent. Reason: Author Request.
Plugin: Easy Google Maps
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.11.8
Recommended Action: Update the WordPress Easy Google Maps plugin to the latest available version (at least 1.11.8).
Plugin: WordPress Backup & Migration
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.4.1
Recommended Action: Update the WordPress WordPress Backup & Migration plugin to the latest available version (at least 1.4.1).
Plugin: Tutor LMS
Vulnerability: Multiple Broken Access Control vulnerabilities
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WooCommerce Product Vendors
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Vulnerability: Vendor Admin+ SQL Injection vulnerability
Patched Version: 2.1.77
Recommended Action: Update the WordPress WooCommerce Product Vendors plugin to the latest available version (at least 2.1.77).
Plugin: WooCommerce Follow-Up Emails
Vulnerability: Follow-Up Emails Manager+ SQL Injection vulnerability
Patched Version: 4.9.51
Recommended Action: Update the WordPress WooCommerce Follow-Up Emails plugin to the latest available version (at least 4.9.51).
Plugin: Yoast SEO: Local
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 15.0
Recommended Action: Update the WordPress Yoast SEO: Local plugin to the latest available version (at least 15.0).
Plugin: OAuth Single Sign On – SSO (OAuth Client)
Vulnerability: Broken Authentication vulnerability
Patched Version: 6.23.4
Recommended Action: Update the WordPress OAuth Single Sign On – SSO (OAuth Client) plugin to the latest available version (at least 6.23.4).
Plugin: Elementor Website Builder
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.13.3
Recommended Action: Update the WordPress Elementor Website Builder plugin to the latest available version (at least 3.13.3).
Plugin: WooCommerce Shipping & Tax
Vulnerability: Stored Cross-Site Scripting vulnerability
Patched Version: 2.2.5
Recommended Action: Update the WordPress WooCommerce Shipping & Tax plugin to the latest available version (at least 2.2.5).
Plugin: Easy Admin Menu
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: SIS Handball
Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Multiple Page Generator Plugin – MPG
Vulnerability: SQL Injection vulnerability
Patched Version: 3.3.20
Recommended Action: Update the WordPress Multiple Page Generator Plugin – MPG plugin to the latest available version (at least 3.3.20).
Plugin: YouTube Playlist Player
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 4.6.5
Recommended Action: Update the WordPress YouTube Playlist Player plugin to the latest available version (at least 4.6.5).
***
Check out the WoW Archive for past Watch Out Wednesday posts.