This week’s Watch Out Wednesday covers the latest WordPress plugin vulnerabilities, including Amelia, BookingPress, Paid Memberships Pro and more!

Plugin: Sensei LMS

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 4.18.0
Recommended Action: Update the WordPress Sensei LMS plugin to the latest available version (at least 4.18.0).

Plugin: Ajax Load More

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 6.2.0
Recommended Action: Update the WordPress Ajax Load More plugin to the latest available version (at least 6.2.0).

Plugin: Add Any Extension to Pages

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.5
Recommended Action: Update the WordPress Add Any Extension to Pages plugin to the latest available version (at least 1.5).

Plugin: HUSKY – Products Filter for WooCommerce (formerly WOOF)

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.3.4.4
Recommended Action: Update the WordPress HUSKY – Products Filter for WooCommerce (formerly WOOF) plugin to the latest available version (at least 1.3.4.4).

Plugin: Amelia

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.86
Recommended Action: Update the WordPress Amelia plugin to the latest available version (at least 1.0.86).

Plugin: WP Crowdfunding

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.7
Recommended Action: Update the WordPress WP Crowdfunding plugin to the latest available version (at least 2.1.7).

Plugin: Anti Hacker

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 4.35
Recommended Action: Update the WordPress Anti Hacker plugin to the latest available version (at least 4.35).

Plugin: Uncode Core

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Vulnerability: Arbitrary File Deletion vulnerability
Vulnerability: Privilege Escalation vulnerability
Patched Version: 2.8.9
Recommended Action: Update the WordPress Uncode Core plugin to the latest available version (at least 2.8.9).

Plugin: Automation By Autonami

Vulnerability: SQL Injection vulnerability
Patched Version: 2.7.0
Recommended Action: Update the WordPress Automation By Autonami plugin to the latest available version (at least 2.7.0).

Plugin: Funnel Builder for WordPress by FunnelKit

Vulnerability: SQL Injection vulnerability
Patched Version: 2.14.4
Recommended Action: Update the WordPress Funnel Builder for WordPress by FunnelKit plugin to the latest available version (at least 2.14.4).

Plugin: Pre* Party Resource Hints

Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Photo Gallery by 10Web

Vulnerability: Authenticated Stored Cross-Site Scripting via Widget vulnerability
Patched Version: 1.8.19
Recommended Action: Update the WordPress Photo Gallery by 10Web plugin to the latest available version (at least 1.8.19).

Plugin: Squirrly SEO – Advanced Pack

Vulnerability: SQL Injection vulnerability (affects versions <= 2.3.8)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Connect Contact Form 7, WooCommerce To Google Sheets & Other Platforms – Advanced Form Integration

Vulnerability: SQL Injection vulnerability
Patched Version: 1.76.0
Recommended Action: Update the WordPress Connect Contact Form 7, WooCommerce To Google Sheets & Other Platforms – Advanced Form Integration plugin to the latest available version (at least 1.76.0).

Plugin: BookIt

Vulnerability: SQL Injection vulnerability
Patched Version: 2.4.4
Recommended Action: Update the WordPress BookIt plugin to the latest available version (at least 2.4.4).

Plugin: Simply Schedule Appointments

Vulnerability: SQL Injection vulnerability
Patched Version: 1.6.6.1
Recommended Action: Update the WordPress Simply Schedule Appointments plugin to the latest available version (at least 1.6.6.1).

Plugin: e2pdf

Vulnerability: SQL Injection vulnerability
Patched Version: 1.20.24
Recommended Action: Update the WordPress e2pdf plugin to the latest available version (at least 1.20.24).

Plugin: 404 Solution

Vulnerability: SQL Injection vulnerability
Patched Version: 2.35.0
Recommended Action: Update the WordPress 404 Solution plugin to the latest available version (at least 2.35.0).

Plugin: Welcart e-Commerce

Vulnerability: SQL Injection vulnerability
Patched Version: 2.9.4
Recommended Action: Update the WordPress Welcart e-Commerce plugin to the latest available version (at least 2.9.4).

Plugin: RegistrationMagic

Vulnerability: SQL Injection vulnerability
Patched Version: 5.2.4.6
Recommended Action: Update the WordPress RegistrationMagic plugin to the latest available version (at least 5.2.4.6).

Plugin: GeoDirectory

Vulnerability: SQL Injection vulnerability
Patched Version: 2.3.29
Recommended Action: Update the WordPress GeoDirectory plugin to the latest available version (at least 2.3.29).

Plugin: WP Mail Catcher

Vulnerability: SQL Injection vulnerability
Patched Version: 2.1.4
Recommended Action: Update the WordPress WP Mail Catcher plugin to the latest available version (at least 2.1.4).

Plugin: Clockwork SMS Notfications

Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: MF Gig Calendar

Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: BookingPress

Vulnerability: SQL Injection vulnerability
Patched Version: 1.0.73
Recommended Action: Update the WordPress BookingPress plugin to the latest available version (at least 1.0.73).

Plugin: Booking Manager

Vulnerability: SQL Injection vulnerability
Patched Version: 2.1.6
Recommended Action: Update the WordPress Booking Manager plugin to the latest available version (at least 2.1.6).

Plugin: JS Help Desk – Best Help Desk & Support Plugin

Vulnerability: Unauthenticated SQL Injection vulnerability
Patched Version: 2.8.2
Recommended Action: Update the WordPress JS Help Desk – Best Help Desk & Support Plugin to the latest available version (at least 2.8.2).

Plugin: NEX-Forms – Ultimate Form Builder

Vulnerability: SQL Injection vulnerability
Patched Version: 8.5.6
Recommended Action: Update the WordPress NEX-Forms – Ultimate Form Builder plugin to the latest available version (at least 8.5.6).

Plugin: Login Lockdown

Vulnerability: SQL Injection vulnerability
Patched Version: 2.07
Recommended Action: Update the WordPress Login Lockdown plugin to the latest available version (at least 2.07).

Plugin: HTML Forms

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Paid Memberships Pro

Vulnerability: Missing Authorization via API vulnerability
Patched Version: 2.12.6
Recommended Action: Update the WordPress Paid Memberships Pro plugin to the latest available version (at least 2.12.6).

Plugin: Limit Login Attempts Reloaded

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 2.25.27
Recommended Action: Update the WordPress Limit Login Attempts Reloaded plugin to the latest available version (at least 2.25.27).

Plugin: Clone

Vulnerability: Sensitive Information Exposure vulnerability
Patched Version: 2.4.3
Recommended Action: Update the WordPress Clone plugin to the latest available version (at least 2.4.3).

***
Check out the WoW Archive for past Watch Out Wednesday posts.