This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Amelia, BookingPress, Paid Memberships Pro and more!
Plugin: Sensei LMS
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 4.18.0
Recommended Action: Update the WordPress Sensei LMS plugin to the latest available version (at least 4.18.0).
Plugin: Ajax Load More
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 6.2.0
Recommended Action: Update the WordPress Ajax Load More plugin to the latest available version (at least 6.2.0).
Plugin: Add Any Extension to Pages
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.5
Recommended Action: Update the WordPress Add Any Extension to Pages plugin to the latest available version (at least 1.5).
Plugin: HUSKY – Products Filter for WooCommerce (formerly WOOF)
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.3.4.4
Recommended Action: Update the WordPress HUSKY – Products Filter for WooCommerce (formerly WOOF) plugin to the latest available version (at least 1.3.4.4).
Plugin: Amelia
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.86
Recommended Action: Update the WordPress Amelia plugin to the latest available version (at least 1.0.86).
Plugin: WP Crowdfunding
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.7
Recommended Action: Update the WordPress WP Crowdfunding plugin to the latest available version (at least 2.1.7).
Plugin: Anti Hacker
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 4.35
Recommended Action: Update the WordPress Anti Hacker plugin to the latest available version (at least 4.35).
Plugin: Uncode Core
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Vulnerability: Arbitrary File Deletion vulnerability
Vulnerability: Privilege Escalation vulnerability
Patched Version: 2.8.9
Recommended Action: Update the WordPress Uncode Core plugin to the latest available version (at least 2.8.9).
Plugin: Automation By Autonami
Vulnerability: SQL Injection vulnerability
Patched Version: 2.7.0
Recommended Action: Update the WordPress Automation By Autonami plugin to the latest available version (at least 2.7.0).
Plugin: Funnel Builder for WordPress by FunnelKit
Vulnerability: SQL Injection vulnerability
Patched Version: 2.14.4
Recommended Action: Update the WordPress Funnel Builder for WordPress by FunnelKit plugin to the latest available version (at least 2.14.4).
Plugin: Pre* Party Resource Hints
Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Photo Gallery by 10Web
Vulnerability: Authenticated Stored Cross-Site Scripting via Widget vulnerability
Patched Version: 1.8.19
Recommended Action: Update the WordPress Photo Gallery by 10Web plugin to the latest available version (at least 1.8.19).
Plugin: Squirrly SEO – Advanced Pack
Vulnerability: SQL Injection vulnerability (affects plugin versions <= 2.3.8)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Connect Contact Form 7, WooCommerce To Google Sheets & Other Platforms – Advanced Form Integration
Vulnerability: SQL Injection vulnerability
Patched Version: 1.76.0
Recommended Action: Update the WordPress Connect Contact Form 7, WooCommerce To Google Sheets & Other Platforms – Advanced Form Integration plugin to the latest available version (at least 1.76.0).
Plugin: BookIt
Vulnerability: SQL Injection vulnerability
Patched Version: 2.4.4
Recommended Action: Update the WordPress BookIt plugin to the latest available version (at least 2.4.4).
Plugin: Simply Schedule Appointments
Vulnerability: SQL Injection vulnerability
Patched Version: 1.6.6.1
Recommended Action: Update the WordPress Simply Schedule Appointments plugin to the latest available version (at least 1.6.6.1).
Plugin: e2pdf
Vulnerability: SQL Injection vulnerability
Patched Version: 1.20.24
Recommended Action: Update the WordPress e2pdf plugin to the latest available version (at least 1.20.24).
Plugin: 404 Solution
Vulnerability: SQL Injection vulnerability
Patched Version: 2.35.0
Recommended Action: Update the WordPress 404 Solution plugin to the latest available version (at least 2.35.0).
Plugin: Welcart e-Commerce
Vulnerability: SQL Injection vulnerability
Patched Version: 2.9.4
Recommended Action: Update the WordPress Welcart e-Commerce plugin to the latest available version (at least 2.9.4).
Plugin: RegistrationMagic
Vulnerability: SQL Injection vulnerability
Patched Version: 5.2.4.6
Recommended Action: Update the WordPress RegistrationMagic plugin to the latest available version (at least 5.2.4.6).
Plugin: GeoDirectory
Vulnerability: SQL Injection vulnerability
Patched Version: 2.3.29
Recommended Action: Update the WordPress GeoDirectory plugin to the latest available version (at least 2.3.29).
Plugin: WP Mail Catcher
Vulnerability: SQL Injection vulnerability
Patched Version: 2.1.4
Recommended Action: Update the WordPress WP Mail Catcher plugin to the latest available version (at least 2.1.4).
Plugin: Clockwork SMS Notifications
Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: MF Gig Calendar
Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: BookingPress
Vulnerability: SQL Injection vulnerability
Patched Version: 1.0.73
Recommended Action: Update the WordPress BookingPress plugin to the latest available version (at least 1.0.73).
Plugin: Booking Manager
Vulnerability: SQL Injection vulnerability
Patched Version: 2.1.6
Recommended Action: Update the WordPress Booking Manager plugin to the latest available version (at least 2.1.6).
Plugin: JS Help Desk – Best Help Desk & Support Plugin
Vulnerability: Unauthenticated SQL Injection vulnerability
Patched Version: 2.8.2
Recommended Action: Update the WordPress JS Help Desk – Best Help Desk & Support Plugin to the latest available version (at least 2.8.2).
Plugin: NEX-Forms – Ultimate Form Builder
Vulnerability: SQL Injection vulnerability
Patched Version: 8.5.6
Recommended Action: Update the WordPress NEX-Forms – Ultimate Form Builder plugin to the latest available version (at least 8.5.6).
Plugin: Login Lockdown
Vulnerability: SQL Injection vulnerability
Patched Version: 2.07
Recommended Action: Update the WordPress Login Lockdown plugin to the latest available version (at least 2.07).
Plugin: HTML Forms
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Paid Memberships Pro
Vulnerability: Missing Authorization via API vulnerability
Patched Version: 2.12.6
Recommended Action: Update the WordPress Paid Memberships Pro plugin to the latest available version (at least 2.12.6).
Plugin: Limit Login Attempts Reloaded
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 2.25.27
Recommended Action: Update the WordPress Limit Login Attempts Reloaded plugin to the latest available version (at least 2.25.27).
Plugin: Clone
Vulnerability: Sensitive Information Exposure vulnerability
Patched Version: 2.4.3
Recommended Action: Update the WordPress Clone plugin to the latest available version (at least 2.4.3).