This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Formidable Forms, Advanced Custom Fields, Easy Sign Up, and more!

Plugin: Formidable Forms

Vulnerability: Unauth. PHP Object Injection vulnerability
Patched Version: 6.2
Recommended Action: Update the WordPress Formidable Forms plugin to the latest available version (at least 6.2).

Plugin: Spiffy Calendar

Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: 4.9.2
Recommended Action: Update the WordPress Spiffy Calendar plugin to the latest available version (at least 4.9.2).

Plugin: Simple Job Board

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.10.4
Recommended Action: Update the WordPress Simple Job Board plugin to the latest available version (at least 2.10.4).

Plugin: Comments Ratings

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.1.7
Recommended Action: Update the WordPress Comments Ratings plugin to the latest available version (at least 1.1.7).

Plugin: PixTypes

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.4.15
Recommended Action: Update the WordPress PixTypes plugin to the latest available version (at least 1.4.15).

Plugin: WP Data Access

Vulnerability: Authenticated (Subscriber+) Privilege Escalation vulnerability
Patched Version: 5.3.8
Recommended Action: Update the WordPress WP Data Access plugin to the latest available version (at least 5.3.8).

Plugin: Maps Widget for Google Maps

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 4.25
Recommended Action: Update the WordPress Maps Widget for Google Maps plugin to the latest available version (at least 4.25).

Plugin: WP Limit Login Attempts

Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 1.7.2
Recommended Action: Update the WordPress WP Limit Login Attempts plugin to the latest available version (at least 1.7.2).

Plugin: SimpleModal Contact Form (SMCF)

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Connections Business Directory

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 10.4.37
Recommended Action: Update the WordPress Connections Business Directory plugin to the latest available version (at least 10.4.37).

Plugin: Easy Sign Up

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: IMPress Listings

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of March 28, 2023 and is not available for download. This closure is permanent.

Plugin: Tiny carousel horizontal slider plus

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Cryptocurrency All-in-One

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: tencentcloud-cos

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of March 27, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: IFrame Shortcode

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugin review team on 2023 Feb 27.

Plugin: Optin Forms

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Houzez

Vulnerability: Unauth. SQL Injection (SQLi) vulnerability
Patched Version: 2.8.3
Recommended Action: Update the WordPress Houzez theme to the latest available version (at least 2.8.3).

Plugin: Health Check & Troubleshooting

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.6.0
Recommended Action: Update the WordPress Health Check & Troubleshooting plugin to the latest available version (at least 1.6.0).

Plugin: qTranslate X Cleanup and WPML Import

Vulnerability: Broken Access Control vulnerability
Patched Version: 3.0.2
Recommended Action: Update the WordPress qTranslate X Cleanup and WPML Import plugin to the latest available version (at least 3.0.2).

Plugin: PHP Compatibility Checker

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.0
Recommended Action: Update the WordPress PHP Compatibility Checker plugin to the latest available version (at least 1.6.0).

Plugin: TheRoof

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.4
Recommended Action: Update the WordPress TheRoof theme to the latest available version (at least 1.0.4).

Plugin: MapPress Maps for WordPress

Vulnerability: Authenticated SQL Injection vulnerability
Patched Version: 2.85.5
Recommended Action: Update the WordPress MapPress Maps for WordPress plugin to the latest available version (at least 2.85.5).

Plugin: User Registration

Vulnerability: Broken Access Control vulnerability
Patched Version: 2.3.3
Recommended Action: Update the WordPress User Registration plugin to the latest available version (at least 2.3.3).

Plugin: Transbank Webpay REST

Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: 1.6.7
Recommended Action: Update the WordPress Transbank Webpay REST plugin to the latest available version (at least 1.6.7).

Plugin: Superb Social Media Share Buttons and Follow Buttons

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.1.5
Recommended Action: Update the WordPress Superb Social Media Share Buttons and Follow Buttons plugin to the latest available version (at least 1.1.5).

Plugin: Amelia

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.76
Recommended Action: Update the WordPress Amelia plugin to the latest available version (at least 1.0.76).

Plugin: Spreadshop Plugin

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.6
Recommended Action: Update the WordPress Spreadshop Plugin plugin to the latest available version (at least 1.6.6).

Plugin: ShiftController Employee Shift Scheduling

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 4.9.24
Recommended Action: Update the WordPress ShiftController Employee Shift Scheduling plugin to the latest available version (at least 4.9.24).

Plugin: Cancel order request WooCommerce

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.3.3
Recommended Action: Update the WordPress Cancel order request WooCommerce plugin to the latest available version (at least 1.3.3).

Plugin: Dynamics 365 Integration

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.3.14
Recommended Action: Update the WordPress Dynamics 365 Integration plugin to the latest available version (at least 1.3.14).

Plugin: The7

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 11.6.1
Recommended Action: Update the WordPress The7 theme to the latest available version (at least 11.6.1).

Plugin: Product Catalog Simple

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 1.7.0
Recommended Action: Update the WordPress Product Catalog Simple plugin to the latest available version (at least 1.7.0).

Plugin: SEOPress

Vulnerability: Authenticated (Administrator+) PHP Object Injection vulnerability
Patched Version: 6.5.0.3
Recommended Action: Update the WordPress SEOPress plugin to the latest available version (at least 6.5.0.3).

Plugin: Fancy Product Designer

Vulnerability: Insufficient Authorization to Arbitrary Options Update via fpd_update_options vulnerability
Patched Version: 4.7.0
Recommended Action: Update the WordPress Fancy Product Designer plugin to the latest available version (at least 4.7.0).

Plugin: WCFM Membership

Vulnerability: Missing Authorization vulnerability
Patched Version: 2.10.11
Recommended Action: Update the WordPress WCFM Membership plugin to the latest available version (at least 2.10.11).

Plugin: Fancy Product Designer

Vulnerability: Insufficient Authorization on Multiple AJAX Actions vulnerability
Patched Version: 4.7.0
Recommended Action: Update the WordPress Fancy Product Designer plugin to the latest available version (at least 4.7.0).

Plugin: WCFM Membership

Vulnerability: Cross-Site Request Forgery vulnerability
Vulnerability: Unauthenticated Privilege Escalation vulnerability
Patched Version: 2.10.1
Recommended Action: Update the WordPress WCFM Membership plugin to the latest available version (at least 2.10.1).

Plugin: WCFM – Frontend Manager for WooCommerce

Vulnerability: Missing Authorization vulnerability
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 6.6.0
Recommended Action: Update the WordPress WCFM – Frontend Manager for WooCommerce plugin to the latest available version (at least 6.6.0).

Plugin: WCFM Marketplace

Vulnerability: Missing Authorization vulnerability
Patched Version: 3.4.12
Recommended Action: Update the WordPress WCFM Marketplace plugin to the latest available version (at least 3.4.12).

Plugin: WCFM Marketplace

Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 3.5.0
Recommended Action: Update the WordPress WCFM Marketplace plugin to the latest available version (at least 3.5.0).

Plugin: Weaver Xtreme

Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting via Display Name vulnerability
Patched Version: 6.2
Recommended Action: Update the WordPress Weaver Xtreme theme to the latest available version (at least 6.2).

Plugin: WP FEvents Book

Vulnerability: Auth. Insecure Direct Object Reference (IDOR) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: YourChannel: Everything you want in a YouTube

Vulnerability: Missing Authorization vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Vulnerability: Missing Authorization vulnerability
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability

Plugin: Ajax Search Pro

Vulnerability: Multiple Reflected Cross-Site Scripting (XSS) vulnerabilities
Patched Version: 4.26.2
Recommended Action: Update the WordPress Ajax Search Pro plugin to the latest available version (at least 4.26.2).

Plugin: Ajax Search Pro

Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 4.26.2
Recommended Action: Update the WordPress Ajax Search Pro plugin to the latest available version (at least 4.26.2).

Plugin: Ajax Search Lite

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 4.11.1
Recommended Action: Update the WordPress Ajax Search Lite plugin to the latest available version (at least 4.11.1).

Plugin: WPCode

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0.9
Recommended Action: Update the WordPress WPCode plugin to the latest available version (at least 2.0.9).

Plugin: Sp*tify Play Button for WordPress

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.08
Recommended Action: Update the WordPress Sp*tify Play Button for WordPress plugin to the latest available version (at least 2.08).

Plugin: Libsyn Publisher Hub

Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Comment Reply Notification

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Outdoor

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.9.7
Recommended Action: Update the WordPress Outdoor theme to the latest available version (at least 3.9.7).

Plugin: MasterStudy LMS

Vulnerability: Missing Authorization via wp_ajax_stm_wpcfto_get_settings vulnerability
Patched Version: 2.9.35
Recommended Action: Update the WordPress MasterStudy LMS plugin to the latest available version (at least 2.9.35).

Plugin: Advanced Custom Fields

Vulnerability: Authenticated (Contributor+) PHP Object Injection vulnerability
Patched Version: 5.12.5 or 6.1.0
Recommended Action: Update the WordPress Advanced Custom Fields plugin to the latest available version (at least 5.12.5 or 6.1.0).

***
Check out the WoW Archive for past Watch Out Wednesday posts.