This week’s Watch Out Wednesday covers the latest WordPress plugin and theme vulnerabilities, including Formidable Forms, Advanced Custom Fields, Easy Sign Up, and more.
Plugin: Formidable Forms
Vulnerability: Unauthenticated PHP Object Injection vulnerability
Patched Version: 6.2
Recommended Action: Update the WordPress Formidable Forms plugin to the latest available version (at least 6.2).
Plugin: Spiffy Calendar
Vulnerability: Authenticated SQL Injection (SQLi) vulnerability
Patched Version: 4.9.2
Recommended Action: Update the WordPress Spiffy Calendar plugin to the latest available version (at least 4.9.2).
Plugin: Simple Job Board
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.10.4
Recommended Action: Update the WordPress Simple Job Board plugin to the latest available version (at least 2.10.4).
Plugin: Comments Ratings
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.1.7
Recommended Action: Update the WordPress Comments Ratings plugin to the latest available version (at least 1.1.7).
Plugin: PixTypes
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.4.15
Recommended Action: Update the WordPress PixTypes plugin to the latest available version (at least 1.4.15).
Plugin: WP Data Access
Vulnerability: Authenticated (Subscriber+) Privilege Escalation vulnerability
Patched Version: 5.3.8
Recommended Action: Update the WordPress WP Data Access plugin to the latest available version (at least 5.3.8).
Plugin: Maps Widget for Google Maps
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 4.25
Recommended Action: Update the WordPress Maps Widget for Google Maps plugin to the latest available version (at least 4.25).
Plugin: WP Limit Login Attempts
Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 1.7.2
Recommended Action: Update the WordPress WP Limit Login Attempts plugin to the latest available version (at least 1.7.2).
Plugin: SimpleModal Contact Form (SMCF)
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Connections Business Directory
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 10.4.37
Recommended Action: Update the WordPress Connections Business Directory plugin to the latest available version (at least 10.4.37).
Plugin: Easy Sign Up
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: IMPress Listings
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of March 28, 2023 and is not available for download. This closure is permanent.
Plugin: Tiny carousel horizontal slider plus
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Cryptocurrency All-in-One
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: tencentcloud-cos
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of March 27, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: IFrame Shortcode
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugin review team on February 27, 2023.
Plugin: Optin Forms
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Theme: Houzez
Vulnerability: Unauthenticated SQL Injection (SQLi) vulnerability
Patched Version: 2.8.3
Recommended Action: Update the WordPress Houzez theme to the latest available version (at least 2.8.3).
Plugin: Health Check & Troubleshooting
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.0
Recommended Action: Update the WordPress Health Check & Troubleshooting plugin to the latest available version (at least 1.6.0).
Plugin: qTranslate X Cleanup and WPML Import
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.0.2
Recommended Action: Update the WordPress qTranslate X Cleanup and WPML Import plugin to the latest available version (at least 3.0.2).
Plugin: PHP Compatibility Checker
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.0
Recommended Action: Update the WordPress PHP Compatibility Checker plugin to the latest available version (at least 1.6.0).
Theme: TheRoof
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.4
Recommended Action: Update the WordPress TheRoof theme to the latest available version (at least 1.0.4).
Plugin: MapPress Maps for WordPress
Vulnerability: Authenticated SQL Injection vulnerability
Patched Version: 2.85.5
Recommended Action: Update the WordPress MapPress Maps for WordPress plugin to the latest available version (at least 2.85.5).
Plugin: User Registration
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.3.3
Recommended Action: Update the WordPress User Registration plugin to the latest available version (at least 2.3.3).
Plugin: Transbank Webpay REST
Vulnerability: Authenticated SQL Injection (SQLi) vulnerability
Patched Version: 1.6.7
Recommended Action: Update the WordPress Transbank Webpay REST plugin to the latest available version (at least 1.6.7).
Plugin: Superb Social Media Share Buttons and Follow Buttons
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.1.5
Recommended Action: Update the WordPress Superb Social Media Share Buttons and Follow Buttons plugin to the latest available version (at least 1.1.5).
Plugin: Amelia
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.76
Recommended Action: Update the WordPress Amelia plugin to the latest available version (at least 1.0.76).
Plugin: Spreadshop Plugin
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.6
Recommended Action: Update the WordPress Spreadshop Plugin to the latest available version (at least 1.6.6).
Plugin: ShiftController Employee Shift Scheduling
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 4.9.24
Recommended Action: Update the WordPress ShiftController Employee Shift Scheduling plugin to the latest available version (at least 4.9.24).
Plugin: Cancel order request WooCommerce
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.3.3
Recommended Action: Update the WordPress Cancel order request WooCommerce plugin to the latest available version (at least 1.3.3).
Plugin: Dynamics 365 Integration
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.3.14
Recommended Action: Update the WordPress Dynamics 365 Integration plugin to the latest available version (at least 1.3.14).
Theme: The7
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 11.6.1
Recommended Action: Update the WordPress The7 theme to the latest available version (at least 11.6.1).
Plugin: Product Catalog Simple
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 1.7.0
Recommended Action: Update the WordPress Product Catalog Simple plugin to the latest available version (at least 1.7.0).
Plugin: SEOPress
Vulnerability: Authenticated (Administrator+) PHP Object Injection vulnerability
Patched Version: 6.5.0.3
Recommended Action: Update the WordPress SEOPress plugin to the latest available version (at least 6.5.0.3).
Plugin: Fancy Product Designer
Vulnerability: Insufficient Authorization to Arbitrary Options Update via fpd_update_options vulnerability
Patched Version: 4.7.0
Recommended Action: Update the WordPress Fancy Product Designer plugin to the latest available version (at least 4.7.0).
Plugin: WCFM Membership
Vulnerability: Missing Authorization vulnerability
Patched Version: 2.10.11
Recommended Action: Update the WordPress WCFM Membership plugin to the latest available version (at least 2.10.11).
Plugin: Fancy Product Designer
Vulnerability: Insufficient Authorization on Multiple AJAX Actions vulnerability
Patched Version: 4.7.0
Recommended Action: Update the WordPress Fancy Product Designer plugin to the latest available version (at least 4.7.0).
Plugin: WCFM Membership
Vulnerability: Cross-Site Request Forgery vulnerability
Vulnerability: Unauthenticated Privilege Escalation vulnerability
Patched Version: 2.10.1
Recommended Action: Update the WordPress WCFM Membership plugin to the latest available version (at least 2.10.1).
Plugin: WCFM – Frontend Manager for WooCommerce
Vulnerability: Missing Authorization vulnerability
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 6.6.0
Recommended Action: Update the WordPress WCFM – Frontend Manager for WooCommerce plugin to the latest available version (at least 6.6.0).
Plugin: WCFM Marketplace
Vulnerability: Missing Authorization vulnerability
Patched Version: 3.4.12
Recommended Action: Update the WordPress WCFM Marketplace plugin to the latest available version (at least 3.4.12).
Plugin: WCFM Marketplace
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 3.5.0
Recommended Action: Update the WordPress WCFM Marketplace plugin to the latest available version (at least 3.5.0).
Theme: Weaver Xtreme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Display Name vulnerability
Patched Version: 6.2
Recommended Action: Update the WordPress Weaver Xtreme theme to the latest available version (at least 6.2).
Plugin: WP FEvents Book
Vulnerability: Authenticated Insecure Direct Object Reference (IDOR) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: YourChannel: Everything you want in a YouTube
Vulnerability: Missing Authorization vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Vulnerability: Missing Authorization vulnerability
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Plugin: Ajax Search Pro
Vulnerability: Multiple Reflected Cross-Site Scripting (XSS) vulnerabilities
Patched Version: 4.26.2
Recommended Action: Update the WordPress Ajax Search Pro plugin to the latest available version (at least 4.26.2).
Plugin: Ajax Search Pro
Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 4.26.2
Recommended Action: Update the WordPress Ajax Search Pro plugin to the latest available version (at least 4.26.2).
Plugin: Ajax Search Lite
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 4.11.1
Recommended Action: Update the WordPress Ajax Search Lite plugin to the latest available version (at least 4.11.1).
Plugin: WPCode
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0.9
Recommended Action: Update the WordPress WPCode plugin to the latest available version (at least 2.0.9).
Plugin: Sp*tify Play Button for WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.08
Recommended Action: Update the WordPress Sp*tify Play Button for WordPress plugin to the latest available version (at least 2.08).
Plugin: Libsyn Publisher Hub
Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Comment Reply Notification
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Theme: Outdoor
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.9.7
Recommended Action: Update the WordPress Outdoor theme to the latest available version (at least 3.9.7).
Plugin: MasterStudy LMS
Vulnerability: Missing Authorization via wp_ajax_stm_wpcfto_get_settings vulnerability
Patched Version: 2.9.35
Recommended Action: Update the WordPress MasterStudy LMS plugin to the latest available version (at least 2.9.35).
Plugin: Advanced Custom Fields
Vulnerability: Authenticated (Contributor+) PHP Object Injection vulnerability
Patched Version: 5.12.5 or 6.1.0
Recommended Action: Update the WordPress Advanced Custom Fields plugin to the latest available version (at least 5.12.5 or 6.1.0).