Watch Out Wednesday – April 12, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Formidable Forms, Advanced Custom Fields, Easy Sign Up, and more!

Plugin: Formidable Forms

Vulnerability: Unauth. PHP Object Injection vulnerability
Patched Version: 6.2
Recommended Action: Update the WordPress Formidable Forms plugin to the latest available version (at least 6.2).

Plugin: Spiffy Calendar

Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: 4.9.2
Recommended Action: Update the WordPress Spiffy Calendar plugin to the latest available version (at least 4.9.2).

Plugin: Simple Job Board

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.10.4
Recommended Action: Update the WordPress Simple Job Board plugin to the latest available version (at least 2.10.4).

Plugin: Comments Ratings

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.1.7
Recommended Action: Update the WordPress Comments Ratings plugin to the latest available version (at least 1.1.7).

Plugin: PixTypes

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.4.15
Recommended Action: Update the WordPress PixTypes plugin to the latest available version (at least 1.4.15).

Plugin: WP Data Access

Vulnerability: Authenticated (Subscriber+) Privilege Escalation vulnerability
Patched Version: 5.3.8
Recommended Action: Update the WordPress WP Data Access plugin to the latest available version (at least 5.3.8).

Plugin: Maps Widget for Google Maps

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 4.25
Recommended Action: Update the WordPress Maps Widget for Google Maps plugin to the latest available version (at least 4.25).

Plugin: WP Limit Login Attempts

Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 1.7.2
Recommended Action: Update the WordPress WP Limit Login Attempts plugin to the latest available version (at least 1.7.2).

Plugin: SimpleModal Contact Form (SMCF)

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Connections Business Directory

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 10.4.37
Recommended Action: Update the WordPress Connections Business Directory plugin to the latest available version (at least 10.4.37).

Plugin: Easy Sign Up

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: IMPress Listings

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of March 28, 2023 and is not available for download. This closure is permanent.

Plugin: Tiny carousel horizontal slider plus

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Cryptocurrency All-in-One

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: tencentcloud-cos

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of March 27, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: IFrame Shortcode

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugin review team on February 27, 2023.

Plugin: Optin Forms

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Theme: Houzez

Vulnerability: Unauth. SQL Injection (SQLi) vulnerability
Patched Version: 2.8.3
Recommended Action: Update the WordPress Houzez theme to the latest available version (at least 2.8.3).

Plugin: Health Check & Troubleshooting

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.0
Recommended Action: Update the WordPress Health Check & Troubleshooting plugin to the latest available version (at least 1.6.0).

Plugin: qTranslate X Cleanup and WPML Import

Vulnerability: Broken Access Control vulnerability
Patched Version: 3.0.2
Recommended Action: Update the WordPress qTranslate X Cleanup and WPML Import plugin to the latest available version (at least 3.0.2).

Plugin: PHP Compatibility Checker

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.0
Recommended Action: Update the WordPress PHP Compatibility Checker plugin to the latest available version (at least 1.6.0).

Theme: TheRoof

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.4
Recommended Action: Update the WordPress TheRoof theme to the latest available version (at least 1.0.4).

Plugin: MapPress Maps for WordPress

Vulnerability: Authenticated SQL Injection vulnerability
Patched Version: 2.85.5
Recommended Action: Update the WordPress MapPress Maps for WordPress plugin to the latest available version (at least 2.85.5).

Plugin: User Registration

Vulnerability: Broken Access Control vulnerability
Patched Version: 2.3.3
Recommended Action: Update the WordPress User Registration plugin to the latest available version (at least 2.3.3).

Plugin: Transbank Webpay REST

Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: 1.6.7
Recommended Action: Update the WordPress Transbank Webpay REST plugin to the latest available version (at least 1.6.7).

Plugin: Superb Social Media Share Buttons and Follow Buttons

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.1.5
Recommended Action: Update the WordPress Superb Social Media Share Buttons and Follow Buttons plugin to the latest available version (at least 1.1.5).

Plugin: Amelia

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.76
Recommended Action: Update the WordPress Amelia plugin to the latest available version (at least 1.0.76).

Plugin: Spreadshop Plugin

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.6
Recommended Action: Update the WordPress Spreadshop Plugin plugin to the latest available version (at least 1.6.6).

Plugin: ShiftController Employee Shift Scheduling

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 4.9.24
Recommended Action: Update the WordPress ShiftController Employee Shift Scheduling plugin to the latest available version (at least 4.9.24).

Plugin: Cancel order request WooCommerce

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.3.3
Recommended Action: Update the WordPress Cancel order request WooCommerce plugin to the latest available version (at least 1.3.3).

Plugin: Dynamics 365 Integration

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.3.14
Recommended Action: Update the WordPress Dynamics 365 Integration plugin to the latest available version (at least 1.3.14).

Theme: The7

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 11.6.1
Recommended Action: Update the WordPress The7 theme to the latest available version (at least 11.6.1).

Plugin: Product Catalog Simple

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 1.7.0
Recommended Action: Update the WordPress Product Catalog Simple plugin to the latest available version (at least 1.7.0).

Plugin: SEOPress

Vulnerability: Authenticated (Administrator+) PHP Object Injection vulnerability
Patched Version: 6.5.0.3
Recommended Action: Update the WordPress SEOPress plugin to the latest available version (at least 6.5.0.3).

Plugin: Fancy Product Designer

Vulnerability: Insufficient Authorization to Arbitrary Options Update via fpd_update_options vulnerability
Patched Version: 4.7.0
Recommended Action: Update the WordPress Fancy Product Designer plugin to the latest available version (at least 4.7.0).

Plugin: WCFM Membership

Vulnerability: Missing Authorization vulnerability
Patched Version: 2.10.11
Recommended Action: Update the WordPress WCFM Membership plugin to the latest available version (at least 2.10.11).

Plugin: Fancy Product Designer

Vulnerability: Insufficient Authorization on Multiple AJAX Actions vulnerability
Patched Version: 4.7.0
Recommended Action: Update the WordPress Fancy Product Designer plugin to the latest available version (at least 4.7.0).

Plugin: WCFM Membership

Vulnerability: Cross-Site Request Forgery vulnerability
Vulnerability: Unauthenticated Privilege Escalation vulnerability
Patched Version: 2.10.1
Recommended Action: Update the WordPress WCFM Membership plugin to the latest available version (at least 2.10.1).

Plugin: WCFM – Frontend Manager for WooCommerce

Vulnerability: Missing Authorization vulnerability
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 6.6.0
Recommended Action: Update the WordPress WCFM – Frontend Manager for WooCommerce plugin to the latest available version (at least 6.6.0).

Plugin: WCFM Marketplace

Vulnerability: Missing Authorization vulnerability
Patched Version: 3.4.12
Recommended Action: Update the WordPress WCFM Marketplace plugin to the latest available version (at least 3.4.12).

Plugin: WCFM Marketplace

Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 3.5.0
Recommended Action: Update the WordPress WCFM Marketplace plugin to the latest available version (at least 3.5.0).

Theme: Weaver Xtreme

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Display Name vulnerability
Patched Version: 6.2
Recommended Action: Update the WordPress Weaver Xtreme theme to the latest available version (at least 6.2).

Plugin: WP FEvents Book

Vulnerability: Auth. Insecure Direct Object Reference (IDOR) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: YourChannel: Everything you want in a YouTube

Vulnerability: Missing Authorization vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Vulnerability: Missing Authorization vulnerability
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability

Plugin: Ajax Search Pro

Vulnerability: Multiple Reflected Cross-Site Scripting (XSS) vulnerabilities
Patched Version: 4.26.2
Recommended Action: Update the WordPress Ajax Search Pro plugin to the latest available version (at least 4.26.2).

Plugin: Ajax Search Pro

Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 4.26.2
Recommended Action: Update the WordPress Ajax Search Pro plugin to the latest available version (at least 4.26.2).

Plugin: Ajax Search Lite

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 4.11.1
Recommended Action: Update the WordPress Ajax Search Lite plugin to the latest available version (at least 4.11.1).

Plugin: WPCode

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0.9
Recommended Action: Update the WordPress WPCode plugin to the latest available version (at least 2.0.9).

Plugin: Sp*tify Play Button for WordPress

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.08
Recommended Action: Update the WordPress Sp*tify Play Button for WordPress plugin to the latest available version (at least 2.08).

Plugin: Libsyn Publisher Hub

Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Comment Reply Notification

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Theme: Outdoor

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.9.7
Recommended Action: Update the WordPress Outdoor theme to the latest available version (at least 3.9.7).

Plugin: MasterStudy LMS

Vulnerability: Missing Authorization via wp_ajax_stm_wpcfto_get_settings vulnerability
Patched Version: 2.9.35
Recommended Action: Update the WordPress MasterStudy LMS plugin to the latest available version (at least 2.9.35).

Plugin: Advanced Custom Fields

Vulnerability: Authenticated (Contributor+) PHP Object Injection vulnerability
Patched Version: 5.12.5 or 6.1.0
Recommended Action: Update the WordPress Advanced Custom Fields plugin to the latest available version (at least 5.12.5 or 6.1.0).


About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
