Watch Out Wednesday – April 19, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP EasyPay, Events Made Easy, Easy Appointments, and more!

Plugin: Quiz And Survey Master

Vulnerability: Unauthenticated SQL Injection vulnerability
Patched Version: 8.1.5
Recommended Action: Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 8.1.5).

Plugin: Educenter

Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Motor Racing League

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Plugin is abandoned.

Plugin: WP Reroute Email

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of March 28, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Electric Studio Client Login

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Booqable Rental Plugin

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Custom Order Numbers for WooCommerce

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Easy Appointments

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.11.1
Recommended Action: Update the WordPress Easy Appointments plugin to the latest available version (at least 3.11.1).

Plugin: External Videos

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP Roles at Registration

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Article Directory Redux

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor. This plugin has been closed as of March 8, 2023 and is not available for download. This closure is permanent.

Plugin: Paytm Payment Donation

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Optima Express + MarketBoost IDX Plugin

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP EasyPay

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Affiliate Links Lite

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: MyCryptoCheckout – Bitcoin, Ethereum, and 175+ altcoins for WooCommerce

Vulnerability: Reflected XSS vulnerability
Patched Version: 2.124
Recommended Action: Update the WordPress MyCryptoCheckout – Bitcoin, Ethereum, and 175+ altcoins for WooCommerce plugin to the latest available version (at least 2.124).

Plugin: Database Collation Fix

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Shortcodes

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: AdFoxly – Ad Manager, AdSense Ads & Ads.txt

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Cyr to Lat

Vulnerability: Authenticated SQL Injection vulnerability
Patched Version: 3.7
Recommended Action: Update the WordPress Cyr to Lat plugin to the latest available version (at least 3.7).

Plugin: ShiftController Employee Shift Scheduling

Vulnerability: Reflected Cross-Site Scripting via Query String vulnerability
Patched Version: 4.9.26
Recommended Action: Update the WordPress ShiftController Employee Shift Scheduling plugin to the latest available version (at least 4.9.26).

Plugin: Square

Vulnerability: Broken Access Control
Patched Version: 2.0.1
Recommended Action: Update the WordPress Square theme to the latest available version (at least 2.0.1).

Plugin: Betheme

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 26.8
Recommended Action: Update the WordPress Betheme theme to the latest available version (at least 26.8).

Plugin: Featured Post Creative

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.2.8
Recommended Action: Update the WordPress Featured Post Creative plugin to the latest available version (at least 1.2.8).

Plugin: Email Subscription Popup

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.2.17
Recommended Action: Update the WordPress Email Subscription Popup plugin to the latest available version (at least 1.2.17).

Plugin: AFFILIATE Solution

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Simple Popup Images

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Landing Page Builder – Free Landing Page Templates

Vulnerability: Local File Inclusion vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Neshan Maps

Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Shortlinks by Pretty Links

Vulnerability: Cross-Site Request Forgery (CSRF)
Patched Version: 3.4.1
Recommended Action: Update the WordPress Shortlinks by Pretty Links plugin to the latest available version (at least 3.4.1).

Plugin: Enable Accessibility

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor. WordPress plugins review team notified on Feb 10, 2023.

Plugin: Fantastic Content Protector Free

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Download Manager

Vulnerability: Unauthenticated Sensitive Information Disclosure vulnerability
Patched Version: 6.3.0
Recommended Action: Update the WordPress Download Manager Pro plugin to the latest available version (at least 6.3.0).

Plugin: Stamped.io Product Reviews & UGC for WooCommerce

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: CoSchedule

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Newsletters

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Blogger Buzz

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: ReviewX

Vulnerability: CSV Injection
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Coupon Affiliates

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 5.4.6
Recommended Action: Update the WordPress Coupon Affiliates plugin to the latest available version (at least 5.4.6).

Plugin: FooGallery

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.2.41
Recommended Action: Update the WordPress FooGallery plugin to the latest available version (at least 2.2.41).

Plugin: a3 Portfolio

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.1.1
Recommended Action: Update the WordPress a3 Portfolio plugin to the latest available version (at least 3.1.1).

Plugin: Watu Quiz

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.3.9.3
Recommended Action: Update the WordPress Watu Quiz plugin to the latest available version (at least 3.3.9.3).

Plugin: Ultimate Noindex Nofollow Tool II

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.3.4
Recommended Action: Update the WordPress Ultimate Noindex Nofollow Tool II plugin to the latest available version (at least 1.3.4).

Plugin: SupportCandy

Vulnerability: Unauthenticated SQLi vulnerability
Patched Version: 3.1.5
Recommended Action: Update the WordPress SupportCandy plugin to the latest available version (at least 3.1.5).

Plugin: Forminator

Vulnerability: Multiple Missing Authorization vulnerability
Patched Version: 1.23.3
Recommended Action: Update the WordPress Forminator plugin to the latest available version (at least 1.23.3).

Plugin: Product Catalog Feed by PixelYourSite

Vulnerability: Reflected XSS vulnerability
Patched Version: 2.1.1
Recommended Action: Update the WordPress Product Catalog Feed by PixelYourSite plugin to the latest available version (at least 2.1.1).

Plugin: Blog Navigator Chatbot by Xatkit

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 4.5.1
Recommended Action: Update the WordPress Blog Navigator Chatbot by Xatkit plugin to the latest available version (at least 4.5.1).

Plugin: Slimstat Analytics

Vulnerability: Subscriber+ SQL Injection vulnerability
Patched Version: 4.9.4
Recommended Action: Update the WordPress Slimstat Analytics plugin to the latest available version (at least 4.9.4).

Plugin: Site Reviews

Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 6.7.1
Recommended Action: Update the WordPress Site Reviews plugin to the latest available version (at least 6.7.1).

Plugin: Redirection

Vulnerability:
Patched Version: 1.1.5
Recommended Action: Update the WordPress Redirect Redirection plugin to the latest available version (at least 1.1.5).

Plugin: Pricing Tables For WPBakery Page Builder

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 3.0
Recommended Action: Update the WordPress Pricing Tables For WPBakery Page Builder plugin to the latest available version (at least 3.0).

Plugin: WP VR

Vulnerability: Reflected XSS vulnerability
Patched Version: 8.2.9
Recommended Action: Update the WordPress WP VR – 360 Panorama and Virtual Tour Builder For WordPress plugin to the latest available version (at least 8.2.9).

Plugin: W4 Post List

Vulnerability: Reflected XSS vulnerability
Vulnerability: Subscriber+ Password Protected Post Content Disclosure vulnerability
Patched Version: 2.4.6
Recommended Action: Update the WordPress W4 Post List plugin to the latest available version (at least 2.4.6).

Plugin: Waiting: One-click countdowns

Vulnerability: Subscriber+ SQLi vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 19, 2022 and is not available for download. Reason: Security Issue.

Plugin: Events Made Easy

Vulnerability: Subscriber+ SQLi vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 19, 2022 and is not available for download. Reason: Security Issue.

Plugin: WordPress Meta Data and Taxonomies Filter (MDTF)

Vulnerability: Reflected XSS vulnerability
Patched Version: 1.3.1
Recommended Action: Update the WordPress WordPress Meta Data and Taxonomies Filter (MDTF) plugin to the latest available version (at least 1.3.1).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
