This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP EasyPay, Events Made Easy, Easy Appointments, and more!
Plugin: Quiz And Survey Master
Vulnerability: Unauthenticated SQL Injection vulnerability
Patched Version: 8.1.5
Recommended Action: Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 8.1.5).
Plugin: Educenter
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Motor Racing League
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Plugin is abandoned.
Plugin: WP Reroute Email
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of March 28, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Electric Studio Client Login
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Booqable Rental Plugin
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Custom Order Numbers for WooCommerce
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Easy Appointments
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.11.1
Recommended Action: Update the WordPress Easy Appointments plugin to the latest available version (at least 3.11.1).
Plugin: External Videos
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Roles at Registration
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Article Directory Redux
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor. This plugin has been closed as of March 8, 2023 and is not available for download. This closure is permanent.
Plugin: Paytm Payment Donation
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Optima Express + MarketBoost IDX Plugin
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP EasyPay
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Affiliate Links Lite
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: MyCryptoCheckout – Bitcoin, Ethereum, and 175+ altcoins for WooCommerce
Vulnerability: Reflected XSS vulnerability
Patched Version: 2.124
Recommended Action: Update the WordPress MyCryptoCheckout – Bitcoin, Ethereum, and 175+ altcoins for WooCommerce plugin to the latest available version (at least 2.124).
Plugin: Database Collation Fix
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Shortcodes
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: AdFoxly – Ad Manager, AdSense Ads & Ads.txt
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Cyr to Lat
Vulnerability: Authenticated SQL Injection vulnerability
Patched Version: 3.7
Recommended Action: Update the WordPress Cyr to Lat plugin to the latest available version (at least 3.7).
Plugin: ShiftController Employee Shift Scheduling
Vulnerability: Reflected Cross-Site Scripting via Query String vulnerability
Patched Version: 4.9.26
Recommended Action: Update the WordPress ShiftController Employee Shift Scheduling plugin to the latest available version (at least 4.9.26).
Plugin: Square
Vulnerability: Broken Access Control
Patched Version: 2.0.1
Recommended Action: Update the WordPress Square theme to the latest available version (at least 2.0.1).
Plugin: Betheme
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 26.8
Recommended Action: Update the WordPress Betheme theme to the latest available version (at least 26.8).
Plugin: Featured Post Creative
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.2.8
Recommended Action: Update the WordPress Featured Post Creative plugin to the latest available version (at least 1.2.8).
Plugin: Email Subscription Popup
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.2.17
Recommended Action: Update the WordPress Email Subscription Popup plugin to the latest available version (at least 1.2.17).
Plugin: AFFILIATE Solution
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Simple Popup Images
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Landing Page Builder – Free Landing Page Templates
Vulnerability: Local File Inclusion vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Neshan Maps
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Shortlinks by Pretty Links
Vulnerability: Cross-Site Request Forgery (CSRF)
Patched Version: 3.4.1
Recommended Action: Update the WordPress Shortlinks by Pretty Links plugin to the latest available version (at least 3.4.1).
Plugin: Enable Accessibility
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor. WordPress plugins review team notified on Feb 10, 2023.
Plugin: Fantastic Content Protector Free
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Download Manager
Vulnerability: Unauthenticated Sensitive Information Disclosure vulnerability
Patched Version: 6.3.0
Recommended Action: Update the WordPress Download Manager Pro plugin to the latest available version (at least 6.3.0).
Plugin: Stamped.io Product Reviews & UGC for WooCommerce
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: CoSchedule
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Newsletters
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Blogger Buzz
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: ReviewX
Vulnerability: CSV Injection
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Coupon Affiliates
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 5.4.6
Recommended Action: Update the WordPress Coupon Affiliates plugin to the latest available version (at least 5.4.6).
Plugin: FooGallery
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.2.41
Recommended Action: Update the WordPress FooGallery plugin to the latest available version (at least 2.2.41).
Plugin: a3 Portfolio
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.1.1
Recommended Action: Update the WordPress a3 Portfolio plugin to the latest available version (at least 3.1.1).
Plugin: Watu Quiz
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.3.9.3
Recommended Action: Update the WordPress Watu Quiz plugin to the latest available version (at least 3.3.9.3).
Plugin: Ultimate Noindex Nofollow Tool II
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.3.4
Recommended Action: Update the WordPress Ultimate Noindex Nofollow Tool II plugin to the latest available version (at least 1.3.4).
Plugin: SupportCandy
Vulnerability: Unauthenticated SQLi vulnerability
Patched Version: 3.1.5
Recommended Action: Update the WordPress SupportCandy plugin to the latest available version (at least 3.1.5).
Plugin: Forminator
Vulnerability: Multiple Missing Authorization vulnerability
Patched Version: 1.23.3
Recommended Action: Update the WordPress Forminator plugin to the latest available version (at least 1.23.3).
Plugin: Product Catalog Feed by PixelYourSite
Vulnerability: Reflected XSS vulnerability
Patched Version: 2.1.1
Recommended Action: Update the WordPress Product Catalog Feed by PixelYourSite plugin to the latest available version (at least 2.1.1).
Plugin: Blog Navigator Chatbot by Xatkit
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 4.5.1
Recommended Action: Update the WordPress Blog Navigator Chatbot by Xatkit plugin to the latest available version (at least 4.5.1).
Plugin: Slimstat Analytics
Vulnerability: Subscriber+ SQL Injection vulnerability
Patched Version: 4.9.4
Recommended Action: Update the WordPress Slimstat Analytics plugin to the latest available version (at least 4.9.4).
Plugin: Site Reviews
Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 6.7.1
Recommended Action: Update the WordPress Site Reviews plugin to the latest available version (at least 6.7.1).
Plugin: Redirection
Vulnerability:
Patched Version: 1.1.5
Recommended Action: Update the WordPress Redirect Redirection plugin to the latest available version (at least 1.1.5).
Plugin: Pricing Tables For WPBakery Page Builder
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 3.0
Recommended Action: Update the WordPress Pricing Tables For WPBakery Page Builder plugin to the latest available version (at least 3.0).
Plugin: WP VR
Vulnerability: Reflected XSS vulnerability
Patched Version: 8.2.9
Recommended Action: Update the WordPress WP VR – 360 Panorama and Virtual Tour Builder For WordPress plugin to the latest available version (at least 8.2.9).
Plugin: W4 Post List
Vulnerability: Reflected XSS vulnerability
Vulnerability: Subscriber+ Password Protected Post Content Disclosure vulnerability
Patched Version: 2.4.6
Recommended Action: Update the WordPress W4 Post List plugin to the latest available version (at least 2.4.6).
Plugin: Waiting: One-click countdowns
Vulnerability: Subscriber+ SQLi vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 19, 2022 and is not available for download. Reason: Security Issue.
Plugin: Events Made Easy
Vulnerability: Subscriber+ SQLi vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 19, 2022 and is not available for download. Reason: Security Issue.
Plugin: WordPress Meta Data and Taxonomies Filter (MDTF)
Vulnerability: Reflected XSS vulnerability
Patched Version: 1.3.1
Recommended Action: Update the WordPress Meta Data and Taxonomies Filter (MDTF) plugin to the latest available version (at least 1.3.1).