This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Autoptimize, eRocket, Layer Slider and more!
Plugin: Autoptimize
Vulnerability: Admin+ Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.1.7
Recommended Action: Update the WordPress Autoptimize plugin to the latest available version (at least 3.1.7).
Plugin: Clock In Portal- Staff & Attendance Management
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Form Block
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.0.2
Recommended Action: Update the WordPress Form Block plugin to the latest available version (at least 1.0.2).
Plugin: GPS Plotter
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Dave’s WordPress Live Search
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Cab Grid
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Easy Slider Revolution
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: eRocket
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Woocommerce Email Report
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Redirect After Login
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WPJAM Basic
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 6.2.1.1
Recommended Action: Update the WordPress WPJAM Basic plugin to the latest available version (at least 6.2.1.1).
Plugin: Verified Reviews (Avis Vérifiés)
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Premmerce
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Mail Subscribe List
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Blog Navigator Chatbot by Xatkit
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 4.5.1
Recommended Action: Update the WordPress Chatbot plugin to the latest available version (at least 4.5.1).
Plugin: ChatBot
Vulnerability: Auth. OpenAI Settings Update to Stored XSS vulnerability
Vulnerability: Unauthenticated Stored XSS vulnerability
Vulnerability: Unauth. PHP Object Injection vulnerability
Vulnerability: Stored XSS via CSRF vulnerability
Patched Version: 4.4.5
Recommended Action: Update the WordPress ChatBot plugin to the latest available version (at least 4.4.5).
Plugin: Image Optimizer by 10web
Vulnerability: Directory Traversal to Information Exposure vulnerability
Patched Version: 1.0.26
Recommended Action: Update the WordPress Image Optimizer by 10web plugin to the latest available version (at least 1.0.26).
Plugin: Robokassa payment gateway for Woocommerce
Vulnerability: Auth. Stored Cross-Site Scripting vulnerability
Patched Version: 1.4.6
Recommended Action: Update the WordPress Robokassa payment gateway for Woocommerce plugin to the latest available version (at least 1.4.6).
Plugin: miniOrange’s Google Authenticator
Vulnerability: Missing Authorization to Plugin Settings Change vulnerability
Patched Version: 5.6.6
Recommended Action: Update the WordPress miniOrange’s Google Authenticator plugin to the latest available version (at least 5.6.6).
Plugin: WP Cerber Security
Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 9.2
Recommended Action: Update the WordPress WP Cerber Security plugin to the latest available version (at least 9.2).
Plugin: Uji Popup
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Live Chat by Formilla – Real-time Chat & Chatbots Plugin
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.3.1
Recommended Action: Update the WordPress Live Chat by Formilla – Real-time Chat & Chatbots Plugin to the latest available version (at least 1.3.1).
Plugin: File Gallery
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.8.5.4
Recommended Action: Update the WordPress File Gallery plugin to the latest available version (at least 1.8.5.4).
Plugin: Layer Slider
Vulnerability: Cross-Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: I Recommend This
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Album Gallery – WordPress Gallery
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: EZP Maintenance Mode
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 24, 2023 and is not available for download. This closure is permanent. Reason: Author Request.
Plugin: SparkPost
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: White Label Branding for Elementor Page Builder
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Original Media Path
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.4.1
Recommended Action: Update the WordPress WP Original Media Path plugin to the latest available version (at least 2.4.1).
Plugin: Social Share Boost
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: WP Links Page
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Google Analytics Top Content Widget
Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 1.5.6
Recommended Action: Update the WordPress Google Analytics Top Content Widget plugin to the latest available version (at least 1.5.6).
Plugin: ReviewX
Vulnerability: Authenticated (Subscriber+) SQL Injection vulnerability
Patched Version: None
Recommended Action: No fully patched version is available. A partial fix is available in versions >= 1.6.9.
Plugin: FormCraft
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: PropertyHive
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WCP Contact Form
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Ebook Store
Vulnerability: Broken Authentication vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Ebook Store
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Subscribers – Free Web Push Notifications
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Category Specific RSS feed Subscription
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: v2.3
Recommended Action: Update the WordPress Category Specific RSS feed Subscription plugin to the latest available version (at least v2.3).
Plugin: vSlider Multi Image Slider for WordPress
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. Reason: Security Issue.
Plugin: Shortcode IMDB
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version available.
Plugin: WP Docs
Vulnerability: Broken Access Control
Patched Version: 1.9.9
Recommended Action: Update the WordPress WP Docs plugin to the latest available version (at least 1.9.9).
Plugin: Stock Exporter for WooCommerce
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 1.2.0
Recommended Action: Update the WordPress Stock Exporter for WooCommerce plugin to the latest available version (at least 1.2.0).
Plugin: Query Wrangler
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 1.5.52
Recommended Action: Update the WordPress Query Wrangler plugin to the latest available version (at least 1.5.52).
Plugin: The School Management – Education & Learning Management
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Table & Contact Form 7 Database – Tablesome – Data Table & Contact Form 7 Database (CFDB7) Plugin
Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 1.0.9
Recommended Action: Update the WordPress Table & Contact Form 7 Database – Tablesome – Data Table & Contact Form 7 Database (CFDB7) Plugin to the latest available version (at least 1.0.9).
Plugin: Sloth Logo Customizer
Vulnerability: Stored XSS via CSRF vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Accessibility Suite by Online ADA
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP Login Box
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: TaxoPress
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting vulnerability
Patched Version: 3.6.5
Recommended Action: Update the WordPress TaxoPress plugin to the latest available version (at least 3.6.5).
Plugin: OoohBoi Steroids for Elementor
Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Image Upload vulnerability
Patched Version: 2.1.5
Recommended Action: Update the WordPress OoohBoi Steroids for Elementor plugin to the latest available version (at least 2.1.5).
Plugin: Jetpack CRM
Vulnerability: Cross-Site Request Forgery to PHAR Deserialization vulnerability
Patched Version: 5.4.0
Recommended Action: Update the WordPress Jetpack CRM plugin to the latest available version (at least 5.4.0).
Plugin: WP-FormAssembly
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 2.0.8
Recommended Action: Update the WordPress WP-FormAssembly plugin to the latest available version (at least 2.0.8).
Plugin: Booking calendar, Appointment Booking System
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version available.
Plugin: CMP – Coming Soon & Maintenance
Vulnerability: Maintenance Mode Bypass vulnerability
Patched Version: 4.1.8
Recommended Action: Update the WordPress CMP – Coming Soon & Maintenance plugin to the latest available version (at least 4.1.8).
Plugin: WP-dTree
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Yatra
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Charitable
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Simple Share Buttons Adder
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Gallery Metabox
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Ninja Tables
Vulnerability: Cross Site Scripting (XSS)
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.3.5
Recommended Action: Update the WordPress Ninja Tables plugin to the latest available version (at least 4.3.5).
Plugin: ARMember
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Woocommerce Product Designer
Vulnerability: Cross-Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: SiteAlert (Formerly WP Health)
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Login Page Styler
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Kodex Posts likes
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Flyzoo Chat
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Email posts to subscribers
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Continuous announcement scroller
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: GDPR Compliance & Cookie Consent
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: ShopEngine
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Motors – Car Dealer & Classified Ads
Vulnerability: Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Patched Version: None
Recommended Action: No patched version available.
Plugin: Pearl
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Reservation.Studio widget
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Easy Ad Manager
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Simple Tooltips
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Update Image Tag Alt Attribute
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.