Watch Out Wednesday – April 26, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Autoptimize, eRocket, Layer Slider and more!

Plugin: Autoptimize

Vulnerability: Admin+ Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.1.7
Recommended Action: Update the WordPress Autoptimize plugin to the latest available version (at least 3.1.7).

Plugin: Clock In Portal- Staff & Attendance Management

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Form Block

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.0.2
Recommended Action: Update the WordPress Form Block plugin to the latest available version (at least 1.0.2).

Plugin: GPS Plotter

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Dave’s WordPress Live Search

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Cab Grid

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Easy Slider Revolution

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: eRocket

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Woocommerce Email Report

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Redirect After Login

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WPJAM Basic

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 6.2.1.1
Recommended Action: Update the WordPress WPJAM Basic plugin to the latest available version (at least 6.2.1.1).

Plugin: Verified Reviews (Avis Vérifiés)

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Premmerce

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Mail Subscribe List

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Blog Navigator Chatbot by Xatkit

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 4.5.1
Recommended Action: Update the WordPress Chatbot plugin to the latest available version (at least 4.5.1).

Plugin: ChatBot

Vulnerability: Auth. OpenAI Settings Update to Stored XSS vulnerability
Vulnerability: Unauthenticated Stored XSS vulnerability
Vulnerability: Unauth. PHP Object Injection vulnerability
Vulnerability: Stored XSS via CSRF vulnerability
Patched Version: 4.4.5
Recommended Action: Update the WordPress ChatBot plugin to the latest available version (at least 4.4.5).

Plugin: Image Optimizer by 10web

Vulnerability: Directory Traversal to Information Exposure vulnerability
Patched Version: 1.0.26
Recommended Action: Update the WordPress Image Optimizer by 10web plugin to the latest available version (at least 1.0.26).

Plugin: Robokassa payment gateway for Woocommerce

Vulnerability: Auth. Stored Cross-Site Scripting vulnerability
Patched Version: 1.4.6
Recommended Action: Update the WordPress Robokassa payment gateway for Woocommerce plugin to the latest available version (at least 1.4.6).

Plugin: miniOrange’s Google Authenticator

Vulnerability: Missing Authorization to Plugin Settings Change vulnerability
Patched Version: 5.6.6
Recommended Action: Update the WordPress miniOrange’s Google Authenticator plugin to the latest available version (at least 5.6.6).

Plugin: WP Cerber Security

Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 9.2
Recommended Action: Update the WordPress WP Cerber Security plugin to the latest available version (at least 9.2).

Plugin: Uji Popup

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Live Chat by Formilla – Real-time Chat & Chatbots Plugin

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.3.1
Recommended Action: Update the WordPress plugin Live Chat by Formilla – Real-time Chat & Chatbots Plugin to the latest available version (at least 1.3.1).

Plugin: File Gallery

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.8.5.4
Recommended Action: Update the WordPress File Gallery plugin to the latest available version (at least 1.8.5.4).

Plugin: Layer Slider

Vulnerability: Cross-Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: I Recommend This

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Album Gallery – WordPress Gallery

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: EZP Maintenance Mode

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 24, 2023 and is not available for download. This closure is permanent. Reason: Author Request.

Plugin: SparkPost

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: White Label Branding for Elementor Page Builder

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP Original Media Path

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.4.1
Recommended Action: Update the WordPress WP Original Media Path plugin to the latest available version (at least 2.4.1).

Plugin: Social Share Boost

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: WP Links Page

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Google Analytics Top Content Widget

Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 1.5.6
Recommended Action: Update the WordPress Google Analytics Top Content Widget plugin to the latest available version (at least 1.5.6).

Plugin: ReviewX

Vulnerability: Authenticated (Subscriber+) SQL Injection vulnerability
Patched Version: None
Recommended Action: No fully patched version is available. A partial fix is available in versions >= 1.6.9.

Plugin: FormCraft

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: PropertyHive

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WCP Contact Form

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Ebook Store

Vulnerability: Broken Authentication vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Ebook Store

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Subscribers – Free Web Push Notifications

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Category Specific RSS feed Subscription

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: v2.3
Recommended Action: Update the WordPress Category Specific RSS feed Subscription plugin to the latest available version (at least v2.3).

Plugin: vSlider Multi Image Slider for WordPress

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. Reason: Security Issue.

Plugin: Shortcode IMDB

Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version available.

Plugin: WP Docs

Vulnerability: Broken Access Control
Patched Version: 1.9.9
Recommended Action: Update the WordPress WP Docs plugin to the latest available version (at least 1.9.9).

Plugin: Stock Exporter for WooCommerce

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 1.2.0
Recommended Action: Update the WordPress Stock Exporter for WooCommerce plugin to the latest available version (at least 1.2.0).

Plugin: Query Wrangler

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 1.5.52
Recommended Action: Update the WordPress Query Wrangler plugin to the latest available version (at least 1.5.52).

Plugin: The School Management – Education & Learning Management

Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Table & Contact Form 7 Database – Tablesome – Data Table & Contact Form 7 Database (CFDB7) Plugin

Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 1.0.9
Recommended Action: Update the WordPress plugin Table & Contact Form 7 Database – Tablesome – Data Table & Contact Form 7 Database (CFDB7) Plugin to the latest available version (at least 1.0.9).

Plugin: Sloth Logo Customizer

Vulnerability: Stored XSS via CSRF vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Accessibility Suite by Online ADA

Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Login Box

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: TaxoPress

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting vulnerability
Patched Version: 3.6.5
Recommended Action: Update the WordPress TaxoPress plugin to the latest available version (at least 3.6.5).

Plugin: OoohBoi Steroids for Elementor

Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Image Upload vulnerability
Patched Version: 2.1.5
Recommended Action: Update the WordPress OoohBoi Steroids for Elementor plugin to the latest available version (at least 2.1.5).

Plugin: Jetpack CRM

Vulnerability: Cross-Site Request Forgery to PHAR Deserialization vulnerability
Patched Version: 5.4.0
Recommended Action: Update the WordPress Jetpack CRM plugin to the latest available version (at least 5.4.0).

Plugin: WP-FormAssembly

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 2.0.8
Recommended Action: Update the WordPress WP-FormAssembly plugin to the latest available version (at least 2.0.8).

Plugin: Booking calendar, Appointment Booking System

Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version available.

Plugin: CMP – Coming Soon & Maintenance

Vulnerability: Maintenance Mode Bypass vulnerability
Patched Version: 4.1.8
Recommended Action: Update the WordPress CMP – Coming Soon & Maintenance plugin to the latest available version (at least 4.1.8).

Plugin: WP-dTree

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Yatra

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Charitable

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Simple Share Buttons Adder

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Gallery Metabox

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Ninja Tables

Vulnerability: Cross Site Scripting (XSS)
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.3.5
Recommended Action: Update the WordPress Ninja Tables plugin to the latest available version (at least 4.3.5).

Plugin: ARMember

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Woocommerce Product Designer

Vulnerability: Cross-Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: SiteAlert (Formerly WP Health)

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Login Page Styler

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Kodex Posts likes

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Flyzoo Chat

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Email posts to subscribers

Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Continuous announcement scroller

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: GDPR Compliance & Cookie Consent

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: ShopEngine

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Motors – Car Dealer & Classified Ads

Vulnerability: Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Patched Version: None
Recommended Action: No patched version available.

Plugin: Pearl

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Reservation.Studio widget

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Easy Ad Manager

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Simple Tooltips

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Update Image Tag Alt Attribute

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
