Watch Out Wednesday – April 4, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Newsletter, WishSuite, Zippy, and more!

Plugin: Enhanced WP Contact Form

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.3
Recommended Action: Update the WordPress Enhanced WP Contact Form plugin to the latest available version (at least 2.3).

Plugin: Conditional extra fees for woocommerce

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.97
Recommended Action: Update the WordPress Conditional extra fees for woocommerce plugin to the latest available version (at least 1.0.97).

Plugin: Order date time for WooCommerce

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.0.20
Recommended Action: Update the WordPress Order date time for WooCommerce plugin to the latest available version (at least 3.0.20).

Plugin: Coupon Affiliates

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 5.4.4
Recommended Action: Update the WordPress Coupon Affiliates plugin to the latest available version (at least 5.4.4).

Plugin: Easy Quiz Maker

Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 2.0
Recommended Action: Update the WordPress Easy Quiz Maker plugin to the latest available version (at least 2.0).

Plugin: Slimstat Analytics

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode vulnerability
Patched Version: 4.9.3.4
Recommended Action: Update the WordPress Slimstat Analytics plugin to the latest available version (at least 4.9.3.4).

Plugin: Really Simple Google Tag Manager

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WishSuite

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.3.4
Recommended Action: Update the WordPress WishSuite plugin to the latest available version (at least 1.3.4).

Plugin: HT Menu

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: JustTables – WooCommerce Product Table

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Swatchly – WooCommerce Variation Swatches for Products

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Premmerce Redirect Manager

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: affiliate-toolkit – WordPress Affiliate Plugin

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.3.4
Recommended Action: Update the affiliate-toolkit – WordPress Affiliate Plugin to the latest available version (at least 3.3.4).

Plugin: Custom More Link Complete

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Viral Mag

Vulnerability: Authenticated Arbitrary Plugin Activation Vulnerability
Patched Version: 1.1.0
Recommended Action: Update the WordPress Viral Mag theme to the latest available version (at least 1.1.0).

Plugin: Zippy

Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: 1.6.2
Recommended Action: Update the WordPress Zippy plugin to the latest available version (at least 1.6.2).

Plugin: Configurable Tag Cloud

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 5.3
Recommended Action: Update the WordPress Configurable Tag Cloud plugin to the latest available version (at least 5.3).

Plugin: WPMobile.App

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 11.21
Recommended Action: Update the WordPress WPMobile.App plugin to the latest available version (at least 11.21).

Plugin: Direct checkout, Add to cart redirect for Woocommerce

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.49
Recommended Action: Update the WordPress Direct checkout, Add to cart redirect for Woocommerce plugin to the latest available version (at least 2.1.49).

Plugin: Trending/Popular Post Slider and Widget

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.5.8
Recommended Action: Update the WordPress Trending/Popular Post Slider and Widget plugin to the latest available version (at least 1.5.8).

Plugin: ChatBot

Vulnerability: Missing Authorization on openai_settings_option_callback vulnerability
Patched Version: 4.4.8
Recommended Action: Update the WordPress ChatBot plugin to the latest available version (at least 4.4.8).

Plugin: WC Fields Factory

Vulnerability: Authenticated (ShopManager+) SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Custom Post Type UI

Vulnerability: Cross-Site Request Forgery to Sensitive Information Exposure vulnerability
Patched Version: 1.13.5
Recommended Action: Update the WordPress Custom Post Type UI plugin to the latest available version (at least 1.13.5).

Plugin: Gift Vouchers

Vulnerability: Unauthenticated SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Feed Them Social

Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 4.0.8
Recommended Action: Update the WordPress Feed Them Social plugin to the latest available version (at least 4.0.8).

Plugin: Gallery

Vulnerability: Author+ Stored Cross-Site Scripting vulnerability
Patched Version: 4.7.0
Recommended Action: Update the WordPress Gallery plugin to the latest available version (at least 4.7.0).

Plugin: TF Random Numbers

Vulnerability: Subscriber+ Arbitrary Option Update vulnerability
Patched Version: 2.0.1
Recommended Action: Update the WordPress TF Random Numbers plugin to the latest available version (at least 2.0.1).

Plugin: WP Meta SEO

Vulnerability: Author+ PHAR Deserialization vulnerability
Patched Version: 4.5.5
Recommended Action: Update the WordPress WP Meta SEO plugin to the latest available version (at least 4.5.5).

Plugin: PixFields

Vulnerability: Authenticated Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Social Proof (Testimonial) Slider

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Happy Addons for Elementor

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.8.3
Recommended Action: Update the WordPress Happy Addons for Elementor plugin to the latest available version (at least 3.8.3).

Plugin: HappyFiles Pro

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.8.2
Recommended Action: Update the WordPress HappyFiles Pro plugin to the latest available version (at least 1.8.2).

Plugin: HappyFiles Pro

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.8.2
Recommended Action: Update the WordPress HappyFiles Pro plugin to the latest available version (at least 1.8.2).

Plugin: Wp Ultimate Review

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.1.0
Recommended Action: Update the WordPress Wp Ultimate Review plugin to the latest available version (at least 2.1.0).

Plugin: Affiliates Manager

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.9.21
Recommended Action: Update the WordPress Affiliates Manager plugin to the latest available version (at least 2.9.21).

Plugin: Wp Ultimate Review

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.0
Recommended Action: Update the WordPress Wp Ultimate Review plugin to the latest available version (at least 2.1.0).

Plugin: Mobile Banner

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6
Recommended Action: Update the WordPress Mobile Banner plugin to the latest available version (at least 1.6).

Plugin: Simple Author Box

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.51
Recommended Action: Update the WordPress Simple Author Box plugin to the latest available version (at least 2.51).

Plugin: Newsletter

Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 7.6.9
Recommended Action: Update the WordPress Email Newsletter plugin to the latest available version (at least 7.6.9).


About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!