Watch Out Wednesday – April 4, 2023

by | Apr 3, 2023 | WoW Archive

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Newsletter, WishSuite, Zippy, and more!

Plugin: Enhanced WP Contact Form

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.3
Recommended Action: Update the WordPress Enhanced WP Contact Form plugin to the latest available version (at least 2.3).

Plugin: Conditional extra fees for woocommerce

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.97
Recommended Action: Update the WordPress Conditional extra fees for woocommerce plugin to the latest available version (at least 1.0.97).

Plugin: Order date time for WooCommerce

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.0.20
Recommended Action: Update the WordPress Order date time for WooCommerce plugin to the latest available version (at least 3.0.20).

Plugin: Coupon Affiliates

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 5.4.4
Recommended Action: Update the WordPress Coupon Affiliates plugin to the latest available version (at least 5.4.4).

Plugin: Easy Quiz Maker

Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 2.0
Recommended Action: Update the WordPress Easy Quiz Maker plugin to the latest available version (at least 2.0).

Plugin: Slimstat Analytics

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode vulnerability
Patched Version: 4.9.3.4
Recommended Action: Update the WordPress Slimstat Analytics plugin to the latest available version (at least 4.9.3.4).

Plugin: Really Simple Google Tag Manager

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WishSuite

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.3.4
Recommended Action: Update the WordPress WishSuite plugin to the latest available version (at least 1.3.4).

Plugin: HT Menu

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: JustTables – WooCommerce Product Table

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Swatchly – WooCommerce Variation Swatches for Products

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Premmerce Redirect Manager

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: affiliate-toolkit – WordPress Affiliate Plugin

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.3.4
Recommended Action: Update the WordPress affiliate-toolkit – WordPress Affiliate Plugin plugin to the latest available version (at least 3.3.4).

Plugin: Custom More Link Complete

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Viral Mag

Vulnerability: Authenticated Arbitrary Plugin Activation Vulnerability
Patched Version: 1.1.0
Recommended Action: Update the WordPress Viral Mag theme to the latest available version (at least 1.1.0).

Plugin: Zippy

Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: 1.6.2
Recommended Action: Update the WordPress Zippy plugin to the latest available version (at least 1.6.2).

Plugin: Configurable Tag Cloud

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 5.3
Recommended Action: Update the WordPress Configurable Tag Cloud plugin to the latest available version (at least 5.3).

Plugin: WPMobile.App

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 11.21
Recommended Action: Update the WordPress WPMobile.App plugin to the latest available version (at least 11.21).

Plugin: Direct checkout, Add to cart redirect for Woocommerce

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.49
Recommended Action: Update the WordPress Direct checkout, Add to cart redirect for Woocommerce plugin to the latest available version (at least 2.1.49).

Plugin: Trending/Popular Post Slider and Widget

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.5.8
Recommended Action: Update the WordPress Trending/Popular Post Slider and Widget plugin to the latest available version (at least 1.5.8).

Plugin: ChatBot

Vulnerability: Missing Authorization on openai_settings_option_callback vulnerability
Patched Version: 4.4.8
Recommended Action: Update the WordPress ChatBot plugin to the latest available version (at least 4.4.8).

Plugin: WC Fields Factory

Vulnerability: Authenticated (ShopManager+) SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Custom Post Type UI

Vulnerability: Cross-Site Request Forgery to Sensitive Information Exposure vulnerability
Patched Version: 1.13.5
Recommended Action: Update the WordPress Custom Post Type UI plugin to the latest available version (at least 1.13.5).

Plugin: Gift Vouchers

Vulnerability: Unauthenticated SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Feed Them Social

Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 4.0.8
Recommended Action: Update the WordPress Feed Them Social plugin to the latest available version (at least 4.0.8).

Plugin: Gallery

Vulnerability: Author+ Stored Cross-Site Scripting vulnerability
Patched Version: 4.7.0
Recommended Action: Update the WordPress Gallery plugin to the latest available version (at least 4.7.0).

Plugin: TF Random Numbers

Vulnerability: Subscriber+ Arbitrary Option Update vulnerability
Patched Version: 2.0.1
Recommended Action: Update the WordPress TF Random Numbers plugin to the latest available version (at least 2.0.1).

Plugin: WP Meta SEO

Vulnerability: Author+ PHAR Deserialization vulnerability
Patched Version: 4.5.5
Recommended Action: Update the WordPress WP Meta SEO plugin to the latest available version (at least 4.5.5).

Plugin: PixFields

Vulnerability: Authenticated Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Social Proof (Testimonial) Slider

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Happy Addons for Elementor

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.8.3
Recommended Action: Update the WordPress Happy Addons for Elementor plugin to the latest available version (at least 3.8.3).

Plugin: HappyFiles Pro

Vulnerability: Broken Access Control
Patched Version: 1.8.2
Recommended Action: Update the WordPress HappyFiles Pro plugin to the latest available version (at least 1.8.2).

Plugin: HappyFiles Pro

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.8.2
Recommended Action: Update the WordPress HappyFiles Pro plugin to the latest available version (at least 1.8.2).

Plugin: Wp Ultimate Review

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.1.0
Recommended Action: Update the WordPress Wp Ultimate Review plugin to the latest available version (at least 2.1.0).

Plugin: Affiliates Manager

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.9.21
Recommended Action: Update the WordPress Affiliates Manager plugin to the latest available version (at least 2.9.21).

Plugin: Wp Ultimate Review

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.0
Recommended Action: Update the WordPress Wp Ultimate Review plugin to the latest available version (at least 2.1.0).

Plugin: Mobile Banner

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6
Recommended Action: Update the WordPress Mobile Banner plugin to the latest available version (at least 1.6).

Plugin: Simple Author Box

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.51
Recommended Action: Update the WordPress Simple Author Box plugin to the latest available version (at least 2.51).

Plugin: Newsletter

Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 7.6.9
Recommended Action: Update the WordPress Email Newsletter plugin to the latest available version (at least 7.6.9).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!