Watch Out Wednesday – August 16, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities, including Avada, Fusion Builder, Ultimate Member, Advanced Custom Fields PRO and more!

Plugin: LINE Notify

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Password Reset with Code for WordPress REST API

Vulnerability: Privilege Escalation Due To Weak Pin Generation Vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WebLibrarian

Vulnerability: Multiple Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Make Paths Relative

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WooCommerce PDF Invoice Builder

Vulnerability: Authenticated (Subscriber+) SQL Injection via Export vulnerability
Patched Version: 1.2.90
Recommended Action: Update the WordPress WooCommerce PDF Invoice Builder plugin to the latest available version (at least 1.2.90).

Plugin: WooCommerce PDF Invoice Builder

Vulnerability: Cross-Site Request Forgery via Save vulnerability
Patched Version: 1.2.91
Recommended Action: Update the WordPress WooCommerce PDF Invoice Builder plugin to the latest available version (at least 1.2.91).

Plugin: Premium Packages

Vulnerability: Arbitrary User Meta Update to Authenticated (Subscriber+) Privilege Escalation vulnerability
Patched Version: 5.7.5
Recommended Action: Update the WordPress Premium Packages – Sell Digital Products Securely plugin to the latest available version (at least 5.7.5).

Plugin: JupiterX Core

Vulnerability: Multiple Auth. Broken Access Control vulnerability
Patched Version: 3.3.5
Recommended Action: Update the WordPress JupiterX Core plugin to the latest available version (at least 3.3.5).

Plugin: ImageRecycle pdf & image compression

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.1.12
Recommended Action: Update the WordPress ImageRecycle pdf & image compression plugin to the latest available version (at least 3.1.12).

Plugin: Post Timeline

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.2.6
Recommended Action: Update the WordPress Post Timeline plugin to the latest available version (at least 2.2.6).

Plugin: WP Like Button

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: flowpaper

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Rejected by the vendor.

Plugin: Easy Cookie Law

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: SendPress Newsletters

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Kangu para WooCommerce

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Avartan Slider Lite

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Popup by Supsystic

Vulnerability: Broken Access Control Vulnerability
Patched Version: 1.10.20
Recommended Action: Update the WordPress Popup by Supsystic plugin to the latest available version (at least 1.10.20).

Plugin: Accordion and Accordion Slider

Vulnerability: Broken Access Control
Patched Version: 1.2.5
Recommended Action: Update the WordPress Accordion and Accordion Slider plugin to the latest available version (at least 1.2.5).

Plugin: Portfolio and Projects

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.3.8
Recommended Action: Update the WordPress Portfolio and Projects plugin to the latest available version (at least 1.3.8).

Plugin: ARMember Premium

Vulnerability: Broken Access Control
Patched Version: 5.9.3
Recommended Action: Update the WordPress ARMember Premium plugin to the latest available version (at least 5.9.3).

Plugin: Printful Integration for WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Futurio Extra

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP HTML Mail

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: MailChimp Forms by MailMunch

Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available.

Plugin: PixTypes

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP 404 Auto Redirect to Similar Post

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Donations Made Easy – Smart Donations

Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Stock Ticker

Vulnerability: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.23.4
Recommended Action: Update the WordPress Stock Ticker plugin to the latest available version (at least 3.23.4).

Plugin: Highcompress Image Compressor

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: SB Child List

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Post Grid

Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: 2.2.51
Recommended Action: Update the WordPress Post Grid plugin to the latest available version (at least 2.2.51).

Plugin: WooCommerce Product Attachment

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Justified Gallery

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.8.0
Recommended Action: Update the WordPress Justified Gallery plugin to the latest available version (at least 1.8.0).

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 4.3.3
Recommended Action: Update the WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin to the latest available version (at least 4.3.3).

Theme: Betheme

Vulnerability: Author+ Broken Access Control vulnerability
Patched Version: 27.1.2
Recommended Action: Update the WordPress Betheme theme to the latest available version (at least 27.1.2).

Plugin: Advanced Custom Fields PRO

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 6.1.8
Recommended Action: Update the WordPress Advanced Custom Fields PRO plugin to the latest available version (at least 6.1.8).

Plugin: Business Pro

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Demon image annotation

Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to WP plugins review team on May 19, 2023.

Plugin: EmbedPress

Vulnerability: Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.8.3
Recommended Action: Update the WordPress EmbedPress plugin to the latest available version (at least 3.8.3).

Plugin: EmbedPress

Vulnerability: Subscriber+ Plugin Settings Delete vulnerability
Patched Version: 3.8.3
Recommended Action: Update the WordPress EmbedPress plugin to the latest available version (at least 3.8.3).

Plugin: ChatBot

Vulnerability: Admin+ Stored XSS in Language Settings vulnerability
Patched Version: 4.7.8
Recommended Action: Update the WordPress ChatBot plugin to the latest available version (at least 4.7.8).

Plugin: ChatBot

Vulnerability: Admin+ Stored XSS in FAQ Builder vulnerability
Patched Version: 4.7.8
Recommended Action: Update the WordPress ChatBot plugin to the latest available version (at least 4.7.8).

Plugin: Realia

Vulnerability: Cross-Site Request Forgery to User Email Change vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Absolute Privacy

Vulnerability: Cross-Site Request Forgery to User Email/Password Change vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Stock Ticker

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.23.3
Recommended Action: Update the WordPress Stock Ticker plugin to the latest available version (at least 3.23.3).

Plugin: ImageRecycle pdf & image compression

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.1.11
Recommended Action: Update the WordPress ImageRecycle pdf & image compression plugin to the latest available version (at least 3.1.11).

Plugin: WP Categories Widget

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WooCommerce One Page Checkout

Vulnerability: Local File Inclusion vulnerability
Patched Version: 2.4.0
Recommended Action: Update the WordPress WooCommerce One Page Checkout plugin to the latest available version (at least 2.4.0).

Plugin: WP Testimonials

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.4.3
Recommended Action: Update the WordPress WP Testimonials plugin to the latest available version (at least 1.4.3).

Plugin: Easy!Appointments

Vulnerability: Arbitrary File Deletion vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vendor was notified on May 8, 2023.

Plugin: YITH WooCommerce Waiting List

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: Partially patched in versions >= 2.6.1. No fully patched version is available.

Plugin: Atarim

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.9.4
Recommended Action: Update the WordPress Atarim plugin to the latest available version (at least 3.9.4).

Theme: Avada

Vulnerability: Authenticated Arbitrary File Upload vulnerability
Patched Version: 7.11.2
Recommended Action: Update the WordPress Avada theme to the latest available version (at least 7.11.2).

Theme: Avada

Vulnerability: Authenticated Server Side Request Forgery (SSRF) vulnerability
Patched Version: 7.11.2
Recommended Action: Update the WordPress Avada theme to the latest available version (at least 7.11.2).

Theme: Avada

Vulnerability: Authenticated (Author+) Unrestricted Zip Extraction vulnerability
Patched Version: 7.11.2
Recommended Action: Update the WordPress Avada theme to the latest available version (at least 7.11.2).

Plugin: Fusion Builder

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.11.2
Recommended Action: Update the WordPress Fusion Builder plugin to the latest available version (at least 3.11.2).

Plugin: Fusion Builder

Vulnerability: Authenticated Broken Access Control vulnerability
Patched Version: 3.11.2
Recommended Action: Update the WordPress Fusion Builder plugin to the latest available version (at least 3.11.2).

Plugin: Fusion Builder

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.11.2
Recommended Action: Update the WordPress Fusion Builder plugin to the latest available version (at least 3.11.2).

Plugin: Fusion Builder

Vulnerability: Authenticated SQL Injection vulnerability
Patched Version: 3.11.2
Recommended Action: Update the WordPress Fusion Builder plugin to the latest available version (at least 3.11.2).

Theme: Avada

Vulnerability: Authenticated Broken Access Control vulnerability
Patched Version: 7.11.2
Recommended Action: Update the WordPress Avada theme to the latest available version (at least 7.11.2).

Plugin: BigBlueButton

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP Project Manager

Vulnerability: Arbitrary Usermeta Update to Authenticated Privilege Escalation
Patched Version: 2.6.5
Recommended Action: Update the WordPress WP Project Manager plugin to the latest available version (at least 2.6.5).

Plugin: Canto

Vulnerability: Unauthenticated Remote File Inclusion vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Biometric Login for WooCommerce

Vulnerability: Unauthenticated Privilege Escalation vulnerability
Patched Version: 1.0.4
Recommended Action: Update the WordPress Biometric Login for WooCommerce plugin to the latest available version (at least 1.0.4).

Plugin: Paid Memberships Pro – Courses for Membership Add On

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.2.4
Recommended Action: Update the WordPress Paid Memberships Pro – Courses for Membership Add On plugin to the latest available version (at least 1.2.4).

Plugin: FULL Customer

Vulnerability: Authenticated (Subscriber+) Information Disclosure via Health Check vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: FULL Customer

Vulnerability: Authenticated (Subscriber+) Improper Authorization to Arbitrary Plugin Installation vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Ultimate Member

Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 2.6.9
Recommended Action: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.6.9).

Plugin: Theme Demo Import

Vulnerability: Arbitrary File Upload vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Paid Memberships Pro – Courses for Membership Add On

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.2.5
Recommended Action: Update the WordPress Paid Memberships Pro – Courses for Membership Add On plugin to the latest available version (at least 1.2.5).

Plugin: Profile Builder

Vulnerability: Missing Authorization to Initial Page Creation vulnerability
Patched Version: 3.9.8
Recommended Action: Update the WordPress Profile Builder plugin to the latest available version (at least 3.9.8).
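Every "Recommended Action" above boils down to one check: is the installed version at least the patched version, and if there is no patched version, is the plugin still active? The script below is an added example, not code from this post or from FocusWP. It takes a plugin inventory in the JSON shape that `wp plugin list --format=json --fields=name,version` produces, compares each entry against the "Patched Version" floors transcribed from the list above, and reports what needs updating or, where no fix exists, deactivating. The wp.org slugs and the sample inventory are constructed for illustration and should be checked against your own site.

```python
"""Audit a WordPress plugin inventory against this week's patched versions.

Added example, not code from the original post or from FocusWP. It reads an
inventory in the JSON shape that `wp plugin list --format=json --fields=name,version`
emits, compares each install against the 'Patched Version' floor printed above,
and flags what must be updated or, where no fix exists, deactivated. Plugin slugs
and the sample inventory below are constructed for illustration.
"""
import json
import re

# Transcribed from the list above. None means "No patched version is available".
# The wp.org slugs are assumptions; verify them against your own `wp plugin list`.
ADVISORIES = [
    ("woocommerce-pdf-invoice-builder", "1.2.90"),  # SQL injection via Export
    ("woocommerce-pdf-invoice-builder", "1.2.91"),  # CSRF via Save; later floor wins
    ("jupiterx-core", "3.3.5"),
    ("stock-ticker", "3.23.3"),
    ("stock-ticker", "3.23.4"),
    ("ultimate-member", "2.6.9"),
    ("profile-builder", "3.9.8"),
    ("wp-like-button", None),                        # CSRF, no reply from vendor
    ("canto", None),                                 # unauthenticated RFI, no fix
]


def version_tuple(v):
    """'3.23.4' -> (3, 23, 4). Numeric components only; suffixes like '-beta' drop."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_below(installed, fixed):
    """True if installed < fixed, comparing numerically component by component.
    Plain string comparison gets this wrong ('3.9.8' > '3.10.0' as strings)."""
    a, b = version_tuple(installed), version_tuple(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def minimum_fixed_versions(advisories):
    """Collapse several advisories per plugin into one floor per slug.
    Two fixes -> the higher version; any unfixed issue -> None (no safe version)."""
    floors = {}
    for slug, fixed in advisories:
        if slug in floors and floors[slug] is None:
            continue                     # already known to have no safe version
        if fixed is None:
            floors[slug] = None
        elif slug not in floors or is_below(floors[slug], fixed):
            floors[slug] = fixed
    return floors


def audit(inventory_json, advisories=ADVISORIES):
    """Return (slug, installed, status, floor) for every advised plugin found."""
    floors = minimum_fixed_versions(advisories)
    findings = []
    for item in json.loads(inventory_json):
        slug, installed = item["name"], item["version"]
        if slug not in floors:
            continue                     # not in this week's list
        floor = floors[slug]
        if floor is None:
            findings.append((slug, installed, "no fix: deactivate or remove", None))
        elif is_below(installed, floor):
            findings.append((slug, installed, "update", floor))
        else:
            findings.append((slug, installed, "ok", floor))
    return findings


# Constructed sample inventory, not taken from a real site.
SAMPLE_INVENTORY = json.dumps([
    {"name": "woocommerce-pdf-invoice-builder", "version": "1.2.90"},  # has the SQLi fix, not the CSRF fix
    {"name": "stock-ticker", "version": "3.23.4"},
    {"name": "profile-builder", "version": "3.10.0"},  # newer than 3.9.8 despite sorting lower as a string
    {"name": "wp-like-button", "version": "1.7.0"},
    {"name": "akismet", "version": "5.2"},              # not advised this week
])

if __name__ == "__main__":
    for slug, installed, status, floor in audit(SAMPLE_INVENTORY):
        need = f" (need >= {floor})" if status == "update" else ""
        print(f"{slug:34} {installed:8} {status}{need}")
```

Two details matter in practice. A plugin that appears twice in the list (WooCommerce PDF Invoice Builder at 1.2.90 and 1.2.91, Stock Ticker at 3.23.3 and 3.23.4) is only safe at the higher of the two floors, and a plugin with any unfixed issue has no safe version at all, so the script collapses advisories per slug before comparing. Versions must also be compared numerically, not as strings, or a 3.10.x install will be flagged as older than 3.9.8. Themes (Avada, Betheme) are listed by `wp theme list`, not `wp plugin list`, and need the same treatment.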

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
