This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Duplicate Post, JetElements For Elementor and more!
Plugin: LINE Notify
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Password Reset with Code for WordPress REST API
Vulnerability: Privilege Escalation Due To Weak Pin Generation Vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WebLibrarian
Vulnerability: Multiple Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Make Paths Relative
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WooCommerce PDF Invoice Builder
Vulnerability: Authenticated (Subscriber+) SQL Injection via Export vulnerability
Patched Version: 1.2.90
Recommended Action: Update the WordPress WooCommerce PDF Invoice Builder plugin to the latest available version (at least 1.2.90).
Plugin: WooCommerce PDF Invoice Builder
Vulnerability: Cross-Site Request Forgery via Save vulnerability
Patched Version: 1.2.91
Recommended Action: Update the WordPress WooCommerce PDF Invoice Builder plugin to the latest available version (at least 1.2.91).
Plugin: Premium Packages
Vulnerability: Arbitrary User Meta Update to Authenticated (Subscriber+) Privilege Escalation vulnerability
Patched Version: 5.7.5
Recommended Action: Update the WordPress Premium Packages – Sell Digital Products Securely plugin to the latest available version (at least 5.7.5).
Plugin: JupiterX Core
Vulnerability: Multiple Auth. Broken Access Control vulnerability
Patched Version: 3.3.5
Recommended Action: Update the WordPress JupiterX Core plugin to the latest available version (at least 3.3.5).
Plugin: ImageRecycle pdf & image compression
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.1.12
Recommended Action: Update the WordPress ImageRecycle pdf & image compression plugin to the latest available version (at least 3.1.12).
Plugin: Post Timeline
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.2.6
Recommended Action: Update the WordPress Post Timeline plugin to the latest available version (at least 2.2.6).
Plugin: WP Like Button
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: flowpaper
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Rejected by the vendor.
Plugin: Easy Cookie Law
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: SendPress Newsletters
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Kangu para WooCommerce
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Avartan Slider Lite
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Popup by Supsystic
Vulnerability: Broken Access Control Vulnerability
Patched Version: 1.10.20
Recommended Action: Update the WordPress Popup by Supsystic plugin to the latest available version (at least 1.10.20).
Plugin: Accordion and Accordion Slider
Vulnerability: Broken Access Control
Patched Version: 1.2.5
Recommended Action: Update the WordPress Accordion and Accordion Slider plugin to the latest available version (at least 1.2.5).
Plugin: Portfolio and Projects
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.3.8
Recommended Action: Update the WordPress Portfolio and Projects plugin to the latest available version (at least 1.3.8).
Plugin: ARMember Premium
Vulnerability: Broken Access Control
Patched Version: 5.9.3
Recommended Action: Update the WordPress ARMember Premium plugin to the latest available version (at least 5.9.3).
Plugin: Printful Integration for WooCommerce
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Futurio Extra
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP HTML Mail
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: MailChimp Forms by MailMunch
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available.
Plugin: PixTypes
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP 404 Auto Redirect to Similar Post
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Donations Made Easy – Smart Donations
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Stock Ticker
Vulnerability: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.23.4
Recommended Action: Update the WordPress Stock Ticker plugin to the latest available version (at least 3.23.4).
Plugin: Highcompress Image Compressor
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: SB Child List
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Post Grid
Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: 2.2.51
Recommended Action: Update the WordPress Post Grid plugin to the latest available version (at least 2.2.51).
Plugin: WooCommerce Product Attachment
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Justified Gallery
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.8.0
Recommended Action: Update the WordPress Justified Gallery plugin to the latest available version (at least 1.8.0).
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 4.3.3
Recommended Action: Update the WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin to the latest available version (at least 4.3.3).
Plugin: Betheme
Vulnerability: Author+ Broken Access Control vulnerability
Patched Version: 27.1.2
Recommended Action: Update the WordPress Betheme theme to the latest available version (at least 27.1.2).
Plugin: Advanced Custom Fields PRO
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 6.1.8
Recommended Action: Update the WordPress Advanced Custom Fields PRO plugin to the latest available version (at least 6.1.8).
Plugin: Business Pro
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Demon image annotation
Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to WP plugins review team on May 19, 2023.
Plugin: EmbedPress
Vulnerability: Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.8.3
Recommended Action: Update the WordPress EmbedPress plugin to the latest available version (at least 3.8.3).
Plugin: EmbedPress
Vulnerability: Subscriber+ Plugin Settings Delete vulnerability
Patched Version: 3.8.3
Recommended Action: Update the WordPress EmbedPress plugin to the latest available version (at least 3.8.3).
Plugin: ChatBot
Vulnerability: Admin+ Stored XSS in Language Settings vulnerability
Patched Version: 4.7.8
Recommended Action: Update the WordPress ChatBot plugin to the latest available version (at least 4.7.8).
Plugin: ChatBot
Vulnerability: Admin+ Stored XSS in FAQ Builder vulnerability
Patched Version: 4.7.8
Recommended Action: Update the WordPress ChatBot plugin to the latest available version (at least 4.7.8).
Plugin: Realia
Vulnerability: Cross-Site Request Forgery to User Email Change vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Absolute Privacy
Vulnerability: Cross-Site Request Forgery to User Email/Password Change vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Stock Ticker
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.23.3
Recommended Action: Update the WordPress Stock Ticker plugin to the latest available version (at least 3.23.3).
Plugin: ImageRecycle pdf & image compression
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.1.11
Recommended Action: Update the WordPress ImageRecycle pdf & image compression plugin to the latest available version (at least 3.1.11).
Plugin: WP Categories Widget
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WooCommerce One Page Checkout
Vulnerability: Local File Inclusion vulnerability
Patched Version: 2.4.0
Recommended Action: Update the WordPress WooCommerce One Page Checkout plugin to the latest available version (at least 2.4.0).
Plugin: WP Testimonials
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.4.3
Recommended Action: Update the WordPress WP Testimonials plugin to the latest available version (at least 1.4.3).
Plugin: Easy!Appointments
Vulnerability: Arbitrary File Deletion vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vendor was notified on May 8, 2023.
Plugin: YITH WooCommerce Waiting List
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: Partially patched in versions >= 2.6.1. No fully patched version is available.
Plugin: Atarim
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.9.4
Recommended Action: Update the WordPress Atarim plugin to the latest available version (at least 3.9.4).
Plugin: Avada
Vulnerability: Authenticated Arbitrary File Upload vulnerability
Patched Version: 7.11.2
Recommended Action: Update the WordPress Avada theme to the latest available version (at least 7.11.2).
Plugin: Avada
Vulnerability: Authenticated Server Side Request Forgery (SSRF) vulnerability
Patched Version: 7.11.2
Recommended Action: Update the WordPress Avada theme to the latest available version (at least 7.11.2).
Plugin: Avada
Vulnerability: Authenticated (Author+) Unrestricted Zip Extraction vulnerability
Patched Version: 7.11.2
Recommended Action: Update the WordPress Avada theme to the latest available version (at least 7.11.2).
Plugin: Fusion Builder
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.11.2
Recommended Action: Update the WordPress Fusion Builder plugin to the latest available version (at least 3.11.2).
Plugin: Fusion Builder
Vulnerability: Authenticated Broken Access Control vulnerability
Patched Version: 3.11.2
Recommended Action: Update the WordPress Fusion Builder plugin to the latest available version (at least 3.11.2).
Plugin: Fusion Builder
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.11.2
Recommended Action: Update the WordPress Fusion Builder plugin to the latest available version (at least 3.11.2).
Plugin: Fusion Builder
Vulnerability: Authenticated SQL Injection vulnerability
Patched Version: 3.11.2
Recommended Action: Update the WordPress Fusion Builder plugin to the latest available version (at least 3.11.2).
Plugin: Avada
Vulnerability: Authenticated Broken Access Control vulnerability
Patched Version: 7.11.2
Recommended Action: Update the WordPress Avada theme to the latest available version (at least 7.11.2).
Plugin: BigBlueButton
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Project Manager
Vulnerability: Arbitrary Usermeta Update to Authenticated Privilege Escalation
Patched Version: 2.6.5
Recommended Action: Update the WordPress WP Project Manager plugin to the latest available version (at least 2.6.5).
Plugin: Canto
Vulnerability: Unauthenticated Remote File Inclusion vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Biometric Login for WooCommerce
Vulnerability: Unauthenticated Privilege Escalation vulnerability
Patched Version: 1.0.4
Recommended Action: Update the WordPress Biometric Login for WooCommerce plugin to the latest available version (at least 1.0.4).
Plugin: Paid Memberships Pro
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.2.4
Recommended Action: Update the WordPress Paid Memberships Pro – Courses for Membership Add On plugin to the latest available version (at least 1.2.4).
Plugin: FULL Customer
Vulnerability: Authenticated (Subscriber+) Information Disclosure via Health Check vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: FULL Customer
Vulnerability: Authenticated (Subscriber+) Improper Authorization to Arbitrary Plugin Installation vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Ultimate Member
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 2.6.9
Recommended Action: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.6.9).
Plugin: Theme Demo Import
Vulnerability: Arbitrary File Upload vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Paid Memberships Pro
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.2.5
Recommended Action: Update the WordPress Paid Memberships Pro – Courses for Membership Add On plugin to the latest available version (at least 1.2.5).
Plugin: Profile Builder
Vulnerability: Missing Authorization to Initial Page Creation vulnerability
Patched Version: 3.9.8
Recommended Action: Update the WordPress Profile Builder plugin to the latest available version (at least 3.9.8).
***
Check out the WoW Archive for past Watch Out Wednesday posts.