Watch Out Wednesday – August 17, 2022

by | Aug 17, 2022 | WoW Archive


This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Code Snippets, iQ Block Country, User Meta and more!

Plugin: Broken Link Checker

Vulnerability: Deserialization of untrusted data
Patched Version: 1.11.17
Recommended Action: Update the WordPress Broken Link Checker plugin to the latest available version (at least 1.11.17).

Plugin: Affiliates Manager

Vulnerability: CSV Injection
Patched Version: 2.9.14
Recommended Action: Update the WordPress Affiliates Manager plugin to the latest available version (at least 2.9.14).

Plugin: Affiliates Manager

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.9.14
Recommended Action: Update the WordPress Affiliates Manager plugin to the latest available version (at least 2.9.14).

Plugin: Affiliates Manager

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.9.14
Recommended Action: Update the WordPress Affiliates Manager plugin to the latest available version (at least 2.9.14).

Plugin: Affiliates Manager

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.9.14
Recommended Action: Update the WordPress Affiliates Manager plugin to the latest available version (at least 2.9.14).

Plugin: WP Database Backup

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 5.9
Recommended Action: Update the WordPress WP Database Backup plugin to the latest available version (at least 5.9).

Plugin: WC Marketplace

Vulnerability: Local File Inclusion
Patched Version: 3.8.12
Recommended Action: Update the WordPress WC Marketplace plugin to the latest available version (at least 3.8.12).

Plugin: WC Marketplace

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.18.2
Recommended Action: Update the WordPress WC Marketplace plugin to the latest available version (at least 3.18.2).

Plugin: WC Marketplace

Vulnerability: Broken Authentication
Patched Version: 3.8.12
Recommended Action: Update the WordPress WC Marketplace plugin to the latest available version (at least 3.8.12).

Plugin: Visual Portfolio, Photo Gallery & Post Grid

Vulnerability: Arbitrary File Download
Patched Version: 2.19.0
Recommended Action: Update the WordPress Visual Portfolio, Photo Gallery & Post Grid plugin to the latest available version (at least 2.19.0).

Plugin: Visual Portfolio, Photo Gallery & Post Grid

Vulnerability: Other Vulnerability Type
Patched Version: 2.18.0
Recommended Action: Update the WordPress Visual Portfolio, Photo Gallery & Post Grid plugin to the latest available version (at least 2.18.0).

Plugin: Fast Flow

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2.12
Recommended Action: Update the WordPress Fast Flow plugin to the latest available version (at least 1.2.12).

Plugin: Uploading SVG, WEBP and ICO files

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version available.

Plugin: Uploading SVG, WEBP and ICO files

Vulnerability: Arbitrary File Upload
Patched Version: N/A
Recommended Action: No patched version is available. Ignored by the vendor.

Plugin: Notification Bar for WordPress

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: THE Leads Management System: 59sec LITE

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Alpine PhotoTile for Pinterest

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 10, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Gallery PhotoBlocks

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 10, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Photo Gallery by 10Web

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.7.1
Recommended Action: Update the WordPress Photo Gallery by 10Web plugin to the latest available version (at least 1.7.1).

Plugin: AS – Create Pinterest Pinboard Pages

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No fix is available.

Plugin: SP Project & Document Manager

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 4.62
Recommended Action: Update the WordPress SP Project & Document Manager plugin to the latest available version (at least 4.62).

Plugin: Easy Digital Downloads

Vulnerability: PHP Object Injection
Patched Version: 3.0.2
Recommended Action: Update the WordPress Easy Digital Downloads plugin to the latest available version (at least 3.0.2).

Plugin: Best Payments Plugin for WP

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 4.2.1
Recommended Action: Update the WordPress Best Payments Plugin for WP plugin to the latest available version (at least 4.2.1).

Plugin: Best Payments Plugin for WP

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 4.2.1
Recommended Action: Update the WordPress Best Payments Plugin for WP plugin to the latest available version (at least 4.2.1).

Plugin: Directorist

Vulnerability: Other Vulnerability Type
Patched Version: 7.3.1
Recommended Action: Update the WordPress Directorist plugin to the latest available version (at least 7.3.1).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
