This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Ultimate Addons for Contact Form 7, Maintenance Switch, Elements kit Elementor addons and more!
Plugin: Forminator
Vulnerability: Remote Code Execution (RCE) vulnerability
Patched Version: 1.25.0
Recommended Action: Update the Forminator plugin to the latest available version (at least 1.25.0).

Plugin: Ultimate Addons for Contact Form 7
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: URL Shortener by MyThemeShop
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP users media
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP Search Analytics
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: LuckyWP Scripts Control
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Maintenance Switch
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Olive One Click Demo Import
Vulnerability: Arbitrary File Upload vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Super Minify
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: GuruWalk Affiliates
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Sitekit
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.4
Recommended Action: Update the WordPress Sitekit plugin to the latest available version (at least 1.4).

Plugin: MakeStories (for Google Web Stories)
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Easy Coming Soon
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Social Share Boost
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Folders
Vulnerability: Arbitrary File Upload vulnerability
Patched Version: 2.9.3
Recommended Action: Update the WordPress Folders plugin to the latest available version (at least 2.9.3).

Plugin: iThemes Sync
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.1.14
Recommended Action: Update the WordPress iThemes Sync plugin to the latest available version (at least 2.1.14).

Plugin: FV Flowplayer Video Player
Vulnerability: Insufficient Input Validation leading to Unauthenticated Stored Cross-Site Scripting and Arbitrary Usermeta Update vulnerability
Patched Version: 7.5.39.7212
Recommended Action: Update the WordPress FV Flowplayer Video Player plugin to the latest available version (at least 7.5.39.7212).

Plugin: URL Shortify
Vulnerability: Unauthenticated Stored XSS via Referer header vulnerability
Patched Version: 1.7.6
Recommended Action: Update the WordPress URL Shortify plugin to the latest available version (at least 1.7.6).

Plugin: Herd Effects
Vulnerability: Effect Deletion via CSRF vulnerability
Patched Version: 5.2.4
Recommended Action: Update the WordPress Herd Effects plugin to the latest available version (at least 5.2.4).

Plugin: WP Adminify – Powerhouse Toolkit for WordPress Dashboard
Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 3.1.6
Recommended Action: Update the WordPress WP Adminify – Powerhouse Toolkit for WordPress Dashboard plugin to the latest available version (at least 3.1.6).

Plugin: WP VK
Vulnerability: Cross-Site Request Forgery via AJAX actions vulnerability
Patched Version: 1.3.4
Recommended Action: Update the WordPress WP VK plugin to the latest available version (at least 1.3.4).

Plugin: Secure Admin IP
Vulnerability: IP Spoofing vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Category Slider for WooCommerce
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.4.16
Recommended Action: Update the WordPress Category Slider for WooCommerce plugin to the latest available version (at least 1.4.16).

Plugin: Premmerce User Roles
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.0.13
Recommended Action: Update the WordPress Premmerce User Roles plugin to the latest available version (at least 1.0.13).

Plugin: Elements kit Elementor addons
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.9.1
Recommended Action: Update the WordPress Elements kit Elementor addons plugin to the latest available version (at least 2.9.1).
***
Check out the WoW Archive for past Watch Out Wednesday posts.