This week's Watch Out Wednesday lists the latest WordPress plugin vulnerabilities, including Alt Manager, Custom Login, System Dashboard and more.
Plugin: Alt Manager
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Custom Post Type Page Template
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Advanced Page Visit Counter
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Livemesh Addons for WPBakery Page Builder
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.6
Recommended Action: Update the WordPress Livemesh Addons for WPBakery Page Builder plugin to the latest available version (at least 3.6).
Plugin: Alma – Pay in installments or later for WooCommerce
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of December 7, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Social Media Feather
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Login With Ajax
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP Project Manager
Vulnerability: Broken Access Control vulnerability
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Custom Login
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: BC Menu Bar Cart Icon For WooCommerce By Binary Carpenter
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Awesome Support
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Smart Forms
Vulnerability: Authenticated Arbitrary Options Change Vulnerability
Patched Version: 2.6.85
Recommended Action: Update the WordPress Smart Forms plugin to the latest available version (at least 2.6.85).
Plugin: Caddy
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.9.8
Recommended Action: Update the WordPress Caddy plugin to the latest available version (at least 1.9.8).
Plugin: PayTR Taksit Tablosu
Vulnerability: Broken Authentication vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of November 17, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Responsive Slick Slider WordPress
Vulnerability: Content Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Square Thumbnails
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP Simple HTML Sitemap
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: System Dashboard
Vulnerability: Missing Authorization to Information Disclosure (sd_option_value) vulnerability
Vulnerability: Missing Authorization to Information Disclosure (sd_php_info) vulnerability
Vulnerability: Missing Authorization to Information Disclosure (sd_global_value) vulnerability
Vulnerability: Missing Authorization to Information Disclosure (sd_db_specs) vulnerability
Patched Version: 2.8.8
Recommended Action: Update the WordPress System Dashboard plugin to the latest available version (at least 2.8.8).
Plugin: Elementor Website Builder
Vulnerability: Arbitrary File Upload vulnerability
Patched Version: 3.18.2
Recommended Action: Update the WordPress Elementor Website Builder plugin to the latest available version (at least 3.18.2).
Plugin: Shortcoder
Vulnerability: Broken Access Control vulnerability
Patched Version: 6.3.1
Recommended Action: Update the WordPress Shortcoder plugin to the latest available version (at least 6.3.1).
Plugin: Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Annual Archive
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Author Avatars List/Block
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Redirects
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WPPerformanceTester
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: First Order Discount Woocommerce
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Rocket Maintenance Mode & Coming Soon Page
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Optin Forms
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 1, 2023 and is not available for download. Reason: Licensing/Trademark Violation.
Plugin: Multi Currency For WooCommerce
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Partdo Core
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: The vendor provided no patched version for validation. No reply from the vendor.
Plugin: Bacola Core
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: The vendor provided no patched version for validation. No reply from the vendor.
Plugin: Medibazar Core
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: The vendor provided no patched version for validation. No reply from the vendor.
Plugin: Furnob Core
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: The vendor provided no patched version for validation. No reply from the vendor.
Plugin: Cosmetsy Core
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: The vendor provided no patched version for validation. No reply from the vendor.
Plugin: Clotya Core
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: The vendor provided no patched version for validation. No reply from the vendor.
Plugin: Clotya
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: The vendor provided no patched version for validation. No reply from the vendor.
Plugin: Cosmetsy
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: The vendor provided no patched version for validation. No reply from the vendor.
Plugin: Furnob
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: The vendor provided no patched version for validation. No reply from the vendor.
Plugin: Bacola
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: The vendor provided no patched version for validation. No reply from the vendor.
Plugin: Partdo
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: The vendor provided no patched version for validation. No reply from the vendor.
Plugin: Medibazar
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: The vendor provided no patched version for validation. No reply from the vendor.
Plugin: Machic
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: The vendor provided no patched version for validation. No reply from the vendor.
***
Check out the WoW Archive for past Watch Out Wednesday posts.