This week’s Watch Out Wednesday covers the latest WordPress vulnerabilities, including AMP for WP, WP Google Maps, SendPress Newsletters and more!
Plugin: WP Google Maps
Vulnerability: Unauthenticated Stored XSS vulnerability
Patched Version: 9.0.28
Recommended Action: Update the WordPress WP Google Maps plugin to the latest available version (at least 9.0.28).
Plugin: AMP for WP
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) Via Shortcode vulnerability
Patched Version: 1.0.92.1
Recommended Action: Update the WordPress Accelerated Mobile Pages plugin to the latest available version (at least 1.0.92.1).
Plugin: MW WP Form
Vulnerability: Improper Limitation of File Name to Unauthenticated Arbitrary File Deletion vulnerability
Patched Version: 5.0.4
Recommended Action: Update the WordPress MW WP Form plugin to the latest available version (at least 5.0.4).
Plugin: Slick Social Share Buttons
Vulnerability: Authenticated Arbitrary Option Update vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: GG Woo Feed for WooCommerce
Vulnerability: Missing Authorization to Unauthenticated Plugin Settings Update vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Backuply – Backup, Restore, Migrate and Clone
Vulnerability: Authenticated Plugin Settings Change vulnerability
Patched Version: 1.2.2
Recommended Action: Update the WordPress Backuply – Backup, Restore, Migrate and Clone plugin to the latest available version (at least 1.2.2).
Plugin: SpeedyCache
Vulnerability: Subscriber+ Plugin Settings Change vulnerability
Patched Version: 1.1.4
Recommended Action: Update the WordPress SpeedyCache plugin to the latest available version (at least 1.1.4).
Plugin: Post Grid
Vulnerability: Authenticated Cross-Site Scripting vulnerability
Patched Version: 2.2.65
Recommended Action: Update the WordPress Post Grid plugin to the latest available version (at least 2.2.65).
Plugin: e2pdf
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload vulnerability
Patched Version: 1.20.26
Recommended Action: Update the WordPress E2Pdf plugin to the latest available version (at least 1.20.26).
Plugin: Essential Real Estate
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload vulnerability
Patched Version: 4.4.0
Recommended Action: Update the WordPress Essential Real Estate plugin to the latest available version (at least 4.4.0).
Plugin: Featured Image from URL
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via featured image alt text vulnerability
Patched Version: 4.5.4
Recommended Action: Update the WordPress Featured Image from URL plugin to the latest available version (at least 4.5.4).
Plugin: Enable Media Replace
Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 4.1.5
Recommended Action: Update the WordPress Enable Media Replace plugin to the latest available version (at least 4.1.5).
Plugin: Google Language Translator
Vulnerability: Broken Access Control vulnerability
Patched Version: 6.0.20
Recommended Action: Update the WordPress Google Language Translator plugin to the latest available version (at least 6.0.20).
Plugin: Greenshift – animation and page builder blocks
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload vulnerability
Patched Version: 7.6.3
Recommended Action: Update the WordPress Greenshift – animation and page builder blocks plugin to the latest available version (at least 7.6.3).
Plugin: Advanced iFrame
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 2023.9
Recommended Action: Update the WordPress Advanced iFrame plugin to the latest available version (at least 2023.9).
Plugin: SendPress Newsletters
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.23.11.6
Recommended Action: Update the WordPress SendPress Newsletters plugin to the latest available version (at least 1.23.11.6).
Plugin: Spice Post Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 2.1
Recommended Action: Update the WordPress Spice Post Slider plugin to the latest available version (at least 2.1).
Plugin: Interact: Embed A Quiz On Your Site
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.1
Recommended Action: Update the WordPress Interact: Embed A Quiz On Your Site plugin to the latest available version (at least 3.1).
Plugin: Sponsors
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.
***
Check out the WoW Archive for past Watch Out Wednesday posts.