Watch Out Wednesday – December 21, 2022

by | Dec 20, 2022 | WoW Archive

This week’s Watch Out Wednesday covers the latest WordPress vulnerabilities, including WP Social, ProfilePress, and more!

Plugin: WP CSV to Database

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 15, 2022 and is not available for download. This closure is permanent.

Plugin: GS Insever Portfolio

Vulnerability: Auth. Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP Social

Vulnerability: Auth. Sensitive Information Disclosure vulnerability
Patched Version: 2.0
Recommended Action: Update the WordPress WP Social plugin to the latest available version (at least 2.0).

Plugin: Robo Gallery

Vulnerability: Auth. Broken Access Control vulnerability
Patched Version: 3.2.11
Recommended Action: Update the WordPress Robo Gallery plugin to the latest available version (at least 3.2.11).

Plugin: ProfilePress

Vulnerability: Auth. PHP Object Injection vulnerability
Patched Version: 4.4.0
Recommended Action: Update the WordPress ProfilePress plugin to the latest available version (at least 4.4.0).

Plugin: Sunshine Photo Cart

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: WP Table Reloaded

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: WP Custom Admin Interface

Vulnerability: Auth. PHP Object Injection vulnerability
Patched Version: 7.29
Recommended Action: Update the WordPress WP Custom Admin Interface plugin to the latest available version (at least 7.29).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
