Watch Out Wednesday – December 27, 2023

This Week’s Watch Out Wednesday shows the latest WordPress plugin vulnerabilities, including Amelia, BookingPress, Paid Memberships Pro and more!

Plugin: Sensei LMS

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 4.18.0
Recommended Action: Update the WordPress Sensei LMS plugin to the latest available version (at least 4.18.0).

Plugin: Ajax Load More

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 6.2.0
Recommended Action: Update the WordPress Ajax Load More plugin to the latest available version (at least 6.2.0).

Plugin: Add Any Extension to Pages

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.5
Recommended Action: Update the WordPress Add Any Extension to Pages plugin to the latest available version (at least 1.5).

Plugin: HUSKY – Products Filter for WooCommerce (formerly WOOF)

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.3.4.4
Recommended Action: Update the WordPress HUSKY – Products Filter for WooCommerce (formerly WOOF) plugin to the latest available version (at least 1.3.4.4).

Plugin: Amelia

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.86
Recommended Action: Update the WordPress Amelia plugin to the latest available version (at least 1.0.86).

Plugin: WP Crowdfunding

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.7
Recommended Action: Update the WordPress WP Crowdfunding plugin to the latest available version (at least 2.1.7).

Plugin: Anti Hacker

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 4.35
Recommended Action: Update the WordPress Anti Hacker plugin to the latest available version (at least 4.35).

Plugin: Uncode Core

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Vulnerability: Arbitrary File Deletion vulnerability
Vulnerability: Privilege Escalation vulnerability
Patched Version: 2.8.9
Recommended Action: Update the WordPress Uncode Core plugin to the latest available version (at least 2.8.9).

Plugin: Automation By Autonami

Vulnerability: SQL Injection vulnerability
Patched Version: 2.7.0
Recommended Action: Update the WordPress Automation By Autonami plugin to the latest available version (at least 2.7.0).

Plugin: Funnel Builder for WordPress by FunnelKit

Vulnerability: SQL Injection vulnerability
Patched Version: 2.14.4
Recommended Action: Update the WordPress Funnel Builder for WordPress by FunnelKit plugin to the latest available version (at least 2.14.4).

Plugin: Pre* Party Resource Hints

Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Photo Gallery by 10Web

Vulnerability: Authenticated Stored Cross-Site Scripting via Widget vulnerability
Patched Version: 1.8.19
Recommended Action: Update the WordPress Photo Gallery by 10Web plugin to the latest available version (at least 1.8.19).

Plugin: Squirrly SEO – Advanced Pack

Vulnerability: SQL Injection vulnerability (affects versions <= 2.3.8)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Connect Contact Form 7, WooCommerce To Google Sheets & Other Platforms – Advanced Form Integration

Vulnerability: SQL Injection vulnerability
Patched Version: 1.76.0
Recommended Action: Update the WordPress Connect Contact Form 7, WooCommerce To Google Sheets & Other Platforms – Advanced Form Integration plugin to the latest available version (at least 1.76.0).

Plugin: BookIt

Vulnerability: SQL Injection vulnerability
Patched Version: 2.4.4
Recommended Action: Update the WordPress BookIt plugin to the latest available version (at least 2.4.4).

Plugin: Simply Schedule Appointments

Vulnerability: SQL Injection vulnerability
Patched Version: 1.6.6.1
Recommended Action: Update the WordPress Simply Schedule Appointments plugin to the latest available version (at least 1.6.6.1).

Plugin: e2pdf

Vulnerability: SQL Injection vulnerability
Patched Version: 1.20.24
Recommended Action: Update the WordPress e2pdf plugin to the latest available version (at least 1.20.24).

Plugin: 404 Solution

Vulnerability: SQL Injection vulnerability
Patched Version: 2.35.0
Recommended Action: Update the WordPress 404 Solution plugin to the latest available version (at least 2.35.0).

Plugin: Welcart e-Commerce

Vulnerability: SQL Injection vulnerability
Patched Version: 2.9.4
Recommended Action: Update the WordPress Welcart e-Commerce plugin to the latest available version (at least 2.9.4).

Plugin: RegistrationMagic

Vulnerability: SQL Injection vulnerability
Patched Version: 5.2.4.6
Recommended Action: Update the WordPress RegistrationMagic plugin to the latest available version (at least 5.2.4.6).

Plugin: GeoDirectory

Vulnerability: SQL Injection vulnerability
Patched Version: 2.3.29
Recommended Action: Update the WordPress GeoDirectory plugin to the latest available version (at least 2.3.29).

Plugin: WP Mail Catcher

Vulnerability: SQL Injection vulnerability
Patched Version: 2.1.4
Recommended Action: Update the WordPress WP Mail Catcher plugin to the latest available version (at least 2.1.4).

Plugin: Clockwork SMS Notifications

Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: MF Gig Calendar

Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: BookingPress

Vulnerability: SQL Injection vulnerability
Patched Version: 1.0.73
Recommended Action: Update the WordPress BookingPress plugin to the latest available version (at least 1.0.73).

Plugin: Booking Manager

Vulnerability: SQL Injection vulnerability
Patched Version: 2.1.6
Recommended Action: Update the WordPress Booking Manager plugin to the latest available version (at least 2.1.6).

Plugin: JS Help Desk – Best Help Desk & Support Plugin

Vulnerability: Unauthenticated SQL Injection vulnerability
Patched Version: 2.8.2
Recommended Action: Update the WordPress JS Help Desk – Best Help Desk & Support Plugin plugin to the latest available version (at least 2.8.2).

Plugin: NEX-Forms – Ultimate Form Builder

Vulnerability: SQL Injection vulnerability
Patched Version: 8.5.6
Recommended Action: Update the WordPress NEX-Forms – Ultimate Form Builder plugin to the latest available version (at least 8.5.6).

Plugin: Login Lockdown

Vulnerability: SQL Injection vulnerability
Patched Version: 2.07
Recommended Action: Update the WordPress Login Lockdown plugin to the latest available version (at least 2.07).

Plugin: HTML Forms

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Paid Memberships Pro

Vulnerability: Missing Authorization via API vulnerability
Patched Version: 2.12.6
Recommended Action: Update the WordPress Paid Memberships Pro plugin to the latest available version (at least 2.12.6).

Plugin: Limit Login Attempts Reloaded

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 2.25.27
Recommended Action: Update the WordPress Limit Login Attempts Reloaded plugin to the latest available version (at least 2.25.27).

Plugin: Clone

Vulnerability: Sensitive Information Exposure vulnerability
Patched Version: 2.4.3
Recommended Action: Update the WordPress Clone plugin to the latest available version (at least 2.4.3).


About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
