This week’s Watch Out Wednesday shows the latest WordPress vulnerabilities, including Formidable Forms, Real Testimonials, Font Awesome, and more!
Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress
Vulnerability: Authenticated (Administrator+) CSV Injection vulnerability
Patched Version: 1.2.3.10
Recommended Action: Update the WordPress UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin to the latest available version (at least 1.2.3.10).
Plugin: Survey Maker
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 3.1.2
Recommended Action: Update the WordPress Survey Maker plugin to the latest available version (at least 3.1.2).
Plugin: Carousel, Slider, Gallery by WP Carousel
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 2.5.3
Recommended Action: Update the WordPress Carousel, Slider, Gallery by WP Carousel plugin to the latest available version (at least 2.5.3).
Plugin: Video Conferencing with Zoom
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 4.0.10
Recommended Action: Update the WordPress Video Conferencing with Zoom plugin to the latest available version (at least 4.0.10).
Plugin: Anti-Malware Security and Brute-Force Firewall
Vulnerability: Admin+ PHP Object Injection vulnerability
Patched Version: 4.21.86
Recommended Action: Update the WordPress Anti-Malware Security and Brute-Force Firewall plugin to the latest available version (at least 4.21.86).
Plugin: Font Awesome
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 4.3.2
Recommended Action: Update the WordPress Font Awesome plugin to the latest available version (at least 4.3.2).
Plugin: Real Testimonials
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 2.6.0
Recommended Action: Update the WordPress Real Testimonials plugin to the latest available version (at least 2.6.0).
Plugin: 3D FlipBook – PDF Flipbook Viewer, Flipbook Image Gallery
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Subscribe2
Vulnerability: User Deletion via CSRF vulnerability
Patched Version: 10.38
Recommended Action: Update the WordPress Subscribe2 plugin to the latest available version (at least 10.38).
Plugin: WP Video Lightbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.9.7
Recommended Action: Update the WordPress WP Video Lightbox plugin to the latest available version (at least 1.9.7).
Plugin: Click to Chat
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 3.18.1
Recommended Action: Update the WordPress Click to Chat plugin to the latest available version (at least 3.18.1).
Plugin: Fontsy
Vulnerability: Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 13, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Sidebar Widgets by CodeLights
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 13, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: GeoDirectory
Vulnerability: CSV Injection vulnerability
Patched Version: 2.2.20
Recommended Action: Update the WordPress GeoDirectory plugin to the latest available version (at least 2.2.20).
Plugin: Sidebar Widgets by CodeLights
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No patched version is available, and this plugin has been closed as of December 13, 2022 (see the earlier Sidebar Widgets by CodeLights entry).
Plugin: Formidable Forms
Vulnerability: Cross-Site Request Forgery vulnerability
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery vulnerability
Patched Version: 5.5.5
Recommended Action: Update the WordPress Formidable Forms plugin to the latest available version (at least 5.5.5).
Plugin: Insert Pages
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 3.7.5
Recommended Action: Update the WordPress Insert Pages plugin to the latest available version (at least 3.7.5).
Plugin: Page scroll to id
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.7.6
Recommended Action: Update the WordPress Page scroll to id plugin to the latest available version (at least 1.7.6).
Plugin: Seriously Simple Podcasting
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 2.19.1
Recommended Action: Update the WordPress Seriously Simple Podcasting plugin to the latest available version (at least 2.19.1).
Plugin: Custom Post Types and Custom Fields creator – WCK
Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 2.3.3
Recommended Action: Update the WordPress Custom Post Types and Custom Fields creator – WCK plugin to the latest available version (at least 2.3.3).
Plugin: Sassy Social Share
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 3.3.45
Recommended Action: Update the WordPress Sassy Social Share plugin to the latest available version (at least 3.3.45).
Plugin: Images Optimize and Upload CF7
Vulnerability: Unauthenticated Arbitrary File Deletion vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: WP Attachments
Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Meteor Slides
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Simple Membership
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 4.2.2
Recommended Action: Update the WordPress Simple Membership plugin to the latest available version (at least 4.2.2).
Plugin: Bg Bible References
Vulnerability: Reflected XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 16, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Multi Step Form
Vulnerability: Admin+ Stored XSS vulnerabilities
Patched Version: 1.7.8
Recommended Action: Update the WordPress Multi Step Form plugin to the latest available version (at least 1.7.8).
Plugin: WP Shamsi
Vulnerability: Unauthenticated Arbitrary Plugin Deactivation vulnerability
Patched Version: 4.1.1
Recommended Action: Update the WordPress WP Shamsi plugin to the latest available version (at least 4.1.1).
Plugin: Starter Templates by Kadence WP
Vulnerability: Admin+ PHP Object Injection vulnerability
Patched Version: 1.2.17
Recommended Action: Update the WordPress Starter Templates by Kadence WP plugin to the latest available version (at least 1.2.17).
Plugin: iPanorama 360 WordPress Virtual Tour Builder
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.6.30
Recommended Action: Update the WordPress iPanorama 360 WordPress Virtual Tour Builder plugin to the latest available version (at least 1.6.30).
Plugin: ImageLinks Interactive Image Builder
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.5.4
Recommended Action: Update the WordPress ImageLinks Interactive Image Builder plugin to the latest available version (at least 1.5.4).
Plugin: iPages Flipbook
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.4.7
Recommended Action: Update the WordPress iPages Flipbook plugin to the latest available version (at least 1.4.7).
Plugin: Vision Interactive
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.5.4
Recommended Action: Update the WordPress Vision Interactive plugin to the latest available version (at least 1.5.4).
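Every entry above reduces to the same check: is the installed version older than the first patched release, or is there no patched release at all? The script below is an added example, not part of this post or of any of the plugins listed; it transcribes the advisory table above and runs it against the JSON that `wp plugin list --fields=title,status,version --format=json` produces (the `title`, `status` and `version` field names are assumed from WP-CLI's documented fields). Matching on the plugin title prefix is a heuristic for illustration; a production check should key on the plugin slug. The installed-plugin JSON embedded here is constructed sample input, not output from a real site. Note that versions are compared numerically per dotted component, so 1.2.3.9 is correctly ranked below 1.2.3.10 and 10.9 below 10.38, which a plain string comparison gets wrong.

```python
"""Audit installed WordPress plugins against this week's advisory list."""
import json
import re

# Transcribed from the entries above: plugin title prefix -> first patched version.
# None means no fixed release exists; those should be deactivated and deleted.
ADVISORY = {
    "UsersWP": "1.2.3.10",
    "Survey Maker": "3.1.2",
    "Carousel, Slider, Gallery by WP Carousel": "2.5.3",
    "Video Conferencing with Zoom": "4.0.10",
    "Anti-Malware Security and Brute-Force Firewall": "4.21.86",
    "Font Awesome": "4.3.2",
    "Real Testimonials": "2.6.0",
    "3D FlipBook": None,
    "Subscribe2": "10.38",
    "WP Video Lightbox": "1.9.7",
    "Click to Chat": "3.18.1",
    "Fontsy": None,
    "Sidebar Widgets by CodeLights": None,
    "GeoDirectory": "2.2.20",
    "Formidable Forms": "5.5.5",
    "Insert Pages": "3.7.5",
    "Page scroll to id": "1.7.6",
    "Seriously Simple Podcasting": "2.19.1",
    "Custom Post Types and Custom Fields creator": "2.3.3",
    "Sassy Social Share": "3.3.45",
    "Images Optimize and Upload CF7": None,
    "WP Attachments": None,
    "Meteor Slides": None,
    "Simple Membership": "4.2.2",
    "Bg Bible References": None,
    "Multi Step Form": "1.7.8",
    "WP Shamsi": "4.1.1",
    "Starter Templates by Kadence WP": "1.2.17",
    "iPanorama 360": "1.6.30",
    "ImageLinks Interactive Image Builder": "1.5.4",
    "iPages Flipbook": "1.4.7",
    "Vision Interactive": "1.5.4",
}


def version_key(version):
    """'1.2.3.10' -> [(1,''),(2,''),(3,''),(10,'')]: numeric parts compare as ints.
    Pre-release suffixes (e.g. '-beta') are kept as strings but not ranked specially."""
    key = []
    for part in re.split(r"[.\-]", version.strip()):
        m = re.match(r"(\d*)(.*)", part)
        key.append((int(m.group(1) or 0), m.group(2)))
    return key


def is_vulnerable(installed, patched):
    """True if the installed version predates the patch, or no patch exists."""
    if patched is None:
        return True
    a, b = version_key(installed), version_key(patched)
    width = max(len(a), len(b))          # pad so 1.2.3 == 1.2.3.0, not 1.2.3 < 1.2.3.0
    a += [(0, "")] * (width - len(a))
    b += [(0, "")] * (width - len(b))
    return a < b


def lookup(title):
    """Heuristic: match the advisory name as a prefix of the installed plugin title."""
    t = title.lower()
    for name, patched in ADVISORY.items():
        if t.startswith(name.lower()):
            return name, patched
    return None


def audit(plugin_list_json):
    """Return one finding per installed plugin still exposed by this week's list.
    Inactive plugins are reported too: their files remain reachable on disk."""
    findings = []
    for p in json.loads(plugin_list_json):
        hit = lookup(p["title"])
        if hit and is_vulnerable(p["version"], hit[1]):
            name, patched = hit
            action = f"update to >= {patched}" if patched else "deactivate and delete (no fixed release)"
            findings.append({"plugin": name, "installed": p["version"],
                             "status": p["status"], "action": action})
    return findings


# Constructed sample of `wp plugin list` output (not from a real site).
SAMPLE = json.dumps([
    {"title": "Formidable Forms", "status": "active", "version": "5.5.4"},
    {"title": "Survey Maker", "status": "active", "version": "3.1.2"},
    {"title": "UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress",
     "status": "active", "version": "1.2.3.9"},
    {"title": "Fontsy", "status": "inactive", "version": "1.0"},
    {"title": "Click to Chat", "status": "active", "version": "3.18.2"},
    {"title": "Akismet Anti-Spam", "status": "active", "version": "5.0.2"},
])

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['plugin']} {f['installed']} ({f['status']}): {f['action']}")
```

On the sample input the script flags Formidable Forms (5.5.4 is below 5.5.5), UsersWP (1.2.3.9 is below 1.2.3.10) and Fontsy (no fixed release), and leaves Survey Maker and Click to Chat alone because they already sit at or above the patched version. To run it against a real site, pipe the output of `wp plugin list --fields=title,status,version --format=json` into `audit()` in place of `SAMPLE`.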
***
Check out the WoW Archive for past Watch Out Wednesday posts.