Watch Out Wednesday – December 28, 2022

by | Dec 27, 2022 | WoW Archive

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Formidable Forms, Real Testimonials, FontAwesome, and more!

Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress

Vulnerability: Authenticated (Administrator+) CSV Injection vulnerability
Patched Version: 1.2.3.10
Recommended Action: Update the WordPress UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin to the latest available version (at least 1.2.3.10).

Plugin: Survey Maker

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 3.1.2
Recommended Action: Update the WordPress Survey Maker plugin to the latest available version (at least 3.1.2).

Plugin: Carousel, Slider, Gallery by WP Carousel

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 2.5.3
Recommended Action: Update the WordPress Carousel, Slider, Gallery by WP Carousel plugin to the latest available version (at least 2.5.3).

Plugin: Video Conferencing with Zoom

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 4.0.10
Recommended Action: Update the WordPress Video Conferencing with Zoom plugin to the latest available version (at least 4.0.10).

Plugin: Anti-Malware Security and Brute-Force Firewall

Vulnerability: Admin+ PHP Object Injection vulnerability
Patched Version: 4.21.86
Recommended Action: Update the WordPress Anti-Malware Security and Brute-Force Firewall plugin to the latest available version (at least 4.21.86).

Plugin: Font Awesome

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 4.3.2
Recommended Action: Update the WordPress Font Awesome plugin to the latest available version (at least 4.3.2).

Plugin: Real Testimonials

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 2.6.0
Recommended Action: Update the WordPress Real Testimonials plugin to the latest available version (at least 2.6.0).

Plugin: 3D FlipBook – PDF Flipbook Viewer, Flipbook Image Gallery

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Subscribe2

Vulnerability: User Deletion via CSRF vulnerability
Patched Version: 10.38
Recommended Action: Update the WordPress Subscribe2 plugin to the latest available version (at least 10.38).

Plugin: WP Video Lightbox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.9.7
Recommended Action: Update the WordPress WP Video Lightbox plugin to the latest available version (at least 1.9.7).

Plugin: Click to Chat

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 3.18.1
Recommended Action: Update the WordPress Click to Chat plugin to the latest available version (at least 3.18.1).

Plugin: Fontsy

Vulnerability: Multiple Unauthenticated SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 13, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Sidebar Widgets by CodeLights

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 13, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: GeoDirectory

Vulnerability: CSV Injection vulnerability
Patched Version: 2.2.20
Recommended Action: Update the WordPress GeoDirectory plugin to the latest available version (at least 2.2.20).

Plugin: Sidebar Widgets by CodeLights

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Formidable Forms

Vulnerability: Cross-Site Request Forgery vulnerability
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery vulnerability
Patched Version: 5.5.5
Recommended Action: Update the WordPress Formidable Form Builder plugin to the latest available version (at least 5.5.5).

Plugin: Insert Pages

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 3.7.5
Recommended Action: Update the WordPress Insert Pages plugin to the latest available version (at least 3.7.5).

Plugin: Page scroll to id

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.7.6
Recommended Action: Update the WordPress Page scroll to id plugin to the latest available version (at least 1.7.6).

Plugin: Seriously Simple Podcasting

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 2.19.1
Recommended Action: Update the WordPress Seriously Simple Podcasting plugin to the latest available version (at least 2.19.1).

Plugin: Custom Post Types and Custom Fields creator – WCK

Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 2.3.3
Recommended Action: Update the WordPress Custom Post Types and Custom Fields creator – WCK plugin to the latest available version (at least 2.3.3).

Plugin: Sassy Social Share

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 3.3.45
Recommended Action: Update the WordPress Sassy Social Share plugin to the latest available version (at least 3.3.45).

Plugin: Images Optimize and Upload CF7

Vulnerability: Unauthenticated Arbitrary File Deletion vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: WP Attachments

Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Meteor Slides

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Simple Membership

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 4.2.2
Recommended Action: Update the WordPress Simple Membership plugin to the latest available version (at least 4.2.2).

Plugin: Bg Bible References

Vulnerability: Reflected XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 16, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Multi Step Form

Vulnerability: Admin+ Stored XSS vulnerabilities
Patched Version: 1.7.8
Recommended Action: Update the WordPress Multi Step Form plugin to the latest available version (at least 1.7.8).

Plugin: WP Shamsi

Vulnerability: Unauthenticated Arbitrary Plugin Deactivation vulnerability
Patched Version: 4.1.1
Recommended Action: Update the WordPress WP Shamsi plugin to the latest available version (at least 4.1.1).

Plugin: Starter Templates by Kadence WP

Vulnerability: Admin+ PHP Object Injection vulnerability
Patched Version: 1.2.17
Recommended Action: Update the WordPress Starter Templates by Kadence WP plugin to the latest available version (at least 1.2.17).

Plugin: Download iPanorama 360 WordPress Virtual Tour Builder

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.6.30
Recommended Action: Update the WordPress Download iPanorama 360 WordPress Virtual Tour Builder plugin to the latest available version (at least 1.6.30).

Plugin: ImageLinks Interactive Image Builder

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.5.4
Recommended Action: Update the WordPress ImageLinks Interactive Image Builder plugin to the latest available version (at least 1.5.4).

Plugin: iPages Flipbook

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.4.7
Recommended Action: Update the WordPress iPages Flipbook plugin to the latest available version (at least 1.4.7).

Plugin: Vision Interactive

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.5.4
Recommended Action: Update the WordPress Vision Interactive plugin to the latest available version (at least 1.5.4).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!