This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including PageLayer, Responsive Lightbox, SchedulePress and more!
Plugin: Coming soon and Maintenance mode
Vulnerability: IP Filtering Bypass vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Seraphinite Accelerator
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.20.29
Recommended Action: Update the WordPress Seraphinite Accelerator plugin to the latest available version (at least 2.20.29).
Plugin: PowerPack Pro for Elementor
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.9.24
Recommended Action: Update the WordPress PowerPack Pro for Elementor plugin to the latest available version (at least 2.9.24).
Plugin: DoFollow Case by Case
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.5.0
Recommended Action: Update the WordPress DoFollow Case by Case plugin to the latest available version (at least 3.5.0).
Plugin: PageLayer
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.7.8
Recommended Action: Update the WordPress PageLayer plugin to the latest available version (at least 1.7.8).
Plugin: Nested Pages
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Importify (Dropshipping WooCommerce)
Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Social Pug
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Enhanced Text Widget
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Contact Form 7
Vulnerability: Authenticated (Editor+) Arbitrary File Upload vulnerability
Patched Version: 5.8.4
Recommended Action: Update the WordPress Add-on SweetAlert Contact Form 7 plugin to the latest available version (at least 5.8.4).
Plugin: Backup Migration
Vulnerability: Unauthenticated Arbitrary File Download to Sensitive Information Exposure vulnerability
Patched Version: 1.3.7
Recommended Action: Update the WordPress Backup Migration plugin to the latest available version (at least 1.3.7).
Plugin: CF7 Google Sheets Connector
Vulnerability: Sensitive Data Exposure via Debug Log vulnerability
Patched Version: 5.0.6
Recommended Action: Update the WordPress CF7 Google Sheets Connector plugin to the latest available version (at least 5.0.6).
Plugin: Debug Log Manager
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 2.2.2
Recommended Action: Update the WordPress Debug Log Manager plugin to the latest available version (at least 2.2.2).
Plugin: Chartify
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.9.7
Recommended Action: Update the WordPress Chartify plugin to the latest available version (at least 1.9.7).
Plugin: GDPR Cookie Consent by Supsystic
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Site Offline
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Social Share Buttons & Analytics Plugin – GetSocial.io
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Track Geolocation Of Users Using Contact Form 7
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Adifier (Premium Theme)
Vulnerability: WordPress Adifier – Classified Ads WordPress Theme theme <= 3.9.3 – Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Machic Core
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Doofinder for WooCommerce
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Parallax Slider Block
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: NextScripts
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 4.4.3
Recommended Action: Update the WordPress NextScripts plugin to the latest available version (at least 4.4.3).
Plugin: List all posts by Authors, nested Categories and Title
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP Event Manager
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Automatic Youtube Video Posts Plugin
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Event post
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: HDW Player Plugin (Video Player & Video Gallery)
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: which template file
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP Pocket URLs
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Incomplete patch.
Plugin: KP Fastest Tawk.to Chat
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Responsive Lightbox
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.4.6
Recommended Action: Update the WordPress Responsive Lightbox plugin to the latest available version (at least 2.4.6).
Plugin: 10to8 Online Appointment Booking System
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: BrainCert – HTML5 Virtual Classroom
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Innovs HR
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Forms by CaptainForm
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Ads by datafeedr.com
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: BP Better Messages
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.4.1
Recommended Action: Update the WordPress BP Better Messages plugin to the latest available version (at least 2.4.1).
Plugin: Database for CF7
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: MSync
Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Client Dash
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Ocean Extra
Vulnerability: CSRF Leading to Arbitrary Plugin Activation vulnerability
Patched Version: 2.2.3
Recommended Action: Update the WordPress Ocean Extra plugin to the latest available version (at least 2.2.3).
Plugin: Email Address Encoder
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.23
Recommended Action: Update the WordPress Email Address Encoder plugin to the latest available version (at least 1.0.23).
Plugin: teachPress
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 9.0.6
Recommended Action: Update the WordPress teachPress plugin to the latest available version (at least 9.0.6).
Plugin: BSK Forms Blacklist
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 3.7
Recommended Action: Update the WordPress BSK Forms Blacklist plugin to the latest available version (at least 3.7).
Plugin: Export WP Page to Static HTML/CSS
Vulnerability: Missing Authorization via Multiple AJAX Actions vulnerability
Patched Version: 2.2.0
Recommended Action: Update the WordPress Export WP Page to Static HTML/CSS plugin to the latest available version (at least 2.2.0).
Plugin: SchedulePress
Vulnerability: Insufficient Authorization to Authenticated (Contributor+) Arbitrary Post Modifications vulnerability
Patched Version: 5.0.5
Recommended Action: Update the WordPress SchedulePress plugin to the latest available version (at least 5.0.5).
Plugin: WCMultiShipping
Vulnerability: Incorrect Authorization vulnerability
Patched Version: 2.3.8
Recommended Action: Update the WordPress WCMultiShipping plugin to the latest available version (at least 2.3.8).
Plugin: SiteOrigin Widgets Bundle
Vulnerability: Authenticated (Admin+) Local File Inclusion vulnerability
Patched Version: 1.51.0
Recommended Action: Update the WordPress SiteOrigin Widgets Bundle plugin to the latest available version (at least 1.51.0).
***
Check out the WoW Archive for past Watch Out Wednesday posts.
0 Comments