This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Advanced Booking Calendar, ARMember, Easy WP SMTP, and more!
Plugin: Custom Content by Country (by Shield Security)
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Mail Log
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.0.2
Recommended Action: Update the WordPress WP Mail Log plugin to the latest available version (at least 1.0.2).
Plugin: Advanced Booking Calendar
Vulnerability: Unauth. SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Chained Quiz
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via datef
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Quiz Deletion and Copying
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability leading to Submitted Response Deletion
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability leading to Question Deletion
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via date
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via ip
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via dn
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via ipf
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via emailf
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via dnf
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via pointsf
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability via Facebook App ID
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability via Mailchimp API Key
Patched Version: 1.3.2.3
Recommended Action: Update the WordPress Chained Quiz plugin to the latest available version (at least 1.3.2.3).
Plugin: Post Teaser
Vulnerability: Auth. Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Advanced Booking Calendar
Vulnerability: Multiple Cross-Site Scripting (CSRF) vulnerabilities
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Afterpay Gateway for WooCommerce
Vulnerability: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No response from the vendor.
Plugin: Attorney
Vulnerability: Unauth. Arbitrary Content Deletion vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: ARMember
Vulnerability: Unauth. Privilege Escalation vulnerability
Patched Version: 5.6
Recommended Action: Update the WordPress ARMember plugin to the latest available version (at least 5.6).
Plugin: Sunshine Photo Cart
Vulnerability: Auth. Broken Access Control vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.9.14
Recommended Action: Update the WordPress Sunshine Photo Cart plugin to the latest available version (at least 2.9.14).
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of November 22, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Slider by 10Web
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.2.53
Recommended Action: Update the WordPress Slider by 10Web plugin to the latest available version (at least 1.2.53).
Plugin: WP Tools
Vulnerability: Auth. Broken Access Control vulnerability
Patched Version: 3.43
Recommended Action: Update the WordPress WP Tools plugin to the latest available version (at least 3.43).
Plugin: IWS – Geo Form Fields
Vulnerability: Unauth. SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of November 22, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: All in One Time Clock Lite
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Apptivo Business Site CRM
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: 1app Business Forms
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Easy WP SMTP
Vulnerability: Auth. Arbitrary File Deletion vulnerability
Vulnerability: Auth. Arbitrary File Read vulnerability
Vulnerability: Auth. Remote Code Execution (RCE) vulnerability
Patched Version: 1.5.2
Recommended Action: Update the WordPress Easy WP SMTP plugin to the latest available version (at least 1.5.2).
Plugin: Export Users Data CSV
Vulnerability: Auth. CSV Injection vulnerability
Patched Version: 2.2
Recommended Action: Update the WordPress Export Users Data CSV plugin to the latest available version (at least 2.2).
***
Check out the WoW Archive for past Watch Out Wednesday posts.