Watch Out Wednesday – December 7, 2022

by | Dec 6, 2022 | WoW Archive

[Image: woman with a surprised expression looking through binoculars, captioned "Watch Out Wednesday"]

This week's Watch Out Wednesday covers the latest WordPress plugin vulnerabilities, including Advanced Booking Calendar, ARMember, Easy WP SMTP, and more. For each plugin, the entry lists the reported vulnerability, the first patched version (if any), and the recommended action.

Plugin: Custom Content by Country (by Shield Security)

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP Mail Log

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.0.2
Recommended Action: Update the WordPress WP Mail Log plugin to the latest available version (at least 1.0.2).

Plugin: Advanced Booking Calendar

Vulnerability: Unauth. SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Chained Quiz

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via datef
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Quiz Deletion and Copying
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability leading to Submitted Response Deletion
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability leading to Question Deletion
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via date
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via ip
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via dn
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via ipf
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via emailf
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via dnf
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability via pointsf
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability via Facebook App ID
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability via Mailchimp API Key
Patched Version: 1.3.2.3
Recommended Action: Update the WordPress Chained Quiz plugin to the latest available version (at least 1.3.2.3).

Plugin: Post Teaser

Vulnerability: Auth. Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Advanced Booking Calendar

Vulnerability: Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Afterpay Gateway for WooCommerce

Vulnerability: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No response from the vendor.

Plugin: Attorney

Vulnerability: Unauth. Arbitrary Content Deletion vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: ARMember

Vulnerability: Unauth. Privilege Escalation vulnerability
Patched Version: 5.6
Recommended Action: Update the WordPress ARMember plugin to the latest available version (at least 5.6).

Plugin: Sunshine Photo Cart

Vulnerability: Auth. Broken Access Control vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.9.14
Recommended Action: Update the WordPress Sunshine Photo Cart plugin to the latest available version (at least 2.9.14).

Plugin: Paytium: Mollie payment forms & donations

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of November 22, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Slider by 10Web

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.2.53
Recommended Action: Update the WordPress Slider by 10Web plugin to the latest available version (at least 1.2.53).

Plugin: WP Tools

Vulnerability: Auth. Broken Access Control vulnerability
Patched Version: 3.43
Recommended Action: Update the WordPress WP Tools plugin to the latest available version (at least 3.43).

Plugin: IWS – Geo Form Fields

Vulnerability: Unauth. SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of November 22, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: All in One Time Clock Lite

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Apptivo Business Site CRM

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: 1app Business Forms

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Easy WP SMTP

Vulnerability: Auth. Arbitrary File Deletion vulnerability
Vulnerability: Auth. Arbitrary File Read vulnerability
Vulnerability: Auth. Remote Code Execution (RCE) vulnerability
Patched Version: 1.5.2
Recommended Action: Update the WordPress Easy WP SMTP plugin to the latest available version (at least 1.5.2).

Plugin: Export Users Data CSV

Vulnerability: Auth. CSV Injection vulnerability
Patched Version: 2.2
Recommended Action: Update the WordPress Export Users Data CSV plugin to the latest available version (at least 2.2).
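Checking a site against a list like this by hand is error-prone, especially where the patched version has four components (Chained Quiz 1.3.2.3) or where "None" means the only safe action is removal. The script below is an added example written for this post; it is not FocusWP's code or part of any plugin. It takes the JSON that `wp plugin list --fields=title,version,status --format=json` prints, compares each installed version against the advisory table transcribed from the entries above, and reports what to do. It assumes the plugin titles in the post match the Name header WordPress reports (verify the match by slug before acting on a finding); the INSTALLED sample and its version numbers are constructed for illustration.

```python
"""Compare installed WordPress plugins against this week's advisory list.

Added example, not part of the original post or any plugin's own code.
Input is the JSON printed by:
    wp plugin list --fields=title,version,status --format=json
Matching is by plugin title, which is an assumption; confirm by slug before acting.
"""
import json
import re

# Advisory entries transcribed from the post: plugin title -> first patched version,
# or None where no patched version exists (the post says deactivate/delete in that case).
ADVISORY = {
    "Custom Content by Country": None,
    "WP Mail Log": "1.0.2",
    "Advanced Booking Calendar": None,
    "Chained Quiz": "1.3.2.3",
    "Post Teaser": None,
    "Afterpay Gateway for WooCommerce": None,
    "Attorney": None,
    "ARMember": "5.6",
    "Sunshine Photo Cart": "2.9.14",
    "Paytium: Mollie payment forms & donations": None,
    "Slider by 10Web": "1.2.53",
    "WP Tools": "3.43",
    "IWS – Geo Form Fields": None,
    "All in One Time Clock Lite": None,
    "Apptivo Business Site CRM": None,
    "1app Business Forms": None,
    "Easy WP SMTP": "1.5.2",
    "Export Users Data CSV": "2.2",
}

# Constructed sample of `wp plugin list` output (titles from the post, versions invented).
INSTALLED = json.dumps([
    {"title": "Chained Quiz", "version": "1.3.2", "status": "active"},
    {"title": "Easy WP SMTP", "version": "1.5.2", "status": "active"},
    {"title": "Advanced Booking Calendar", "version": "1.7.1", "status": "inactive"},
    {"title": "Hello Dolly", "version": "1.7.2", "status": "inactive"},
])


def version_key(version):
    """Turn a dotted plugin version into a list of ints, so '2.9.14' > '2.9.9'
    (string comparison would get that wrong). Non-numeric tails are ignored."""
    nums = []
    for component in version.split("."):
        match = re.match(r"\d+", component)
        nums.append(int(match.group()) if match else 0)
    return nums


def version_less(a, b):
    """True if version a is older than version b; shorter versions are zero-padded,
    so '1.3.2' compares as '1.3.2.0' and is older than '1.3.2.3'."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return ka < kb


def assess(installed_json, advisory=ADVISORY):
    """Return (title, installed_version, status, action) for every installed plugin
    that appears in the advisory. Inactive plugins are still reported: their files
    stay on disk, and some plugin flaws are reachable without the plugin being active."""
    findings = []
    for plugin in json.loads(installed_json):
        title = plugin["title"]
        if title not in advisory:
            continue
        patched = advisory[title]
        installed = plugin["version"]
        if patched is None:
            action = "no fix available: deactivate and delete"
        elif version_less(installed, patched):
            action = f"update to {patched} or later"
        else:
            action = "patched"
        findings.append((title, installed, plugin["status"], action))
    return findings


if __name__ == "__main__":
    for title, installed, status, action in assess(INSTALLED):
        print(f"{title} {installed} ({status}): {action}")
```

Run it on a real site by piping `wp plugin list --fields=title,version,status --format=json` into `assess()` instead of the constructed sample. Anything reported as "no fix available" should be deactivated and deleted rather than left inactive, since deactivation alone does not remove the plugin's PHP files from the web root.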

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
