This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including ContentStudio, Quick Restaurant Menu, Booking Calendar, and more!
Plugin: AI Contact Us Form
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Limit Login Attempts Plus
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting Vulnerability
Patched Version: 1.1.0
Recommended Action: Update the WordPress Limit Login Attempts Plus plugin to the latest available version (at least 1.1.0).
Plugin: ContentStudio
Vulnerability: Unauthorised Function Calls Vulnerability
Vulnerability: Nonce Disclosure Vulnerability
Vulnerability: Authorisation Bypass Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WooLentor
Vulnerability: Contributor+ Stored XSS Vulnerability
Vulnerability: PHP Object Injection Vulnerability
Patched Version: 2.5.4
Recommended Action: Update the WordPress WooLentor plugin to the latest available version (at least 2.5.4).
Plugin: Greenshift – animation and page builder blocks
Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: 5.0
Recommended Action: Update the WordPress Greenshift – animation and page builder blocks plugin to the latest available version (at least 5.0).
Plugin: Quick Restaurant Menu
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting Vulnerability
Vulnerability: Cross-Site Request Forgery Vulnerability
Vulnerability: Missing Authorization Vulnerability
Vulnerability: Insecure Direct Object Reference Vulnerability
Patched Version: 2.1.0
Recommended Action: Update the WordPress Quick Restaurant Menu plugin to the latest available version (at least 2.1.0).
Plugin: Conditional Shipping for WooCommerce
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.3.2
Recommended Action: Update the WordPress Conditional Shipping for WooCommerce plugin to the latest available version (at least 2.3.2).
Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.5.49
Recommended Action: Update the WordPress Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin to the latest available version (at least 1.5.49).
Plugin: ProfilePress
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 4.5.4
Recommended Action: Update the WordPress ProfilePress plugin to the latest available version (at least 4.5.4).
Plugin: Ecwid Shopping Cart
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 6.11.4
Recommended Action: Update the WordPress Ecwid Shopping Cart plugin to the latest available version (at least 6.11.4).
Plugin: WooCommerce PDF Invoices & Packing Slips
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.2.6
Recommended Action: Update the WordPress WooCommerce PDF Invoices & Packing Slips plugin to the latest available version (at least 3.2.6).
Plugin: Connect Contact Form 7, WooCommerce To Google Sheets & Other Platforms – Advanced Form Integration
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.63.0
Recommended Action: Update the WordPress Connect Contact Form 7, WooCommerce To Google Sheets & Other Platforms – Advanced Form Integration plugin to the latest available version (at least 1.63.0).
Plugin: Greenshift – animation and page builder blocks
Vulnerability: SVG upload to Cross Site Scripting (XSS) vulnerability
Patched Version: 5.0
Recommended Action: Update the WordPress Greenshift – animation and page builder blocks plugin to the latest available version (at least 5.0).
Plugin: Advanced Social Pixel
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: JS Help Desk – Best Help Desk & Support Plugin
Vulnerability: Broken Access Control
Vulnerability: Arbitrary File Upload Vulnerability
Vulnerability: Unauthenticated Settings Change Vulnerability
Vulnerability: Multiple Cross Site Request Forgery (CSRF) Vulnerabilities
Vulnerability: Unauthenticated SQL Injection Vulnerability
Patched Version: 2.7.2
Recommended Action: Update the WordPress JS Help Desk – Best Help Desk & Support Plugin plugin to the latest available version (at least 2.7.2).
Plugin: JobBoardWP – Job Board Listings and Submissions
Vulnerability: IDOR Leading To Job Removal Vulnerability
Patched Version: 1.2.3
Recommended Action: Update the WordPress JobBoardWP – Job Board Listings and Submissions plugin to the latest available version (at least 1.2.3).
Plugin: Welcart e-Commerce
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.8.11
Recommended Action: Update the WordPress Welcart e-Commerce plugin to the latest available version (at least 2.8.11).
Plugin: DH – Anti AdBlocker
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 37
Recommended Action: Update the WordPress DH – Anti AdBlocker plugin to the latest available version (at least 37).
Plugin: Glossary
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.28
Recommended Action: Update the WordPress Glossary plugin to the latest available version (at least 2.1.28).
Plugin: Material Design Icons for Page Builders
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.4.3
Recommended Action: Update the WordPress Material Design Icons for Page Builders plugin to the latest available version (at least 1.4.3).
Plugin: Noptin
Vulnerability: Unauth. CSV Injection vulnerability
Patched Version: 1.10.0
Recommended Action: Update the WordPress Noptin plugin to the latest available version (at least 1.10.0).
Plugin: Site Reviews
Vulnerability: Unauth. CSV Injection vulnerability
Patched Version: 6.4.0
Recommended Action: Update the WordPress Site Reviews plugin to the latest available version (at least 6.4.0).
Plugin: Exclusive Addons Elementor
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.6.2
Recommended Action: Update the WordPress Exclusive Addons Elementor plugin to the latest available version (at least 2.6.2).
Plugin: WPComplete
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.9.5
Recommended Action: Update the WordPress WPComplete plugin to the latest available version (at least 2.9.5).
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.5.12
Recommended Action: Update the WordPress VikBooking Hotel Booking Engine & PMS plugin to the latest available version (at least 1.5.12).
Plugin: Booking calendar, Appointment Booking System
Vulnerability: Bypass vulnerability
Vulnerability: Cross Site Scripting (XSS)
Vulnerability: Broken Access Control
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.2.4
Recommended Action: Update the WordPress Booking calendar, Appointment Booking System plugin to the latest available version (at least 3.2.4).
Plugin: Organization chart
Vulnerability: Cross Site Scripting (XSS)
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.4.5
Recommended Action: Update the WordPress Organization chart plugin to the latest available version (at least 1.4.5).
Plugin: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
Vulnerability: Broken Access Control
Patched Version: 7.6.0
Recommended Action: Update the WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin to the latest available version (at least 7.6.0).
Plugin: BNE Testimonials
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.8
Recommended Action: Update the WordPress BNE Testimonials plugin to the latest available version (at least 2.0.8).
Plugin: bbPress Voting
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.11.1
Recommended Action: Update the WordPress bbPress Voting plugin to the latest available version (at least 2.1.11.1).
Plugin: Survey Maker
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.2.1
Recommended Action: Update the WordPress Survey Maker plugin to the latest available version (at least 3.2.1).
Plugin: Simple Image Popup
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.0
Recommended Action: Update the WordPress Simple Image Popup plugin to the latest available version (at least 2.0.0).
Plugin: Namaste! LMS
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.5.9.2
Recommended Action: Update the WordPress Namaste! LMS plugin to the latest available version (at least 2.5.9.2).
Plugin: WP Table Manager
Vulnerability: Broken Access Control
Patched Version: 3.5.3
Recommended Action: Update the WordPress WP Table Manager plugin to the latest available version (at least 3.5.3).
Plugin: Client Logo Carousel
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 3.0.1
Recommended Action: Update the WordPress Client Logo Carousel plugin to the latest available version (at least 3.0.1).
Plugin: WP Table Manager
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.5.3
Recommended Action: Update the WordPress WP Table Manager plugin to the latest available version (at least 3.5.3).
Plugin: eVision Responsive Column Layout Shortcodes
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 5, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: OAuth Server
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Gerencianet Oficial
Vulnerability: Missing Authorization vulnerability
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 2.0.0
Recommended Action: Update the WordPress Gerencianet Oficial plugin to the latest available version (at least 2.0.0).
Plugin: Olevmedia Shortcodes
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: ChatBot
Vulnerability: Multiple Cross Site Scripting (XSS)
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.2.9
Recommended Action: Update the WordPress ChatBot plugin to the latest available version (at least 4.2.9).
Plugin: Simple Photo Gallery
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of 10-01-2023 and is not available for download. Reason: Security Issue.
Plugin: Blocksy Companion
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.8.68
Recommended Action: Update the WordPress Blocksy Companion plugin to the latest available version (at least 1.8.68).
Plugin: Hueman Addons
Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Bootstrap Shortcodes
Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed and is not available for download. Reason: Security Issue.
Plugin: Intuitive Custom Post Order
Vulnerability: Authenticated (Admin+) SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer
Vulnerability: Authenticated SQL Injection vulnerability
Patched Version: 2.12.23
Recommended Action: Update the WordPress 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin to the latest available version (at least 2.12.23).
Plugin: Juicer
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: GetResponse for WordPress
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 5.5.32
Recommended Action: Update the WordPress GetResponse for WordPress plugin to the latest available version (at least 5.5.32).
Plugin: Post Views Count (Support caching plugins!)
Vulnerability: Contributor+ Stored XSS in Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 27, 2022 and is not available for download. Reason: Security Issue.
Plugin: Easy Social Box / Page Plugin
Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 27, 2022 and is not available for download. Reason: Security Issue.
Plugin: Opening Hours
Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 27, 2022 and is not available for download. Reason: Security Issue.
Plugin: WP Responsive Testimonials Slider And Widget
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 27, 2022 and is not available for download. Reason: Security Issue.
Plugin: Loan Comparison
Vulnerability: Reflected XSS Vulnerability
Patched Version: 1.5.3
Recommended Action: Update the WordPress Loan Comparison plugin to the latest available version (at least 1.5.3).
Plugin: Loan Comparison
Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: 1.5.3
Recommended Action: Update the WordPress Loan Comparison plugin to the latest available version (at least 1.5.3).
Plugin: Mercado Pago payments for WooCommerce
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 6.7.0
Recommended Action: Update the WordPress Mercado Pago payments for WooCommerce plugin to the latest available version (at least 6.7.0).
Plugin: WP Helper Premium
Vulnerability: Reflected Cross-Site Scripting Vulnerability
Patched Version: 4.3
Recommended Action: Update the WordPress WP Helper Premium plugin to the latest available version (at least 4.3).
Plugin: Spectra
Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: 1.15.0
Recommended Action: Update the WordPress Spectra plugin to the latest available version (at least 1.15.0).
***
Check out the WoW Archive for past Watch Out Wednesday posts.