Watch Out Wednesday – February 1, 2023

by | Jan 31, 2023 | WoW Archive


This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including ContentStudio, Quick Restaurant Menu, Booking Calendar, and more!

Plugin: AI Contact Us Form

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Limit Login Attempts Plus

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting Vulnerability
Patched Version: 1.1.0
Recommended Action: Update the WordPress Limit Login Attempts Plus plugin to the latest available version (at least 1.1.0).

Plugin: ContentStudio

Vulnerability: Unauthorised Function Calls Vulnerability
Vulnerability: Nonce Disclosure Vulnerability
Vulnerability: Authorisation Bypass Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: WooLentor

Vulnerability: Contributor+ Stored XSS Vulnerability
Vulnerability: PHP Object Injection Vulnerability
Patched Version: 2.5.4
Recommended Action: Update the WordPress WooLentor plugin to the latest available version (at least 2.5.4).

Plugin: Greenshift – animation and page builder blocks

Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: 5.0
Recommended Action: Update the WordPress Greenshift – animation and page builder blocks plugin to the latest available version (at least 5.0).

Plugin: Quick Restaurant Menu

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting Vulnerability
Vulnerability: Cross-Site Request Forgery Vulnerability
Vulnerability: Missing Authorization Vulnerability
Vulnerability: Insecure Direct Object Reference Vulnerability
Patched Version: 2.1.0
Recommended Action: Update the WordPress Quick Restaurant Menu plugin to the latest available version (at least 2.1.0).

Plugin: Conditional Shipping for WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.3.2
Recommended Action: Update the WordPress Conditional Shipping for WooCommerce plugin to the latest available version (at least 2.3.2).

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.5.49
Recommended Action: Update the WordPress Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin to the latest available version (at least 1.5.49).

Plugin: ProfilePress

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 4.5.4
Recommended Action: Update the WordPress ProfilePress plugin to the latest available version (at least 4.5.4).

Plugin: Ecwid Shopping Cart

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 6.11.4
Recommended Action: Update the WordPress Ecwid Shopping Cart plugin to the latest available version (at least 6.11.4).

Plugin: WooCommerce PDF Invoices & Packing Slips

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.2.6
Recommended Action: Update the WordPress WooCommerce PDF Invoices & Packing Slips plugin to the latest available version (at least 3.2.6).

Plugin: Connect Contact Form 7, WooCommerce To Google Sheets & Other Platforms – Advanced Form Integration

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.63.0
Recommended Action: Update the WordPress Connect Contact Form 7, WooCommerce To Google Sheets & Other Platforms – Advanced Form Integration plugin to the latest available version (at least 1.63.0).

Plugin: Greenshift – animation and page builder blocks

Vulnerability: SVG upload to Cross Site Scripting (XSS) vulnerability
Patched Version: 5.0
Recommended Action: Update the WordPress Greenshift – animation and page builder blocks plugin to the latest available version (at least 5.0).

Plugin: Advanced Social Pixel

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: JS Help Desk – Best Help Desk & Support Plugin

Vulnerability: Broken Access Control
Vulnerability: Arbitrary File Upload Vulnerability
Vulnerability: Unauthenticated Settings Change Vulnerability
Vulnerability: Multiple Cross Site Request Forgery (CSRF) Vulnerabilities
Vulnerability: Unauthenticated SQL Injection Vulnerability
Patched Version: 2.7.2
Recommended Action: Update the WordPress JS Help Desk – Best Help Desk & Support Plugin to the latest available version (at least 2.7.2).

Plugin: JobBoardWP – Job Board Listings and Submissions

Vulnerability: IDOR Leading To Job Removal Vulnerability
Patched Version: 1.2.3
Recommended Action: Update the WordPress JobBoardWP – Job Board Listings and Submissions plugin to the latest available version (at least 1.2.3).

Plugin: Welcart e-Commerce

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.8.11
Recommended Action: Update the WordPress Welcart e-Commerce plugin to the latest available version (at least 2.8.11).

Plugin: DH – Anti AdBlocker

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 37
Recommended Action: Update the WordPress DH – Anti AdBlocker plugin to the latest available version (at least 37).

Plugin: Glossary

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.28
Recommended Action: Update the WordPress Glossary plugin to the latest available version (at least 2.1.28).

Plugin: Material Design Icons for Page Builders

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.4.3
Recommended Action: Update the WordPress Material Design Icons for Page Builders plugin to the latest available version (at least 1.4.3).

Plugin: Noptin

Vulnerability: Unauth. CSV Injection vulnerability
Patched Version: 1.10.0
Recommended Action: Update the WordPress Noptin plugin to the latest available version (at least 1.10.0).

Plugin: Site Reviews

Vulnerability: Unauth. CSV Injection vulnerability
Patched Version: 6.4.0
Recommended Action: Update the WordPress Site Reviews plugin to the latest available version (at least 6.4.0).

Plugin: Exclusive Addons Elementor

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.6.2
Recommended Action: Update the WordPress Exclusive Addons Elementor plugin to the latest available version (at least 2.6.2).

Plugin: WPComplete

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.9.5
Recommended Action: Update the WordPress WPComplete plugin to the latest available version (at least 2.9.5).

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.5.12
Recommended Action: Update the WordPress VikBooking Hotel Booking Engine & PMS plugin to the latest available version (at least 1.5.12).

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Bypass vulnerability
Vulnerability: Cross Site Scripting (XSS)
Vulnerability: Broken Access Control
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.2.4
Recommended Action: Update the WordPress Booking calendar, Appointment Booking System plugin to the latest available version (at least 3.2.4).

Plugin: Organization chart

Vulnerability: Cross Site Scripting (XSS)
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.4.5
Recommended Action: Update the WordPress Organization chart plugin to the latest available version (at least 1.4.5).

Plugin: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Broken Access Control
Patched Version: 7.6.0
Recommended Action: Update the WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin to the latest available version (at least 7.6.0).

Plugin: BNE Testimonials

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.8
Recommended Action: Update the WordPress BNE Testimonials plugin to the latest available version (at least 2.0.8).

Plugin: bbPress Voting

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.11.1
Recommended Action: Update the WordPress bbPress Voting plugin to the latest available version (at least 2.1.11.1).

Plugin: Survey Maker

Vulnerability: Broken Access Control vulnerability
Patched Version: 3.2.1
Recommended Action: Update the WordPress Survey Maker plugin to the latest available version (at least 3.2.1).

Plugin: Simple Image Popup

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.0
Recommended Action: Update the WordPress Simple Image Popup plugin to the latest available version (at least 2.0.0).

Plugin: Namaste! LMS

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.5.9.2
Recommended Action: Update the WordPress Namaste! LMS plugin to the latest available version (at least 2.5.9.2).

Plugin: WP Table Manager

Vulnerability: Broken Access Control
Patched Version: 3.5.3
Recommended Action: Update the WordPress WP Table Manager plugin to the latest available version (at least 3.5.3).

Plugin: Client Logo Carousel

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 3.0.1
Recommended Action: Update the WordPress Client Logo Carousel plugin to the latest available version (at least 3.0.1).

Plugin: WP Table Manager

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.5.3
Recommended Action: Update the WordPress WP Table Manager plugin to the latest available version (at least 3.5.3).

Plugin: eVision Responsive Column Layout Shortcodes

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 5, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: OAuth Server

Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Gerencianet Oficial

Vulnerability: Missing Authorization vulnerability
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 2.0.0
Recommended Action: Update the WordPress Gerencianet Oficial plugin to the latest available version (at least 2.0.0).

Plugin: Olevmedia Shortcodes

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: ChatBot

Vulnerability: Multiple Cross Site Scripting (XSS)
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.2.9
Recommended Action: Update the WordPress ChatBot plugin to the latest available version (at least 4.2.9).

Plugin: Simple Photo Gallery

Vulnerability: SQL Injection
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 10, 2023 and is not available for download. Reason: Security Issue.

Plugin: Blocksy Companion

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.8.68
Recommended Action: Update the WordPress Blocksy Companion plugin to the latest available version (at least 1.8.68).

Plugin: Hueman Addons

Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Bootstrap Shortcodes

Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed and is not available for download. Reason: Security Issue.

Plugin: Intuitive Custom Post Order

Vulnerability: Authenticated (Admin+) SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer

Vulnerability: Authenticated SQL Injection vulnerability
Patched Version: 2.12.23
Recommended Action: Update the WordPress 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin to the latest available version (at least 2.12.23).

Plugin: Juicer

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: GetResponse for WordPress

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 5.5.32
Recommended Action: Update the WordPress GetResponse for WordPress plugin to the latest available version (at least 5.5.32).

Plugin: Post Views Count (Support caching plugins!)

Vulnerability: Contributor+ Stored XSS in Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 27, 2022 and is not available for download. Reason: Security Issue.

Plugin: Easy Social Box / Page Plugin

Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 27, 2022 and is not available for download. Reason: Security Issue.

Plugin: Opening Hours

Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 27, 2022 and is not available for download. Reason: Security Issue.

Plugin: WP Responsive Testimonials Slider And Widget

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 27, 2022 and is not available for download. Reason: Security Issue.

Plugin: Loan Comparison

Vulnerability: Reflected XSS Vulnerability
Patched Version: 1.5.3
Recommended Action: Update the WordPress Loan Comparison plugin to the latest available version (at least 1.5.3).

Plugin: Loan Comparison

Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: 1.5.3
Recommended Action: Update the WordPress Loan Comparison plugin to the latest available version (at least 1.5.3).

Plugin: Mercado Pago payments for WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 6.7.0
Recommended Action: Update the WordPress Mercado Pago payments for WooCommerce plugin to the latest available version (at least 6.7.0).

Plugin: WP Helper Premium

Vulnerability: Reflected Cross-Site Scripting Vulnerability
Patched Version: 4.3
Recommended Action: Update the WordPress WP Helper Premium plugin to the latest available version (at least 4.3).

Plugin: Spectra

Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: 1.15.0
Recommended Action: Update the WordPress Spectra plugin to the latest available version (at least 1.15.0).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
