Watch Out Wednesday – February 15, 2023

by | Feb 14, 2023 | WoW Archive

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Shortcodes Ultimate, Rank Math SEO, Wicked Folders, and more!

Plugin: Void Contact Form 7 Widget For Elementor Page Builder

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.2
Recommended Action: Update the WordPress Void Contact Form 7 Widget For Elementor Page Builder plugin to the latest available version (at least 2.2).

Plugin: Quiz And Survey Master

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 8.0.8
Recommended Action: Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 8.0.8).

Plugin: Shortcodes Ultimate

Vulnerability: Server Side Request Forgery (SSRF)
Vulnerability: Arbitrary File Download
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 5.12.7
Recommended Action: Update the WordPress Shortcodes Ultimate plugin to the latest available version (at least 5.12.7).

Plugin: Under Construction

Vulnerability: Multiple CSRF Vulnerabilities
Patched Version: 3.97
Recommended Action: Update the WordPress Under Construction plugin to the latest available version (at least 3.97).

Plugin: Rank Math SEO

Vulnerability: Local File Inclusion (LFI)
Patched Version: 1.0.107.3
Recommended Action: Update the Rank Math SEO plugin to the latest available version (at least 1.0.107.3).

Plugin: All-in-one Floating Contact Form

Vulnerability: Authenticated (Admin+) SQL Injection (SQLi)
Patched Version: 2.0.9
Recommended Action: Update the WordPress All-in-one Floating Contact Form plugin to the latest available version (at least 2.0.9).

Plugin: ColorWay

Vulnerability: CSRF Leading to Arbitrary Plugin Activation
Patched Version: None
Recommended Action: No patched version available.

Plugin: Plugin for Google Reviews

Vulnerability: Authenticated SQL Injection (SQLi)
Patched Version: 2.2.4
Recommended Action: Update the WordPress Plugin for Google Reviews plugin to the latest available version (at least 2.2.4).

Plugin: Wicked Folders

Vulnerability: Missing Authorization on ajax_save_state
Vulnerability: Missing Authorization on ajax_clone_folder
Vulnerability: Cross-Site Request Forgery via ajax_save_sort_order
Vulnerability: Missing Authorization on ajax_save_folder_order
Vulnerability: Cross-Site Request Forgery via ajax_clone_folder
Vulnerability: Cross-Site Request Forgery via ajax_edit_folder
Vulnerability: Missing Authorization on ajax_edit_folder
Vulnerability: Missing Authorization on ajax_delete_folder
Vulnerability: Cross-Site Request Forgery via ajax_save_state
Vulnerability: Cross-Site Request Forgery via ajax_add_folder
Vulnerability: Missing Authorization on ajax_save_folder
Vulnerability: Cross-Site Request Forgery via ajax_move_object
Vulnerability: Missing Authorization on ajax_save_sort_order
Vulnerability: Cross-Site Request Forgery via ajax_delete_folder
Vulnerability: Cross-Site Request Forgery via ajax_save_folder_order
Vulnerability: Missing Authorization on ajax_move_object
Vulnerability: Cross-Site Request Forgery via ajax_save_folder
Vulnerability: Missing Authorization on ajax_add_folder
Patched Version: 2.18.17
Recommended Action: Update the WordPress Wicked Folders plugin to the latest available version (at least 2.18.17).

Plugin: Interactive Geo Maps

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting (XSS)
Patched Version: 1.5.11
Recommended Action: Update the WordPress Interactive Geo Maps plugin to the latest available version (at least 1.5.11).

Plugin: Auto Featured Image (Auto Post Thumbnail)

Vulnerability: Authenticated (Admin+) Remote File Download
Patched Version: 3.9.16
Recommended Action: Update the WordPress Auto Featured Image (Auto Post Thumbnail) plugin to the latest available version (at least 3.9.16).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
