This Week’s Watch Out Wednesday covers the latest WordPress plugin vulnerabilities, including those in Shortcodes Ultimate, Rank Math SEO, Wicked Folders, and more!
Plugin: Void Contact Form 7 Widget For Elementor Page Builder
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.2
Recommended Action: Update the WordPress Void Contact Form 7 Widget For Elementor Page Builder plugin to the latest available version (at least 2.2).
Plugin: Quiz And Survey Master
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 8.0.8
Recommended Action: Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 8.0.8).
Plugin: Shortcodes Ultimate
Vulnerability: Server Side Request Forgery (SSRF)
Vulnerability: Arbitrary File Download
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 5.12.7
Recommended Action: Update the WordPress Shortcodes Ultimate plugin to the latest available version (at least 5.12.7).
Plugin: Under Construction
Vulnerability: Multiple CSRF Vulnerabilities
Patched Version: 3.97
Recommended Action: Update the WordPress Under Construction plugin to the latest available version (at least 3.97).
Plugin: Rank Math SEO
Vulnerability: Local File Inclusion (LFI)
Patched Version: 1.0.107.3
Recommended Action: Update the Rank Math SEO plugin to the latest available version (at least 1.0.107.3).
Plugin: All-in-one Floating Contact Form
Vulnerability: Authenticated (Admin+) SQL Injection (SQLi)
Patched Version: 2.0.9
Recommended Action: Update the WordPress All-in-one Floating Contact Form plugin to the latest available version (at least 2.0.9).
Plugin: ColorWay
Vulnerability: CSRF Leading to Arbitrary Plugin Activation
Patched Version: None
Recommended Action: No patched version is available. Deactivate and remove the ColorWay plugin until a fixed release is published, then check back here for the patched version.
Plugin: Plugin for Google Reviews
Vulnerability: Authenticated SQL Injection (SQLi)
Patched Version: 2.2.4
Recommended Action: Update the WordPress Plugin for Google Reviews plugin to the latest available version (at least 2.2.4).
Plugin: Wicked Folders
Vulnerability: Missing Authorization on ajax_add_folder
Vulnerability: Cross-Site Request Forgery on ajax_add_folder
Vulnerability: Missing Authorization on ajax_edit_folder
Vulnerability: Cross-Site Request Forgery on ajax_edit_folder
Vulnerability: Missing Authorization on ajax_delete_folder
Vulnerability: Cross-Site Request Forgery on ajax_delete_folder
Vulnerability: Missing Authorization on ajax_clone_folder
Vulnerability: Cross-Site Request Forgery on ajax_clone_folder
Vulnerability: Missing Authorization on ajax_save_folder
Vulnerability: Cross-Site Request Forgery on ajax_save_folder
Vulnerability: Missing Authorization on ajax_save_folder_order
Vulnerability: Cross-Site Request Forgery on ajax_save_folder_order
Vulnerability: Missing Authorization on ajax_save_sort_order
Vulnerability: Cross-Site Request Forgery on ajax_save_sort_order
Vulnerability: Missing Authorization on ajax_save_state
Vulnerability: Cross-Site Request Forgery on ajax_save_state
Vulnerability: Missing Authorization on ajax_move_object
Vulnerability: Cross-Site Request Forgery on ajax_move_object
Patched Version: 2.18.17
Recommended Action: Update the WordPress Wicked Folders plugin to the latest available version (at least 2.18.17).
Plugin: Interactive Geo Maps
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting (XSS)
Patched Version: 1.5.11
Recommended Action: Update the WordPress Interactive Geo Maps plugin to the latest available version (at least 1.5.11).
Plugin: Auto Featured Image (Auto Post Thumbnail)
Vulnerability: Authenticated (Admin+) Remote File Download
Patched Version: 3.9.16
Recommended Action: Update the WordPress Auto Featured Image (Auto Post Thumbnail) plugin to the latest available version (at least 3.9.16).
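As an added example (not code from the original post or from any of the plugin authors), here is a small Python script that compares the plugin versions a site reports through WP-CLI against the patched versions listed above. The version table is copied from this week's list; the wordpress.org slugs used as dictionary keys are my assumptions and should be checked against each plugin's directory page, and the WP-CLI output embedded in the script is a constructed sample rather than output from a real site.

```python
"""Check installed WordPress plugins against this week's patched versions.

Feed it the output of:  wp plugin list --fields=name,status,version --format=json
The slugs in PATCHED are assumptions (verify against wordpress.org); the
sample output at the bottom is constructed for this example.
"""
import json
import re

# Patched versions exactly as listed in the post. None = no fixed release yet.
# Keys are the plugin slugs I assume for each entry; verify before relying on them.
PATCHED = {
    "cf7-widget-elementor": ("Void Contact Form 7 Widget For Elementor Page Builder", "2.2"),
    "quiz-master-next": ("Quiz And Survey Master", "8.0.8"),
    "shortcodes-ultimate": ("Shortcodes Ultimate", "5.12.7"),
    "under-construction-page": ("Under Construction", "3.97"),
    "seo-by-rank-math": ("Rank Math SEO", "1.0.107.3"),
    "mystickyelements": ("All-in-one Floating Contact Form", "2.0.9"),
    "colorway": ("ColorWay", None),
    "widget-google-reviews": ("Plugin for Google Reviews", "2.2.4"),
    "wicked-folders": ("Wicked Folders", "2.18.17"),
    "interactive-geo-maps": ("Interactive Geo Maps", "1.5.11"),
    "auto-post-thumbnail": ("Auto Featured Image (Auto Post Thumbnail)", "3.9.16"),
}


def parse_version(v):
    """'1.0.107.3' -> [1, 0, 107, 3].

    A pre-release marker ('7rc1', 'beta') contributes a -1 so that
    5.12.7rc1 sorts below the 5.12.7 release that actually carries the fix.
    """
    nums = []
    for piece in re.split(r"[.\-]", v.strip()):
        m = re.fullmatch(r"(\d+)(.*)", piece)
        if m is None:  # purely non-numeric token such as "beta"
            nums.append(-1)
            continue
        nums.append(int(m.group(1)))
        if m.group(2):  # "7rc1": numeric part followed by a pre-release tag
            nums.append(-1)
    return nums


def version_at_least(installed, required):
    """True if installed >= required, comparing numerically (5.12.10 > 5.12.7)
    and treating missing trailing components as zero (2.2 == 2.2.0)."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a >= b


def assess(plugins):
    """plugins: list of dicts from `wp plugin list --format=json`.

    Returns (slug, title, installed_version, verdict) for every installed
    plugin that appears in this week's table; other plugins are skipped.
    """
    findings = []
    for p in plugins:
        slug = p["name"]
        if slug not in PATCHED:
            continue
        title, fixed = PATCHED[slug]
        installed = p.get("version", "")
        if fixed is None:
            verdict = "no patched version: deactivate and remove"
        elif version_at_least(installed, fixed):
            verdict = "patched"
        else:
            verdict = f"vulnerable: update to {fixed} or later"
        # An inactive plugin is still code on disk; flag it rather than ignore it.
        if p.get("status") == "inactive" and verdict != "patched":
            verdict += " (inactive, but still installed)"
        findings.append((slug, title, installed, verdict))
    return findings


# Constructed sample of `wp plugin list --fields=name,status,version --format=json`.
# Versions here are made up for the demonstration.
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "shortcodes-ultimate", "status": "active", "version": "5.12.6"},
    {"name": "seo-by-rank-math", "status": "active", "version": "1.0.107.3"},
    {"name": "wicked-folders", "status": "inactive", "version": "2.18.16"},
    {"name": "colorway", "status": "active", "version": "1.0.0"},
    {"name": "akismet", "status": "active", "version": "5.1"},
])


if __name__ == "__main__":
    for slug, title, installed, verdict in assess(json.loads(SAMPLE_WP_CLI_OUTPUT)):
        print(f"{title} ({slug}) {installed}: {verdict}")
```

On a live site, replace the sample with the real output of `wp plugin list --fields=name,status,version --format=json`. Two details matter in practice: versions must be compared numerically (string comparison would rank 5.12.10 below 5.12.7), and an inactive plugin still has its code on disk, so it is reported rather than skipped.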
***
Check out the WoW Archive for past Watch Out Wednesday posts.