This week’s Watch Out Wednesday lists the latest WordPress plugin and theme vulnerabilities, including Uncanny Toolkit for LearnDash, Quiz And Survey Master, WoodMart, and more. Each entry gives the fixed version where one exists; where none does, the plugin should be deactivated and deleted.
Plugin: Uncanny Toolkit for LearnDash
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.6.4.2
Recommended Action: Update the WordPress Uncanny Toolkit for LearnDash plugin to the latest available version (at least 3.6.4.2).
Plugin: Protected Posts Logout Button
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.4.6
Recommended Action: Update the WordPress Protected Posts Logout Button plugin to the latest available version (at least 1.4.6).
Plugin: Protected Posts Logout Button
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.4.6
Recommended Action: Update the WordPress Protected Posts Logout Button plugin to the latest available version (at least 1.4.6).
Plugin: Top 10
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.2.4
Recommended Action: Update the WordPress Top 10 plugin to the latest available version (at least 3.2.4).
Plugin: WP Coder
Vulnerability: Admin+ SQL Injection vulnerability
Patched Version: 2.5.4
Recommended Action: Update the WordPress WP Coder plugin to the latest available version (at least 2.5.4).
Plugin: RegistrationMagic
Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched Version: 5.1.9.3
Recommended Action: Update the WordPress RegistrationMagic plugin to the latest available version (at least 5.1.9.3).
Plugin: Zeno Font Resizer
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.8.0
Recommended Action: Update the WordPress Zeno Font Resizer plugin to the latest available version (at least 1.8.0).
Plugin: Simple PDF Viewer
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Vulnerability reported to the WordPress plugins team.
Plugin: Google Maps v3 Shortcode
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Vulnerability reported to the WordPress plugins team.
Plugin: Portfolio Slideshow
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available, no easy way to contact the vendor. Vulnerability reported to the WordPress plugins team.
Plugin: Advanced Dynamic Pricing for WooCommerce
Vulnerability: Broken Access Control
Patched Version: 4.1.6
Recommended Action: Update the WordPress Advanced Dynamic Pricing for WooCommerce plugin to the latest available version (at least 4.1.6).
Plugin: Campaign URL Builder
Vulnerability: Contributor+ Stored XSS via shortcode vulnerability
Patched Version: 1.8.2
Recommended Action: Update the WordPress Campaign URL Builder plugin to the latest available version (at least 1.8.2).
Plugin: Quiz And Survey Master
Vulnerability: Unauthenticated Arbitrary Media Deletion vulnerability
Patched Version: 8.0.9
Recommended Action: Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 8.0.9).
Theme: WoodMart
Vulnerability: Unauthenticated Arbitrary Shortcode Injection vulnerability
Patched Version: 7.1.1
Recommended Action: Update the WordPress WoodMart theme to the latest available version (at least 7.1.1).
Plugin: OAuth Single Sign On – SSO (OAuth Client)
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability (affects versions 6.24.1 and earlier)
Patched Version: 6.24.2
Recommended Action: Update the WordPress OAuth Single Sign On – SSO (OAuth Client) plugin to the latest available version (at least 6.24.2).
Plugin: Campaign URL Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Create Link vulnerability
Patched Version: 1.8.2
Recommended Action: Update the WordPress Campaign URL Builder plugin to the latest available version (at least 1.8.2).
Plugin: Scriptless Social Sharing
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 3.2.2
Recommended Action: Update the WordPress Scriptless Social Sharing plugin to the latest available version (at least 3.2.2).
Plugin: Get URL Cron
Vulnerability: Broken Access Control via geturlcron_action_handle vulnerability
Patched Version: 1.4.8
Recommended Action: Update the WordPress Get URL Cron plugin to the latest available version (at least 1.4.8).
Plugin: TeraWallet – For WooCommerce
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.4.0
Recommended Action: Update the WordPress TeraWallet – For WooCommerce plugin to the latest available version (at least 1.4.0).
Plugin: WP BaiDu Submit
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Olevmedia Shortcodes
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Eyes Only: User Access Shortcode
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Tapfiliate
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Peadig’s Like & Share Button
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Service Area Postcode Checker
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Upload File Type Settings Plugin
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Post Rating
Vulnerability: Vote Manipulation Vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Sticky Ad Bar Plugin
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Open Social
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Fontiran
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: vSlider Multi Image Slider for WordPress
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Ultimate WP Query Search Filter
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. The vulnerability was reported to the WordPress plugins team on Jan 18, 2023.
Plugin: Feed Changer
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Nooz
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Product Reviews Import Export for WooCommerce
Vulnerability: Unauthenticated CSV Injection vulnerability
Patched Version: 1.4.9
Recommended Action: Update the WordPress Product Reviews Import Export for WooCommerce plugin to the latest available version (at least 1.4.9).
Plugin: WordPress Email Marketing Plugin – WP Email Capture
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.10
Recommended Action: Update the WordPress Email Marketing Plugin – WP Email Capture plugin to the latest available version (at least 3.10).
Plugin: Inline Tweet Sharer – Twitter Sharing Plugin
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.6
Recommended Action: Update the WordPress Inline Tweet Sharer – Twitter Sharing Plugin to the latest available version (at least 2.6).
Plugin: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 7.6.0
Recommended Action: Update the WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin to the latest available version (at least 7.6.0).
Plugin: Interactive Geo Maps
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.5.9
Recommended Action: Update the WordPress Interactive Geo Maps plugin to the latest available version (at least 1.5.9).
Plugin: Quick Paypal Payments
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 5.7.26
Recommended Action: Update the WordPress Quick Paypal Payments plugin to the latest available version (at least 5.7.26).
Plugin: TinyMCE Custom Styles
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.1.3
Recommended Action: Update the WordPress TinyMCE Custom Styles plugin to the latest available version (at least 1.1.3).
Plugin: Wp-Insert
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.5.1
Recommended Action: Update the WordPress Wp-Insert plugin to the latest available version (at least 2.5.1).
Plugin: Link Juice Keeper
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.0.3
Recommended Action: Update the WordPress Link Juice Keeper plugin to the latest available version (at least 2.0.3).
Plugin: JSON Content Importer
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.3.16
Recommended Action: Update the WordPress JSON Content Importer plugin to the latest available version (at least 1.3.16).
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.0
Recommended Action: Update the WordPress VikBooking Hotel Booking Engine & PMS plugin to the latest available version (at least 1.6.0).
Plugin: Ocean Extra
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.3
Recommended Action: Update the WordPress Ocean Extra plugin to the latest available version (at least 2.1.3).
Plugin: Quick Contact Form
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 8.0.4
Recommended Action: Update the WordPress Quick Contact Form plugin to the latest available version (at least 8.0.4).
Plugin: Easy Panorama
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.1.5
Recommended Action: Update the WordPress Easy Panorama plugin to the latest available version (at least 1.1.5).
Plugin: Simple Yearly Archive
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.9
Recommended Action: Update the WordPress Simple Yearly Archive plugin to the latest available version (at least 2.1.9).
Plugin: Podlove Subscribe button
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.3.9
Recommended Action: Update the WordPress Podlove Subscribe button plugin to the latest available version (at least 1.3.9).
Plugin: Podlove Podcast Publisher
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.8.4
Recommended Action: Update the WordPress Podlove Podcast Publisher plugin to the latest available version (at least 3.8.4).
Plugin: Archivist – Custom Archive Templates
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.7.5
Recommended Action: Update the WordPress Archivist – Custom Archive Templates plugin to the latest available version (at least 1.7.5).
Plugin: Archivist – Custom Archive Templates
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.7.5
Recommended Action: Update the WordPress Archivist – Custom Archive Templates plugin to the latest available version (at least 1.7.5).
Plugin: Click to Call or Chat Buttons
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.5.0
Recommended Action: Update the WordPress Click to Call or Chat Buttons plugin to the latest available version (at least 1.5.0).
Plugin: Meta slider and carousel with lightbox
Vulnerability: Broken Access Control
Patched Version: 1.7
Recommended Action: Update the WordPress Meta slider and carousel with lightbox plugin to the latest available version (at least 1.7).
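The list above is only useful if you actually compare it against what is installed. The following script is an added example (it is not part of the original post and not a tool from any of the plugin vendors): it transcribes the table into two lookups, one for entries with a fixed version and one for entries with no fixed release, and audits the JSON that `wp plugin list --fields=name,title,version,status --format=json` emits (and the `wp theme list` equivalent for WoodMart). Version comparison follows the semantics of PHP's version_compare, so 3.10 is newer than 3.9 and 1.7 equals 1.7.0. Matching is done on the normalized plugin title because that is what the post lists; in production you would key on the wordpress.org slug instead. The sample inventory, including its slugs and version numbers, is constructed for the demonstration.

```python
"""Audit a WordPress plugin/theme inventory against this week's advisory table.

Added example, not part of the original post. Input is the JSON emitted by
`wp plugin list --fields=name,title,version,status --format=json`; the sample
inventory at the bottom is constructed (hypothetical slugs and versions).
"""
import json
import re

# Transcribed from the post: display title -> minimum safe version.
MIN_SAFE = {
    "Uncanny Toolkit for LearnDash": "3.6.4.2", "Protected Posts Logout Button": "1.4.6",
    "Top 10": "3.2.4", "WP Coder": "2.5.4", "RegistrationMagic": "5.1.9.3",
    "Zeno Font Resizer": "1.8.0", "Advanced Dynamic Pricing for WooCommerce": "4.1.6",
    "Campaign URL Builder": "1.8.2", "Quiz And Survey Master": "8.0.9",
    "OAuth Single Sign On – SSO (OAuth Client)": "6.24.2", "Scriptless Social Sharing": "3.2.2",
    "Get URL Cron": "1.4.8", "TeraWallet – For WooCommerce": "1.4.0",
    "Product Reviews Import Export for WooCommerce": "1.4.9",
    "WordPress Email Marketing Plugin – WP Email Capture": "3.10",
    "Inline Tweet Sharer – Twitter Sharing Plugin": "2.6",
    "WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)": "7.6.0",
    "Interactive Geo Maps": "1.5.9", "Quick Paypal Payments": "5.7.26",
    "TinyMCE Custom Styles": "1.1.3", "Wp-Insert": "2.5.1", "Link Juice Keeper": "2.0.3",
    "JSON Content Importer": "1.3.16", "VikBooking Hotel Booking Engine & PMS": "1.6.0",
    "Ocean Extra": "2.1.3", "Quick Contact Form": "8.0.4", "Easy Panorama": "1.1.5",
    "Simple Yearly Archive": "2.1.9", "Podlove Subscribe button": "1.3.9",
    "Podlove Podcast Publisher": "3.8.4", "Archivist – Custom Archive Templates": "1.7.5",
    "Click to Call or Chat Buttons": "1.5.0", "Meta slider and carousel with lightbox": "1.7",
}
THEME_MIN_SAFE = {"WoodMart": "7.1.1"}  # audited from `wp theme list` output, same shape

# Entries with no fixed release (closed on wordpress.org or unpatched): deactivate and delete.
NO_FIX = {
    "Simple PDF Viewer", "Google Maps v3 Shortcode", "Portfolio Slideshow", "WP BaiDu Submit",
    "Olevmedia Shortcodes", "Eyes Only: User Access Shortcode", "Tapfiliate",
    "Peadig’s Like & Share Button", "Service Area Postcode Checker",
    "Upload File Type Settings Plugin", "WP Post Rating", "Sticky Ad Bar Plugin",
    "WP Open Social", "Fontiran", "vSlider Multi Image Slider for WordPress",
    "Ultimate WP Query Search Filter", "Feed Changer", "Nooz",
}


def norm(title):
    """Lower-case and drop punctuation so dashes and curly quotes in titles do not break matching."""
    return re.sub(r"[^a-z0-9]", "", title.lower())


def version_key(v):
    """Split '3.6.4.2' into [(1,3),(1,6),(1,4),(1,2)]; non-numeric parts such as 'rc1' get rank 0."""
    return [(1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-_+]", v.strip()) if p]


def version_lt(a, b):
    """True when version a is older than b. The shorter key is padded with zeros so
    '1.7' == '1.7.0', and a non-numeric part ranks below any number so '1.0-rc1' < '1.0'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [(1, 0)] * (n - len(ka))
    kb += [(1, 0)] * (n - len(kb))
    return ka < kb


def audit(inventory, min_safe=MIN_SAFE, no_fix=NO_FIX):
    """Return (slug, verdict, detail) for every installed item the advisory covers.
    Inactive items are still reported: their files remain on disk and reachable."""
    floors = {norm(k): v for k, v in min_safe.items()}
    removals = {norm(k) for k in no_fix}
    findings = []
    for item in inventory:
        key, note = norm(item["title"]), f"status={item['status']}"
        if key in removals:
            findings.append((item["name"], "REMOVE", f"no fixed release, {note}"))
        elif key in floors:
            floor = floors[key]
            if version_lt(item["version"], floor):
                findings.append((item["name"], "UPDATE", f"{item['version']} < {floor}, {note}"))
            else:
                findings.append((item["name"], "OK", f"{item['version']} >= {floor}, {note}"))
    return findings


# Constructed sample in the shape wp-cli emits; slugs and versions are hypothetical.
SAMPLE_INVENTORY = json.loads("""[
 {"name": "uncanny-learndash-toolkit", "title": "Uncanny Toolkit for LearnDash", "version": "3.6.4.1", "status": "active"},
 {"name": "wp-email-capture", "title": "WordPress Email Marketing Plugin – WP Email Capture", "version": "3.9", "status": "active"},
 {"name": "tapfiliate", "title": "Tapfiliate", "version": "3.0.1", "status": "inactive"},
 {"name": "ocean-extra", "title": "Ocean Extra", "version": "2.1.3", "status": "active"},
 {"name": "akismet", "title": "Akismet Anti-Spam", "version": "5.0.2", "status": "active"}
]""")

if __name__ == "__main__":
    for slug, verdict, detail in audit(SAMPLE_INVENTORY):
        print(f"{verdict:7} {slug:28} {detail}")
```

Run it against real output by piping `wp plugin list --fields=name,title,version,status --format=json` into `json.loads` in place of the sample. Note that 3.9 of WP Email Capture is correctly flagged as older than 3.10, which a naive string comparison would get wrong, and that the inactive Tapfiliate install is still reported for removal.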
***
Check out the WoW Archive for past Watch Out Wednesday posts.