Watch Out Wednesday – February 8, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Formidable Forms, IP Vault, Ocean Extra, and more!

Plugin: Similar Posts

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Responsive Image Gallery, Gallery Album

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.2
Recommended Action: Update the WordPress Responsive Image Gallery, Gallery Album plugin to the latest available version (at least 2.0.2).

Plugin: Formidable Forms

Vulnerability: Broken Access Control vulnerability
Patched Version: 5.5.5
Recommended Action: Update the WordPress Formidable Form Builder plugin to the latest available version (at least 5.5.5).

Plugin: Watu Quiz

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.3.8.1
Recommended Action: Update the WordPress Watu Quiz plugin to the latest available version (at least 3.3.8.1).

Plugin: WebinarIgnition

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.14.3
Recommended Action: Update the WordPress WebinarIgnition | WordPress Webinar plugin to run live and instant/evergreen/automated/recorded webinars plugin to the latest available version (at least 2.14.3).

Plugin: Podlove Podcast Publisher

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.8.3
Recommended Action: Update the WordPress Podlove Podcast Publisher plugin to the latest available version (at least 3.8.3).

Plugin: Cost Calculator

Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Kraken.io Image Optimizer

Vulnerability: Broken Access Control Vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Opening Hours

Vulnerability: Admin+ Stored XSS Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 27, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Metform Elementor Contact Form Builder

Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress Metform Elementor Contact Form Builder plugin to the latest available version (at least 3.2.0).

Plugin: CC Custom Taxonomy

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: IP Vault – WP Firewall

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version available.

Plugin: Album and Image Gallery plus Lightbox

Vulnerability: Broken Access Control
Patched Version: 1.6.3
Recommended Action: Update the WordPress Album and Image Gallery plus Lightbox plugin to the latest available version (at least 1.6.3).

Plugin: Commenter Emails

Vulnerability: CSV Injection
Patched Version: None
Recommended Action: No patched version available.

Plugin: 1003 Mortgage Application

Vulnerability: CSV Injection
Vulnerability: Local File Inclusion
Patched Version: None
Recommended Action: No reply from the vendor.

Plugin: Print Invoice & Delivery Notes for WooCommerce

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 4.7.2
Recommended Action: Update the WordPress Print Invoice & Delivery Notes for WooCommerce plugin to the latest available version (at least 4.7.2).

Plugin: Simple History

Vulnerability: CSV Injection vulnerability
Patched Version: 3.4.0
Recommended Action: Update the WordPress Simple History plugin to the latest available version (at least 3.4.0).

Plugin: 0mk Shortener

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version available.

Plugin: Flexible Elementor Panel

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.3.9
Recommended Action: Update the WordPress Flexible Elementor Panel plugin to the latest available version (at least 2.3.9).

Plugin: Side Cart Woocommerce (Ajax)

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No reply from the vendor since 2022 Nov 14.

Plugin: Posts and Users Stats

Vulnerability: CSV Injection vulnerability
Patched Version: None
Recommended Action: No reply from the vendor.

Plugin: Jobs for WordPress

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Multi Rating

Vulnerability: Cross Site Request Forgery (CSRF)
Vulnerability: Unauth. Arbitrary Vote Increase/Decrease
Patched Version: None
Recommended Action: Deactivate and delete.

Plugin: Pinpoint Booking System

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.9.9.2.9
Recommended Action: Update the WordPress Booking System plugin to the latest available version (at least 2.9.9.2.9).

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.7.1.2
Recommended Action: Update the WordPress Arigato Autoresponder and Newsletter plugin to the latest available version (at least 2.7.1.2).

Plugin: avalex

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.0.4
Recommended Action: Update the WordPress avalex plugin to the latest available version (at least 3.0.4).

Plugin: Auto Affiliate Links

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 6.3.0.1
Recommended Action: Update the WordPress Auto Affiliate Links plugin to the latest available version (at least 6.3.0.1).

Plugin: FV Flowplayer Video Player

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 7.5.31.7212
Recommended Action: Update the WordPress FV Flowplayer Video Player plugin to the latest available version (at least 7.5.31.7212).

Plugin: Image Hover Effects – Caption Hover with Carousel

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.0
Recommended Action: Update the WordPress Image Hover Effects – Caption Hover with Carousel plugin to the latest available version (at least 3.0).

Plugin: WP Tabs

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.1.15
Recommended Action: Update the WordPress WP Tabs plugin to the latest available version (at least 2.1.15).

Plugin: Usersnap

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 4.17
Recommended Action: Update the WordPress Usersnap plugin to the latest available version (at least 4.17).

Plugin: Multi-column Tag Map

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 17.0.25
Recommended Action: Update the WordPress Multi-column Tag Map plugin to the latest available version (at least 17.0.25).

Plugin: PHP Execution

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: WP htpasswd

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Marketing Performance

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Magazine Edge

Vulnerability: Authenticated Arbitrary Plugin Activation
Patched Version: None
Recommended Action: No patched version available.

Plugin: EZP Coming Soon Page

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.7.4
Recommended Action: Update the WordPress EZP Coming Soon Page plugin to the latest available version (at least 1.0.7.4).

Plugin: WP Booking System

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.0.18.1
Recommended Action: Update the WordPress WP Booking System plugin to the latest available version (at least 2.0.18.1).

Plugin: We’re Open!

Vulnerability: Broken Access Control
Patched Version: 1.46
Recommended Action: Update the WordPress We’re Open! plugin to the latest available version (at least 1.46).

Plugin: Robo Gallery

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 3.2.11
Recommended Action: Update the WordPress Robo Gallery plugin to the latest available version (at least 3.2.11).

Plugin: Formidable Forms

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.5.7
Recommended Action: Update the WordPress Formidable Forms plugin to the latest available version (at least 5.5.7).

Plugin: Ocean Extra

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.2
Recommended Action: Update the WordPress Ocean Extra plugin to the latest available version (at least 2.1.2).

Plugin: GeoDirectory

Vulnerability: Admin+ SQLi vulnerability
Patched Version: 2.2.24
Recommended Action: Update the WordPress GeoDirectory plugin to the latest available version (at least 2.2.24).

Plugin: Wufoo Shortcode

Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: 1.52
Recommended Action: Update the WordPress Wufoo Shortcode plugin to the latest available version (at least 1.52).

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 2.7.1.2
Recommended Action: Update the WordPress Arigato Autoresponder and Newsletter plugin to the latest available version (at least 2.7.1.2).

Plugin: ShortPixel Adaptive Images

Vulnerability: Reflected XSS vulnerability
Patched Version: 3.6.2
Recommended Action: Update the WordPress ShortPixel Adaptive Images plugin to the latest available version (at least 3.6.2).

Plugin: Beautiful Cookie Consent Banner

Vulnerability: Missing Authorization to Settings Update vulnerability
Patched Version: 2.10.1
Recommended Action: Update the WordPress Beautiful Cookie Consent Banner plugin to the latest available version (at least 2.10.1).

Plugin: Beautiful Cookie Consent Banner

Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 2.10.1
Recommended Action: Update the WordPress Beautiful Cookie Consent Banner plugin to the latest available version (at least 2.10.1).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Related Posts

See our site in 3D!

Subscribe to our newsletter and we’ll send you a pair of FocusWP 3D glasses!

Join our free, private Facebook group to network with like minded business owners and pick up tons of useful tips and resources.

Get Focused

Jump on our email list to get weekly tips for getting the most out of your FocusWP team, including task inspo, sample ticket briefs, pricing suggestions, and even email swipe files to help you effortlessly sell to your clients.

We will also occasionally share cool tools we are obsessed with, educational resources, and useful tips to help you run a profitable digital business. 

We'll do our best to send emails at times convenient for you.
This field is for validation purposes and should be left unchanged.