This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Formidable Forms, IP Vault, Ocean Extra, and more!
Plugin: Similar Posts
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Responsive Image Gallery, Gallery Album
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.2
Recommended Action: Update the WordPress Responsive Image Gallery, Gallery Album plugin to the latest available version (at least 2.0.2).
Plugin: Formidable Forms
Vulnerability: Broken Access Control vulnerability
Patched Version: 5.5.5
Recommended Action: Update the WordPress Formidable Form Builder plugin to the latest available version (at least 5.5.5).
Plugin: Watu Quiz
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.3.8.1
Recommended Action: Update the WordPress Watu Quiz plugin to the latest available version (at least 3.3.8.1).
Plugin: WebinarIgnition
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.14.3
Recommended Action: Update the WordPress WebinarIgnition plugin to the latest available version (at least 2.14.3).
Plugin: Podlove Podcast Publisher
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.8.3
Recommended Action: Update the WordPress Podlove Podcast Publisher plugin to the latest available version (at least 3.8.3).
Plugin: Cost Calculator
Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Kraken.io Image Optimizer
Vulnerability: Broken Access Control Vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Opening Hours
Vulnerability: Admin+ Stored XSS Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 27, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Metform Elementor Contact Form Builder
Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress Metform Elementor Contact Form Builder plugin to the latest available version (at least 3.2.0).
Plugin: CC Custom Taxonomy
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: IP Vault – WP Firewall
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version available.
Plugin: Album and Image Gallery plus Lightbox
Vulnerability: Broken Access Control
Patched Version: 1.6.3
Recommended Action: Update the WordPress Album and Image Gallery plus Lightbox plugin to the latest available version (at least 1.6.3).
Plugin: Commenter Emails
Vulnerability: CSV Injection
Patched Version: None
Recommended Action: No patched version available.
Plugin: 1003 Mortgage Application
Vulnerability: CSV Injection
Vulnerability: Local File Inclusion
Patched Version: None
Recommended Action: No reply from the vendor.
Plugin: Print Invoice & Delivery Notes for WooCommerce
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 4.7.2
Recommended Action: Update the WordPress Print Invoice & Delivery Notes for WooCommerce plugin to the latest available version (at least 4.7.2).
Plugin: Simple History
Vulnerability: CSV Injection vulnerability
Patched Version: 3.4.0
Recommended Action: Update the WordPress Simple History plugin to the latest available version (at least 3.4.0).
Plugin: 0mk Shortener
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version available.
Plugin: Flexible Elementor Panel
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.3.9
Recommended Action: Update the WordPress Flexible Elementor Panel plugin to the latest available version (at least 2.3.9).
Plugin: Side Cart Woocommerce (Ajax)
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No reply from the vendor since November 14, 2022.
Plugin: Posts and Users Stats
Vulnerability: CSV Injection vulnerability
Patched Version: None
Recommended Action: No reply from the vendor.
Plugin: Jobs for WordPress
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Multi Rating
Vulnerability: Cross Site Request Forgery (CSRF)
Vulnerability: Unauth. Arbitrary Vote Increase/Decrease
Patched Version: None
Recommended Action: Deactivate and delete.
Plugin: Pinpoint Booking System
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.9.9.2.9
Recommended Action: Update the WordPress Pinpoint Booking System plugin to the latest available version (at least 2.9.9.2.9).
Plugin: Arigato Autoresponder and Newsletter
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.7.1.2
Recommended Action: Update the WordPress Arigato Autoresponder and Newsletter plugin to the latest available version (at least 2.7.1.2).
Plugin: avalex
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.0.4
Recommended Action: Update the WordPress avalex plugin to the latest available version (at least 3.0.4).
Plugin: Auto Affiliate Links
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 6.3.0.1
Recommended Action: Update the WordPress Auto Affiliate Links plugin to the latest available version (at least 6.3.0.1).
Plugin: FV Flowplayer Video Player
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 7.5.31.7212
Recommended Action: Update the WordPress FV Flowplayer Video Player plugin to the latest available version (at least 7.5.31.7212).
Plugin: Image Hover Effects – Caption Hover with Carousel
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.0
Recommended Action: Update the WordPress Image Hover Effects – Caption Hover with Carousel plugin to the latest available version (at least 3.0).
Plugin: WP Tabs
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.1.15
Recommended Action: Update the WordPress WP Tabs plugin to the latest available version (at least 2.1.15).
Plugin: Usersnap
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 4.17
Recommended Action: Update the WordPress Usersnap plugin to the latest available version (at least 4.17).
Plugin: Multi-column Tag Map
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 17.0.25
Recommended Action: Update the WordPress Multi-column Tag Map plugin to the latest available version (at least 17.0.25).
Plugin: PHP Execution
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: WP htpasswd
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Marketing Performance
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Magazine Edge
Vulnerability: Authenticated Arbitrary Plugin Activation
Patched Version: None
Recommended Action: No patched version available.
Plugin: EZP Coming Soon Page
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.7.4
Recommended Action: Update the WordPress EZP Coming Soon Page plugin to the latest available version (at least 1.0.7.4).
Plugin: WP Booking System
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.0.18.1
Recommended Action: Update the WordPress WP Booking System plugin to the latest available version (at least 2.0.18.1).
Plugin: We’re Open!
Vulnerability: Broken Access Control
Patched Version: 1.46
Recommended Action: Update the WordPress We’re Open! plugin to the latest available version (at least 1.46).
Plugin: Robo Gallery
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 3.2.11
Recommended Action: Update the WordPress Robo Gallery plugin to the latest available version (at least 3.2.11).
Plugin: Formidable Forms
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.5.7
Recommended Action: Update the WordPress Formidable Forms plugin to the latest available version (at least 5.5.7).
Plugin: Ocean Extra
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.2
Recommended Action: Update the WordPress Ocean Extra plugin to the latest available version (at least 2.1.2).
Plugin: GeoDirectory
Vulnerability: Admin+ SQLi vulnerability
Patched Version: 2.2.24
Recommended Action: Update the WordPress GeoDirectory plugin to the latest available version (at least 2.2.24).
Plugin: Wufoo Shortcode
Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: 1.52
Recommended Action: Update the WordPress Wufoo Shortcode plugin to the latest available version (at least 1.52).
Plugin: Arigato Autoresponder and Newsletter
Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 2.7.1.2
Recommended Action: Update the WordPress Arigato Autoresponder and Newsletter plugin to the latest available version (at least 2.7.1.2).
Plugin: ShortPixel Adaptive Images
Vulnerability: Reflected XSS vulnerability
Patched Version: 3.6.2
Recommended Action: Update the WordPress ShortPixel Adaptive Images plugin to the latest available version (at least 3.6.2).
Plugin: Beautiful Cookie Consent Banner
Vulnerability: Missing Authorization to Settings Update vulnerability
Patched Version: 2.10.1
Recommended Action: Update the WordPress Beautiful Cookie Consent Banner plugin to the latest available version (at least 2.10.1).
Plugin: Beautiful Cookie Consent Banner
Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 2.10.1
Recommended Action: Update the WordPress Beautiful Cookie Consent Banner plugin to the latest available version (at least 2.10.1).
***
Check out the WoW Archive for past Watch Out Wednesday posts.