Watch Out Wednesday – February 8, 2023

by | Feb 7, 2023 | WoW Archive

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Formidable Forms, IP Vault, Ocean Extra, and more!

Plugin: Similar Posts

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Responsive Image Gallery, Gallery Album

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.2
Recommended Action: Update the WordPress Responsive Image Gallery, Gallery Album plugin to the latest available version (at least 2.0.2).

Plugin: Formidable Forms

Vulnerability: Broken Access Control vulnerability
Patched Version: 5.5.5
Recommended Action: Update the WordPress Formidable Form Builder plugin to the latest available version (at least 5.5.5).

Plugin: Watu Quiz

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.3.8.1
Recommended Action: Update the WordPress Watu Quiz plugin to the latest available version (at least 3.3.8.1).

Plugin: WebinarIgnition

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.14.3
Recommended Action: Update the WordPress WebinarIgnition plugin to the latest available version (at least 2.14.3).

Plugin: Podlove Podcast Publisher

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.8.3
Recommended Action: Update the WordPress Podlove Podcast Publisher plugin to the latest available version (at least 3.8.3).

Plugin: Cost Calculator

Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Kraken.io Image Optimizer

Vulnerability: Broken Access Control Vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Opening Hours

Vulnerability: Admin+ Stored XSS Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 27, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Metform Elementor Contact Form Builder

Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress Metform Elementor Contact Form Builder plugin to the latest available version (at least 3.2.0).

Plugin: CC Custom Taxonomy

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: IP Vault – WP Firewall

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version available.

Plugin: Album and Image Gallery plus Lightbox

Vulnerability: Broken Access Control
Patched Version: 1.6.3
Recommended Action: Update the WordPress Album and Image Gallery plus Lightbox plugin to the latest available version (at least 1.6.3).

Plugin: Commenter Emails

Vulnerability: CSV Injection
Patched Version: None
Recommended Action: No patched version available.

Plugin: 1003 Mortgage Application

Vulnerability: CSV Injection
Vulnerability: Local File Inclusion
Patched Version: None
Recommended Action: No reply from the vendor.

Plugin: Print Invoice & Delivery Notes for WooCommerce

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 4.7.2
Recommended Action: Update the WordPress Print Invoice & Delivery Notes for WooCommerce plugin to the latest available version (at least 4.7.2).

Plugin: Simple History

Vulnerability: CSV Injection vulnerability
Patched Version: 3.4.0
Recommended Action: Update the WordPress Simple History plugin to the latest available version (at least 3.4.0).

Plugin: 0mk Shortener

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version available.

Plugin: Flexible Elementor Panel

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.3.9
Recommended Action: Update the WordPress Flexible Elementor Panel plugin to the latest available version (at least 2.3.9).

Plugin: Side Cart Woocommerce (Ajax)

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No reply from the vendor since November 14, 2022.

Plugin: Posts and Users Stats

Vulnerability: CSV Injection vulnerability
Patched Version: None
Recommended Action: No reply from the vendor.

Plugin: Jobs for WordPress

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Multi Rating

Vulnerability: Cross Site Request Forgery (CSRF)
Vulnerability: Unauth. Arbitrary Vote Increase/Decrease
Patched Version: None
Recommended Action: Deactivate and delete.

Plugin: Pinpoint Booking System

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.9.9.2.9
Recommended Action: Update the WordPress Pinpoint Booking System plugin to the latest available version (at least 2.9.9.2.9).

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.7.1.2
Recommended Action: Update the WordPress Arigato Autoresponder and Newsletter plugin to the latest available version (at least 2.7.1.2).

Plugin: avalex

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.0.4
Recommended Action: Update the WordPress avalex plugin to the latest available version (at least 3.0.4).

Plugin: Auto Affiliate Links

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 6.3.0.1
Recommended Action: Update the WordPress Auto Affiliate Links plugin to the latest available version (at least 6.3.0.1).

Plugin: FV Flowplayer Video Player

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 7.5.31.7212
Recommended Action: Update the WordPress FV Flowplayer Video Player plugin to the latest available version (at least 7.5.31.7212).

Plugin: Image Hover Effects – Caption Hover with Carousel

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.0
Recommended Action: Update the WordPress Image Hover Effects – Caption Hover with Carousel plugin to the latest available version (at least 3.0).

Plugin: WP Tabs

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.1.15
Recommended Action: Update the WordPress WP Tabs plugin to the latest available version (at least 2.1.15).

Plugin: Usersnap

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 4.17
Recommended Action: Update the WordPress Usersnap plugin to the latest available version (at least 4.17).

Plugin: Multi-column Tag Map

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 17.0.25
Recommended Action: Update the WordPress Multi-column Tag Map plugin to the latest available version (at least 17.0.25).

Plugin: PHP Execution

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: WP htpasswd

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Marketing Performance

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Magazine Edge

Vulnerability: Authenticated Arbitrary Plugin Activation
Patched Version: None
Recommended Action: No patched version available.

Plugin: EZP Coming Soon Page

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.7.4
Recommended Action: Update the WordPress EZP Coming Soon Page plugin to the latest available version (at least 1.0.7.4).

Plugin: WP Booking System

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.0.18.1
Recommended Action: Update the WordPress WP Booking System plugin to the latest available version (at least 2.0.18.1).

Plugin: We’re Open!

Vulnerability: Broken Access Control
Patched Version: 1.46
Recommended Action: Update the WordPress We’re Open! plugin to the latest available version (at least 1.46).

Plugin: Robo Gallery

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 3.2.11
Recommended Action: Update the WordPress Robo Gallery plugin to the latest available version (at least 3.2.11).

Plugin: Formidable Forms

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.5.7
Recommended Action: Update the WordPress Formidable Forms plugin to the latest available version (at least 5.5.7).

Plugin: Ocean Extra

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.2
Recommended Action: Update the WordPress Ocean Extra plugin to the latest available version (at least 2.1.2).

Plugin: GeoDirectory

Vulnerability: Admin+ SQLi vulnerability
Patched Version: 2.2.24
Recommended Action: Update the WordPress GeoDirectory plugin to the latest available version (at least 2.2.24).

Plugin: Wufoo Shortcode

Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: 1.52
Recommended Action: Update the WordPress Wufoo Shortcode plugin to the latest available version (at least 1.52).

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 2.7.1.2
Recommended Action: Update the WordPress Arigato Autoresponder and Newsletter plugin to the latest available version (at least 2.7.1.2).

Plugin: ShortPixel Adaptive Images

Vulnerability: Reflected XSS vulnerability
Patched Version: 3.6.2
Recommended Action: Update the WordPress ShortPixel Adaptive Images plugin to the latest available version (at least 3.6.2).

Plugin: Beautiful Cookie Consent Banner

Vulnerability: Missing Authorization to Settings Update vulnerability
Patched Version: 2.10.1
Recommended Action: Update the WordPress Beautiful Cookie Consent Banner plugin to the latest available version (at least 2.10.1).

Plugin: Beautiful Cookie Consent Banner

Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 2.10.1
Recommended Action: Update the WordPress Beautiful Cookie Consent Banner plugin to the latest available version (at least 2.10.1).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
