This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP Tabs, Video.js, Post Grid, and more!
Plugin: Stream
Vulnerability: Subscriber+ Alert Creation vulnerability
Patched Version: 3.9.2
Recommended Action: Update the WordPress Stream plugin to the latest available version (at least 3.9.2).
Plugin: PDF Generator for WordPress – Create & Customize PDF for Post, Pages and WooCommerce Products
Vulnerability: Reflected XSS vulnerability
Patched Version: 1.1.2
Recommended Action: Update the WordPress PDF Generator for WordPress – Create & Customize PDF for Post, Pages and WooCommerce Products plugin to the latest available version (at least 1.1.2).
Plugin: YourChannel: Everything you want in a YouTube
Vulnerability: Subscriber+ Stored XSS vulnerability
Patched Version: 1.2.2
Recommended Action: Update the WordPress YourChannel: Everything you want in a YouTube plugin to the latest available version (at least 1.2.2).
Plugin: Freesoul Deactivate Plugins – Plugin manager and cleanup
Vulnerability: Content Spoofing
Patched Version: 1.9.4.1
Recommended Action: Update the WordPress Freesoul Deactivate Plugins – Plugin manager and cleanup plugin to the latest available version (at least 1.9.4.1).
Plugin: Custom 404 Pro
Vulnerability: Admin+ SQL Injection Vulnerability
Patched Version: 3.7.1
Recommended Action: Update the WordPress Custom 404 Pro plugin to the latest available version (at least 3.7.1).
Plugin: GamiPress – Button
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Vulnerability
Patched Version: 1.0.5
Recommended Action: Update the WordPress GamiPress – Button plugin to the latest available version (at least 1.0.5).
Plugin: GamiPress
Vulnerability: Cross-Site Request Forgery Vulnerability
Patched Version: 2.5.1
Recommended Action: Update the WordPress GamiPress plugin to the latest available version (at least 2.5.1).
Plugin: Survey Maker
Vulnerability: Authenticated SQL Injection Vulnerability
Patched Version: 3.1.2
Recommended Action: Update the WordPress Survey Maker plugin to the latest available version (at least 3.1.2).
Plugin: Paid Memberships Pro
Vulnerability: Unauthenticated SQL Injection Vulnerability
Patched Version: 2.9.8
Recommended Action: Update the WordPress Paid Memberships Pro plugin to the latest available version (at least 2.9.8).
Plugin: Easy Digital Downloads
Vulnerability: Unauthenticated SQL Injection Vulnerability
Patched Version: 3.1.0.4
Recommended Action: Update the WordPress Easy Digital Downloads plugin to the latest available version (at least 3.1.0.4).
Plugin: Launchpad – Coming Soon & Maintenance Mode Plugin
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 9, 2022 and is not available for download.
Plugin: Advanced Custom Fields: Image Crop Add-on
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Dashicons + Custom Post Types
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Superior FAQ
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Booklet
Vulnerability: Remote Code Execution (RCE)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 10, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Online Exam Software : eExamhall
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 10, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Hover Image
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 10, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: DNUI
Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 10, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: No API Amazon Affiliate
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 10, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Better Emails
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 10, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Super Popup
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 10, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP-OliveCart
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 16, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: ipBlockList
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 14, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Map Multi Marker
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: ExactMetrics
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 7.12.1
Recommended Action: Update the WordPress ExactMetrics plugin to the latest available version (at least 7.12.1).
Plugin: Google Analytics by Monster Insights
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 8.12.1
Recommended Action: Update the WordPress Google Analytics by Monster Insights plugin to the latest available version (at least 8.12.1).
Plugin: Happyforms
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.22.0
Recommended Action: Update the WordPress Happyforms plugin to the latest available version (at least 1.22.0).
Plugin: Materialis Companion
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.3.40
Recommended Action: Update the WordPress Materialis Companion plugin to the latest available version (at least 1.3.40).
Plugin: SiteGround Security
Vulnerability: Admin+ SQLi vulnerability
Patched Version: 1.3.1
Recommended Action: Update the WordPress SiteGround Security plugin to the latest available version (at least 1.3.1).
Plugin: MagicForm
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: alfred24 Click & Collect
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 14, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Mediamatic – Media Library Folders
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 12, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Extra Block Design, Style, CSS for ANY Gutenberg Blocks
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 12, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Universal Star Rating
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 9, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Crayon Syntax Highlighter
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 13, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Tutor LMS
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.0.10
Recommended Action: Update the WordPress Tutor LMS plugin to the latest available version (at least 2.0.10).
Plugin: Mega Main Menu
Vulnerability: Plugin Settings Information Disclosure Vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Simple Membership WP user Import
Vulnerability: Authenticated (Admin+) SQL Injection Vulnerability
Patched Version: 1.8
Recommended Action: Update the WordPress Simple Membership WP user Import plugin to the latest available version (at least 1.8).
Plugin: WP Blog and Widget
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 2.3.1
Recommended Action: Update the WordPress WP Blog and Widget plugin to the latest available version (at least 2.3.1).
Plugin: Leaflet Maps Marker
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 3.12.7
Recommended Action: Update the WordPress Leaflet Maps Marker plugin to the latest available version (at least 3.12.7).
Plugin: Giveaways and Contests by RafflePress
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.11.3
Recommended Action: Update the WordPress Giveaways and Contests by RafflePress plugin to the latest available version (at least 1.11.3).
Plugin: Html5 Audio Player
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 2.1.12
Recommended Action: Update the WordPress Html5 Audio Player plugin to the latest available version (at least 2.1.12).
Plugin: jQuery T(-) Countdown Widget
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 2.3.24
Recommended Action: Update the WordPress jQuery T(-) Countdown Widget plugin to the latest available version (at least 2.3.24).
Plugin: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 8.2.7
Recommended Action: Update the WordPress WP VR – 360 Panorama and Virtual Tour Builder For WordPress plugin to the latest available version (at least 8.2.7).
Plugin: Annual Archive
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 1.6.0
Recommended Action: Update the WordPress Annual Archive plugin to the latest available version (at least 1.6.0).
Plugin: Send PDF for Contact Form 7
Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: 0.9.9.2
Recommended Action: Update the WordPress Send PDF for Contact Form 7 plugin to the latest available version (at least 0.9.9.2).
Plugin: HUSKY – Products Filter for WooCommerce (formerly WOOF)
Vulnerability: Admin+ PHP Object Injection vulnerability (WordPress WOOF – Products Filter for WooCommerce plugin < 1.3.2)
Patched Version: 1.3.2
Recommended Action: Update the WordPress HUSKY – Products Filter for WooCommerce (formerly WOOF) plugin to the latest available version (at least 1.3.2).
Plugin: ResponsiveVoice Text To Speech
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Vimeo Video Autoplay Automute
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Cloak Front End Email
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: WordPrezi
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
***
Check out the WoW Archive for past Watch Out Wednesday posts.