This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including LearnPress, Automator WP, Booking Calendar, and more!
Plugin: ProfilePress
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 4.5.4
Recommended Action: Update the WordPress ProfilePress plugin to the latest available version (at least 4.5.4).
Plugin: AutomatorWP
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.5.1
Recommended Action: Update the WordPress AutomatorWP plugin to the latest available version (at least 2.5.1).
Plugin: Booking Calendar
Vulnerability: SQL Injection
Patched Version: 9.4.3.1
Recommended Action: Update the WordPress Booking Calendar plugin to the latest available version (at least 9.4.3.1).
Plugin: VikRentCar
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.3.1
Recommended Action: Update the WordPress VikRentCar plugin to the latest available version (at least 1.3.1).
Plugin: LearnPress
Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Vulnerability: Unauthenticated SQL Injection Vulnerability
Vulnerability: Local File Inclusion
Patched Version: 4.2.0
Recommended Action: Update the WordPress LearnPress plugin to the latest available version (at least 4.2.0).
Plugin: MailOptin
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2.54.1
Recommended Action: Update the WordPress MailOptin plugin to the latest available version (at least 1.2.54.1).
Plugin: Media Library Categories
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.0
Recommended Action: Update the WordPress Media Library Categories plugin to the latest available version (at least 2.0.0).
Plugin: ARMember
Vulnerability: Broken Access Control
Patched Version: 3.4.11
Recommended Action: Update the WordPress ARMember plugin to the latest available version (at least 3.4.11).
Plugin: WP Google Maps
Vulnerability: Directory Traversal
Patched Version: 9.0.16
Recommended Action: Update the WordPress WP Google Maps plugin to the latest available version (at least 9.0.16).
Plugin: Essential Blocks for Gutenberg
Vulnerability: Broken Access Control
Patched Version: 3.8.6
Recommended Action: Update the WordPress Essential Blocks for Gutenberg plugin to the latest available version (at least 3.8.6).
Plugin: Amazon JS
Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 5, 2023 and is not available for download.
Plugin: WP Pipes
Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: 1.4.0
Recommended Action: Update the WordPress WP Pipes plugin to the latest available version (at least 1.4.0).
Plugin: FL3R FeelBox
Vulnerability: Unauthenticated SQL Injection Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 13, 2022 and is not available for download.
Plugin: Social Like Box and Page by WpDevArt
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 0.8.40
Recommended Action: Update the WordPress Social Like Box and Page by WpDevArt plugin to the latest available version (at least 0.8.40).
Plugin: RegistrationMagic
Vulnerability: Arbitrary Price Change
Vulnerability: Content Injection
Patched Version: 5.1.9.3
Recommended Action: Update the WordPress RegistrationMagic plugin to the latest available version (at least 5.1.9.3).
Plugin: User Registration
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.3.1
Recommended Action: Update the WordPress User Registration plugin to the latest available version (at least 2.3.1).
Plugin: Quick Event Manager
Vulnerability: Broken Access Control
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 9.7.5
Recommended Action: Update the WordPress Quick Event Manager plugin to the latest available version (at least 9.7.5).
Plugin: WP Client Reports
Vulnerability: Subscriber+ Sensitive Data Exposure
Patched Version: 1.0.17
Recommended Action: Update the WordPress WP Client Reports plugin to the latest available version (at least 1.0.17).
Plugin: Quick Event Manager
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 9.7.5
Recommended Action: Update the WordPress Quick Event Manager plugin to the latest available version (at least 9.7.5).
Plugin: My Tickets
Vulnerability: Payment Bypass Vulnerability
Patched Version: 1.9.12
Recommended Action: Update the WordPress My Tickets plugin to the latest available version (at least 1.9.12).
Plugin: Quiz Maker
Vulnerability: Content Spoofing
Patched Version: 6.3.9.5
Recommended Action: Update the WordPress Quiz Maker plugin to the latest available version (at least 6.3.9.5).
Plugin: Reviews and Rating – Google My Business
Vulnerability: Broken Access Control
Patched Version: 4.15
Recommended Action: Update the WordPress Reviews and Rating – Google My Business plugin to the latest available version (at least 4.15).
Plugin: Bubble Menu – circle floating menu
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.0.2
Recommended Action: Update the WordPress Bubble Menu – circle floating menu plugin to the latest available version (at least 3.0.2).
Plugin: WP Time Slots Booking Form
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.1.82
Recommended Action: Update the WordPress WP Time Slots Booking Form plugin to the latest available version (at least 1.1.82).
Plugin: Contact Us page – Contact people LITE
Vulnerability: Cross Site Request Forgery (CSRF) Leading To Contact Creation Vulnerability
Patched Version: 3.7.1
Recommended Action: Update the WordPress Contact Us page – Contact people LITE plugin to the latest available version (at least 3.7.1).
Plugin: CTT Expresso para WooCommerce
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.2.12
Recommended Action: Update the WordPress CTT Expresso para WooCommerce plugin to the latest available version (at least 3.2.12).
Plugin: Participants Database
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.4.6
Recommended Action: Update the WordPress Participants Database plugin to the latest available version (at least 2.4.6).
Plugin: Responsive Vertical Icon Menu
Vulnerability: Cross Site Request Forgery (CSRF) Leading To Settings Change Vulnerability
Patched Version: 1.5.9
Recommended Action: Update the WordPress Responsive Vertical Icon Menu plugin to the latest available version (at least 1.5.9).
Plugin: WPFrom Email
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.8.9
Recommended Action: Update the WordPress WPFrom Email plugin to the latest available version (at least 1.8.9).
Plugin: GPT3 AI Content Writer
Vulnerability: Subscriber+ Arbitrary Post Content Update Vulnerability
Patched Version: 1.4.38
Recommended Action: Update the WordPress GPT3 AI Content Writer plugin to the latest available version (at least 1.4.38).
Plugin: Conversational Forms for ChatBot
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.1.7
Recommended Action: Update the WordPress Conversational Forms for ChatBot plugin to the latest available version (at least 1.1.7).
Plugin: Heateor Social Comments
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.6.2
Recommended Action: Update the WordPress Heateor Social Comments plugin to the latest available version (at least 1.6.2).
Plugin: WP Airbnb Review Slider
Vulnerability: Cross Site Request Forgery (CSRF) Leading To Reviews Removal Vulnerability
Patched Version: 3.3
Recommended Action: Update the WordPress WP Airbnb Review Slider plugin to the latest available version (at least 3.3).
Plugin: RapidLoad Power-Up for Autoptimize
Vulnerability: SQL Injection
Patched Version: 1.6.36
Recommended Action: Update the WordPress RapidLoad Power-Up for Autoptimize plugin to the latest available version (at least 1.6.36).
Plugin: Responsive Vertical Icon Menu
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.5.9
Recommended Action: Update the WordPress Responsive Vertical Icon Menu plugin to the latest available version (at least 1.5.9).
Plugin: Extensions For CF7
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0.9
Recommended Action: Update the WordPress Extensions For CF7 plugin to the latest available version (at least 2.0.9).
Plugin: PixelYourSite – Your smart PIXEL (TAG) Manager
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 9.3.1
Recommended Action: Update the WordPress PixelYourSite – Your smart PIXEL (TAG) Manager plugin to the latest available version (at least 9.3.1).
Plugin: WP Google Map Plugin
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 4.4.0
Recommended Action: Update the WordPress WP Google Map Plugin plugin to the latest available version (at least 4.4.0).
Plugin: Pods
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.9.11
Recommended Action: Update the WordPress Pods plugin to the latest available version (at least 2.9.11).
Plugin: WP Time Slots Booking Form
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.1.83
Recommended Action: Update the WordPress WP Time Slots Booking Form plugin to the latest available version (at least 1.1.83).
Plugin: Interactive Polish Map
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.2.1
Recommended Action: Update the WordPress Interactive Polish Map plugin to the latest available version (at least 1.2.1).
Plugin: Quick Event Manager
Vulnerability: Reflected Cross-Site Scripting Vulnerability
Patched Version: 9.7.5
Recommended Action: Update the WordPress Quick Event Manager plugin to the latest available version (at least 9.7.5).
Plugin: Login with phone number
Vulnerability: Reflected Cross-Site Scripting Vulnerability
Patched Version: 1.4.2
Recommended Action: Update the WordPress Login with phone number plugin to the latest available version (at least 1.4.2).
Plugin: My Calendar
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.4.4
Recommended Action: Update the WordPress My Calendar plugin to the latest available version (at least 3.4.4).
Plugin: WP Smart Preloader
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.15.1
Recommended Action: Update the WordPress WP Smart Preloader plugin to the latest available version (at least 1.15.1).
Plugin: Image Hover Effects For WPBakery Page Builder
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 5.0
Recommended Action: Update the WordPress Image Hover Effects For WPBakery Page Builder plugin to the latest available version (at least 5.0).
Plugin: Simple Staff List
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.2.3
Recommended Action: Update the WordPress Simple Staff List plugin to the latest available version (at least 2.2.3).
Plugin: WPMobile.App — Android and iOS Mobile Application
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 11.14
Recommended Action: Update the WordPress WPMobile.App — Android and iOS Mobile Application plugin to the latest available version (at least 11.14).
Plugin: Category Specific RSS feed Subscription
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.2
Recommended Action: Update the WordPress Category Specific RSS feed Subscription plugin to the latest available version (at least 2.2).
Plugin: WP eBay Product Feeds
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.4
Recommended Action: Update the WordPress WP eBay Product Feeds plugin to the latest available version (at least 3.4).
Plugin: WP Flipclock
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.8
Recommended Action: Update the WordPress WP Flipclock plugin to the latest available version (at least 1.8).
Plugin: Very Simple Google Maps
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.9
Recommended Action: Update the WordPress Very Simple Google Maps plugin to the latest available version (at least 2.9).
Plugin: Contact Form 7 Dynamic Text Extension
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Patched Version: 3.0.0
Recommended Action: Update the WordPress Contact Form 7 Dynamic Text Extension plugin to the latest available version (at least 3.0.0).
Plugin: WP Helper Premium
Vulnerability: Authenticated (Contributor+) SQL Injection vulnerability
Patched Version: 4.4.4
Recommended Action: Update the WordPress WP Helper Premium plugin to the latest available version (at least 4.4.4).
Plugin: URL Shortener by MyThemeShop
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: M Chart
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: GPT AI Power
Vulnerability: Subscriber+ Arbitrary Post Content Update Vulnerability
Patched Version: 1.4.38
Recommended Action: Update the WordPress GPT AI Power plugin to the latest available version (at least 1.4.38).
Plugin: YARPP
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Easy PayPal Buy Now Button
Vulnerability: CSRF to Stored Cross-Site Scripting vulnerability
Patched Version: 1.7.3
Recommended Action: Update the WordPress Easy PayPal Buy Now Button plugin to the latest available version (at least 1.7.3).
Plugin: Easy PayPal Buy Now Button
Vulnerability: Contributor+ Stored XSS in Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Mapwiz
Vulnerability: Admin+ SQLi vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Amr Shortcode Any Widget
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Themify Portfolio Post
Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: 1.2.2
Recommended Action: Update the WordPress Themify Portfolio Post plugin to the latest available version (at least 1.2.2).
Plugin: Lightbox Gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 0.9.5
Recommended Action: Update the WordPress Lightbox Gallery plugin to the latest available version (at least 0.9.5).
Plugin: JetWidgets For Elementor
Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 3, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Oi Yandex.Maps for WordPress
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Coming Soon by Supsystic
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Youtube shortcode
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP TopBar
Vulnerability: SQL Injection
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Admin Log
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Page Loading Effects
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Theme Blvd Responsive Google Maps
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Camera slideshow
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Nice PayPal Button Lite
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Tabs Slides
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: SRS Simple Hits Counter
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Fast Cache
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: User Meta Manager
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.5.0
Recommended Action: Update the WordPress User Meta Manager plugin to the latest available version (at least 3.5.0).
Plugin: User Meta Manager
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: GiveWP
Vulnerability: Unauthenticated SQL Injection Vulnerability
Patched Version: 2.24.0
Recommended Action: Update the WordPress GiveWP plugin to the latest available version (at least 2.24.0).
Plugin: Custom 404 Pro
Vulnerability: Cross-Site Request Forgery Vulnerability
Patched Version: 3.7.2
Recommended Action: Update the WordPress Custom 404 Pro plugin to the latest available version (at least 3.7.2).
Plugin: WP Customer Area
Vulnerability: RCE via CSRF vulnerability
Patched Version: 8.1.4
Recommended Action: Update the WordPress WP Customer Area plugin to the latest available version (at least 8.1.4).
Plugin: TemplatesNext ToolKit
Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: 3.2.9
Recommended Action: Update the WordPress TemplatesNext ToolKit plugin to the latest available version (at least 3.2.9).
Plugin: Better Font Awesome
Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: 2.0.4
Recommended Action: Update the WordPress Better Font Awesome plugin to the latest available version (at least 2.0.4).
Plugin: Location Weather
Vulnerability: Contributor+ Stored XSS Vulnerability
Patched Version: 1.3.4
Recommended Action: Update the WordPress Location Weather plugin to the latest available version (at least 1.3.4).
Plugin: Enable Media Replace
Vulnerability: Author+ Arbitrary File Upload Vulnerability
Patched Version: 4.0.2
Recommended Action: Update the WordPress Enable Media Replace plugin to the latest available version (at least 4.0.2).
***
Check out the WoW Archive for past Watch Out Wednesday posts.