Watch Out Wednesday – July 12, 2023

This week’s Watch Out Wednesday lists the latest WordPress plugin (and theme) vulnerabilities, including Premium Addons PRO, Forminator, BuddyPress Builder for Elementor and more. For each entry the patched version is the minimum version you should be running; where the patched version is listed as "None", no fixed release existed at the time of writing.

Plugin: HTTP Headers

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.19.0
Recommended Action: Update the WordPress HTTP Headers plugin to the latest available version (at least 1.19.0).

Plugin: WooCommerce Ship to Multiple Addresses

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.8.6
Recommended Action: Update the WordPress WooCommerce Ship to Multiple Addresses plugin to the latest available version (at least 3.8.6).

Plugin: WooCommerce GoCardless Gateway

Vulnerability: Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability
Patched Version: 2.5.7
Recommended Action: Update the WordPress WooCommerce GoCardless Gateway plugin to the latest available version (at least 2.5.7).

Plugin: WooCommerce Warranty Requests

Vulnerability: Broken Access Control vulnerability
Patched Version: 2.2.0
Recommended Action: Update the WordPress WooCommerce Warranty Requests plugin to the latest available version (at least 2.2.0).

Plugin: Premium Addons PRO

Vulnerability: Broken Access Control vulnerability
Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: BuddyPress Builder for Elementor – BuddyBuilder

Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 1.7.4
Recommended Action: Update the WordPress BuddyPress Builder for Elementor – BuddyBuilder plugin to the latest available version (at least 1.7.4).

Plugin: ARMember

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.0.6
Recommended Action: Update the WordPress ARMember plugin to the latest available version (at least 4.0.6).

Plugin: Yet Another Stars Rating

Vulnerability: Race Condition vulnerability
Patched Version: 3.3.9
Recommended Action: Update the WordPress Yet Another Stars Rating plugin to the latest available version (at least 3.3.9).

Plugin: JetFormBuilder

Vulnerability: Authenticated Privilege Escalation vulnerability
Patched Version: 3.0.9
Recommended Action: Update the WordPress JetFormBuilder plugin to the latest available version (at least 3.0.9).

Plugin: Download IP2Location Country Blocker

Vulnerability: IP Bypass vulnerability
Patched Version: 2.29.2
Recommended Action: Update the WordPress Download IP2Location Country Blocker plugin to the latest available version (at least 2.29.2).

Plugin: Booking Package

Vulnerability: Unauthenticated Privilege Escalation vulnerability
Patched Version: 1.5.99
Recommended Action: Update the WordPress Booking Package plugin to the latest available version (at least 1.5.99).

Plugin: Buy Me a Coffee

Vulnerability: Cross-Site Request Forgery vulnerability
Vulnerability: Missing Authorization vulnerability
Patched Version: 3.8
Recommended Action: Update the WordPress Buy Me a Coffee plugin to the latest available version (at least 3.8).

Plugin: Social Media Icons Widget

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP Default Feature Image

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Getnet Argentina para Woocommerce

Vulnerability: Authorization Bypass via webhook vulnerability
Patched Version: 0.0.5
Recommended Action: Update the WordPress Getnet Argentina para Woocommerce plugin to the latest available version (at least 0.0.5).

Plugin: Social Share Boost

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: oAuth Twitter Feed for Developers

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Image Social Feed Plugin

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Video Gallery

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Ninja Forms

Vulnerability: Denial of Service Attack vulnerability
Patched Version: 3.6.26
Recommended Action: Update the WordPress Ninja Forms plugin to the latest available version (at least 3.6.26).

Plugin: Buy Me a Coffee

Vulnerability: Broken Access Control vulnerability
Patched Version: 3.8
Recommended Action: Update the WordPress Buy Me a Coffee plugin to the latest available version (at least 3.8).

Plugin: WP Dummy Content Generator

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.0.0
Recommended Action: Update the WordPress WP Dummy Content Generator plugin to the latest available version (at least 3.0.0).

Plugin: WordPress Mobile Pack

Vulnerability: Broken Access Control Vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 7, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Auto Location for WP Job Manager via Google

Vulnerability: Admin+ Cross Site Scripting vulnerability
Patched Version: 1.1
Recommended Action: Update the WordPress Auto Location for WP Job Manager via Google plugin to the latest available version (at least 1.1).

Plugin: WP Reroute Email

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject vulnerability
Patched Version: 1.5.0
Recommended Action: Update the WordPress WP Reroute Email plugin to the latest available version (at least 1.5.0).

Plugin: WP Mail Log

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email vulnerability
Patched Version: 1.1.2
Recommended Action: Update the WordPress WP Mail Log plugin to the latest available version (at least 1.1.2).

Plugin: wpForo Forum

Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 2.1.9
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.1.9).

Plugin: SMTP Mail

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: All-in-one Floating Contact Form – My Sticky Elements

Vulnerability: Admin+ Stored Cross-Site Scripting vulnerability
Patched Version: 2.1.2
Recommended Action: Update the WordPress All-in-one Floating Contact Form – My Sticky Elements plugin to the latest available version (at least 2.1.2).

Plugin: Masteriyo – LMS

Vulnerability: Sensitive Information Exposure vulnerability (affects versions <= 1.6.7)
Patched Version: 1.6.8
Recommended Action: Update the WordPress Masteriyo – LMS plugin to the latest available version (at least 1.6.8).

Plugin: BadgeOS

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Title Overwrite vulnerability
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion vulnerability
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Terms descriptions

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.4.5
Recommended Action: Update the WordPress Terms descriptions plugin to the latest available version (at least 3.4.5).

Plugin: Secondary Title

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP Full Stripe Free

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Simple Light Weight Social Share (Tweet, Like, Share and Linkedin)

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Product Category Tree

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: RSVPMarker

Vulnerability: SQL Injection vulnerability
Patched Version: 10.5.5
Recommended Action: Update the WordPress RSVPMarker plugin to the latest available version (at least 10.5.5).

Plugin: Livestream Notice

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Coming Soon

Vulnerability: SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Classified Listing

Vulnerability: Cross Site Request Forgery (CSRF) Leading To Thumbnail Removal Vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vendor was notified on January 13, 2023.

Plugin: WooLentor

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.6.3
Recommended Action: Update the WordPress WooLentor plugin to the latest available version (at least 2.6.3).

Plugin: Visibility Logic for Elementor

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.3.5
Recommended Action: Update the WordPress Visibility Logic for Elementor plugin to the latest available version (at least 2.3.5).

Plugin: Media Library Helper by Codexin

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Consulting

Vulnerability: Local File Inclusion
Patched Version: None
Recommended Action: No patched version was provided by the vendor.

Theme: WPLMS

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 4.900
Recommended Action: Update the WordPress WPLMS theme to the latest available version (at least 4.900).

Plugin: Forminator

Vulnerability: Unauthenticated Race Condition vulnerability
Patched Version: 1.24.1
Recommended Action: Update the WordPress Forminator plugin to the latest available version (at least 1.24.1).
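Working through a list like this by hand is error-prone on a site with dozens of plugins, and the "Patched Version: None" entries need a different decision (deactivate and remove until a fix ships) than the "update to at least X" ones. The script below is an added example, not part of the original post or of any plugin's code: it parses entries written in this post's own "Plugin: / Vulnerability: / Patched Version:" format, reads the JSON that `wp plugin list --fields=name,title,status,version --format=json` produces, and reports each matching plugin as vulnerable, patched, or no-fix. The advisory excerpt and the installed-plugin JSON embedded in it are constructed samples (the installed versions are made up for the demo), and matching is done on the plugin title because the post lists titles rather than slugs; matching on slugs would be more robust if you maintain your own list.

```python
"""Triage installed WordPress plugins against a Watch Out Wednesday style advisory list."""
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt in the post's own format (Buy Me a Coffee is listed twice on purpose,
# as it is in the post, to exercise the merge logic).
ADVISORY_TEXT = """\
Plugin: HTTP Headers

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.19.0

Plugin: Premium Addons PRO

Vulnerability: Broken Access Control vulnerability
Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: None

Plugin: Buy Me a Coffee

Vulnerability: Cross-Site Request Forgery vulnerability
Vulnerability: Missing Authorization vulnerability
Patched Version: 3.8

Plugin: Ninja Forms

Vulnerability: Denial of Service Attack vulnerability
Patched Version: 3.6.26

Plugin: Buy Me a Coffee

Vulnerability: Broken Access Control vulnerability
Patched Version: 3.8
"""

# Constructed sample of `wp plugin list --fields=name,title,status,version --format=json`
# output for a hypothetical site; the version numbers are invented for the demo.
INSTALLED_JSON = json.dumps([
    {"name": "http-headers", "title": "HTTP Headers", "status": "active", "version": "1.18.11"},
    {"name": "premium-addons-pro", "title": "Premium Addons PRO", "status": "inactive", "version": "2.9.0"},
    {"name": "buymeacoffee", "title": "Buy Me a Coffee", "status": "active", "version": "3.7"},
    {"name": "ninja-forms", "title": "Ninja Forms", "status": "active", "version": "3.6.26"},
    {"name": "akismet", "title": "Akismet Anti-spam", "status": "active", "version": "5.1"},
])


def normalise(name: str) -> str:
    """Lower-case and collapse punctuation so 'Masteriyo – LMS' and 'masteriyo lms' match."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def version_key(version: str) -> tuple:
    """Comparable tuple for dotted versions: '4.900' > '4.9', '3.8' == '3.8.0'."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass
class Advisory:
    plugin: str
    vulnerabilities: list = field(default_factory=list)
    patched_versions: list = field(default_factory=list)  # one per listed entry; None = no fix

    @property
    def patched_version(self) -> Optional[str]:
        """Conservative merge when a plugin is listed more than once: any entry without a fix
        means no installed version is safe; otherwise require the highest fixed version."""
        if not self.patched_versions or None in self.patched_versions:
            return None
        return max(self.patched_versions, key=version_key)


def parse_advisories(text: str) -> dict:
    """Parse 'Plugin:/Theme:', 'Vulnerability:' and 'Patched Version:' lines into Advisory objects."""
    advisories, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("Plugin:", "Theme:")):
            name = line.split(":", 1)[1].strip()
            current = advisories.setdefault(normalise(name), Advisory(plugin=name))
        elif current is not None and line.startswith("Vulnerability:"):
            current.vulnerabilities.append(line.split(":", 1)[1].strip())
        elif current is not None and line.startswith("Patched Version:"):
            value = line.split(":", 1)[1].strip()
            current.patched_versions.append(None if value.lower() == "none" else value)
    return advisories


def triage(advisories: dict, installed: list) -> list:
    """One finding per installed plugin that appears in the advisory list."""
    findings = []
    for plugin in installed:
        adv = advisories.get(normalise(plugin.get("title") or plugin["name"]))
        if adv is None:
            continue
        if adv.patched_version is None:
            status = "no-fix"  # no safe version exists: deactivate and remove until a fix ships
        elif version_key(plugin["version"]) < version_key(adv.patched_version):
            status = "vulnerable"  # update to at least the patched version
        else:
            status = "patched"
        findings.append({
            "plugin": adv.plugin, "installed": plugin["version"], "patched": adv.patched_version,
            "status": status, "active": plugin.get("status") == "active",
            "issues": list(adv.vulnerabilities),
        })
    return findings


def run_sample() -> list:
    """Triage the constructed site against the constructed advisory excerpt."""
    return triage(parse_advisories(ADVISORY_TEXT), json.loads(INSTALLED_JSON))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['status']:<10} {f['plugin']} {f['installed']} -> {f['patched']} "
              f"({'active' if f['active'] else 'inactive'}; {len(f['issues'])} issue(s))")
```

On a real site, replace `INSTALLED_JSON` with the output of the WP-CLI command named above and `ADVISORY_TEXT` with the entries from this post; a "no-fix" finding on an active plugin is the one to act on first, since updating cannot resolve it.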


About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
