This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Premium Addons PRO, Forminator, BuddyPress and more!
Plugin: HTTP Headers
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.19.0
Recommended Action: Update the WordPress HTTP Headers plugin to the latest available version (at least 1.19.0).
Plugin: WooCommerce Ship to Multiple Addresses
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.8.6
Recommended Action: Update the WordPress WooCommerce Ship to Multiple Addresses plugin to the latest available version (at least 3.8.6).
Plugin: WooCommerce GoCardless Gateway
Vulnerability: Unauth. Insecure Direct Object References (IDOR) vulnerability
Patched Version: 2.5.7
Recommended Action: Update the WordPress WooCommerce GoCardless Gateway plugin to the latest available version (at least 2.5.7).
Plugin: WooCommerce Warranty Requests
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.2.0
Recommended Action: Update the WordPress WooCommerce Warranty Requests plugin to the latest available version (at least 2.2.0).
Plugin: Premium Addons PRO
Vulnerability: Broken Access Control vulnerability
Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: BuddyPress Builder for Elementor – BuddyBuilder
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 1.7.4
Recommended Action: Update the WordPress BuddyPress Builder for Elementor – BuddyBuilder plugin to the latest available version (at least 1.7.4).
Plugin: ARMember
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.0.6
Recommended Action: Update the WordPress ARMember plugin to the latest available version (at least 4.0.6).
Plugin: Yet Another Stars Rating
Vulnerability: Race Condition vulnerability
Patched Version: 3.3.9
Recommended Action: Update the WordPress Yet Another Stars Rating plugin to the latest available version (at least 3.3.9).
Plugin: JetFormBuilder
Vulnerability: Authenticated Privilege Escalation vulnerability
Patched Version: 3.0.9
Recommended Action: Update the WordPress JetFormBuilder plugin to the latest available version (at least 3.0.9).
Plugin: Download IP2Location Country Blocker
Vulnerability: IP Bypass vulnerability
Patched Version: 2.29.2
Recommended Action: Update the WordPress Download IP2Location Country Blocker plugin to the latest available version (at least 2.29.2).
Plugin: Booking Package
Vulnerability: Unauthenticated Privilege Escalation vulnerability
Patched Version: 1.5.99
Recommended Action: Update the WordPress Booking Package plugin to the latest available version (at least 1.5.99).
Plugin: Buy Me a Coffee
Vulnerability: Cross-Site Request Forgery vulnerability
Vulnerability: Missing Authorization vulnerability
Patched Version: 3.8
Recommended Action: Update the WordPress Buy Me a Coffee plugin to the latest available version (at least 3.8).
Plugin: Social Media Icons Widget
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Default Feature Image
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Getnet Argentina para Woocommerce
Vulnerability: Authorization Bypass via webhook vulnerability
Patched Version: 0.0.5
Recommended Action: Update the WordPress Getnet Argentina para Woocommerce plugin to the latest available version (at least 0.0.5).
Plugin: Social Share Boost
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: oAuth Twitter Feed for Developers
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Image Social Feed Plugin
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Video Gallery
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Ninja Forms
Vulnerability: Denial of Service Attack vulnerability
Patched Version: 3.6.26
Recommended Action: Update the WordPress Ninja Forms plugin to the latest available version (at least 3.6.26).
Plugin: Buy Me a Coffee
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.8
Recommended Action: Update the WordPress Buy Me a Coffee plugin to the latest available version (at least 3.8).
Plugin: WP Dummy Content Generator
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.0.0
Recommended Action: Update the WordPress WP Dummy Content Generator plugin to the latest available version (at least 3.0.0).
Plugin: WordPress Mobile Pack
Vulnerability: Broken Access Control Vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 7, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Auto Location for WP Job Manager via Google
Vulnerability: Admin+ Cross Site Scripting vulnerability
Patched Version: 1.1
Recommended Action: Update the WordPress Auto Location for WP Job Manager via Google plugin to the latest available version (at least 1.1).
Plugin: WP Reroute Email
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject vulnerability
Patched Version: 1.5.0
Recommended Action: Update the WordPress WP Reroute Email plugin to the latest available version (at least 1.5.0).
Plugin: WP Mail Log
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email vulnerability
Patched Version: 1.1.2
Recommended Action: Update the WordPress WP Mail Log plugin to the latest available version (at least 1.1.2).
Plugin: wpForo Forum
Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 2.1.9
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.1.9).
Plugin: SMTP Mail
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: All-in-one Floating Contact Form – My Sticky Elements
Vulnerability: Admin+ Stored Cross-Site Scripting vulnerability
Patched Version: 2.1.2
Recommended Action: Update the WordPress All-in-one Floating Contact Form – My Sticky Elements plugin to the latest available version (at least 2.1.2).
Plugin: Masteriyo – LMS
Vulnerability: Sensitive Information Exposure vulnerability (affects versions <= 1.6.7)
Patched Version: 1.6.8
Recommended Action: Update the WordPress Masteriyo – LMS plugin to the latest available version (at least 1.6.8).
Plugin: BadgeOS
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Title Overwrite vulnerability
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion vulnerability
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Terms descriptions
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.4.5
Recommended Action: Update the WordPress Terms descriptions plugin to the latest available version (at least 3.4.5).
Plugin: Secondary Title
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Full Stripe Free
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Simple Light Weight Social Share (Tweet, Like, Share and Linkedin)
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Product Category Tree
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: RSVPMarker
Vulnerability: SQL Injection vulnerability
Patched Version: 10.5.5
Recommended Action: Update the WordPress RSVPMarker plugin to the latest available version (at least 10.5.5).
Plugin: Livestream Notice
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Coming Soon
Vulnerability: SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Classified Listing
Vulnerability: Cross Site Request Forgery (CSRF) Leading To Thumbnail Removal Vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vendor was notified on 2023 Jan 13.
Plugin: WooLentor
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.6.3
Recommended Action: Update the WordPress WooLentor plugin to the latest available version (at least 2.6.3).
Plugin: Visibility Logic for Elementor
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.3.5
Recommended Action: Update the WordPress Visibility Logic for Elementor plugin to the latest available version (at least 2.3.5).
Plugin: Media Library Helper by Codexin
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Consulting
Vulnerability: Local File Inclusion
Patched Version: None
Recommended Action: No patched version was provided by the vendor.
Plugin: WPLMS
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 4.900
Recommended Action: Update the WordPress WPLMS theme to the latest available version (at least 4.900).
Plugin: Forminator
Vulnerability: Unauth. Race Condition vulnerability
Patched Version: 1.24.1
Recommended Action: Update the WordPress Forminator plugin to the latest available version (at least 1.24.1).