This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WPFunnels, BookingPress, FluentForm and more!
Plugin: CartFlows Pro
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 1.11.12
Recommended Action: Update the WordPress CartFlows Pro plugin to the latest available version (at least 1.11.12).
Plugin: HT Mega
Vulnerability: Unauthenticated Privilege Escalation vulnerability
Patched Version: 2.2.1
Recommended Action: Update the WordPress HT Mega plugin to the latest available version (at least 2.2.1).
Plugin: Spectra
Vulnerability: Server Side Request Forgery (SSRF) vulnerability
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.6.7
Recommended Action: Update the WordPress Spectra plugin to the latest available version (at least 2.6.7).
Plugin: BookingPress
Vulnerability: Unauth. Server Information Disclosure vulnerability
Patched Version: 1.0.65
Recommended Action: Update the WordPress BookingPress plugin to the latest available version (at least 1.0.65).
Plugin: Integration for Contact Form 7 and Salesforce
Vulnerability: Open Redirection vulnerability
Patched Version: 1.3.4
Recommended Action: Update the WordPress Integration for Contact Form 7 and Salesforce plugin to the latest available version (at least 1.3.4).
Plugin: Authors List
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.0.3
Recommended Action: Update the WordPress Authors List plugin to the latest available version (at least 2.0.3).
Plugin: Custom Field For WP Job Manager
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2
Recommended Action: Update the WordPress Custom Field For WP Job Manager plugin to the latest available version (at least 1.2).
Plugin: HTTP Headers
Vulnerability: Server Side Request Forgery (SSRF) vulnerability
Patched Version: 1.19.0
Recommended Action: Update the WordPress HTTP Headers plugin to the latest available version (at least 1.19.0).
Plugin: WPFunnels
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.7.17
Recommended Action: Update the WordPress Drag & Drop Sales Funnel Builder for WordPress – WPFunnels plugin to the latest available version (at least 2.7.17).
Plugin: Dovetail
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: MailArchiver
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject vulnerability
Patched Version: 2.11.0
Recommended Action: Update the WordPress MailArchiver plugin to the latest available version (at least 2.11.0).
Plugin: Grid Kit Premium
Vulnerability: Multiple Reflected Cross-Site Scripting vulnerabilities
Patched Version: 2.2.0
Recommended Action: Update the WordPress Grid Kit Premium plugin to the latest available version (at least 2.2.0).
Plugin: Art Direction
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Replace Word
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Short URL
Vulnerability: Admin+ Cross Site Scripting vulnerability
Patched Version: 1.6.5
Recommended Action: Update the WordPress Short URL plugin to the latest available version (at least 1.6.5).
Plugin: Radio Forge Muses Player with Skins
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Variation Swatches for WooCommerce
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.3.8
Recommended Action: Update the WordPress Variation Swatches for WooCommerce plugin to the latest available version (at least 2.3.8).
Plugin: WP-FB-AutoConnect
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 4.6.2
Recommended Action: Update the WordPress WP-FB-AutoConnect plugin to the latest available version (at least 4.6.2).
Plugin: WooCommerce Product Stock Alert
Vulnerability: Sensitive Data Exposure vulnerability
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.0.2
Recommended Action: Update the WordPress WooCommerce Product Stock Alert plugin to the latest available version (at least 2.0.2).
Plugin: MF Gig Calendar
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.2.1
Recommended Action: Update the WordPress MF Gig Calendar plugin to the latest available version (at least 1.2.1).
Plugin: Checkout with Zelle on Woocommerce
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.1.1
Recommended Action: Update the WordPress Checkout with Zelle on Woocommerce plugin to the latest available version (at least 3.1.1).
Plugin: Falang multilanguage
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.3.40
Recommended Action: Update the WordPress Falang multilanguage plugin to the latest available version (at least 1.3.40).
Plugin: DirectoryPress
Vulnerability: Unauthenticated Broken Access Control vulnerability
Patched Version: 3.6.3
Recommended Action: Update the WordPress DirectoryPress plugin to the latest available version (at least 3.6.3).
Plugin: Zippy
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.6.3
Recommended Action: Update the WordPress Zippy plugin to the latest available version (at least 1.6.3).
Plugin: Media Library Assistant
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.0.8
Recommended Action: Update the WordPress Media Library Assistant plugin to the latest available version (at least 3.0.8).
Plugin: User Activity Log
Vulnerability: SQL Injection vulnerability
Patched Version: 1.6.3
Recommended Action: Update the WordPress User Activity Log plugin to the latest available version (at least 1.6.3).
Plugin: Integrate Google Drive
Vulnerability: Unauthenticated Broken Access Control vulnerability
Patched Version: 1.2.0
Recommended Action: Update the WordPress Integrate Google Drive plugin to the latest available version (at least 1.2.0).
Plugin: Variation Images Gallery for WooCommerce
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.3.4
Recommended Action: Update the WordPress Variation Images Gallery for WooCommerce plugin to the latest available version (at least 2.3.4).
Plugin: Advanced AJAX Product Filters
Vulnerability: Broken Access Control + CSRF
Patched Version: 1.6.3.4
Recommended Action: Update the WordPress Advanced AJAX Product Filters plugin to the latest available version (at least 1.6.3.4).
Plugin: FluentForm
Vulnerability: SQL Injection vulnerability
Patched Version: 5.0.0
Recommended Action: Update the WordPress FluentForm plugin to the latest available version (at least 5.0.0).
Plugin: AnsPress – Question and answer
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 4.3.2
Recommended Action: Update the WordPress AnsPress – Question and answer plugin to the latest available version (at least 4.3.2).
Plugin: Coming Soon Chop Chop
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.