This week’s Watch Out Wednesday covers the latest WordPress vulnerabilities, including Code Snippets, iQ Block Country, User Meta and more!
Plugin: E Unlocked – Student Result
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of July 11, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Easy Student Results
Vulnerability: Sensitive Data Exposure
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of July 11, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Easy Student Results
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of July 11, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Elementor Contact Form DB
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of July 18, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: User Online
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.88.0
Recommended Action: Update the WordPress User Online plugin to the latest available version (at least 2.88.0).
Plugin: Homepage Product Organizer for WooCommerce
Vulnerability: SQL Injection
Patched Version: N/A
Recommended Action: No patched version is available. We were unable to contact the vendor.
Plugin: Testimonials
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. There is no way to contact the vendor.
Plugin: Feed Them Social
Vulnerability: Other Vulnerability Type
Patched Version: 2.9.8.6
Recommended Action: Update the WordPress Feed Them Social plugin to the latest available version (at least 2.9.8.6).
Plugin: mTouch Quiz
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of July 14, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: YaySMTP
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.2.1
Recommended Action: Update the WordPress YaySMTP plugin to the latest available version (at least 2.2.1).
Plugin: Thinkific Uploader
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of July 15, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Website File Changes Monitor
Vulnerability: SQL Injection
Patched Version: 1.8.3
Recommended Action: Update the WordPress Website File Changes Monitor plugin to the latest available version (at least 1.8.3).
Plugin: WP OAuth2 Server
Vulnerability: Bypass Vulnerability
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of June 23, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Dating
Vulnerability: SQL Injection
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: Inspiro
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 7.2.3
Recommended Action: Update the WordPress Inspiro premium theme to the latest available version (at least 7.2.3).
Plugin: Easy Username Updater
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.0.5
Recommended Action: Update the WordPress Easy Username Updater plugin to the latest available version (at least 1.0.5).
Plugin: WP DS Blog Map
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of July 15, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Google Maps Anywhere
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of July 15, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: DW Promobar
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of July 15, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Better Tag Cloud
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of July 14, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Name Directory
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.25.5
Recommended Action: Update the WordPress Name Directory plugin to the latest available version (at least 1.25.5).
Plugin: Polldaddy Polls & Ratings
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.0.8
Recommended Action: Update the WordPress Polldaddy Polls & Ratings plugin to the latest available version (at least 3.0.8).
Plugin: Directorist
Vulnerability: Arbitrary File Upload
Patched Version: 7.2.3
Recommended Action: Update the WordPress Directorist plugin to the latest available version (at least 7.2.3).
Plugin: Rough Chart
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of July 14, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Auto More Tag
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of July 14, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: YaySMTP
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.2.2
Recommended Action: Update the WordPress YaySMTP plugin to the latest available version (at least 2.2.2).
Plugin: WordPress Comments Fields
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 4.1
Recommended Action: Update the WordPress Comments Fields plugin to the latest available version (at least 4.1).
***
Check out the WoW Archive for past Watch Out Wednesday posts.