This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Ultimate Member, TrustProfile, Post Hit Counter and more!
Plugin: TrustProfile
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 3.25
Recommended Action: Update the WordPress TrustProfile plugin to the latest available version (at least 3.25).
Plugin: Easy Accordion FAQ and Knowledge Base Software for WordPress
Vulnerability: Authenticated Cross-Site Scripting vulnerability
Patched Version: 2.8
Recommended Action: Update the WordPress Easy Accordion FAQ and Knowledge Base Software for WordPress plugin to the latest available version (at least 2.8).
Plugin: Request a Quote
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 2.3.11
Recommended Action: Update the WordPress Request a Quote plugin to the latest available version (at least 2.3.11).
Plugin: Web3 – Crypto wallet Login & NFT token gating
Vulnerability: Authentication Bypass vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of June 29, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: SP Project & Document Manager
Vulnerability: Auth. Insecure Direct Object Reference vulnerability
Vulnerability: SQL Injection
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of June 29, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Ultimate Member
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 2.6.7
Recommended Action: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.6.7).
Plugin: LiquidPoll – Advanced Polls for Creators and Brands
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.3.69
Recommended Action: Update the WordPress LiquidPoll – Advanced Polls for Creators and Brands plugin to the latest available version (at least 3.3.69).
Plugin: Short URL
Vulnerability: Authenticated Stored Cross-Site Scripting Vulnerability
Patched Version: 1.6.5
Recommended Action: Update the WordPress Short URL plugin to the latest available version (at least 1.6.5).
Plugin: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
Vulnerability: Authentication Bypass Vulnerability
Patched Version: 7.6.5
Recommended Action: Update the WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin to the latest available version (at least 7.6.5).
Plugin: Zippy
Vulnerability: PHP Object Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WCP OpenWeather
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Side Cart Woocommerce (Ajax)
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Layer Slider
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Form Builder
Vulnerability: CSV Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Enhanced Text Widget
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Houzez CRM
Vulnerability: SQL Injection
Patched Version: 1.3.5
Recommended Action: Update the WordPress Houzez CRM plugin to the latest available version (at least 1.3.5).
Plugin: WPGraphQL
Vulnerability: Server Side Request Forgery (SSRF) vulnerability
Patched Version: 1.14.6
Recommended Action: Update the WordPress WPGraphQL plugin to the latest available version (at least 1.14.6).
Plugin: WP Post Author
Vulnerability: Privilege Escalation
Patched Version: 3.3.0
Recommended Action: Update the WordPress WP Post Author plugin to the latest available version (at least 3.3.0).
Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Unauthenticated LDAP Injection vulnerability
Patched Version: 4.1.6
Recommended Action: Update the WordPress Active Directory Integration / LDAP Integration plugin to the latest available version (at least 4.1.6).
Plugin: Short URL
Vulnerability: SQL Injection
Patched Version: 1.6.5
Recommended Action: Update the WordPress Short URL plugin to the latest available version (at least 1.6.5).
Plugin: NOO Timetable
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: NOO Timetable
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Post to CSV by BestWebSoft
Vulnerability: CSV Injection
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Catalyst Connect Zoho CRM Client Portal
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.1.0
Recommended Action: Update the WordPress Catalyst Connect Zoho CRM Client Portal plugin to the latest available version (at least 2.1.0).
Plugin: Booked
Vulnerability: Unauth. Appointment Data Exposure vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: The7
Vulnerability: Cross-Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is provided by the vendor.
Plugin: Image Map Pro
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Salon booking system
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 8.4.8
Recommended Action: Update the WordPress Salon booking system plugin to the latest available version (at least 8.4.8).
Plugin: Waitlist Woocommerce ( Back in stock notifier )
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.5.3
Recommended Action: Update the WordPress Waitlist WooCommerce ( Back in stock notifier ) plugin to the latest available version (at least 2.5.3).
Plugin: Enable SVG, WebP & ICO Upload
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP Front User Submit / Front Editor
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.8.5
Recommended Action: Update the WordPress WP Front User Submit / Front Editor plugin to the latest available version (at least 3.8.5).
Plugin: Autochat Automatic Conversation
Vulnerability: Unauth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Formidable Forms
Vulnerability: Auth. Remote Code Execution (RCE) vulnerability
Patched Version: 6.3.1
Recommended Action: Update the WordPress Formidable Forms plugin to the latest available version (at least 6.3.1).
Plugin: WP Inventory Manager
Vulnerability: Inventory Items Deletion via CSRF vulnerability
Patched Version: 2.1.0.14
Recommended Action: Update the WordPress WP Inventory Manager plugin to the latest available version (at least 2.1.0.14).
Plugin: WP ERP
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.12.4
Recommended Action: Update the WordPress WP ERP plugin to the latest available version (at least 1.12.4).
Plugin: File Manager Advanced Shortcode
Vulnerability: Unauth. Remote Code Execution vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Kanban Boards for WordPress
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.5.21
Recommended Action: Update the WordPress Kanban Boards for WordPress plugin to the latest available version (at least 2.5.21).
Plugin: Editorial Calendar
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Editorial Calendar
Vulnerability: Insecure Direct Object References (IDOR) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: LearnDash LMS
Vulnerability: Authenticated IDOR to Account Takeover Vulnerability
Patched Version: 4.6.0.1
Recommended Action: Update the WordPress LearnDash LMS plugin to the latest available version (at least 4.6.0.1).
Plugin: ARMember
Vulnerability: Stored Cross Site Scripting (XSS) on Common Messages Settings
Patched Version: 4.0.5
Recommended Action: Update the WordPress ARMember plugin to the latest available version (at least 4.0.5).
Plugin: Duplicate Post Page Menu & Custom Post Type
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WPJobBoard
Vulnerability: Unauth. Blind SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: No patched version has been provided by the vendor for validation.
Plugin: Email download link
Vulnerability: Sensitive Data Exposure
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Quiz Expert – Easy Quiz Maker, Exam and Test Manager
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: SW Product Bundles
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Post Hit Counter
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Contact Form & Lead Form Elementor Builder
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.8.5
Recommended Action: Update the WordPress Contact Form & Lead Form Elementor Builder plugin to the latest available version (at least 1.8.5).
Plugin: Th Product Compare
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.2.6
Recommended Action: Update the WordPress Th Product Compare plugin to the latest available version (at least 1.2.6).
Plugin: WP Abstracts
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Caldera Forms Google Sheets Connector
Vulnerability: Access Code Update via CSRF vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Popup by Supsystic
Vulnerability: Prototype Pollution vulnerability
Patched Version: 1.10.19
Recommended Action: Update the WordPress Popup by Supsystic plugin to the latest available version (at least 1.10.19).