This Week’s Watch Out Wednesday covers the latest WordPress plugin vulnerabilities, including Formidable Forms, WooCommerce, WP Hide Post and more!
Plugin: WP Mail Catcher
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject vulnerability
Patched Version: 2.1.3
Recommended Action: Update the WordPress WP Mail Catcher plugin to the latest available version (at least 2.1.3).
Plugin: GD Mail Queue
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email vulnerability
Patched Version: 4.0
Recommended Action: Update the WordPress GD Mail Queue plugin to the latest available version (at least 4.0).
Plugin: WP EasyCart
Vulnerability: Authenticated (Administrator+) SQL Injection via ‘orderby’ vulnerability
Patched Version: 5.4.11
Recommended Action: Update the WordPress WP EasyCart plugin to the latest available version (at least 5.4.11).
Plugin: WP Mail Logging
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email vulnerability
Patched Version: 1.11.1
Recommended Action: Update the WordPress WP Mail Logging plugin to the latest available version (at least 1.11.1).
Plugin: Lana Email Logger
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject vulnerability
Patched Version: 1.1.0
Recommended Action: Update the WordPress Lana Email Logger plugin to the latest available version (at least 1.1.0).
Plugin: Members
Vulnerability: Missing Authorization to Settings Update vulnerability
Patched Version: 3.4.8
Recommended Action: Update the WordPress Members plugin to the latest available version (at least 3.4.8).
Plugin: FiboSearch – Ajax Search for WooCommerce
Vulnerability: WordPress FiboSearch – AJAX Search for WooCommerce plugin <= 1.23.0 – Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.24.0
Recommended Action: Update the WordPress FiboSearch – Ajax Search for WooCommerce plugin to the latest available version (at least 1.24.0).
Plugin: Metform Elementor Contact Form Builder
Vulnerability: Unauthenticated CSV Injection vulnerability
Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf_payment_status’ shortcode vulnerability
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf_last_name shortcode vulnerability
Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf_transaction_id’ shortcode vulnerability
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf shortcode vulnerability
Vulnerability: Authenticated (Subscriber+) Information Disclosure via mf shortcode vulnerability
Patched Version: 3.3.2
Recommended Action: Update the WordPress Metform Elementor Contact Form Builder plugin to the latest available version (at least 3.3.2).
Plugin: Social Media & Share Icons
Vulnerability: Authenticated Stored Cross-Site Scripting vulnerability
Patched Version: 2.8.2
Recommended Action: Update the WordPress Social Media & Share Icons plugin to the latest available version (at least 2.8.2).
Plugin: Ultimate Product Catalogue
Vulnerability: Authenticated SQL Injection vulnerability
Patched Version: 5.2.6
Recommended Action: Update the WordPress Ultimate Product Catalogue plugin to the latest available version (at least 5.2.6).
Plugin: Easy Digital Downloads
Vulnerability: Cross-Site Request Forgery Leading To Plugin Upgrade Vulnerability
Patched Version: 3.1.2
Recommended Action: Update the WordPress Easy Digital Downloads plugin to the latest available version (at least 3.1.2).
Plugin: Aajoda Testimonials
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 2.2.2
Recommended Action: Update the WordPress Aajoda Testimonials plugin to the latest available version (at least 2.2.2).