Watch Out Wednesday – June 15, 2023

by | Jun 15, 2023 | WoW Archive


This week’s Watch Out Wednesday covers the latest patched WordPress plugin vulnerabilities, including stored XSS in several email-logging plugins (WP Mail Catcher, GD Mail Queue, WP Mail Logging, Lana Email Logger), SQL injection in WP EasyCart and Ultimate Product Catalogue, a CSRF in Easy Digital Downloads, a batch of Metform issues and more. For every entry, the action is the same: confirm the installed version and update to at least the patched version listed.

Plugin: WP Mail Catcher

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 2.1.3
Recommended Action: Update the WordPress WP Mail Catcher plugin to the latest available version (at least 2.1.3).

Plugin: GD Mail Queue

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched Version: 4.0
Recommended Action: Update the WordPress GD Mail Queue plugin to the latest available version (at least 4.0).

Plugin: WP EasyCart

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘orderby’ parameter
Patched Version: 5.4.11
Recommended Action: Update the WordPress WP EasyCart plugin to the latest available version (at least 5.4.11).

Plugin: WP Mail Logging

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched Version: 1.11.1
Recommended Action: Update the WordPress WP Mail Logging plugin to the latest available version (at least 1.11.1).

Plugin: Lana Email Logger

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 1.1.0
Recommended Action: Update the WordPress Lana Email Logger plugin to the latest available version (at least 1.1.0).

Plugin: Members

Vulnerability: Missing Authorization on Settings Update
Patched Version: 3.4.8
Recommended Action: Update the WordPress Members plugin to the latest available version (at least 3.4.8).

Plugin: FiboSearch – Ajax Search for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting (affects versions <= 1.23.0)
Patched Version: 1.24.0
Recommended Action: Update the WordPress FiboSearch – Ajax Search for WooCommerce plugin to the latest available version (at least 1.24.0).

Plugin: Metform Elementor Contact Form Builder

Vulnerability: Unauthenticated CSV Injection
Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf_payment_status’ shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘mf_last_name’ shortcode
Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf_transaction_id’ shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘mf’ shortcode
Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf’ shortcode
Patched Version: 3.3.2
Recommended Action: Update the WordPress Metform Elementor Contact Form Builder plugin to the latest available version (at least 3.3.2).

Plugin: Social Media & Share Icons

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.8.2
Recommended Action: Update the WordPress Social Media & Share Icons plugin to the latest available version (at least 2.8.2).

Plugin: Ultimate Product Catalogue

Vulnerability: Authenticated SQL Injection
Patched Version: 5.2.6
Recommended Action: Update the WordPress Ultimate Product Catalogue plugin to the latest available version (at least 5.2.6).

Plugin: Easy Digital Downloads

Vulnerability: Cross-Site Request Forgery Leading to Plugin Upgrade
Patched Version: 3.1.2
Recommended Action: Update the WordPress Easy Digital Downloads plugin to the latest available version (at least 3.1.2).

Plugin: Aajoda Testimonials

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update the WordPress Aajoda Testimonials plugin to the latest available version (at least 2.2.2).
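Reading "at least version X" off a list is error-prone once you manage more than a handful of sites, and a plain string comparison gets it wrong (2.1.10 is newer than 2.1.3, not older). The script below is an added example, not part of the original post or of any of the plugins mentioned: it takes the JSON that `wp plugin list --format=json` prints on a site, compares each installed version against the patched versions in this week's list, and reports what still needs updating, unauthenticated issues first. The plugin slugs in the `ADVISORY` table are assumptions (the directory names WP-CLI reports) and should be confirmed against the plugin directory before you rely on them; the sample WP-CLI output is constructed for the demonstration.

```python
"""Audit installed WordPress plugins against this week's patched versions.

Usage on a site:  wp plugin list --format=json > plugins.json
                  python3 wow_audit.py plugins.json
"""
import json
import re
import sys

# Patched versions from the roundup above, keyed by plugin slug.
# ASSUMPTION: the slugs below are the directory names WP-CLI reports for these
# plugins; verify each one against wordpress.org before trusting a "clean" result.
# The third field is the lowest privilege the roundup names for the issue.
ADVISORY = {
    "wp-mail-catcher":             ("2.1.3",  "unauthenticated", "Stored XSS via email subject"),
    "gd-mail-queue":               ("4.0",    "unauthenticated", "Stored XSS via email"),
    "wp-easycart":                 ("5.4.11", "administrator",   "SQL injection via orderby"),
    "wp-mail-logging":             ("1.11.1", "unauthenticated", "Stored XSS via email"),
    "lana-email-logger":           ("1.1.0",  "unauthenticated", "Stored XSS via email subject"),
    "members":                     ("3.4.8",  "unspecified",     "Missing authorization on settings update"),
    "ajax-search-for-woocommerce": ("1.24.0", "administrator",   "Stored XSS"),
    "metform":                     ("3.3.2",  "unauthenticated", "CSV injection; shortcode info disclosure / stored XSS"),
    "ultimate-social-media-icons": ("2.8.2",  "authenticated",   "Stored XSS"),
    "ultimate-product-catalogue":  ("5.2.6",  "authenticated",   "SQL injection"),
    "easy-digital-downloads":      ("3.1.2",  "CSRF",            "CSRF leading to plugin upgrade"),
    "aajoda-testimonials":         ("2.2.2",  "administrator",   "Stored XSS"),
}

# Triage order: what an anonymous attacker can reach comes first.
PRIORITY = {"unauthenticated": 0, "CSRF": 1, "unspecified": 2, "authenticated": 2, "administrator": 3}


def parse_version(v):
    """Split '3.4.8-beta1' into ([3, 4, 8], 'beta1'); 'v1.2' is accepted too."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return [int(x) for x in m.group(1).split(".")], m.group(2).strip("-. ").lower()


def is_below(installed, patched):
    """True if `installed` is older than `patched`.

    Components compare numerically (2.1.10 > 2.1.3), missing components count
    as zero (4 == 4.0), and a pre-release tag sorts below the bare release.
    """
    inums, isuf = parse_version(installed)
    pnums, psuf = parse_version(patched)
    width = max(len(inums), len(pnums))
    inums += [0] * (width - len(inums))
    pnums += [0] * (width - len(pnums))
    if inums != pnums:
        return inums < pnums
    return bool(isuf) and not psuf


def audit(wp_cli_json):
    """Return the plugins from `wp plugin list --format=json` that are still vulnerable."""
    findings = []
    for plugin in json.loads(wp_cli_json):
        slug = plugin["name"]
        if slug not in ADVISORY:
            continue
        patched, auth, issue = ADVISORY[slug]
        if is_below(plugin["version"], patched):
            # Inactive plugins are reported too: the vulnerable files stay on disk
            # until the update is applied, so they are not a reason to skip.
            findings.append({
                "slug": slug, "installed": plugin["version"], "patched": patched,
                "auth": auth, "issue": issue, "status": plugin.get("status", "?"),
            })
    findings.sort(key=lambda f: (PRIORITY[f["auth"]], f["slug"]))
    return findings


# Constructed sample of WP-CLI output (not taken from a real site).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "wp-mail-logging",        "status": "active",   "update": "available", "version": "1.10.2"},
    {"name": "easy-digital-downloads", "status": "active",   "update": "available", "version": "3.1.1.1"},
    {"name": "metform",                "status": "inactive", "update": "none",      "version": "3.3.2"},
    {"name": "wp-mail-catcher",        "status": "active",   "update": "none",      "version": "2.1.10"},
    {"name": "members",                "status": "active",   "update": "available", "version": "3.4.8-beta1"},
    {"name": "woocommerce",            "status": "active",   "update": "none",      "version": "7.8.0"},
])


def report(findings):
    if not findings:
        return "No plugins from this roundup are below their patched version."
    lines = []
    for f in findings:
        lines.append(f"[{f['auth']}] {f['slug']} {f['installed']} -> update to >= {f['patched']} "
                     f"({f['issue']}; plugin {f['status']})")
    return "\n".join(lines)


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WP_PLUGIN_LIST
    print(report(audit(data)))
```

On the constructed sample the script flags WP Mail Logging 1.10.2 and Easy Digital Downloads 3.1.1.1, and also Members 3.4.8-beta1 because a pre-release build does not count as the 3.4.8 fix, while WP Mail Catcher 2.1.10 is correctly left alone even though "2.1.10" sorts before "2.1.3" as a string. Run it against real `wp plugin list` output per site, and keep the `ADVISORY` table as the thing you update each week.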

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
