This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Form Builder, WP Backup Manager, WP Affiliate Links and more!
Plugin: MStore API
Vulnerability: SQL Injection
Vulnerability: Cross-Site Request Forgery to Product Limit Update vulnerability
Vulnerability: Cross-Site Request Forgery to Order Message Update vulnerability
Vulnerability: Cross-Site Request Forgery to Order Title Update vulnerability
Vulnerability: Cross-Site Request Forgery to Order Status Update vulnerability
Vulnerability: Cross-Site Request Forgery to Firebase Server Key Update vulnerability
Patched Version: 3.9.8
Recommended Action: Update the WordPress MStore API plugin to the latest available version (at least 3.9.8).
Plugin: Gutenverse
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.8.6
Recommended Action: Update the WordPress Gutenverse plugin to the latest available version (at least 1.8.6).
Plugin: Form Builder
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Custom Cursors
Vulnerability: Admin+ SQLi vulnerability
Patched Version: 3.2
Recommended Action: Update the WordPress WP Custom Cursors plugin to the latest available version (at least 3.2).
Plugin: Integration for Contact Form 7 and Zoho CRM, Bigin
Vulnerability: Admin+ SQLi vulnerability
Patched Version: 1.2.4
Recommended Action: Update the WordPress Integration for Contact Form 7 and Zoho CRM, Bigin plugin to the latest available version (at least 1.2.4).
Plugin: MojoPlug Slide Panel
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Conditional Menus
Vulnerability: Reflected XSS vulnerability
Patched Version: 1.2.1
Recommended Action: Update the WordPress Conditional Menus plugin to the latest available version (at least 1.2.1).
Plugin: File Renaming on Upload
Vulnerability: Admin+ Stored Cross-Site Scripting vulnerability
Patched Version: 2.5.2
Recommended Action: Update the WordPress File Renaming on Upload plugin to the latest available version (at least 2.5.2).
Plugin: SupportCandy
Vulnerability: Subscriber+ SQLi vulnerability
Vulnerability: Admin+ SQLi vulnerability
Patched Version: 3.1.7
Recommended Action: Update the WordPress SupportCandy plugin to the latest available version (at least 3.1.7).
Plugin: ChatBot
Vulnerability: Admin+ Stored Cross-Site Scripting vulnerability
Patched Version: 4.5.5
Recommended Action: Update the WordPress AI Chatbot plugin to the latest available version (at least 4.5.5).
Plugin: Smoothscroller
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Upload Resume
Vulnerability: Captcha Bypass vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Super Socializer
Vulnerability: Reflected XSS vulnerability
Patched Version: 7.13.52
Recommended Action: Update the WordPress Super Socializer plugin to the latest available version (at least 7.13.52).
Plugin: wpView
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Galleria
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on 2023 April 27.
Plugin: WP Backup Manager
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on 2023 May 15.
Plugin: Sermon’e – Sermons Online
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on 2023 April 26.
Plugin: Recent Posts Slider
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on 2023 April 26.
Plugin: Template Debugger
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on 2023 April 26.
Plugin: Seed Fonts
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: LWS Tools
Vulnerability: Multiple Cross Site Request Forgery (CSRF) vulnerabilities
Patched Version: 2.4.2
Recommended Action: Update the WordPress LWS Tools plugin to the latest available version (at least 2.4.2).
Plugin: LWS Cleaner
Vulnerability: Multiple Cross Site Request Forgery (CSRF) vulnerabilities
Patched Version: 2.3.1
Recommended Action: Update the WordPress LWS Cleaner plugin to the latest available version (at least 2.3.1).
Plugin: Google Map Shortcode
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on 2023 April 25.
Plugin: Who Hit The Page – Hit Counter
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: CHP Ads Block Detector
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability
Patched Version: 3.9.8
Recommended Action: Update the WordPress CHP Ads Block Detector plugin to the latest available version (at least 3.9.8).
Plugin: MasterStudy LMS
Vulnerability: Cross Site Scripting (XSS) vulnerability
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. Refused by the vendor.
Plugin: breadcrumb simple
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Matterport Shortcode
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Flo Forms
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Affiliate Links
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Ignored by the vendor.
Plugin: NextGen GalleryView
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Recipe Maker For Your Food Blog from Zip Recipes
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 8.0.8
Recommended Action: Update the WordPress Recipe Maker For Your Food Blog from Zip Recipes plugin to the latest available version (at least 8.0.8).
Plugin: myCred
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.5.1
Recommended Action: Update the WordPress myCred plugin to the latest available version (at least 2.5.1).
Plugin: WooCommerce Stock Manager
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.11.0
Recommended Action: Update the WordPress WooCommerce Stock Manager plugin to the latest available version (at least 2.11.0).
Plugin: Contact Form by WD
Vulnerability: Missing Authorization in check_score vulnerability
Patched Version: 1.15.17
Recommended Action: Update the WordPress Contact Form by WD plugin to the latest available version (at least 1.15.17).