Watch Out Wednesday – June 7, 2023

This week’s Watch Out Wednesday shows the latest WordPress vulnerabilities, including Formidable Forms, WooCommerce, WP Hide Post and more!

Plugin: WP Hide Post

Vulnerability: Cross Site Request Forgery (CSRF) Leading To Post Status Change Vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Cart2Cart: Magento to WooCommerce Migration

Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 9, 2023 and is not available for download. Reason: Security Issue.

Plugin: Change WooCommerce Add To Cart Button Text

Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Kebo Twitter Feed

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed and is not available for download.

Plugin: WPC Smart Wishlist for WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Constant Contact Forms

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: B2BKing Premium

Vulnerability: Authenticated Product Price Change Vulnerability
Patched Version: 4.6.20
Recommended Action: Update the WordPress B2BKing Premium plugin to the latest available version (at least 4.6.20).

Plugin: Extended Post Status

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Download SpamReferrerBlock

Vulnerability: Cross Site Scripting (XSS) vulnerability
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Kanban Boards for WordPress

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.5.21
Recommended Action: Update the WordPress Kanban Boards for WordPress plugin to the latest available version (at least 2.5.21).

Plugin: GDPR Cookie Consent Notice Box

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.1.7
Recommended Action: Update the WordPress GDPR Cookie Consent Notice Box plugin to the latest available version (at least 1.1.7).

Plugin: Uncanny Toolkit for LearnDash

Vulnerability: Open Redirection vulnerability
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.6.4.4
Recommended Action: Update the WordPress Uncanny Toolkit for LearnDash plugin to the latest available version (at least 3.6.4.4).

Plugin: WP Inventory Manager

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.1.0.14
Recommended Action: Update the WordPress WP Inventory Manager plugin to the latest available version (at least 2.1.0.14).

Plugin: WooCommerce Box Office

Vulnerability: Unauthenticated Save Ticket Barcode vulnerability
Patched Version: 1.1.52
Recommended Action: Update the WordPress WooCommerce Box Office plugin to the latest available version (at least 1.1.52).

Plugin: JS Job Manager

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0.1
Recommended Action: Update the WordPress JS Job Manager plugin to the latest available version (at least 2.0.1).

Plugin: Social Media & Share Icons

Vulnerability: Broken Access Control + CSRF
Patched Version: 2.8.2
Recommended Action: Update the WordPress Social Media & Share Icons plugin to the latest available version (at least 2.8.2).

Plugin: WooCommerce Box Office

Vulnerability: Contributor+ Stored Cross Site Scripting (XSS) vulnerability
Patched Version: 1.1.51
Recommended Action: Update the WordPress WooCommerce Box Office plugin to the latest available version (at least 1.1.51).

Plugin: Call Now Accessibility Button

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.2
Recommended Action: Update the WordPress Call Now Accessibility Button plugin to the latest available version (at least 1.2).

Plugin: Front End Users

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.2.25
Recommended Action: Update the WordPress Front End Users plugin to the latest available version (at least 3.2.25).

Plugin: WP ERP

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 1.12.4
Recommended Action: Update the WordPress WP ERP plugin to the latest available version (at least 1.12.4).

Plugin: Premium Addons PRO

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.8.25
Recommended Action: Update the WordPress Premium Addons PRO plugin to the latest available version (at least 2.8.25).

Plugin: Advanced Flat rate shipping Woocommerce

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.4.6
Recommended Action: Update the WordPress Advanced Flat rate shipping Woocommerce plugin to the latest available version (at least 1.6.4.6).

Plugin: WP Directory Kit

Vulnerability: Reflected Cross-Site Scripting via ‘search’ vulnerability
Patched Version: 1.2.4
Recommended Action: Update the WordPress WP Directory Kit plugin to the latest available version (at least 1.2.4).

Plugin: Web Directory Free

Vulnerability: Authenticated (Contributor+) SQL Injection via post_id vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Formidable Forms

Vulnerability: Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation vulnerability
Patched Version: 6.3.1
Recommended Action: Update the WordPress Formidable Forms plugin to the latest available version (at least 6.3.1).

Plugin: ReviewX

Vulnerability: Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation vulnerability
Patched Version: 1.6.14
Recommended Action: Update the WordPress ReviewX plugin to the latest available version (at least 1.6.14).

Plugin: Brizy – Page Builder

Vulnerability: IP Address Spoofing to Protection Mechanism Bypass vulnerability
Patched Version: 2.4.19
Recommended Action: Update the WordPress Brizy – Page Builder plugin to the latest available version (at least 2.4.19).

Plugin: Donation Platform for WooCommerce: Fundraising & Donation Management

Vulnerability: Cross-Site Request Forgery to Survey Submission vulnerability
Patched Version: 1.2.10
Recommended Action: Update the WordPress Donation Platform for WooCommerce: Fundraising & Donation Management plugin to the latest available version (at least 1.2.10).

Plugin: Draw Attention

Vulnerability: Missing Authorization to Arbitrary Post Featured Image Modification vulnerability
Patched Version: 2.0.12
Recommended Action: Update the WordPress Draw Attention plugin to the latest available version (at least 2.0.12).

Plugin: Favorites

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 2.3.3
Recommended Action: Update the WordPress Favorites plugin to the latest available version (at least 2.3.3).

Plugin: CRM Perks Forms

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.1.2
Recommended Action: Update the WordPress CRM Perks Forms plugin to the latest available version (at least 1.1.2).

Plugin: Nested Pages

Vulnerability: Missing Authorization to Authenticated (Editor+) Plugin Settings Reset vulnerability
Patched Version: 3.2.4
Recommended Action: Update the WordPress Nested Pages plugin to the latest available version (at least 3.2.4).

Plugin: Display post meta, term meta, comment meta, and user meta

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Blog-in-Blog

Vulnerability: Authenticated (Editor+) Local File Inclusion via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Feather Login Page

Vulnerability: WordPress Feather Login Page 1.0.7 – 1.1.1 – Missing Authorization to Authentication Bypass and Privilege Escalation vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Feather Login Page

Vulnerability: WordPress Feather Login Page 1.0.7 – 1.1.1 – Missing Authorization to Non-Arbitrary User Deletion vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Wordapp

Vulnerability: Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature vulnerability
Patched Version: None
Recommended Action: No patched version available.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
