Watch Out Wednesday – June 7, 2023

by | Jun 7, 2023 | WoW Archive

woman with surprised expression looking through binoculars, captioned watch out wednesday
woman with surprised expression looking through binoculars, captioned watch out wednesday
Watch Out Wednesday – June 7, 2023

by | Jun 7, 2023 | WoW Archive

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Formidable Forms, Woocommerce, WP Hide Post and more!

Plugin: WP Hide Post

Vulnerability: Cross Site Request Forgery (CSRF) Leading To Post Status Change Vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Cart2Cart: Magento to WooCommerce Migration

Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 9, 2023 and is not available for download. Reason: Security Issue.

Plugin: Change WooCommerce Add To Cart Button Text

Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Kebo Twitter Feed

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed and is not available for download.

Plugin: WPC Smart Wishlist for WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Constant Contact Forms

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: B2BKing Premium

Vulnerability: Authenticated Product Price Change Vulnerability
Patched Version: 4.6.20
Recommended Action: Update the WordPress B2BKing Premium plugin to the latest available version (at least 4.6.20).

Plugin: Extended Post Status

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Download SpamReferrerBlock

Vulnerability: Cross Site Scripting (XSS) vulnerability
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Kanban Boards for WordPress

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.5.21
Recommended Action: Update the WordPress Kanban Boards for WordPress plugin to the latest available version (at least 2.5.21).

Plugin: GDPR Cookie Consent Notice Box

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.1.7
Recommended Action: Update the WordPress GDPR Cookie Consent Notice Box plugin to the latest available version (at least 1.1.7).

Plugin: Uncanny Toolkit for LearnDash

Vulnerability: Open Redirection vulnerability
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.6.4.4
Recommended Action: Update the WordPress Uncanny Toolkit for LearnDash plugin to the latest available version (at least 3.6.4.4).

Plugin: WP Inventory Manager

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.1.0.14
Recommended Action: Update the WordPress WP Inventory Manager plugin to the latest available version (at least 2.1.0.14).

Plugin: WooCommerce Box Office

Vulnerability: Unauthenticated Save Ticket Barcode vulnerability
Patched Version: 1.1.52
Recommended Action: Update the WordPress WooCommerce Box Office plugin to the latest available version (at least 1.1.52).

Plugin: JS Job Manager

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0.1
Recommended Action: Update the WordPress JS Job Manager plugin to the latest available version (at least 2.0.1).

Plugin: Social Media & Share Icons

Vulnerability: Broken Access Control + CSRF
Patched Version: 2.8.2
Recommended Action: Update the WordPress Social Media & Share Icons plugin to the latest available version (at least 2.8.2).

Plugin: WooCommerce Box Office

Vulnerability: Contributor+ Stored Cross Site Scripting (XSS) vulnerability
Patched Version: 1.1.51
Recommended Action: Update the WordPress WooCommerce Box Office plugin to the latest available version (at least 1.1.51).

Plugin: Call Now Accessibility Button

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.2
Recommended Action: Update the WordPress Call Now Accessibility Button plugin to the latest available version (at least 1.2).

Plugin: Front End Users

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.2.25
Recommended Action: Update the WordPress Front End Users plugin to the latest available version (at least 3.2.25).

Plugin: WP ERP

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 1.12.4
Recommended Action: Update the WordPress WP ERP plugin to the latest available version (at least 1.12.4).

Plugin: Premium Addons PRO

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.8.25
Recommended Action: Update the WordPress Premium Addons PRO plugin to the latest available version (at least 2.8.25).

Plugin: Advanced Flat rate shipping Woocommerce

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.4.6
Recommended Action: Update the WordPress Advanced Flat rate shipping Woocommerce plugin to the latest available version (at least 1.6.4.6).

Plugin: WP Directory Kit

Vulnerability: Reflected Cross-Site Scripting via ‘search’ vulnerability
Patched Version: 1.2.4
Recommended Action: Update the WordPress WP Directory Kit plugin to the latest available version (at least 1.2.4).

Plugin: Web Directory Free

Vulnerability: Authenticated (Contributor+) SQL Injection via post_id vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Formidable Forms

Vulnerability: Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation vulnerability
Patched Version: 6.3.1
Recommended Action: Update the WordPress Formidable Forms plugin to the latest available version (at least 6.3.1).

Plugin: ReviewX

Vulnerability: Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation vulnerability
Patched Version: 1.6.14
Recommended Action: Update the WordPress ReviewX plugin to the latest available version (at least 1.6.14).

Plugin: Brizy – Page Builder

Vulnerability: IP Address Spoofing to Protection Mechanism Bypass vulnerability
Patched Version: 2.4.19
Recommended Action: Update the WordPress Brizy – Page Builder plugin to the latest available version (at least 2.4.19).

Plugin: Donation Platform for WooCommerce: Fundraising & Donation Management

Vulnerability: Cross-Site Request Forgery to Survey Submission vulnerability
Patched Version: 1.2.10
Recommended Action: Update the WordPress Donation Platform for WooCommerce: Fundraising & Donation Management plugin to the latest available version (at least 1.2.10).

Plugin: Draw Attention

Vulnerability: Missing Authorization to Arbitrary Post Featured Image Modification vulnerability
Patched Version: 2.0.12
Recommended Action: Update the WordPress Draw Attention plugin to the latest available version (at least 2.0.12).

Plugin: Favorites

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 2.3.3
Recommended Action: Update the WordPress Favorites plugin to the latest available version (at least 2.3.3).

Plugin: CRM Perks Forms

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.1.2
Recommended Action: Update the WordPress CRM Perks Forms plugin to the latest available version (at least 1.1.2).

Plugin: Nested Pages

Vulnerability: Missing Authorization to Authenticated (Editor+) Plugin Settings Reset vulnerability
Patched Version: 3.2.4
Recommended Action: Update the WordPress Nested Pages plugin to the latest available version (at least 3.2.4).

Plugin: Display post meta, term meta, comment meta, and user meta

Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Blog-in-Blog

Vulnerability: Authenticated (Editor+) Local File Inclusion via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Feather Login Page

Vulnerability: WordPress Feather Login Page 1.0.7 – 1.1.1 – Missing Authorization to Authentication Bypass and Privilege Escalation vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Feather Login Page

Vulnerability: WordPress Feather Login Page 1.0.7 – 1.1.1 – Missing Authorization to Non-Arbitrary User Deletion vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Wordapp

Vulnerability: Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature vulnerability
Patched Version: None
Recommended Action: No patched version available.

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *