This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Formidable Forms, Woocommerce, WP Hide Post and more!
Plugin: WP Hide Post
Vulnerability: Cross Site Request Forgery (CSRF) Leading To Post Status Change Vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Cart2Cart: Magento to WooCommerce Migration
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 9, 2023 and is not available for download. Reason: Security Issue.
Plugin: Change WooCommerce Add To Cart Button Text
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Kebo Twitter Feed
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed and is not available for download.
Plugin: WPC Smart Wishlist for WooCommerce
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Constant Contact Forms
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: B2BKing Premium
Vulnerability: Authenticated Product Price Change Vulnerability
Patched Version: 4.6.20
Recommended Action: Update the WordPress B2BKing Premium plugin to the latest available version (at least 4.6.20).
Plugin: Extended Post Status
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Download SpamReferrerBlock
Vulnerability: Cross Site Scripting (XSS) vulnerability
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Kanban Boards for WordPress
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.5.21
Recommended Action: Update the WordPress Kanban Boards for WordPress plugin to the latest available version (at least 2.5.21).
Plugin: GDPR Cookie Consent Notice Box
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.1.7
Recommended Action: Update the WordPress GDPR Cookie Consent Notice Box plugin to the latest available version (at least 1.1.7).
Plugin: Uncanny Toolkit for LearnDash
Vulnerability: Open Redirection vulnerability
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.6.4.4
Recommended Action: Update the WordPress Uncanny Toolkit for LearnDash plugin to the latest available version (at least 3.6.4.4).
Plugin: WP Inventory Manager
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.1.0.14
Recommended Action: Update the WordPress WP Inventory Manager plugin to the latest available version (at least 2.1.0.14).
Plugin: WooCommerce Box Office
Vulnerability: Unauthenticated Save Ticket Barcode vulnerability
Patched Version: 1.1.52
Recommended Action: Update the WordPress WooCommerce Box Office plugin to the latest available version (at least 1.1.52).
Plugin: JS Job Manager
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0.1
Recommended Action: Update the WordPress JS Job Manager plugin to the latest available version (at least 2.0.1).
Plugin: Social Media & Share Icons
Vulnerability: Broken Access Control + CSRF
Patched Version: 2.8.2
Recommended Action: Update the WordPress Social Media & Share Icons plugin to the latest available version (at least 2.8.2).
Plugin: WooCommerce Box Office
Vulnerability: Contributor+ Stored Cross Site Scripting (XSS) vulnerability
Patched Version: 1.1.51
Recommended Action: Update the WordPress WooCommerce Box Office plugin to the latest available version (at least 1.1.51).
Plugin: Call Now Accessibility Button
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.2
Recommended Action: Update the WordPress Call Now Accessibility Button plugin to the latest available version (at least 1.2).
Plugin: Front End Users
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.2.25
Recommended Action: Update the WordPress Front End Users plugin to the latest available version (at least 3.2.25).
Plugin: WP ERP
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 1.12.4
Recommended Action: Update the WordPress WP ERP plugin to the latest available version (at least 1.12.4).
Plugin: Premium Addons PRO
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.8.25
Recommended Action: Update the WordPress Premium Addons PRO plugin to the latest available version (at least 2.8.25).
Plugin: Advanced Flat rate shipping Woocommerce
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.4.6
Recommended Action: Update the WordPress Advanced Flat rate shipping Woocommerce plugin to the latest available version (at least 1.6.4.6).
Plugin: WP Directory Kit
Vulnerability: Reflected Cross-Site Scripting via ‘search’ vulnerability
Patched Version: 1.2.4
Recommended Action: Update the WordPress WP Directory Kit plugin to the latest available version (at least 1.2.4).
Plugin: Web Directory Free
Vulnerability: Authenticated (Contributor+) SQL Injection via post_id vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Formidable Forms
Vulnerability: Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation vulnerability
Patched Version: 6.3.1
Recommended Action: Update the WordPress Formidable Forms plugin to the latest available version (at least 6.3.1).
Plugin: ReviewX
Vulnerability: Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation vulnerability
Patched Version: 1.6.14
Recommended Action: Update the WordPress ReviewX plugin to the latest available version (at least 1.6.14).
Plugin: Brizy – Page Builder
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass vulnerability
Patched Version: 2.4.19
Recommended Action: Update the WordPress Brizy – Page Builder plugin to the latest available version (at least 2.4.19).
Plugin: Donation Platform for WooCommerce: Fundraising & Donation Management
Vulnerability: Cross-Site Request Forgery to Survey Submission vulnerability
Patched Version: 1.2.10
Recommended Action: Update the WordPress Donation Platform for WooCommerce: Fundraising & Donation Management plugin to the latest available version (at least 1.2.10).
Plugin: Draw Attention
Vulnerability: Missing Authorization to Arbitrary Post Featured Image Modification vulnerability
Patched Version: 2.0.12
Recommended Action: Update the WordPress Draw Attention plugin to the latest available version (at least 2.0.12).
Plugin: Favorites
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 2.3.3
Recommended Action: Update the WordPress Favorites plugin to the latest available version (at least 2.3.3).
Plugin: CRM Perks Forms
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.1.2
Recommended Action: Update the WordPress CRM Perks Forms plugin to the latest available version (at least 1.1.2).
Plugin: Nested Pages
Vulnerability: Missing Authorization to Authenticated (Editor+) Plugin Settings Reset vulnerability
Patched Version: 3.2.4
Recommended Action: Update the WordPress Nested Pages plugin to the latest available version (at least 3.2.4).
Plugin: Display post meta, term meta, comment meta, and user meta
Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Blog-in-Blog
Vulnerability: Authenticated (Editor+) Local File Inclusion via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Feather Login Page
Vulnerability: WordPress Feather Login Page 1.0.7 – 1.1.1 – Missing Authorization to Authentication Bypass and Privilege Escalation vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Feather Login Page
Vulnerability: WordPress Feather Login Page 1.0.7 – 1.1.1 – Missing Authorization to Non-Arbitrary User Deletion vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Wordapp
Vulnerability: Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature vulnerability
Patched Version: None
Recommended Action: No patched version available.

0 Comments