Watch Out Wednesday – March 1, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Accordions, Admin Block Country, asMember, and more!

Plugin: Conditional Checkout Fields for WooCommerce

Vulnerability: Broken Authentication vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Drag and Drop Multiple File Upload for WooCommerce

Vulnerability: Unauth. Non-arbitrary file upload/deletion
Patched Version: 1.0.9
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload for WooCommerce plugin to the latest available version (at least 1.0.9).

Plugin: Spotify Play Button for WordPress

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.06
Recommended Action: Update the WordPress Spotify Play Button for WordPress plugin to the latest available version (at least 2.06).

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: Multiple CSRF vulnerabilities
Patched Version: 1.3.6.6
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin to the latest available version (at least 1.3.6.6).

Plugin: Zendrop – Global Dropshipping

Vulnerability: Arbitrary SQL Query Execution Vulnerability
Vulnerability: Arbitrary File Upload
Patched Version: None
Recommended Action: Deactivate and delete. The vendor was notified about the vulnerability on Oct 5, 2022. No patched version is available.

Plugin: Baidu/Google/Bing/IndexNow/Yandex/头条

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vulnerability was reported to the WordPress plugins team on Feb 13, 2023.

Plugin: asMember

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vulnerability was reported to the WordPress plugins team on Feb 20, 2023.

Plugin: Chat Bee

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vulnerability was reported to the WordPress plugins team on Feb 20, 2023.

Plugin: phpinfo() WP

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vulnerability was reported to the WordPress plugins team on Feb 17, 2023.

Plugin: Apollo13 Framework Extensions

Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available. We notified the vendor about the vulnerability on Jan 12, 2023.

Plugin: KB Support

Vulnerability: CSV Injection vulnerability
Patched Version: 1.5.85
Recommended Action: Update the WordPress KB Support plugin to the latest available version (at least 1.5.85).

Plugin: Simple YouTube Responsive

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.0
Recommended Action: Update the WordPress Simple YouTube Responsive plugin to the latest available version (at least 3.0).

Plugin: YouTube Channel

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.23.4
Recommended Action: Update the WordPress YouTube Channel plugin to the latest available version (at least 3.23.4).

Plugin: Top 10

Vulnerability: Insufficient Authorization vulnerability
Patched Version: 3.2.5
Recommended Action: Update the WordPress Top 10 plugin to the latest available version (at least 3.2.5).

Plugin: Houzez Login Register

Vulnerability: Privilege Escalation
Patched Version: 2.6.4
Recommended Action: Update the WordPress Houzez Login Register plugin to the latest available version (at least 2.6.4).

Plugin: CPT – Speakers

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete.

Plugin: For the visually impaired

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vulnerability was reported to the WordPress plugins team on Feb 6, 2023.

Plugin: TypeSquare Webfonts for ConoHa

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vulnerability was reported to the WordPress plugins team on Feb 9, 2023.

Plugin: All In One Favicon

Vulnerability: Arbitrary File Deletion vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vulnerability was reported to the WordPress plugins team on Jan 29, 2023.

Plugin: Admin Block Country

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vulnerability was reported to the WordPress plugins team on Jan 23, 2023.

Plugin: GMAce

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Arbitrary File Download vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vulnerability was reported to the WordPress plugins team on Jan 19, 2023.

Plugin: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer

Vulnerability: Missing Authorization in Settings Import to Stored Cross-Site Scripting vulnerability
Patched Version: 2.13.45
Recommended Action: Update the WordPress 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin to the latest available version (at least 2.13.45).

Plugin: WP Meta SEO

Vulnerability: Authenticated (Subscriber+) SQL Injection vulnerability
Patched Version: 4.5.3
Recommended Action: Update the WordPress WP Meta SEO plugin to the latest available version (at least 4.5.3).

Plugin: Etsy Shop

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.0.4
Recommended Action: Update the WordPress Etsy Shop plugin to the latest available version (at least 3.0.4).

Plugin: WP-RecentComments

Vulnerability: Unauthenticated Information Exposure vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: WPMobile.App — Android and iOS Mobile Application

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 11.19
Recommended Action: Update the WordPress WPMobile.App — Android and iOS Mobile Application plugin to the latest available version (at least 11.19).

Plugin: VK All in One Expansion Unit

Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI vulnerability
Patched Version: 9.87.1.0
Recommended Action: Update the WordPress VK All in One Expansion Unit plugin to the latest available version (at least 9.87.1.0).

Plugin: WordPress Tooltips

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 8.2.7
Recommended Action: Update the WordPress WordPress Tooltips plugin to the latest available version (at least 8.2.7).

Plugin: CM Answers

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress CM Answers plugin to the latest available version (at least 3.2.0).

Plugin: Top 10

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.2.5
Recommended Action: Update the WordPress Top 10 plugin to the latest available version (at least 3.2.5).

Plugin: Custom Login Page

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Upload Resume

Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Simple Portfolio Gallery

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Paytm Payment Gateway

Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: 2.7.7
Recommended Action: Update the WordPress Paytm Payment Gateway plugin to the latest available version (at least 2.7.7).

Plugin: Hero Banner Ultimate

Vulnerability: Auth. Stored Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Community by PeepSo

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 6.0.3.0
Recommended Action: Update the WordPress Community by PeepSo plugin to the latest available version (at least 6.0.3.0).

Plugin: Accordions

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.3.1
Recommended Action: Update the WordPress Accordions plugin to the latest available version (at least 2.3.1).

Plugin: Integration for Contact Form 7 and Zoho CRM, Bigin

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.3
Recommended Action: Update the WordPress Integration for Contact Form 7 and Zoho CRM, Bigin plugin to the latest available version (at least 1.2.3).

Plugin: Client Portal – Private user pages and login

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.1.9
Recommended Action: Update the WordPress Client Portal – Private user pages and login plugin to the latest available version (at least 1.1.9).

Plugin: Auto Affiliate Links

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 6.3.0.3
Recommended Action: Update the WordPress Auto Affiliate Links plugin to the latest available version (at least 6.3.0.3).

Plugin: Redirect Redirection

Vulnerability: Multiple Missing Authorization vulnerabilities
Patched Version: 1.1.4
Recommended Action: Update the WordPress Redirect Redirection plugin to the latest available version (at least 1.1.4).

Plugin: Japanized For WooCommerce

Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 2.5.5
Recommended Action: Update the WordPress Japanized For WooCommerce plugin to the latest available version (at least 2.5.5).

Plugin: Educare – Students & Result Management System

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version available.

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
