This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Accordions, Admin Block Country, asMember, and more!
Plugin: Conditional Checkout Fields for WooCommerce
Vulnerability: Broken Authentication vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin until a fix is released.
Plugin: Drag and Drop Multiple File Upload for WooCommerce
Vulnerability: Unauthenticated Non-Arbitrary File Upload/Deletion vulnerability
Patched Version: 1.0.9
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload for WooCommerce plugin to the latest available version (at least 1.0.9).
Plugin: Spotify Play Button for WordPress
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.06
Recommended Action: Update the WordPress Spotify Play Button for WordPress plugin to the latest available version (at least 2.06).
Plugin: Drag and Drop Multiple File Upload – Contact Form 7
Vulnerability: Multiple CSRF vulnerabilities
Patched Version: 1.3.6.6
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin to the latest available version (at least 1.3.6.6).
Plugin: Zendrop – Global Dropshipping
Vulnerability: Arbitrary SQL Query Execution Vulnerability
Vulnerability: Arbitrary File Upload
Patched Version: None
Recommended Action: Deactivate and delete. The vendor was notified about the vulnerabilities on Oct 5, 2022. No patched version is available.
Plugin: Baidu/Google/Bing/IndexNow/Yandex/头条
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin. The vulnerability was reported to the WordPress plugins team on Feb 13, 2023.
Plugin: asMember
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin. The vulnerability was reported to the WordPress plugins team on Feb 20, 2023.
Plugin: Chat Bee
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin. The vulnerability was reported to the WordPress plugins team on Feb 20, 2023.
Plugin: phpinfo() WP
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin. The vulnerability was reported to the WordPress plugins team on Feb 17, 2023.
Plugin: Apollo13 Framework Extensions
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin. We notified the vendor about the vulnerability on Jan 12, 2023.
Plugin: KB Support
Vulnerability: CSV Injection vulnerability
Patched Version: 1.5.85
Recommended Action: Update the WordPress KB Support plugin to the latest available version (at least 1.5.85).
Plugin: Simple YouTube Responsive
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.0
Recommended Action: Update the WordPress Simple YouTube Responsive plugin to the latest available version (at least 3.0).
Plugin: YouTube Channel
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.23.4
Recommended Action: Update the WordPress YouTube Channel plugin to the latest available version (at least 3.23.4).
Plugin: Top 10
Vulnerability: Insufficient Authorization vulnerability
Patched Version: 3.2.5
Recommended Action: Update the WordPress Top 10 plugin to the latest available version (at least 3.2.5).
Plugin: Houzez Login Register
Vulnerability: Privilege Escalation
Patched Version: 2.6.4
Recommended Action: Update the WordPress Houzez Login Register plugin to the latest available version (at least 2.6.4).
Plugin: CPT – Speakers
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete.
Plugin: For the visually impaired
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin. The vulnerability was reported to the WordPress plugins team on Feb 6, 2023.
Plugin: TypeSquare Webfonts for ConoHa
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin. The vulnerability was reported to the WordPress plugins team on Feb 9, 2023.
Plugin: All In One Favicon
Vulnerability: Arbitrary File Deletion vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin. The vulnerability was reported to the WordPress plugins team on Jan 29, 2023.
Plugin: Admin Block Country
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin. The vulnerability was reported to the WordPress plugins team on Jan 23, 2023.
Plugin: GMAce
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Arbitrary File Download vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin. The vulnerabilities were reported to the WordPress plugins team on Jan 19, 2023.
Plugin: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer
Vulnerability: Missing Authorization in Settings Import leading to Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.13.45
Recommended Action: Update the WordPress 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin to the latest available version (at least 2.13.45).
Plugin: WP Meta SEO
Vulnerability: Authenticated (Subscriber+) SQL Injection vulnerability
Patched Version: 4.5.3
Recommended Action: Update the WordPress WP Meta SEO plugin to the latest available version (at least 4.5.3).
Plugin: Etsy Shop
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.0.4
Recommended Action: Update the WordPress Etsy Shop plugin to the latest available version (at least 3.0.4).
Plugin: WP-RecentComments
Vulnerability: Unauthenticated Information Exposure vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin until a fix is released.
Plugin: WPMobile.App — Android and iOS Mobile Application
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 11.19
Recommended Action: Update the WordPress WPMobile.App — Android and iOS Mobile Application plugin to the latest available version (at least 11.19).
Plugin: VK All in One Expansion Unit
Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI vulnerability
Patched Version: 9.87.1.0
Recommended Action: Update the WordPress VK All in One Expansion Unit plugin to the latest available version (at least 9.87.1.0).
Plugin: WordPress Tooltips
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 8.2.7
Recommended Action: Update the WordPress Tooltips plugin to the latest available version (at least 8.2.7).
Plugin: CM Answers
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress CM Answers plugin to the latest available version (at least 3.2.0).
Plugin: Top 10
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.2.5
Recommended Action: Update the WordPress Top 10 plugin to the latest available version (at least 3.2.5).
Plugin: Custom Login Page
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin until a fix is released.
Plugin: Upload Resume
Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin until a fix is released.
Plugin: Simple Portfolio Gallery
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin until a fix is released.
Plugin: Paytm Payment Gateway
Vulnerability: Authenticated SQL Injection (SQLi) vulnerability
Patched Version: 2.7.7
Recommended Action: Update the WordPress Paytm Payment Gateway plugin to the latest available version (at least 2.7.7).
Plugin: Hero Banner Ultimate
Vulnerability: Authenticated Stored Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin until a fix is released.
Plugin: Community by PeepSo
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 6.0.3.0
Recommended Action: Update the WordPress Community by PeepSo plugin to the latest available version (at least 6.0.3.0).
Plugin: Accordions
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.3.1
Recommended Action: Update the WordPress Accordions plugin to the latest available version (at least 2.3.1).
Plugin: Integration for Contact Form 7 and Zoho CRM, Bigin
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.3
Recommended Action: Update the WordPress Integration for Contact Form 7 and Zoho CRM, Bigin plugin to the latest available version (at least 1.2.3).
Plugin: Client Portal – Private user pages and login
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.1.9
Recommended Action: Update the WordPress Client Portal – Private user pages and login plugin to the latest available version (at least 1.1.9).
Plugin: Auto Affiliate Links
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 6.3.0.3
Recommended Action: Update the WordPress Auto Affiliate Links plugin to the latest available version (at least 6.3.0.3).
Plugin: Redirect Redirection
Vulnerability: Multiple Missing Authorization vulnerability
Patched Version: 1.1.4
Recommended Action: Update the WordPress Redirect Redirection plugin to the latest available version (at least 1.1.4).
Plugin: Japanized For WooCommerce
Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 2.5.5
Recommended Action: Update the WordPress Japanized For WooCommerce plugin to the latest available version (at least 2.5.5).
Plugin: Educare – Students & Result Management System
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin until a fix is released.
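A quick way to check a site against the list above is to feed the output of WP-CLI's `wp plugin list` into a small version comparison. The script below is an added example and not code from the original post: the plugin slugs in ADVISORIES are assumptions (the post gives display names, not directory slugs), and the sample input is constructed in the shape of `wp plugin list --fields=name,version,status --format=json`. Plugins with no patched version are reported as "deactivate and delete", and inactive plugins are flagged as well, since their files stay on disk until the plugin is actually deleted.

```python
"""Triage installed WordPress plugins against this week's advisories.

Added example, not part of the original post. The slugs in ADVISORIES are
assumptions (the post lists display names, not directory slugs), and the
sample input below is constructed in the shape of
`wp plugin list --fields=name,version,status --format=json`.
"""
import json
import re
import sys

# (display name from the post, first patched version, or None where no fix exists)
ADVISORIES = {
    "top-10": ("Top 10", "3.2.5"),                      # assumed slug
    "kb-support": ("KB Support", "1.5.85"),              # assumed slug
    "wp-meta-seo": ("WP Meta SEO", "4.5.3"),             # assumed slug
    "accordions": ("Accordions", "2.3.1"),               # assumed slug
    "all-in-one-favicon": ("All In One Favicon", None),  # assumed slug
    "zendrop-global-dropshipping": ("Zendrop – Global Dropshipping", None),  # assumed slug
}

# Constructed sample; real input comes from `wp plugin list ... --format=json`.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "top-10", "status": "active", "version": "3.2.4"},
    {"name": "kb-support", "status": "inactive", "version": "1.5.85"},
    {"name": "wp-meta-seo", "status": "active", "version": "4.5.3"},
    {"name": "accordions", "status": "active", "version": "2.3.0"},
    {"name": "zendrop-global-dropshipping", "status": "inactive", "version": "1.0.0"},
    {"name": "akismet", "status": "active", "version": "5.0.2"},
])


def parse_version(v):
    """Numeric tuple for comparison: 2.06 == 2.6, 3.23.4 > 3.3, '-beta' suffixes dropped.

    Padded to four components so that 3.0 and 3.0.0 compare equal.
    """
    nums = [int(x) for x in re.findall(r"\d+", v.split("-")[0])]
    return tuple((nums + [0, 0, 0, 0])[:4])


def triage(plugins):
    """Return (slug, action) for each installed plugin that an advisory covers.

    Inactive plugins are flagged too: their files stay on disk, and the
    'deactivate and delete' advice is only complete once the directory is gone.
    """
    findings = []
    for plugin in plugins:
        slug = plugin["name"]
        if slug not in ADVISORIES:
            continue
        title, fixed = ADVISORIES[slug]
        if fixed is None:
            findings.append((slug, f"{title}: no patched version; deactivate and delete"))
        elif parse_version(plugin["version"]) < parse_version(fixed):
            findings.append((slug, f"{title} {plugin['version']}: update to at least {fixed}"))
    return findings


if __name__ == "__main__":
    # Usage: wp plugin list --fields=name,version,status --format=json > plugins.json
    #        python3 triage.py plugins.json      (no argument: runs on the sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WP_PLUGIN_LIST
    for slug, action in triage(json.loads(raw)):
        print(f"{slug}: {action}")
```

Extend ADVISORIES with the remaining entries from the list once you have confirmed each plugin's slug on the site; the version parser treats "2.06" and "2.6" as equal, which matches how the patched versions above are meant to be read.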