Watch Out Wednesday – March 22, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP Shortcode, Popup Maker, UpdraftPlus, and more!

Plugin: WP Job Portal

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Return and Warranty Management System for WooCommerce

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Surbma | GDPR Proof Cookie Consent & Notice Bar

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP Simple Events

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Ecwid Shopping Cart

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 6.11.5
Recommended Action: Update the WordPress Ecwid Shopping Cart plugin to the latest available version (at least 6.11.5).

Plugin: Contact Form 7 – PayPal & Stripe Add-on

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.9.4
Recommended Action: Update the WordPress Contact Form 7 – PayPal & Stripe Add-on plugin to the latest available version (at least 1.9.4).

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Broken Access Control vulnerability
Patched Version: 12.1.21
Recommended Action: Update the WordPress SEO Plugin by Squirrly SEO plugin to the latest available version (at least 12.1.21).

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 12.1.21
Recommended Action: Update the WordPress SEO Plugin by Squirrly SEO plugin to the latest available version (at least 12.1.21).

Plugin: Real Estate Directory

Vulnerability: Authenticated Arbitrary Plugin Activation
Patched Version: 1.0.6
Recommended Action: Update the WordPress Real Estate Directory theme to the latest available version (at least 1.0.6).

Plugin: Open RDW kenteken voertuiginformatie

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.1.0
Recommended Action: Update the WordPress Open RDW kenteken voertuiginformatie plugin to the latest available version (at least 2.1.0).

Plugin: WPML – WordPress Multilingual

Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: 4.6.1
Recommended Action: Update the WordPress WPML – WordPress Multilingual plugin to the latest available version (at least 4.6.1).

Plugin: UpdraftPlus

Vulnerability: Broken Access Control Vulnerability
Patched Version: 1.23.3
Recommended Action: Update the WordPress UpdraftPlus plugin to the latest available version (at least 1.23.3).

Plugin: UpdraftPlus

Vulnerability: Broken Access Control Vulnerability
Patched Version: 2.23.3
Recommended Action: Update the WordPress UpdraftPlus PRO plugin to the latest available version (at least 2.23.3).

Plugin: Slide Anything

Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Shortcode by MyThemeShop

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor since August 26, 2022.

Plugin: WordPress Mortgage Calculator Estatik

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor for a long time. Vulnerability reported to the WordPress plugins team on January 19, 2023.

Plugin: Newsmag

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Bulk Resize Media

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Import External Images

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Open Graphite

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.6.1
Recommended Action: Update the WordPress Open Graphite plugin to the latest available version (at least 1.6.1).

Plugin: ProfileGrid

Vulnerability: Broken Access Control vulnerability
Patched Version: 5.0.4
Recommended Action: Update the WordPress ProfileGrid plugin to the latest available version (at least 5.0.4).

Plugin: WordPress Ping Optimizer

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.35.1.3.0
Recommended Action: Update the WordPress WordPress Ping Optimizer plugin to the latest available version (at least 2.35.1.3.0).

Plugin: Simple Shopping Cart

Vulnerability: Information Disclosure vulnerability
Patched Version: 4.6.4
Recommended Action: Update the WordPress Simple Shopping Cart plugin to the latest available version (at least 4.6.4).

Plugin: Contact Form Email

Vulnerability: Missing Authorization Leading To Feedback Submission Vulnerability
Patched Version: 1.3.32
Recommended Action: Update the WordPress Contact Form Email plugin to the latest available version (at least 1.3.32).

Plugin: CP Multi View Event Calendar

Vulnerability: Missing Authorization Leading To Feedback Submission vulnerability
Patched Version: 1.4.11
Recommended Action: Update the WordPress CP Multi View Event Calendar plugin to the latest available version (at least 1.4.11).

Plugin: Event Manager for WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.7.8
Recommended Action: Update the WordPress Event Manager for WooCommerce plugin to the latest available version (at least 3.7.8).

Plugin: HT Feed

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.8
Recommended Action: Update the WordPress HT Feed plugin to the latest available version (at least 1.2.8).

Plugin: Hotel Booking Lite

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 4.7.0
Recommended Action: Update the WordPress Hotel Booking Lite plugin to the latest available version (at least 4.7.0).

Plugin: Slideshow Gallery

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.7.7
Recommended Action: Update the WordPress Slideshow Gallery plugin to the latest available version (at least 1.7.7).

Plugin: SMTP2GO

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.5.0
Recommended Action: Update the WordPress SMTP2GO plugin to the latest available version (at least 1.5.0).

Plugin: Slideshow Gallery

Vulnerability: SQL Injection
Patched Version: 1.7.7
Recommended Action: Update the WordPress Slideshow Gallery plugin to the latest available version (at least 1.7.7).

Plugin: Force First and Last Name as Display Name

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.1
Recommended Action: Update the WordPress Force First and Last Name as Display Name plugin to the latest available version (at least 1.2.1).

Plugin: Min and Max Quantity for WooCommerce

Vulnerability: Broken Access Control
Patched Version: 1.3.2.7
Recommended Action: Update the WordPress Min and Max Quantity for WooCommerce plugin to the latest available version (at least 1.3.2.7).

Plugin: Advanced Product Labels for WooCommerce

Vulnerability: Broken Access Control
Patched Version: 1.2.4.1
Recommended Action: Update the WordPress Advanced Product Labels for WooCommerce plugin to the latest available version (at least 1.2.4.1).

Plugin: Load More Products for WooCommerce

Vulnerability: Broken Access Control
Patched Version: 1.1.9.8
Recommended Action: Update the WordPress Load More Products for WooCommerce plugin to the latest available version (at least 1.1.9.8).

Plugin: Brands for WooCommerce

Vulnerability: Broken Access Control
Patched Version: 3.7.0.6
Recommended Action: Update the WordPress Brands for WooCommerce plugin to the latest available version (at least 3.7.0.6).

Plugin: Grid List View for WooCommerce

Vulnerability: Broken Access Control
Patched Version: 1.1.3.7
Recommended Action: Update the WordPress Grid/List View for WooCommerce plugin to the latest available version (at least 1.1.3.7).

Plugin: Cart Notices for WooCommerce

Vulnerability: Broken Access Control
Patched Version: 3.5.7.7
Recommended Action: Update the WordPress Cart Notices for WooCommerce plugin to the latest available version (at least 3.5.7.7).

Plugin: Terms and Conditions Popup for WooCommerce

Vulnerability: Broken Access Control
Patched Version: 3.5.7.7
Recommended Action: Update the WordPress Terms and Conditions Popup for WooCommerce plugin to the latest available version (at least 3.5.7.7).

Plugin: Product Tabs Manager for WooCommerce

Vulnerability: Broken Access Control
Patched Version: 1.1.5.8
Recommended Action: Update the WordPress Product Tabs Manager for WooCommerce plugin to the latest available version (at least 1.1.5.8).

Plugin: Product Watermark for WooCommerce

Vulnerability: Broken Access Control
Patched Version: 1.3.5.7
Recommended Action: Update the WordPress Product Watermark for WooCommerce plugin to the latest available version (at least 1.3.5.7).

Plugin: Sequential Order Numbers for WooCommerce

Vulnerability: Broken Access Control
Patched Version: 3.5.7.7
Recommended Action: Update the WordPress Sequential Order Numbers for WooCommerce plugin to the latest available version (at least 3.5.7.7).

Plugin: Pagination Styler for WooCommerce

Vulnerability: Broken Access Control
Patched Version: 3.5.7.7
Recommended Action: Update the WordPress Pagination Styler for WooCommerce plugin to the latest available version (at least 3.5.7.7).

Plugin: Sales Report for WooCommerce

Vulnerability: Broken Access Control
Patched Version: 3.5.7.7
Recommended Action: Update the WordPress Sales Report for WooCommerce plugin to the latest available version (at least 3.5.7.7).

Plugin: Products Compare for WooCommerce

Vulnerability: Broken Access Control
Patched Version: 3.5.7.8
Recommended Action: Update the WordPress Products Compare for WooCommerce plugin to the latest available version (at least 3.5.7.8).

Plugin: Products Suggestions for WooCommerce

Vulnerability: Broken Access Control
Patched Version: 3.5.7.7
Recommended Action: Update the WordPress Products Suggestions for WooCommerce plugin to the latest available version (at least 3.5.7.7).

Plugin: Website Monetization by MageNet

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Custom Options Plus

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Chankhe

Vulnerability: Authenticated Arbitrary Plugin Activation
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Mediciti Lite

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: WSB Brands

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2
Recommended Action: Update the WordPress WSB Brands plugin to the latest available version (at least 1.2).

Plugin: Drag and Drop Multiple File Upload PRO

Vulnerability: Reflected Cross-Site Scripting vulnerability (Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard plugin <= 2.11.0)
Patched Version: 2.11.1
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin to the latest available version (at least 2.11.1).

Plugin: WordPress Email Marketing Plugin – WP Email Capture

Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: 3.11
Recommended Action: Update the WordPress WordPress Email Marketing Plugin – WP Email Capture plugin to the latest available version (at least 3.11).

Plugin: Dynamics 365 Integration

Vulnerability: Broken Access Control
Patched Version: 1.3.13
Recommended Action: Update the WordPress Dynamics 365 Integration plugin to the latest available version (at least 1.3.13).

Plugin: Fluid Checkout for WooCommerce – Lite

Vulnerability: Cross-Site Request Forgery via dismiss_notice vulnerability
Patched Version: 2.3.2
Recommended Action: Update the WordPress Fluid Checkout for WooCommerce – Lite plugin to the latest available version (at least 2.3.2).

Plugin: Be POPIA Compliant

Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: PB SEO Friendly Images

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Auto Rename Media On Upload

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.1.0
Recommended Action: Update the WordPress Auto Rename Media On Upload plugin to the latest available version (at least 1.1.0).

Plugin: Modern Footnotes

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.4.16
Recommended Action: Update the WordPress Modern Footnotes plugin to the latest available version (at least 1.4.16).

Plugin: Contact Form 7 Redirect & Thank You Page

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.0.4
Recommended Action: Update the WordPress Contact Form 7 Redirect & Thank You Page plugin to the latest available version (at least 1.0.4).

Plugin: Backup Bank: WordPress Backup Plugin

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Weaver Xtreme Theme Support

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 6.2.5
Recommended Action: Update the WordPress Weaver Xtreme Theme Support plugin to the latest available version (at least 6.2.5).

Plugin: Redirect Redirection

Vulnerability: Cross-Site Request Forgery to Plugin De-Installation vulnerability
Patched Version: 1.1.5
Recommended Action: Update the WordPress Redirect Redirection plugin to the latest available version (at least 1.1.5).

Plugin: Customify

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.10.5
Recommended Action: Update the WordPress Customify plugin to the latest available version (at least 2.10.5).

Plugin: Google XML Sitemap for Videos

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Google XML Sitemap for Images

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Tags Cloud Manager

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: CF7 Invisible reCAPTCHA

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.7.2
Recommended Action: Update the WordPress Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files plugin to the latest available version (at least 2.7.2).

Plugin: Yandex.News Feed by Teplitsa

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: WordPress Console

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Admin side data storage for Contact Form 7

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Easy Event calendar

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Popup Maker

Vulnerability: Unauthenticated Access to Debug Log
Patched Version: 1.18.0
Recommended Action: Update the WordPress Popup Maker plugin to the latest available version (at least 1.18.0).

Plugin: LOGIN AND REGISTRATION ATTEMPTS LIMIT

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: WP Basic Elements

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.3.0
Recommended Action: Update the WordPress WP Basic Elements plugin to the latest available version (at least 5.3.0).

Plugin: Chronoforms

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: xili-tidy-tags

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: WP-Advanced-Search

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Store Locator

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.98.8
Recommended Action: Update the WordPress Store Locator plugin to the latest available version (at least 3.98.8).

Plugin: Coming Soon Landing Page and Maintenance Mode WordPress Plugin

Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Woo Products Widgets For Elementor

Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: 1.0.8
Recommended Action: Update the WordPress Woo Products Widgets For Elementor plugin to the latest available version (at least 1.0.8).

Plugin: Ajax Load More

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 5.6.0.3
Recommended Action: Update the WordPress Ajax Load More plugin to the latest available version (at least 5.6.0.3).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
