This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP Shortcode, Popup Maker, UpdraftPlus, and more!
Plugin: WP Job Portal
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available and the vendor has not replied; deactivate and delete the plugin.
Plugin: Return and Warranty Management System for WooCommerce
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available and the vendor has not replied; deactivate and delete the plugin.
Plugin: Surbma | GDPR Proof Cookie Consent & Notice Bar
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available and the vendor has not replied; deactivate and delete the plugin.
Plugin: WP Simple Events
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Ecwid Shopping Cart
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 6.11.5
Recommended Action: Update the WordPress Ecwid Shopping Cart plugin to the latest available version (at least 6.11.5).
Plugin: Contact Form 7 – PayPal & Stripe Add-on
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.9.4
Recommended Action: Update the WordPress Contact Form 7 – PayPal & Stripe Add-on plugin to the latest available version (at least 1.9.4).
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Broken Access Control vulnerability
Patched Version: 12.1.21
Recommended Action: Update the WordPress SEO Plugin by Squirrly SEO plugin to the latest available version (at least 12.1.21).
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 12.1.21
Recommended Action: Update the WordPress SEO Plugin by Squirrly SEO plugin to the latest available version (at least 12.1.21).
Theme: Real Estate Directory
Vulnerability: Authenticated Arbitrary Plugin Activation
Patched Version: 1.0.6
Recommended Action: Update the WordPress Real Estate Directory theme to the latest available version (at least 1.0.6).
Plugin: Open RDW kenteken voertuiginformatie
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.1.0
Recommended Action: Update the WordPress Open RDW kenteken voertuiginformatie plugin to the latest available version (at least 2.1.0).
Plugin: WPML – WordPress Multilingual
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: 4.6.1
Recommended Action: Update the WordPress WPML – WordPress Multilingual plugin to the latest available version (at least 4.6.1).
Plugin: UpdraftPlus
Vulnerability: Broken Access Control Vulnerability
Patched Version: 1.23.3
Recommended Action: Update the WordPress UpdraftPlus plugin to the latest available version (at least 1.23.3).
Plugin: UpdraftPlus
Vulnerability: Broken Access Control Vulnerability
Patched Version: 2.23.3
Recommended Action: Update the WordPress UpdraftPlus PRO plugin to the latest available version (at least 2.23.3).
Plugin: Slide Anything
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin.
Plugin: WP Shortcode by MyThemeShop
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available and the vendor has not replied since August 26, 2022; deactivate and delete the plugin.
Plugin: WordPress Mortgage Calculator Estatik
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. The vendor has not replied for a long time; the vulnerability was reported to the WordPress plugins team on January 19, 2023.
Plugin: Newsmag
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Bulk Resize Media
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Import External Images
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Open Graphite
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.6.1
Recommended Action: Update the WordPress Open Graphite plugin to the latest available version (at least 1.6.1).
Plugin: ProfileGrid
Vulnerability: Broken Access Control vulnerability
Patched Version: 5.0.4
Recommended Action: Update the WordPress ProfileGrid plugin to the latest available version (at least 5.0.4).
Plugin: WordPress Ping Optimizer
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.35.1.3.0
Recommended Action: Update the WordPress Ping Optimizer plugin to the latest available version (at least 2.35.1.3.0).
Plugin: Simple Shopping Cart
Vulnerability: Information Disclosure vulnerability
Patched Version: 4.6.4
Recommended Action: Update the WordPress Simple Shopping Cart plugin to the latest available version (at least 4.6.4).
Plugin: Contact Form Email
Vulnerability: Missing Authorization Leading To Feedback Submission Vulnerability
Patched Version: 1.3.32
Recommended Action: Update the WordPress Contact Form Email plugin to the latest available version (at least 1.3.32).
Plugin: CP Multi View Event Calendar
Vulnerability: Missing Authorization Leading To Feedback Submission vulnerability
Patched Version: 1.4.11
Recommended Action: Update the WordPress CP Multi View Event Calendar plugin to the latest available version (at least 1.4.11).
Plugin: Event Manager for WooCommerce
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.7.8
Recommended Action: Update the WordPress Event Manager for WooCommerce plugin to the latest available version (at least 3.7.8).
Plugin: HT Feed
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.8
Recommended Action: Update the WordPress HT Feed plugin to the latest available version (at least 1.2.8).
Plugin: Hotel Booking Lite
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 4.7.0
Recommended Action: Update the WordPress Hotel Booking Lite plugin to the latest available version (at least 4.7.0).
Plugin: Slideshow Gallery
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.7.7
Recommended Action: Update the WordPress Slideshow Gallery plugin to the latest available version (at least 1.7.7).
Plugin: SMTP2GO
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.5.0
Recommended Action: Update the WordPress SMTP2GO plugin to the latest available version (at least 1.5.0).
Plugin: Slideshow Gallery
Vulnerability: SQL Injection
Patched Version: 1.7.7
Recommended Action: Update the WordPress Slideshow Gallery plugin to the latest available version (at least 1.7.7).
Plugin: Force First and Last Name as Display Name
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.1
Recommended Action: Update the WordPress Force First and Last Name as Display Name plugin to the latest available version (at least 1.2.1).
Plugin: Min and Max Quantity for WooCommerce
Vulnerability: Broken Access Control
Patched Version: 1.3.2.7
Recommended Action: Update the WordPress Min and Max Quantity for WooCommerce plugin to the latest available version (at least 1.3.2.7).
Plugin: Advanced Product Labels for WooCommerce
Vulnerability: Broken Access Control
Patched Version: 1.2.4.1
Recommended Action: Update the WordPress Advanced Product Labels for WooCommerce plugin to the latest available version (at least 1.2.4.1).
Plugin: Load More Products for WooCommerce
Vulnerability: Broken Access Control
Patched Version: 1.1.9.8
Recommended Action: Update the WordPress Load More Products for WooCommerce plugin to the latest available version (at least 1.1.9.8).
Plugin: Brands for WooCommerce
Vulnerability: Broken Access Control
Patched Version: 3.7.0.6
Recommended Action: Update the WordPress Brands for WooCommerce plugin to the latest available version (at least 3.7.0.6).
Plugin: Grid/List View for WooCommerce
Vulnerability: Broken Access Control
Patched Version: 1.1.3.7
Recommended Action: Update the WordPress Grid/List View for WooCommerce plugin to the latest available version (at least 1.1.3.7).
Plugin: Cart Notices for WooCommerce
Vulnerability: Broken Access Control
Patched Version: 3.5.7.7
Recommended Action: Update the WordPress Cart Notices for WooCommerce plugin to the latest available version (at least 3.5.7.7).
Plugin: Terms and Conditions Popup for WooCommerce
Vulnerability: Broken Access Control
Patched Version: 3.5.7.7
Recommended Action: Update the WordPress Terms and Conditions Popup for WooCommerce plugin to the latest available version (at least 3.5.7.7).
Plugin: Product Tabs Manager for WooCommerce
Vulnerability: Broken Access Control
Patched Version: 1.1.5.8
Recommended Action: Update the WordPress Product Tabs Manager for WooCommerce plugin to the latest available version (at least 1.1.5.8).
Plugin: Product Watermark for WooCommerce
Vulnerability: Broken Access Control
Patched Version: 1.3.5.7
Recommended Action: Update the WordPress Product Watermark for WooCommerce plugin to the latest available version (at least 1.3.5.7).
Plugin: Sequential Order Numbers for WooCommerce
Vulnerability: Broken Access Control
Patched Version: 3.5.7.7
Recommended Action: Update the WordPress Sequential Order Numbers for WooCommerce plugin to the latest available version (at least 3.5.7.7).
Plugin: Pagination Styler for WooCommerce
Vulnerability: Broken Access Control
Patched Version: 3.5.7.7
Recommended Action: Update the WordPress Pagination Styler for WooCommerce plugin to the latest available version (at least 3.5.7.7).
Plugin: Sales Report for WooCommerce
Vulnerability: Broken Access Control
Patched Version: 3.5.7.7
Recommended Action: Update the WordPress Sales Report for WooCommerce plugin to the latest available version (at least 3.5.7.7).
Plugin: Products Compare for WooCommerce
Vulnerability: Broken Access Control
Patched Version: 3.5.7.8
Recommended Action: Update the WordPress Products Compare for WooCommerce plugin to the latest available version (at least 3.5.7.8).
Plugin: Products Suggestions for WooCommerce
Vulnerability: Broken Access Control
Patched Version: 3.5.7.7
Recommended Action: Update the WordPress Products Suggestions for WooCommerce plugin to the latest available version (at least 3.5.7.7).
Plugin: Website Monetization by MageNet
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available; deactivate and delete the plugin.
Plugin: Custom Options Plus
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available and the vendor has not replied; deactivate and delete the plugin.
Plugin: Chankhe
Vulnerability: Authenticated Arbitrary Plugin Activation
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Mediciti Lite
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: WSB Brands
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2
Recommended Action: Update the WordPress WSB Brands plugin to the latest available version (at least 1.2).
Plugin: Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability (versions <= 2.11.0)
Patched Version: 2.11.1
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard plugin to the latest available version (at least 2.11.1).
Plugin: WordPress Email Marketing Plugin – WP Email Capture
Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: 3.11
Recommended Action: Update the WordPress Email Marketing Plugin – WP Email Capture to the latest available version (at least 3.11).
Plugin: Dynamics 365 Integration
Vulnerability: Broken Access Control
Patched Version: 1.3.13
Recommended Action: Update the WordPress Dynamics 365 Integration plugin to the latest available version (at least 1.3.13).
Plugin: Fluid Checkout for WooCommerce – Lite
Vulnerability: Cross-Site Request Forgery via dismiss_notice vulnerability
Patched Version: 2.3.2
Recommended Action: Update the WordPress Fluid Checkout for WooCommerce – Lite plugin to the latest available version (at least 2.3.2).
Plugin: Be POPIA Compliant
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: No patched version is available and the vendor has not replied; deactivate and delete the plugin.
Plugin: PB SEO Friendly Images
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available and the vendor has not replied; deactivate and delete the plugin.
Plugin: Auto Rename Media On Upload
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.1.0
Recommended Action: Update the WordPress Auto Rename Media On Upload plugin to the latest available version (at least 1.1.0).
Plugin: Modern Footnotes
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.4.16
Recommended Action: Update the WordPress Modern Footnotes plugin to the latest available version (at least 1.4.16).
Plugin: Contact Form 7 Redirect & Thank You Page
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.0.4
Recommended Action: Update the WordPress Contact Form 7 Redirect & Thank You Page plugin to the latest available version (at least 1.0.4).
Plugin: Backup Bank: WordPress Backup Plugin
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Weaver Xtreme Theme Support
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 6.2.5
Recommended Action: Update the WordPress Weaver Xtreme Theme Support plugin to the latest available version (at least 6.2.5).
Plugin: Redirect Redirection
Vulnerability: Cross-Site Request Forgery to Plugin De-Installation vulnerability
Patched Version: 1.1.5
Recommended Action: Update the WordPress Redirect Redirection plugin to the latest available version (at least 1.1.5).
Plugin: Customify
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.10.5
Recommended Action: Update the WordPress Customify plugin to the latest available version (at least 2.10.5).
Plugin: Google XML Sitemap for Videos
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Google XML Sitemap for Images
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Tags Cloud Manager
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: CF7 Invisible reCAPTCHA
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.7.2
Recommended Action: Update the WordPress Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files plugin to the latest available version (at least 2.7.2).
Plugin: Yandex.News Feed by Teplitsa
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: WordPress Console
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Admin side data storage for Contact Form 7
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Easy Event calendar
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Popup Maker
Vulnerability: Unauthenticated Access to Debug Log
Patched Version: 1.18.0
Recommended Action: Update the WordPress Popup Maker plugin to the latest available version (at least 1.18.0).
Plugin: LOGIN AND REGISTRATION ATTEMPTS LIMIT
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: WP Basic Elements
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.3.0
Recommended Action: Update the WordPress WP Basic Elements plugin to the latest available version (at least 5.3.0).
Plugin: Chronoforms
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: xili-tidy-tags
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: WP-Advanced-Search
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Store Locator
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.98.8
Recommended Action: Update the WordPress Store Locator plugin to the latest available version (at least 3.98.8).
Plugin: Coming Soon Landing Page and Maintenance Mode WordPress Plugin
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Woo Products Widgets For Elementor
Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: 1.0.8
Recommended Action: Update the WordPress Woo Products Widgets For Elementor plugin to the latest available version (at least 1.0.8).
Plugin: Ajax Load More
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 5.6.0.3
Recommended Action: Update the WordPress Ajax Load More plugin to the latest available version (at least 5.6.0.3).
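Checking a site against a list this long by hand is where mistakes creep in, especially with version strings like 2.35.1.3.0 where a naive string comparison gives the wrong answer. The script below is an added example, not code from the original post or from any of the vendors named in it. It takes the JSON produced by WP-CLI's `wp plugin list --format=json --fields=name,status,version`, compares each installed version against a transcribed subset of the advisories above, and reports which plugins need updating and which have no fix and should be deactivated and deleted. The plugin directory slugs used as keys in `ADVISORIES` are an assumption (the post names plugins by display name, not slug) and should be confirmed against each plugin's wordpress.org URL before use; the sample plugin list is constructed, not captured from a real site.

```python
"""Triage installed WordPress plugins against this week's advisory list.

Added example, not part of the original post. Feed it the output of
`wp plugin list --format=json --fields=name,status,version` (WP-CLI) and it
reports which installed plugins are below the patched version, or have no
patched version at all and should be deactivated and deleted.
"""
import json
import re

# Advisory data transcribed from the list above, keyed by plugin directory slug.
# ASSUMPTION: the slugs are not given in the post; confirm each one against the
# plugin's wordpress.org URL before relying on this table.
# None means no patched version exists.
ADVISORIES = {
    "updraftplus": "1.23.3",
    "popup-maker": "1.18.0",
    "slideshow-gallery": "1.7.7",
    "ecwid-shopping-cart": "6.11.5",
    "slide-anything": None,
    "wp-shortcode": None,
}


def version_tuple(version: str) -> tuple:
    """Turn '2.35.1.3.0' into (2, 35, 1, 3, 0). A segment such as '2beta'
    contributes only its leading digits; a segment with none counts as 0.
    This is deliberately simpler than PHP's version_compare(), which the
    WordPress updater uses, and does not rank pre-release suffixes."""
    parts = []
    for seg in version.strip().split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a comparator. Shorter versions are zero-padded
    so that '1.7' and '1.7.0' compare equal instead of '1.7' sorting lower."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_vulnerable(installed: str, patched) -> bool:
    """An advisory with no fix is always vulnerable; otherwise anything below the fix is."""
    return patched is None or compare_versions(installed, patched) < 0


def triage(plugin_list_json: str, advisories=ADVISORIES) -> list:
    """Map WP-CLI's plugin list onto the advisory table and return one finding
    per affected plugin. Inactive plugins are reported on purpose: their files
    stay on disk and can be reactivated, so they still need updating or removal."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug = plugin["name"]
        if slug not in advisories:
            continue
        patched = advisories[slug]
        if not is_vulnerable(plugin["version"], patched):
            continue
        if patched is None:
            action = "deactivate and delete (no patched version available)"
        else:
            action = f"update to at least {patched}"
        findings.append({
            "plugin": slug,
            "status": plugin.get("status", "unknown"),
            "installed": plugin["version"],
            "patched": patched,
            "action": action,
        })
    return findings


# Constructed sample of `wp plugin list --format=json --fields=name,status,version`
# output; not captured from a real site.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "updraftplus", "status": "active", "version": "1.23.2"},
    {"name": "popup-maker", "status": "active", "version": "1.18.0"},
    {"name": "slideshow-gallery", "status": "inactive", "version": "1.7"},
    {"name": "wp-shortcode", "status": "active", "version": "1.0.1"},
    {"name": "akismet", "status": "active", "version": "5.0.2"},
])

if __name__ == "__main__":
    import sys
    # Pipe real WP-CLI output in; fall back to the constructed sample otherwise.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLUGIN_LIST
    for f in triage(data):
        print(f"{f['plugin']} {f['installed']} ({f['status']}): {f['action']}")
```

Run it on a live site with `wp plugin list --format=json --fields=name,status,version | python3 triage.py`. The zero-padding in `compare_versions` is the detail worth keeping: a plugin reporting 1.7 must not be flagged as below 1.7.0, and 2.35.1.3.0 must rank above 2.35.1, neither of which plain string comparison gets right.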