This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including BuddyPress, LiteSpeed Cache, Owl Carousel, and more!
Plugin: WooCommerce Payments
Vulnerability: Unauthenticated Privilege Escalation Vulnerability
Patched Version: 5.6.2
Recommended Action: Update the WordPress WooCommerce Payments plugin to the latest available version (at least 5.6.2).
Plugin: CBX Currency Converter
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.0.4
Recommended Action: Update the WordPress CBX Currency Converter plugin to the latest available version (at least 3.0.4).
Plugin: TH Variation Swatches
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.8
Recommended Action: Update the WordPress TH Variation Swatches plugin to the latest available version (at least 1.2.8).
Plugin: TH Side Cart and Menu Cart for Woocommerce
Vulnerability: Broken Access Control
Patched Version: 1.1.2
Recommended Action: Update the WordPress TH Side Cart and Menu Cart for Woocommerce plugin to the latest available version (at least 1.1.2).
Plugin: Advance WordPress Search Plugin
Vulnerability: Broken Access Control
Patched Version: 1.1.5
Recommended Action: Update the WordPress TH Advance Product Search plugin to the latest available version (at least 1.1.5).
Plugin: Meta Slider
Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 3.29.1
Recommended Action: Update the WordPress Meta Slider plugin to the latest available version (at least 3.29.1).
Plugin: LiteSpeed Cache
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 5.3.1
Recommended Action: Update the WordPress LiteSpeed Cache plugin to the latest available version (at least 5.3.1).
Plugin: Thank You Page Customizer for WooCommerce – Increase Your Sales
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.0.14
Recommended Action: Update the WordPress Thank You Page Customizer for WooCommerce – Increase Your Sales plugin to the latest available version (at least 1.0.14).
Plugin: Stock Sync for WooCommerce
Vulnerability: Broken Access Control + CSRF
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WooCommerce JazzCash Gateway Plugin
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Export Users Data Distinct
Vulnerability: CSV Injection
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: amr users
Vulnerability: CSV Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Owl Carousel
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: eRoom – Zoom Meetings & Webinar
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: If Menu
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: I Recommend This
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Wbcom Designs – BuddyPress Activity Social Share
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Product Feed PRO for WooCommerce
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vendor attempted to patch the issue. However, the patch was incomplete. We have notified the vendor, and there’s no reply.
Plugin: Resoto
Vulnerability: Broken Access Control to Arbitrary Plugin Activation
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Content Pilot – Autoblogging & Affiliate Marketing Plugin
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Product Carousel Slider & Grid Ultimate for WooCommerce
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Worth The Read
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Fuse Social Floating Sidebar
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Download Increase Maximum Upload File Size | Increase Execution Time
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Visibility Logic for Elementor
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.3.4
Recommended Action: Update the WordPress Visibility Logic for Elementor plugin to the latest available version (at least 2.3.4).
Plugin: GS Pins for Pinterest
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Onepage Builder – Easiest Landing Page Builder For WordPress
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Update Image Tag Alt Attribute
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: BuddyPress Builder for Elementor – BuddyBuilder
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.7.2
Recommended Action: Update the WordPress BuddyPress Builder for Elementor – BuddyBuilder plugin to the latest available version (at least 1.7.2).
Plugin: PT Addons for Elementor Lite
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Product Category Slider for WooCommerce
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Elementor Addons, Widgets and Enhancements – Stax
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Post Grid, Slider & Carousel Ultimate
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Bangladeshi Payment Gateways
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Rejected by the vendor.
Plugin: Challan – PDF Invoice & Packing Slip for WooCommerce
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Mail Logging
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.11.0
Recommended Action: Update the WordPress WP Mail Logging plugin to the latest available version (at least 1.11.0).
Plugin: Exclusive Addons Elementor
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.6.2
Recommended Action: Update the WordPress Exclusive Addons Elementor plugin to the latest available version (at least 2.6.2).
Plugin: Subscribe2
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 10.38
Recommended Action: Update the WordPress Subscribe2 plugin to the latest available version (at least 10.38).
Plugin: WP Dark Mode
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 3.0.5
Recommended Action: Update the WordPress WP Dark Mode – Best Dark Mode & Social Sharing Plugin for WordPress plugin to the latest available version (at least 3.0.5).
Plugin: WP User Frontend
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 3.6.1
Recommended Action: Update the WordPress WP User Frontend plugin to the latest available version (at least 3.6.1).
Plugin: Product Gallery Slider for WooCommerce
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.2.7
Recommended Action: Update the WordPress Product Gallery Slider for WooCommerce plugin to the latest available version (at least 2.2.7).
Plugin: Dashboard Welcome for Elementor
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.0.7
Recommended Action: Update the WordPress Dashboard Welcome for Elementor plugin to the latest available version (at least 1.0.7).
Plugin: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 8.2.6
Recommended Action: Update the WordPress WP VR – 360 Panorama and Virtual Tour Builder For WordPress plugin to the latest available version (at least 8.2.6).
Plugin: Woostify Sites Library
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.4.4
Recommended Action: Update the WordPress Woostify Sites Library plugin to the latest available version (at least 1.4.4).
Plugin: W4 Post List
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.4.3
Recommended Action: Update the WordPress W4 Post List plugin to the latest available version (at least 2.4.3).
Plugin: Boostify Header Footer Builder for Elementor
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.9
Recommended Action: Update the WordPress Boostify Header Footer Builder for Elementor plugin to the latest available version (at least 1.2.9).
Plugin: Click to top
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.20
Recommended Action: Update the WordPress Click to top plugin to the latest available version (at least 1.2.20).
Plugin: wePOS – Point Of Sale (POS) for WooCommerce
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.6
Recommended Action: Update the WordPress wePOS – Point Of Sale (POS) for WooCommerce plugin to the latest available version (at least 1.2.6).
Plugin: Gallery Box
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.7.31
Recommended Action: Update the WordPress Gallery Box plugin to the latest available version (at least 1.7.31).
Plugin: Magical Posts Display – Elementor & Gutenberg Posts Blocks
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.16
Recommended Action: Update the WordPress Magical Posts Display – Elementor & Gutenberg Posts Blocks plugin to the latest available version (at least 1.2.16).
Plugin: GS Testimonial Slider
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.9.8
Recommended Action: Update the WordPress GS Testimonial Slider plugin to the latest available version (at least 1.9.8).
Plugin: Webinar and Video Conference with Jitsi Meet
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0.0
Recommended Action: Update the WordPress Webinar and Video Conference with Jitsi Meet plugin to the latest available version (at least 2.0.0).
Plugin: Stylish Cost Calculator
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 7.3.7
Recommended Action: Update the WordPress Stylish Cost Calculator plugin to the latest available version (at least 7.3.7).
Plugin: Dark Mode
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 4.1.3
Recommended Action: Update the WordPress Dark Mode plugin to the latest available version (at least 4.1.3).
Plugin: Wp Edit Password Protected – Create Member/User Only Page & Design Password Protected Form
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.4
Recommended Action: Update the WordPress Wp Edit Password Protected – Create Member/User Only Page & Design Password Protected Form plugin to the latest available version (at least 1.2.4).
Plugin: Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 3.1.4
Recommended Action: Update the WordPress Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD plugin to the latest available version (at least 3.1.4).
Plugin: Sheets To WP Table Live Sync
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.12.15
Recommended Action: Update the WordPress Sheets To WP Table Live Sync plugin to the latest available version (at least 2.12.15).
Plugin: Happy Addons for Elementor
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 3.8.0
Recommended Action: Update the WordPress Happy Addons for Elementor plugin to the latest available version (at least 3.8.0).
Plugin: Wiremo – Product Reviews for WooCommerce
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.4.97
Recommended Action: Update the WordPress Wiremo – Product Reviews for WooCommerce plugin to the latest available version (at least 1.4.97).
Plugin: Responsive Slider by MetaSlider
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.28.1
Recommended Action: Update the WordPress Responsive Slider by MetaSlider plugin to the latest available version (at least 3.28.1).
Plugin: Team Member
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 4.5
Recommended Action: Update the WordPress Team Member – Team with Slider plugin to the latest available version (at least 4.5).
Plugin: Easy Table of Contents
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.0.46
Recommended Action: Update the WordPress Easy Table of Contents plugin to the latest available version (at least 2.0.46).
Plugin: Enhanced Plugin Admin
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.17
Recommended Action: Update the WordPress Enhanced Plugin Admin plugin to the latest available version (at least 1.17).
Plugin: JS Job Manager
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available.
Plugin: VigilanTor
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Download Weather Station
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Simple Custom Author Profiles
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: User Registration
Vulnerability: Authenticated PHP Object Injection vulnerability
Patched Version: 2.3.3
Recommended Action: Update the WordPress User Registration plugin to the latest available version (at least 2.3.3).
Plugin: Custom Field Template
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: BigContact
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Userlike – WordPress Live Chat plugin
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.3
Recommended Action: Update the WordPress Userlike – WordPress Live Chat plugin plugin to the latest available version (at least 2.3).
Plugin: Lazy Social Comments
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Disqus Conditional Load
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Vertical scroll recent post
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: GamiPress – Youtube integration
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.0.8
Recommended Action: Update the WordPress GamiPress – Youtube integration plugin to the latest available version (at least 1.0.8).
Plugin: Amazon S3
Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 1.6
Recommended Action: Update the WordPress Amazon S3 plugin to the latest available version (at least 1.6).
Plugin: WooCommerce Multiple Customer Addresses & Shipping
Vulnerability: Insecure Direct Object Reference (IDOR) vulnerability
Patched Version: 21.7
Recommended Action: Update the WordPress WooCommerce Multiple Customer Addresses & Shipping plugin to the latest available version (at least 21.7).
Plugin: Google XML Sitemap for Mobile
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Kanban Boards for WordPress
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Content Filter – Censor All Offensive Content From Your Site
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.