Watch Out Wednesday – March 29, 2023

This week’s Watch Out Wednesday lists the latest WordPress plugin vulnerabilities, including BuddyPress, LiteSpeed Cache, Owl Carousel, and more. Each entry gives the plugin, the vulnerability class, the first patched version, and the recommended action. Where no patched version exists, updating cannot help: the only mitigation is to deactivate and remove the plugin until the vendor ships a fix.

Plugin: WooCommerce Payments

Vulnerability: Unauthenticated Privilege Escalation Vulnerability
Patched Version: 5.6.2
Recommended Action: Update the WordPress WooCommerce Payments plugin to the latest available version (at least 5.6.2).

Plugin: CBX Currency Converter

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.0.4
Recommended Action: Update the WordPress CBX Currency Converter plugin to the latest available version (at least 3.0.4).

Plugin: TH Variation Swatches

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.8
Recommended Action: Update the WordPress TH Variation Swatches plugin to the latest available version (at least 1.2.8).

Plugin: TH Side Cart and Menu Cart for Woocommerce

Vulnerability: Broken Access Control
Patched Version: 1.1.2
Recommended Action: Update the WordPress TH Side Cart and Menu Cart for Woocommerce plugin to the latest available version (at least 1.1.2).

Plugin: Advance WordPress Search Plugin

Vulnerability: Broken Access Control
Patched Version: 1.1.5
Recommended Action: Update the WordPress TH Advance Product Search plugin to the latest available version (at least 1.1.5).

Plugin: Meta Slider

Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 3.29.1
Recommended Action: Update the WordPress Meta Slider plugin to the latest available version (at least 3.29.1).

Plugin: LiteSpeed Cache

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 5.3.1
Recommended Action: Update the WordPress LiteSpeed Cache plugin to the latest available version (at least 5.3.1).

Plugin: Thank You Page Customizer for WooCommerce – Increase Your Sales

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.0.14
Recommended Action: Update the WordPress Thank You Page Customizer for WooCommerce – Increase Your Sales plugin to the latest available version (at least 1.0.14).

Plugin: Stock Sync for WooCommerce

Vulnerability: Broken Access Control + CSRF
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WooCommerce JazzCash Gateway Plugin

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Export Users Data Distinct

Vulnerability: CSV Injection
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: amr users

Vulnerability: CSV Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Owl Carousel

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: eRoom – Zoom Meetings & Webinar

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: If Menu

Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: I Recommend This

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Wbcom Designs – BuddyPress Activity Social Share

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Product Feed PRO for WooCommerce

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vendor attempted to patch the issue. However, the patch was incomplete. We have notified the vendor, and there’s no reply.

Plugin: Resoto

Vulnerability: Broken Access Control to Arbitrary Plugin Activation
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP Content Pilot – Autoblogging & Affiliate Marketing Plugin

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Product Carousel Slider & Grid Ultimate for WooCommerce

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Worth The Read

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Fuse Social Floating Sidebar

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Download Increase Maximum Upload File Size | Increase Execution Time

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Visibility Logic for Elementor

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.3.4
Recommended Action: Update the WordPress Visibility Logic for Elementor plugin to the latest available version (at least 2.3.4).

Plugin: GS Pins for Pinterest

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Onepage Builder – Easiest Landing Page Builder For WordPress

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Update Image Tag Alt Attribute

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: BuddyPress Builder for Elementor – BuddyBuilder

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.7.2
Recommended Action: Update the WordPress BuddyPress Builder for Elementor – BuddyBuilder plugin to the latest available version (at least 1.7.2).

Plugin: PT Addons for Elementor Lite

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Product Category Slider for WooCommerce

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Elementor Addons, Widgets and Enhancements – Stax

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Post Grid, Slider & Carousel Ultimate

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Bangladeshi Payment Gateways

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Rejected by the vendor.

Plugin: Challan – PDF Invoice & Packing Slip for WooCommerce

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP Mail Logging

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.11.0
Recommended Action: Update the WordPress WP Mail Logging plugin to the latest available version (at least 1.11.0).

Plugin: Exclusive Addons Elementor

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.6.2
Recommended Action: Update the WordPress Exclusive Addons Elementor plugin to the latest available version (at least 2.6.2).

Plugin: Subscribe2

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 10.38
Recommended Action: Update the WordPress Subscribe2 plugin to the latest available version (at least 10.38).

Plugin: WP Dark Mode

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 3.0.5
Recommended Action: Update the WordPress WP Dark Mode – Best Dark Mode & Social Sharing Plugin for WordPress plugin to the latest available version (at least 3.0.5).

Plugin: WP User Frontend

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 3.6.1
Recommended Action: Update the WordPress WP User Frontend plugin to the latest available version (at least 3.6.1).

Plugin: Product Gallery Slider for WooCommerce

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.2.7
Recommended Action: Update the WordPress Product Gallery Slider for WooCommerce plugin to the latest available version (at least 2.2.7).

Plugin: Dashboard Welcome for Elementor

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.0.7
Recommended Action: Update the WordPress Dashboard Welcome for Elementor plugin to the latest available version (at least 1.0.7).

Plugin: WP VR – 360 Panorama and Virtual Tour Builder For WordPress

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 8.2.6
Recommended Action: Update the WordPress WP VR – 360 Panorama and Virtual Tour Builder For WordPress plugin to the latest available version (at least 8.2.6).

Plugin: Woostify Sites Library

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.4.4
Recommended Action: Update the WordPress Woostify Sites Library plugin to the latest available version (at least 1.4.4).

Plugin: W4 Post List

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.4.3
Recommended Action: Update the WordPress W4 Post List plugin to the latest available version (at least 2.4.3).

Plugin: Boostify Header Footer Builder for Elementor

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.9
Recommended Action: Update the WordPress Boostify Header Footer Builder for Elementor plugin to the latest available version (at least 1.2.9).

Plugin: Click to top

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.20
Recommended Action: Update the WordPress Click to top plugin to the latest available version (at least 1.2.20).

Plugin: wePOS – Point Of Sale (POS) for WooCommerce

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.6
Recommended Action: Update the WordPress wePOS – Point Of Sale (POS) for WooCommerce plugin to the latest available version (at least 1.2.6).

Plugin: Gallery Box

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.7.31
Recommended Action: Update the WordPress Gallery Box plugin to the latest available version (at least 1.7.31).

Plugin: Magical Posts Display – Elementor & Gutenberg Posts Blocks

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.16
Recommended Action: Update the WordPress Magical Posts Display – Elementor & Gutenberg Posts Blocks plugin to the latest available version (at least 1.2.16).

Plugin: GS Testimonial Slider

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.9.8
Recommended Action: Update the WordPress GS Testimonial Slider plugin to the latest available version (at least 1.9.8).

Plugin: Webinar and Video Conference with Jitsi Meet

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0.0
Recommended Action: Update the WordPress Webinar and Video Conference with Jitsi Meet plugin to the latest available version (at least 2.0.0).

Plugin: Stylish Cost Calculator

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 7.3.7
Recommended Action: Update the WordPress Stylish Cost Calculator plugin to the latest available version (at least 7.3.7).

Plugin: Dark Mode

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 4.1.3
Recommended Action: Update the WordPress Dark Mode plugin to the latest available version (at least 4.1.3).

Plugin: Wp Edit Password Protected – Create Member/User Only Page & Design Password Protected Form

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.4
Recommended Action: Update the WordPress Wp Edit Password Protected – Create Member/User Only Page & Design Password Protected Form plugin to the latest available version (at least 1.2.4).

Plugin: Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 3.1.4
Recommended Action: Update the WordPress Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD plugin to the latest available version (at least 3.1.4).

Plugin: Sheets To WP Table Live Sync

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.12.15
Recommended Action: Update the WordPress Sheets To WP Table Live Sync plugin to the latest available version (at least 2.12.15).

Plugin: Happy Addons for Elementor

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 3.8.0
Recommended Action: Update the WordPress Happy Addons for Elementor plugin to the latest available version (at least 3.8.0).

Plugin: Wiremo – Product Reviews for WooCommerce

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.4.97
Recommended Action: Update the WordPress Wiremo – Product Reviews for WooCommerce plugin to the latest available version (at least 1.4.97).

Plugin: Responsive Slider by MetaSlider

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.28.1
Recommended Action: Update the WordPress Responsive Slider by MetaSlider plugin to the latest available version (at least 3.28.1).

Plugin: Team Member

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 4.5
Recommended Action: Update the WordPress Team Member – Team with Slider plugin to the latest available version (at least 4.5).

Plugin: Easy Table of Contents

Vulnerability: Broken Access Control vulnerability
Patched Version: 2.0.46
Recommended Action: Update the WordPress Easy Table of Contents plugin to the latest available version (at least 2.0.46).

Plugin: Enhanced Plugin Admin

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.17
Recommended Action: Update the WordPress Enhanced Plugin Admin plugin to the latest available version (at least 1.17).

Plugin: JS Job Manager

Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available.

Plugin: VigilanTor

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Download Weather Station

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Simple Custom Author Profiles

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: User Registration

Vulnerability: Authenticated PHP Object Injection vulnerability
Patched Version: 2.3.3
Recommended Action: Update the WordPress User Registration plugin to the latest available version (at least 2.3.3).

Plugin: Custom Field Template

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: BigContact

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Userlike – WordPress Live Chat plugin

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.3
Recommended Action: Update the WordPress Userlike – WordPress Live Chat plugin to the latest available version (at least 2.3).

Plugin: Lazy Social Comments

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Disqus Conditional Load

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Vertical scroll recent post

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: GamiPress – Youtube integration

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.0.8
Recommended Action: Update the WordPress GamiPress – Youtube integration plugin to the latest available version (at least 1.0.8).

Plugin: Amazon S3

Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 1.6
Recommended Action: Update the WordPress Amazon S3 plugin to the latest available version (at least 1.6).

Plugin: WooCommerce Multiple Customer Addresses & Shipping

Vulnerability: Insecure Direct Object Reference (IDOR) vulnerability
Patched Version: 21.7
Recommended Action: Update the WordPress WooCommerce Multiple Customer Addresses & Shipping plugin to the latest available version (at least 21.7).

Plugin: Google XML Sitemap for Mobile

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Kanban Boards for WordPress

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP Content Filter – Censor All Offensive Content From Your Site

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
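The recommended actions above all reduce to one check: is each installed plugin at or above the patched version, and is anything installed that has no patched version at all? The following script is an added example (it is not part of the FocusWP post) that performs that check over the output of WP-CLI’s `wp plugin list --fields=title,status,version --format=csv`. The advisory table inside it transcribes a handful of the entries from this post; the sample plugin list and its version numbers are constructed for the example. Comparisons are done numerically segment by segment, because a plain string comparison would wrongly treat 1.9 as newer than 1.17 (Enhanced Plugin Admin) or 1.2.20 as older than 1.2.3.

```python
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Advisory table transcribed from this Watch Out Wednesday post.
# Plugin title -> first patched version; None means the post lists no fix.
# Only a subset of the post is included here; extend the dict for a full audit.
ADVISORIES = {
    "WooCommerce Payments": "5.6.2",
    "LiteSpeed Cache": "5.3.1",
    "Meta Slider": "3.29.1",
    "WP Mail Logging": "1.11.0",
    "Enhanced Plugin Admin": "1.17",
    "Click to top": "1.2.20",
    "Stock Sync for WooCommerce": None,
    "Owl Carousel": None,
    "If Menu": None,
}


def parse_version(v: str) -> tuple:
    """Split a dotted version into a tuple of ints so it compares numerically.
    Trailing non-numeric parts (e.g. '1.2.3-beta') are dropped; this covers the
    dotted releases in the post but is not a full PHP version_compare()."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a three-way compare; missing segments count as 0,
    so '5.3' == '5.3.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


@dataclass
class Finding:
    title: str
    installed: str
    status: str           # active/inactive as reported by WP-CLI
    patched: Optional[str]
    action: str


def audit(plugin_csv: str, advisories=ADVISORIES) -> list:
    """Match installed plugins against the advisory table and return findings.
    Inactive plugins are still reported: their files remain on disk and some
    vulnerable endpoints are reachable without the plugin being active."""
    findings = []
    for row in csv.DictReader(io.StringIO(plugin_csv)):
        title = row["title"]
        if title not in advisories:
            continue
        patched = advisories[title]
        if patched is None:
            action = "no fix available: deactivate and remove"
        elif compare_versions(row["version"], patched) < 0:
            action = f"update to at least {patched}"
        else:
            continue  # already at or above the patched version
        findings.append(Finding(title, row["version"], row["status"], patched, action))
    return findings


# Constructed sample in the shape of:
#   wp plugin list --fields=title,status,version --format=csv
SAMPLE_PLUGIN_LIST = """title,status,version
WooCommerce Payments,active,5.6.1
LiteSpeed Cache,active,5.3.1
Enhanced Plugin Admin,inactive,1.9
Click to top,active,1.2.20
Owl Carousel,active,0.5.3
"""


if __name__ == "__main__":
    for f in audit(SAMPLE_PLUGIN_LIST):
        print(f"{f.title} {f.installed} ({f.status}): {f.action}")
```

Run it against real output by piping the WP-CLI command into a file and passing the file contents to `audit()`. Matching is on the plugin title exactly as WP-CLI prints it, which is an assumption of this example; if a vendor renames a plugin, extend the table rather than relaxing the match.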

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
