Watch Out Wednesday – March 8, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP Clean Up, Yoast SEO, GTmetrix for WordPress, and more!

Plugin: Ever Compare

Vulnerability: Arbitrary Plugin Activation via CSRF vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: HT Portfolio

Vulnerability: Arbitrary Plugin Activation via CSRF vulnerability
Patched Version: 1.1.6
Recommended Action: Update the WordPress HT Portfolio plugin to the latest available version (at least 1.1.6).

Plugin: Smart Slider 3

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 3.5.1.14
Recommended Action: Update the WordPress Smart Slider 3 plugin to the latest available version (at least 3.5.1.14).

Plugin: Shortcodes Ultimate

Vulnerability: Subscriber+ User Meta Disclosure vulnerability
Patched Version: 5.12.8
Recommended Action: Update the WordPress Shortcodes Ultimate plugin to the latest available version (at least 5.12.8).

Plugin: HT Slider For Elementor

Vulnerability: Arbitrary Plugin Activation via CSRF vulnerability
Patched Version: 1.4.0
Recommended Action: Update the WordPress HT Slider For Elementor plugin to the latest available version (at least 1.4.0).

Plugin: Watu Quiz

Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 3.3.9.1
Recommended Action: Update the WordPress Watu Quiz plugin to the latest available version (at least 3.3.9.1).

Plugin: menu shortcode

Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.

Theme: Big Store

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.9.4
Recommended Action: Update the WordPress Big Store theme to the latest available version (at least 1.9.4).

Plugin: Jetpack CRM

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 5.5.0
Recommended Action: Update the WordPress Jetpack CRM plugin to the latest available version (at least 5.5.0).

Plugin: Event Espresso 4 Decaf

Vulnerability: Bypass vulnerability
Patched Version: 4.10.45.decaf
Recommended Action: Update the WordPress Event Espresso 4 Decaf plugin to the latest available version (at least 4.10.45.decaf).

Plugin: DecaLog

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.7.1
Recommended Action: Update the WordPress DecaLog plugin to the latest available version (at least 3.7.1).

Plugin: Wpopal Core Features

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: AMO for WP – Membership Management

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed.

Plugin: WooVirtualWallet – A virtual wallet for WooCommerce

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed.

Plugin: WooVIP – Membership plugin for WordPress and WooCommerce

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed.

Plugin: WooSupply – Suppliers, Supply Orders and Stock Management

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed.

Plugin: Theme Minifier

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed.

Plugin: Styles

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WordPress Page Builder – Qards

Vulnerability: Server Side Request Forgery (SSRF) (affects versions <= 1.0.5)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed.

Plugin: PHPFreeChat

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Custom Login Admin Front-end CSS

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: 1.5
Recommended Action: Update the WordPress Custom Login Admin Front-end CSS plugin to the latest available version (at least 1.5).

Plugin: CSS Adder By Agence-Press

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Confirm Data

Vulnerability: Unauth. Server-Side Request Forgery (SSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: AMP Toolbox

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Admin CSS MU

Vulnerability: Server-Side Request Forgery (SSRF) vulnerability
Patched Version: 2.7
Recommended Action: Update the WordPress Admin CSS MU plugin to the latest available version (at least 2.7).

Plugin: Types

Vulnerability: Authenticated Arbitrary File Upload Vulnerability
Patched Version: 3.4.18
Recommended Action: Update the WordPress Types plugin to the latest available version (at least 3.4.18).

Plugin: YITH WooCommerce Product Slider Carousel

Vulnerability: Cross-Site Request Forgery (CSRF)
Patched Version: 1.16.1
Recommended Action: Update the WordPress YITH WooCommerce Product Slider Carousel plugin to the latest available version (at least 1.16.1).

Plugin: FareHarbor for WordPress

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Manage Upload Limit

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 24, 2023).

Plugin: Elegant Custom Fonts

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 14, 2023).

Plugin: WP Translitera

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 10, 2023).

Plugin: WP Clean Up

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 6, 2023).

Plugin: Classic Editor and Classic Widgets

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 13, 2023).

Plugin: New Adman

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 9, 2023).

Plugin: New Adman

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 9, 2023).

Plugin: CPO Content Types

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 8, 2023).

Plugin: Leyka

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 9, 2023).

Plugin: Leyka

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 9, 2023).

Plugin: Blog Floating Button

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Resize at Upload Plus

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 7, 2023).

Plugin: About Me 3000 widget

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 7, 2023).

Plugin: Yet Another Stars Rating

Vulnerability: XSS & Arbitrary Shortcode Execution Vulnerability
Patched Version: 3.1.3
Recommended Action: Update the WordPress Yet Another Stars Rating plugin to the latest available version (at least 3.1.3).

Plugin: Total Poll Lite

Vulnerability: Broken Access Control vulnerability
Patched Version: 4.8.7
Recommended Action: Update the WordPress Total Poll Lite plugin to the latest available version (at least 4.8.7).

Plugin: Custom Content Shortcode

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Custom Content Shortcode

Vulnerability: Contributor+ LFI vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: GoToWP

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: 10Web Map Builder for Google Maps

Vulnerability: Unauthenticated SQLi vulnerability
Patched Version: 1.0.73
Recommended Action: Update the WordPress 10Web Map Builder for Google Maps plugin to the latest available version (at least 1.0.73).

Plugin: FluentSMTP

Vulnerability: Stored XSS via Email Logs vulnerability
Patched Version: 2.2.3
Recommended Action: Update the WordPress FluentSMTP plugin to the latest available version (at least 2.2.3).

Plugin: Namaste! LMS

Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 2.6
Recommended Action: Update the WordPress Namaste! LMS plugin to the latest available version (at least 2.6).

Plugin: Auto Featured Image (Auto Post Thumbnail)

Vulnerability: Author+ Arbitrary File Upload vulnerability
Patched Version: 3.9.16
Recommended Action: Update the WordPress Auto Featured Image (Auto Post Thumbnail) plugin to the latest available version (at least 3.9.16).

Plugin: OptinMonster

Vulnerability: Subscriber+ Arbitrary Post Content Disclosure vulnerability
Patched Version: 2.12.2
Recommended Action: Update the WordPress OptinMonster plugin to the latest available version (at least 2.12.2).

Plugin: Download Attachments

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Advanced Recent Posts

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: UpQode Google Maps

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Resume Builder

Vulnerability: Subscriber+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Synved Shortcodes

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 5, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: i2 Pros & Cons

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 5, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Product GTIN (EAN, UPC, ISBN) for WooCommerce

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 5, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: WPaudio MP3 Player

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 5, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: WPCode

Vulnerability: Contributor+ WPCode Library Auth Key Update/Deletion vulnerability
Patched Version: 2.0.7
Recommended Action: Update the WordPress WPCode plugin to the latest available version (at least 2.0.7).

Plugin: Yoast SEO

Vulnerability: Authenticated (Contributor+) DOM-Based Cross-Site Scripting vulnerability
Patched Version: 20.2.1
Recommended Action: Update the WordPress Yoast SEO plugin to the latest available version (at least 20.2.1).

Plugin: Metform Elementor Contact Form Builder

Vulnerability: reCaptcha Protection Bypass vulnerability
Patched Version: 3.2.2
Recommended Action: Update the WordPress Metform Elementor Contact Form Builder plugin to the latest available version (at least 3.2.2).

Plugin: real.Kit

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 5.1.1
Recommended Action: Update the WordPress real.Kit plugin to the latest available version (at least 5.1.1).

Plugin: React Webcam

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Saan World Clock

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: WPB Advanced FAQ

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Video Background

Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Smart Logo Showcase Lite

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: OAuth Server

Vulnerability: Subscriber+ Arbitrary Client Deletion vulnerability
Patched Version: 4.3.0
Recommended Action: Update the WordPress OAuth Server plugin to the latest available version (at least 4.3.0).

Plugin: Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.1.6
Recommended Action: Update the WordPress Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD plugin to the latest available version (at least 3.1.6).

Plugin: clickfunnels

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version available.

Plugin: Easy Testimonial Slider and Form

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.0.16
Recommended Action: Update the WordPress Easy Testimonial Slider and Form plugin to the latest available version (at least 1.0.16).

Plugin: Instant Images

Vulnerability: Auth. Server-Side Request Forgery (SSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vendor attempted a fix, but the patch was incomplete; we have notified the vendor, and no fully patched version is available yet.

Plugin: Sales Report Email for WooCommerce

Vulnerability: Auth. Test Email Submission vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Simple CSV/XLS Exporter

Vulnerability: Authenticated CSV Injection Vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Simple Vimeo Shortcode

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 23, 2023).

Plugin: DeepL Pro API translation

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.1.5
Recommended Action: Update the WordPress DeepL Pro API translation plugin to the latest available version (at least 2.1.5).

Plugin: WP SMS

Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: 6.0.4.1
Recommended Action: Update the WordPress WP SMS plugin to the latest available version (at least 6.0.4.1).

Plugin: Rife Elementor Extensions & Templates

Vulnerability: Broken Access Control
Patched Version: 1.2.0
Recommended Action: Update the WordPress Rife Elementor Extensions & Templates plugin to the latest available version (at least 1.2.0).

Plugin: Cookie Notice & Compliance for GDPR / CCPA

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.4.7
Recommended Action: Update the WordPress Cookie Notice & Compliance for GDPR / CCPA plugin to the latest available version (at least 2.4.7).

Plugin: GTmetrix for WordPress

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 0.4.6
Recommended Action: Update the WordPress GTmetrix for WordPress plugin to the latest available version (at least 0.4.6).

Plugin: JCH Optimize

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.2.3
Recommended Action: Update the WordPress JCH Optimize plugin to the latest available version (at least 3.2.3).

Plugin: LWS Tools

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.4
Recommended Action: Update the WordPress LWS Tools plugin to the latest available version (at least 2.4).

Plugin: Add Expires Headers & Optimized Minify

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.7.1
Recommended Action: Update the WordPress Add Expires Headers & Optimized Minify plugin to the latest available version (at least 2.7.1).

Plugin: Dokan

Vulnerability: Authenticated SQL Injection vulnerability
Patched Version: 3.7.13
Recommended Action: Update the WordPress Dokan plugin to the latest available version (at least 3.7.13).

Plugin: WpStream – Live Streaming, Video on Demand, Pay Per View

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 4.4.10.6
Recommended Action: Update the WordPress WpStream – Live Streaming, Video on Demand, Pay Per View plugin to the latest available version (at least 4.4.10.6).

Plugin: Button Generator – easily Button Builder

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.3.4
Recommended Action: Update the WordPress Button Generator – easily Button Builder plugin to the latest available version (at least 2.3.4).

Plugin: WP SMS

Vulnerability: Authenticated Stored Cross-Site Scripting vulnerability
Patched Version: 5.4.13
Recommended Action: Update the WordPress WP SMS plugin to the latest available version (at least 5.4.13).

Plugin: When Last Login

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.2
Recommended Action: Update the WordPress When Last Login plugin to the latest available version (at least 1.2.2).

Plugin: WP Plugin Manager

Vulnerability: Arbitrary Plugin Activation via CSRF vulnerability
Patched Version: 1.1.8
Recommended Action: Update the WordPress WP Plugin Manager plugin to the latest available version (at least 1.1.8).

Plugin: ProfileGrid

Vulnerability: Subscriber+ Arbitrary Password Reset vulnerability
Patched Version: 5.3.1
Recommended Action: Update the WordPress ProfileGrid plugin to the latest available version (at least 5.3.1).

Plugin: Simple File List

Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 6.0.10
Recommended Action: Update the WordPress Simple File List plugin to the latest available version (at least 6.0.10).

Plugin: WC Sales Notification

Vulnerability: Arbitrary Plugin Activation via CSRF vulnerability
Patched Version: 1.2.3
Recommended Action: Update the WordPress WC Sales Notification plugin to the latest available version (at least 1.2.3).

Plugin: Preview Link Generator

Vulnerability: Arbitrary Plugin Activation via CSRF vulnerability
Patched Version: 1.0.4
Recommended Action: Update the WordPress Preview Link Generator plugin to the latest available version (at least 1.0.4).

Theme: Real Estate 7

Vulnerability: Cross-Site Request Forgery vulnerability
Vulnerability: Reflected Cross-Site Scripting via ct_additional_features vulnerability
Patched Version: 3.3.5
Recommended Action: Update the WordPress Real Estate 7 theme to the latest available version (at least 3.3.5).

Plugin: Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery

Vulnerability: Missing Authorization in pgc_sgb_add_dashboard_widget vulnerability
Patched Version: 3.0.8
Recommended Action: Update the WordPress Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin to the latest available version (at least 3.0.8).

Plugin: CP Contact Form with Paypal

Vulnerability: Missing Authorization Leading To Feedback Submission vulnerability
Patched Version: 1.3.35
Recommended Action: Update the WordPress CP Contact Form with Paypal plugin to the latest available version (at least 1.3.35).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
