This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP Clean Up, Yoast SEO, GTmetrix for WordPress, and more!
Plugin: Ever Compare
Vulnerability: Arbitrary Plugin Activation via CSRF vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: HT Portfolio
Vulnerability: Arbitrary Plugin Activation via CSRF vulnerability
Patched Version: 1.1.6
Recommended Action: Update the WordPress HT Portfolio plugin to the latest available version (at least 1.1.6).
Plugin: Smart Slider 3
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 3.5.1.14
Recommended Action: Update the WordPress Smart Slider 3 plugin to the latest available version (at least 3.5.1.14).
Plugin: Shortcodes Ultimate
Vulnerability: Subscriber+ User Meta Disclosure vulnerability
Patched Version: 5.12.8
Recommended Action: Update the WordPress Shortcodes Ultimate plugin to the latest available version (at least 5.12.8).
Plugin: HT Slider For Elementor
Vulnerability: Arbitrary Plugin Activation via CSRF vulnerability
Patched Version: 1.4.0
Recommended Action: Update the WordPress HT Slider For Elementor plugin to the latest available version (at least 1.4.0).
Plugin: Watu Quiz
Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 3.3.9.1
Recommended Action: Update the WordPress Watu Quiz plugin to the latest available version (at least 3.3.9.1).
Plugin: menu shortcode
Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Big Store
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.9.4
Recommended Action: Update the WordPress Big Store theme to the latest available version (at least 1.9.4).
Plugin: Jetpack CRM
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 5.5.0
Recommended Action: Update the WordPress Jetpack CRM plugin to the latest available version (at least 5.5.0).
Plugin: Event Espresso 4 Decaf
Vulnerability: Bypass vulnerability
Patched Version: 4.10.45.decaf
Recommended Action: Update the WordPress Event Espresso 4 Decaf plugin to the latest available version (at least 4.10.45.decaf).
Plugin: DecaLog
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.7.1
Recommended Action: Update the WordPress DecaLog plugin to the latest available version (at least 3.7.1).
Plugin: Wpopal Core Features
Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: AMO for WP – Membership Management
Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed.
Plugin: WooVirtualWallet – A virtual wallet for WooCommerce
Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed.
Plugin: WooVIP – Membership plugin for WordPress and WooCommerce
Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed.
Plugin: WooSupply – Suppliers, Supply Orders and Stock Management
Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed.
Plugin: Theme Minifier
Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed.
Plugin: Styles
Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WordPress Page Builder – Qards
Vulnerability: Server Side Request Forgery (SSRF) (affects versions <= 1.0.5)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed.
Plugin: PHPFreeChat
Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Custom Login Admin Front-end CSS
Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: 1.5
Recommended Action: Update the WordPress Custom Login Admin Front-end CSS plugin to the latest available version (at least 1.5).
Plugin: CSS Adder By Agence-Press
Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Confirm Data
Vulnerability: Unauth. Server-Side Request Forgery (SSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: AMP Toolbox
Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Admin CSS MU
Vulnerability: Server-Side Request Forgery (SSRF) vulnerability
Patched Version: 2.7
Recommended Action: Update the WordPress Admin CSS MU plugin to the latest available version (at least 2.7).
Plugin: Types
Vulnerability: Authenticated Arbitrary File Upload Vulnerability
Patched Version: 3.4.18
Recommended Action: Update the WordPress Types plugin to the latest available version (at least 3.4.18).
Plugin: YITH WooCommerce Product Slider Carousel
Vulnerability: Cross-Site Request Forgery (CSRF)
Patched Version: 1.16.1
Recommended Action: Update the WordPress YITH WooCommerce Product Slider Carousel plugin to the latest available version (at least 1.16.1).
Plugin: FareHarbor for WordPress
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Manage Upload Limit
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 24, 2023).
Plugin: Elegant Custom Fonts
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 14, 2023).
Plugin: WP Translitera
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 10, 2023).
Plugin: WP Clean Up
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 6, 2023).
Plugin: Classic Editor and Classic Widgets
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 13, 2023).
Plugin: New Adman
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 9, 2023).
Plugin: New Adman
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 9, 2023).
Plugin: CPO Content Types
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 8, 2023).
Plugin: Leyka
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 9, 2023).
Plugin: Leyka
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 9, 2023).
Plugin: Blog Floating Button
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Resize at Upload Plus
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 7, 2023).
Plugin: About Me 3000 widget
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 7, 2023).
Plugin: Yet Another Stars Rating
Vulnerability: XSS & Arbitrary Shortcode Execution Vulnerability
Patched Version: 3.1.3
Recommended Action: Update the WordPress Yet Another Stars Rating plugin to the latest available version (at least 3.1.3).
Plugin: Total Poll Lite
Vulnerability: Broken Access Control vulnerability
Patched Version: 4.8.7
Recommended Action: Update the WordPress Total Poll Lite plugin to the latest available version (at least 4.8.7).
Plugin: Custom Content Shortcode
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Custom Content Shortcode
Vulnerability: Contributor+ LFI vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: GoToWP
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: 10Web Map Builder for Google Maps
Vulnerability: Unauthenticated SQLi vulnerability
Patched Version: 1.0.73
Recommended Action: Update the WordPress 10Web Map Builder for Google Maps plugin to the latest available version (at least 1.0.73).
Plugin: FluentSMTP
Vulnerability: Stored XSS via Email Logs vulnerability
Patched Version: 2.2.3
Recommended Action: Update the WordPress FluentSMTP plugin to the latest available version (at least 2.2.3).
Plugin: Namaste! LMS
Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 2.6
Recommended Action: Update the WordPress Namaste! LMS plugin to the latest available version (at least 2.6).
Plugin: Auto Featured Image (Auto Post Thumbnail)
Vulnerability: Author+ Arbitrary File Upload vulnerability
Patched Version: 3.9.16
Recommended Action: Update the WordPress Auto Featured Image (Auto Post Thumbnail) plugin to the latest available version (at least 3.9.16).
Plugin: OptinMonster
Vulnerability: Subscriber+ Arbitrary Post Content Disclosure vulnerability
Patched Version: 2.12.2
Recommended Action: Update the WordPress OptinMonster plugin to the latest available version (at least 2.12.2).
Plugin: Download Attachments
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Advanced Recent Posts
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: UpQode Google Maps
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Resume Builder
Vulnerability: Subscriber+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 11, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Synved Shortcodes
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 5, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: i2 Pros & Cons
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 5, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Product GTIN (EAN, UPC, ISBN) for WooCommerce
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 5, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WPaudio MP3 Player
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of January 5, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WPCode
Vulnerability: Contributor+ WPCode Library Auth Key Update/Deletion vulnerability
Patched Version: 2.0.7
Recommended Action: Update the WordPress WPCode plugin to the latest available version (at least 2.0.7).
Plugin: Yoast SEO
Vulnerability: Authenticated (Contributor+) DOM-Based Cross-Site Scripting vulnerability
Patched Version: 20.2.1
Recommended Action: Update the WordPress Yoast SEO plugin to the latest available version (at least 20.2.1).
Plugin: Metform Elementor Contact Form Builder
Vulnerability: reCaptcha Protection Bypass vulnerability
Patched Version: 3.2.2
Recommended Action: Update the WordPress Metform Elementor Contact Form Builder plugin to the latest available version (at least 3.2.2).
Plugin: real.Kit
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: 5.1.1
Recommended Action: Update the WordPress real.Kit plugin to the latest available version (at least 5.1.1).
Plugin: React Webcam
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Saan World Clock
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: WPB Advanced FAQ
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Video Background
Vulnerability: Contributor+ Stored XSS via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Smart Logo Showcase Lite
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: OAuth Server
Vulnerability: Subscriber+ Arbitrary Client Deletion vulnerability
Patched Version: 4.3.0
Recommended Action: Update the WordPress OAuth Server plugin to the latest available version (at least 4.3.0).
Plugin: Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.1.6
Recommended Action: Update the WordPress Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD plugin to the latest available version (at least 3.1.6).
Plugin: clickfunnels
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: No patched version available.
Plugin: Easy Testimonial Slider and Form
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.0.16
Recommended Action: Update the WordPress Easy Testimonial Slider and Form plugin to the latest available version (at least 1.0.16).
Plugin: Instant Images
Vulnerability: Auth. Server-Side Request Forgery (SSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The vendor attempted to fix it, but the patch was incomplete; we have notified the vendor, but still no fully patched version is available.
Plugin: Sales Report Email for WooCommerce
Vulnerability: Auth. Test Email Submission vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Simple CSV/XLS Exporter
Vulnerability: Authenticated CSV Injection Vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Simple Vimeo Shortcode
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to the WordPress plugins team (on Feb 23, 2023).
Plugin: DeepL Pro API translation
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.1.5
Recommended Action: Update the WordPress DeepL Pro API translation plugin to the latest available version (at least 2.1.5).
Plugin: WP SMS
Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: 6.0.4.1
Recommended Action: Update the WordPress WP SMS plugin to the latest available version (at least 6.0.4.1).
Plugin: Rife Elementor Extensions & Templates
Vulnerability: Broken Access Control
Patched Version: 1.2.0
Recommended Action: Update the WordPress Rife Elementor Extensions & Templates plugin to the latest available version (at least 1.2.0).
Plugin: Cookie Notice & Compliance for GDPR / CCPA
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.4.7
Recommended Action: Update the WordPress Cookie Notice & Compliance for GDPR / CCPA plugin to the latest available version (at least 2.4.7).
Plugin: GTmetrix for WordPress
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 0.4.6
Recommended Action: Update the WordPress GTmetrix for WordPress plugin to the latest available version (at least 0.4.6).
Plugin: JCH Optimize
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.2.3
Recommended Action: Update the WordPress JCH Optimize plugin to the latest available version (at least 3.2.3).
Plugin: LWS Tools
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.4
Recommended Action: Update the WordPress LWS Tools plugin to the latest available version (at least 2.4).
Plugin: Add Expires Headers & Optimized Minify
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.7.1
Recommended Action: Update the WordPress Add Expires Headers & Optimized Minify plugin to the latest available version (at least 2.7.1).
Plugin: Dokan
Vulnerability: Authenticated SQL Injection vulnerability
Patched Version: 3.7.13
Recommended Action: Update the WordPress Dokan plugin to the latest available version (at least 3.7.13).
Plugin: WpStream – Live Streaming, Video on Demand, Pay Per View
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 4.4.10.6
Recommended Action: Update the WordPress WpStream – Live Streaming, Video on Demand, Pay Per View plugin to the latest available version (at least 4.4.10.6).
Plugin: Button Generator – easily Button Builder
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.3.4
Recommended Action: Update the WordPress Button Generator – easily Button Builder plugin to the latest available version (at least 2.3.4).
Plugin: WP SMS
Vulnerability: Authenticated Stored Cross-Site Scripting vulnerability
Patched Version: 5.4.13
Recommended Action: Update the WordPress WP SMS plugin to the latest available version (at least 5.4.13).
Plugin: When Last Login
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.2
Recommended Action: Update the WordPress When Last Login plugin to the latest available version (at least 1.2.2).
Plugin: WP Plugin Manager
Vulnerability: Arbitrary Plugin Activation via CSRF vulnerability
Patched Version: 1.1.8
Recommended Action: Update the WordPress WP Plugin Manager plugin to the latest available version (at least 1.1.8).
Plugin: ProfileGrid
Vulnerability: Subscriber+ Arbitrary Password Reset vulnerability
Patched Version: 5.3.1
Recommended Action: Update the WordPress ProfileGrid plugin to the latest available version (at least 5.3.1).
Plugin: Simple File List
Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 6.0.10
Recommended Action: Update the WordPress Simple File List plugin to the latest available version (at least 6.0.10).
Plugin: WC Sales Notification
Vulnerability: Arbitrary Plugin Activation via CSRF vulnerability
Patched Version: 1.2.3
Recommended Action: Update the WordPress WC Sales Notification plugin to the latest available version (at least 1.2.3).
Plugin: Preview Link Generator
Vulnerability: Arbitrary Plugin Activation via CSRF vulnerability
Patched Version: 1.0.4
Recommended Action: Update the WordPress Preview Link Generator plugin to the latest available version (at least 1.0.4).
Plugin: Real Estate 7
Vulnerability: Cross-Site Request Forgery vulnerability
Vulnerability: Reflected Cross-Site Scripting via ct_additional_features vulnerability
Patched Version: 3.3.5
Recommended Action: Update the WordPress Real Estate 7 theme to the latest available version (at least 3.3.5).
Plugin: Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery
Vulnerability: Missing Authorization in pgc_sgb_add_dashboard_widget vulnerability
Patched Version: 3.0.8
Recommended Action: Update the WordPress Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin to the latest available version (at least 3.0.8).
Plugin: CP Contact Form with Paypal
Vulnerability: Missing Authorization Leading To Feedback Submission vulnerability
Patched Version: 1.3.35
Recommended Action: Update the WordPress CP Contact Form with Paypal plugin to the latest available version (at least 1.3.35).