This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP Fastest Cache, Loginizer, Elementor Website Builder and more!
Plugin: Get Your Number
Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WPCS
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.2.0
Recommended Action: Update the WordPress WPCS plugin to the latest available version (at least 1.2.0).
Plugin: WPCS
Vulnerability: Multiple Missing Authorization vulnerability
Patched Version: 1.2.0
Recommended Action: Update the WordPress WPCS plugin to the latest available version (at least 1.2.0).
Plugin: Seo By 10Web
Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 1.2.7
Recommended Action: Update the WordPress Seo By 10Web plugin to the latest available version (at least 1.2.7).
Plugin: Download Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.2.71
Recommended Action: Update the WordPress Download Manager plugin to the latest available version (at least 3.2.71).
Plugin: AP Pricing Tables Lite
Vulnerability: Admin+ SQLi vulnerability
Patched Version: None
Recommended Action: Deactivate the plugin. This plugin has been closed as of March 28, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Cross-Site Request Forgery to SQL Injection vulnerability
Patched Version: 4.1.5
Recommended Action: Update the WordPress Active Directory Integration / LDAP Integration plugin to the latest available version (at least 4.1.5).
Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Authenticated (Administrator+) SQL Injection vulnerability
Patched Version: 4.1.5
Recommended Action: Update the WordPress Active Directory Integration / LDAP Integration plugin to the latest available version (at least 4.1.5).
Plugin: Booking Ultra Pro
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: CALL ME NOW
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Donations Made Easy – Smart Donations
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Featured Image Pro Post Grid
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 5.15
Recommended Action: Update the WordPress Featured Image Pro Post Grid plugin to the latest available version (at least 5.15).
Plugin: GS Pins for Pinterest
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.6.8
Recommended Action: Update the WordPress GS Pins for Pinterest plugin to the latest available version (at least 1.6.8).
Plugin: Community by PeepSo
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 6.1.0.0
Recommended Action: Update the WordPress Community by PeepSo plugin to the latest available version (at least 6.1.0.0).
Plugin: Product page shipping calculator for WooCommerce
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.3.26
Recommended Action: Update the WordPress Product page shipping calculator for WooCommerce plugin to the latest available version (at least 1.3.26).
Plugin: WP Register Profile With Shortcode
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: itemprop WP for SERP/SEO Rich snippets
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Button
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: iframe popup
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Hyphenator
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: weebotLite
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Elementor Website Builder
Vulnerability: Missing Authorization to Settings Update vulnerability
Patched Version: 3.13.2
Recommended Action: Update the WordPress Elementor Website Builder plugin to the latest available version (at least 3.13.2).
Plugin: Sunny Search
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Sunny Search
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Post State Tags
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Quick Page/Post Redirect
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Easy Hide Login
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.0.9
Recommended Action: Update the WordPress Easy Hide Login plugin to the latest available version (at least 1.0.9).
Plugin: BuddyForms
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.8.2
Recommended Action: Update the WordPress BuddyForms plugin to the latest available version (at least 2.8.2).
Plugin: DBargain
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP All Backup
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Column-Matic
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: LetterPress
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: eBecas
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: NotifyVisitors
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WordPress Announcement & Notification Banner Plugin – Bulletin
Vulnerability: Missing Authorization Checks vulnerability
Patched Version: 3.7.0
Recommended Action: Update the WordPress WordPress Announcement & Notification Banner Plugin – Bulletin plugin to the latest available version (at least 3.7.0).
Plugin: WordPress Announcement & Notification Banner Plugin – Bulletin
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 3.7.1
Recommended Action: Update the WordPress WordPress Announcement & Notification Banner Plugin – Bulletin plugin to the latest available version (at least 3.7.1).
Plugin: Don8
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Dyslexiefont Free
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Reactions Lite
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.3.9
Recommended Action: Update the WordPress WP Reactions Lite plugin to the latest available version (at least 1.3.9).
Plugin: WP-Chatbot for Messenger
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Soundcloud Is Gold
Vulnerability: Broken Access Control
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WoodMart
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Vulnerability: Broken Access Control vulnerability
Patched Version: 7.2.2
Recommended Action: Update the WordPress WoodMart theme to the latest available version (at least 7.2.2).
Plugin: Woodmart Core
Vulnerability: PHP Object Injection
Vulnerability: Privilege Escalation
Patched Version: 1.0.37
Recommended Action: Update the WordPress Woodmart Core plugin to the latest available version (at least 1.0.37).
Plugin: Forget About Shortcode Buttons
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.1.3
Recommended Action: Update the WordPress Forget About Shortcode Buttons plugin to the latest available version (at least 2.1.3).
Plugin: Portfolio Gallery – Responsive Image Gallery
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Category Post List Widget
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Add Posts to Pages
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Owl Carousel
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Pinterest RSS Widget
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: DevBuddy Twitter Feed
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Slimstat Analytics
Vulnerability: SQL Injection (SQLi) vulnerability
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 5.0.5
Recommended Action: Update the WordPress Slimstat Analytics plugin to the latest available version (at least 5.0.5).
Plugin: Bookly
Vulnerability: Authenticated Arbitrary File Deletion vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: PPOM for WooCommerce
Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 32.0.7
Recommended Action: Update the WordPress Product Addons & Fields for WooCommerce plugin to the latest available version (at least 32.0.7).
Plugin: Locatoraid Store Locator
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.9.19
Recommended Action: Update the WordPress Locatoraid Store Locator plugin to the latest available version (at least 3.9.19).
Plugin: Add to Feedly
Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Custom 404 Pro
Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 3.7.3
Recommended Action: Update the WordPress Custom 404 Pro plugin to the latest available version (at least 3.7.3).
Plugin: Login Rebuilder
Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 2.8.1
Recommended Action: Update the WordPress Login Rebuilder plugin to the latest available version (at least 2.8.1).
Plugin: Newsletter Popup
Vulnerability: Unauthenticated Stored XSS vulnerability
Vulnerability: Record Deletion via CSRF vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP Fastest Cache
Vulnerability: Blind SSRF via CSRF vulnerability
Patched Version: 1.1.5
Recommended Action: Update the WordPress WP Fastest Cache plugin to the latest available version (at least 1.1.5).
Plugin: Loginizer
Vulnerability: Reflected XSS vulnerability
Patched Version: 1.7.9
Recommended Action: Update the WordPress Loginizer plugin to the latest available version (at least 1.7.9).
Plugin: AnyWhere Elementor
Vulnerability: Freemius API Key Disclosure vulnerability
Patched Version: 1.2.8
Recommended Action: Update the WordPress AnyWhere Elementor plugin to the latest available version (at least 1.2.8).
Plugin: Injection Guard
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.2.2
Recommended Action: Update the WordPress Injection Guard plugin to the latest available version (at least 1.2.2).
Plugin: Essential Addons for Elementor
Vulnerability: Unauthenticated Privilege Escalation vulnerability
Patched Version: 5.7.2
Recommended Action: Update the WordPress Essential Addons for Elementor plugin to the latest available version (at least 5.7.2).
Plugin: Custom Base Terms
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘base’ vulnerability
Patched Version: 1.0.3
Recommended Action: Update the WordPress Custom Base Terms plugin to the latest available version (at least 1.0.3).
Plugin: 10Web Social Post Feed
Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 1.2.9
Recommended Action: Update the WordPress 10Web Social Post Feed plugin to the latest available version (at least 1.2.9).
Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
Vulnerability: Reflected Cross-Site Scripting via ‘lang’ vulnerability
Patched Version: 3.1.61
Recommended Action: Update the WordPress Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue plugin to the latest available version (at least 3.1.61).
Plugin: WP Replicate Post
Vulnerability: Authenticated (Contributor+) SQL Injection vulnerability
Patched Version: 4.1
Recommended Action: Update the WordPress WP Replicate Post plugin to the latest available version (at least 4.1).
Plugin: WCP Contact Form
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WCP Contact Form
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Chinese Conversion
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: MailChimp Subscribe Forms
Vulnerability: Open Redirection vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Download Monitor
Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: 4.7.70
Recommended Action: Update the WordPress Download Monitor plugin to the latest available version (at least 4.7.70).
Plugin: Google Analytics by Monster Insights
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 8.14.1
Recommended Action: Update the WordPress Google Analytics by Monster Insights plugin to the latest available version (at least 8.14.1).
Plugin: YITH WooCommerce Gift Cards Premium
Vulnerability: Unauth. Gift Card Creation Leading to Stored XSS vulnerability
Patched Version: 3.24.0
Recommended Action: Update the WordPress YITH WooCommerce Gift Cards Premium plugin to the latest available version (at least 3.24.0).
Plugin: Custom Field Suite
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.6.3
Recommended Action: Update the WordPress Custom Field Suite plugin to the latest available version (at least 2.6.3).
Plugin: Restaurant Menu – Food Ordering System – Table Reservation
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.3.7
Recommended Action: Update the WordPress Restaurant Menu – Food Ordering System – Table Reservation plugin to the latest available version (at least 2.3.7).
Plugin: QuBotChat
Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 1.1.6
Recommended Action: Update the WordPress QuBotChat plugin to the latest available version (at least 1.1.6).
Plugin: My WP Customize Admin/Frontend
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings vulnerability
Patched Version: 1.21.1
Recommended Action: Update the WordPress My WP Customize Admin/Frontend plugin to the latest available version (at least 1.21.1).
Plugin: Team Circle Image Slider With Lightbox
Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 1.0.18
Recommended Action: Update the WordPress Team Circle Image Slider With Lightbox plugin to the latest available version (at least 1.0.18).
Plugin: Google Site Verification plugin using Meta Tag
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.