Watch Out Wednesday – May 18, 2022

This Week's Watch Out Wednesday shows the latest WordPress vulnerabilities including Code Snippets, iQ Block Country, User Meta and more!

by | Jun 18, 2022 | WoW Archive


Plugin: Code Snippets
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. We were unable to contact the vendor.

Plugin: RSVPMaker
Vulnerability: SQL Injection
Patched Version: 9.3.3
Recommended Action: Update the WordPress RSVPMaker plugin to the latest available version (at least 9.3.3).

Plugin: iQ Block Country
Vulnerability: Other Vulnerability Type
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of April 20, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Newsletter
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 7.4.5
Recommended Action: Update the WordPress Newsletter plugin to the latest available version (at least 7.4.5).

Plugin: Code Snippets Extended
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. No patched version is available. No reply from the vendor.

Plugin: Opal Hotel Room Booking
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Enqueue Anything
Vulnerability: Other Vulnerability Type
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of April 26, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Useful Banner Manager
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 12, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Bestbooks
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 11, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Athletics
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of April 28, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Hot Linked Image Cacher
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 16, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Google Places Reviews
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.0
Recommended Action: Fixed in version 2.0.0, but the plugin has been closed as of April 8, 2022 and is not available for download. This closure is temporary, pending a full review. Deactivate and delete.

Plugin: Advanced Admin Search
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of April 26, 2022 and is not available for download. This closure is temporary, pending a full review.

Theme: Ask Me
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 6.8.2
Recommended Action: Update the WordPress Ask Me premium theme to the latest available version (at least 6.8.2).

Theme: Ask Me
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 6.8.2
Recommended Action: Update the WordPress Ask Me premium theme to the latest available version (at least 6.8.2).

Theme: Discy
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.2
Recommended Action: Update the WordPress Discy premium theme to the latest available version (at least 5.2).

Plugin: User Meta
Vulnerability: Other Vulnerability Type
Patched Version: 2.4.4
Recommended Action: Update the WordPress User Meta plugin to the latest available version (at least 2.4.4).

Plugin: WordPress File Upload
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 4.16.4
Recommended Action: Update the WordPress File Upload plugin to the latest available version (at least 4.16.4).

Plugin: Photo Gallery by 10Web
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.6.4
Recommended Action: Update the WordPress Photo Gallery plugin to the latest available version (at least 1.6.4).

Plugin: FiboSearch – Ajax Search for WooCommerce
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.18.0
Recommended Action: Update the WordPress FiboSearch plugin to the latest available version (at least 1.18.0).

Plugin: WPQA – Builder forms Addon
Vulnerability: Information Disclosure
Patched Version: 5.5
Recommended Action: Update the WordPress WPQA premium plugin to the latest available version (at least 5.5).

Plugin: Throws SPAM Away
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.3.1
Recommended Action: Update the WordPress Throws SPAM Away plugin to the latest available version (at least 3.3.1).

Plugin: Video Slider – Slider Carousel
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.4.8
Recommended Action: Update the WordPress Video Slider – Slider Carousel plugin to the latest available version (at least 1.4.8).

Plugin: FormCraft
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2.6
Recommended Action: Update the WordPress FormCraft Basic plugin to the latest available version (at least 1.2.6).

Plugin: LiveSync
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 13, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WPify Woo Czech
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.5.7
Recommended Action: Update the WordPress WPify Woo Czech plugin to the latest available version (at least 3.5.7).

Plugin: Popup Box
Vulnerability: Local File Inclusion
Patched Version: 2.2
Recommended Action: Update the WordPress Popup Box plugin to the latest available version (at least 2.2).

Plugin: Counter Box
Vulnerability: Local File Inclusion
Patched Version: 1.2
Recommended Action: Update the WordPress Counter Box plugin to the latest available version (at least 1.2).

Plugin: Hover Effects
Vulnerability: Local File Inclusion
Patched Version: 2.1.1
Recommended Action: Update the WordPress Hover Effects plugin to the latest available version (at least 2.1.1).

Plugin: Herd Effects
Vulnerability: Local File Inclusion
Patched Version: 5.2.1
Recommended Action: Update the WordPress Herd Effects plugin to the latest available version (at least 5.2.1).

Plugin: WP Born Babies
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of April 27, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Donations
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of February 28, 2022 and is not available for download. Reason: Security Issue.

Plugin: Files Download Delay
Vulnerability: Other Vulnerability Type
Patched Version: 1.0.7
Recommended Action: Update the WordPress Files Download Delay plugin to the latest available version (at least 1.0.7).

Plugin: CP Image Store with Slideshow
Vulnerability: SQL Injection
Patched Version: 1.0.68
Recommended Action: Update the WordPress CP Image Store with Slideshow plugin to the latest available version (at least 1.0.68).

Plugin: Team Members
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 5.1.1
Recommended Action: Update the WordPress Team Members plugin to the latest available version (at least 5.1.1).

Plugin: Drag & Drop Builder
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.4.9.4
Recommended Action: Update the WordPress Drag & Drop Builder plugin to the latest available version (at least 1.4.9.4).

Plugin: amtyThumb
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 12, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: CUBE SLIDER
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 3, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Five Minute Webshop
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 12, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Note Press
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 12, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Simple Adsense Insertion
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.1
Recommended Action: Update the WordPress WP Simple Adsense Insertion plugin to the latest available version (at least 2.1).

Plugin: Database Backup for WordPress
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.5.2
Recommended Action: Update the WordPress Database Backup for WordPress plugin to the latest available version (at least 2.5.2).

Plugin: WP Fundraising Donation and Crowdfunding Platform
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of April 26, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WooCommerce Green Wallet Gateway
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.0.2
Recommended Action: Update the WordPress WooCommerce Green Wallet Gateway plugin to the latest available version (at least 1.0.2).
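Most of the entries above reduce to one of two actions: update to at least a given version, or deactivate and delete because no fix exists. The script below is an added example (not part of this post or of any of the plugins listed) that applies those rules to the JSON printed by `wp plugin list --format=json`. The patched versions are taken from the entries above; the plugin slugs are assumptions for illustration, since the post names plugins rather than slugs, and the sample plugin list is constructed. Two details matter in practice: versions must be compared numerically (as strings, "2.4.10" sorts before "2.4.4"), and inactive plugins must still be reported, because their files stay on disk and anything in them that can be requested directly does not need the plugin to be active.

```python
import json
import re

# Patched versions from the advisory entries above; None means the post gives
# no patched version and the action is "deactivate and delete". The slugs are
# assumptions for illustration; confirm each one in wp-admin or `wp plugin list`.
ADVISORIES = {
    "newsletter": "7.4.5",
    "rsvpmaker": "9.3.3",
    "user-meta": "2.4.4",
    "wp-file-upload": "4.16.4",
    "photo-gallery": "1.6.4",
    "popup-box": "2.2",
    "code-snippets": None,
    "iq-block-country": None,
}

# Constructed sample of `wp plugin list --format=json` output (not a real site).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.2.2"},
    {"name": "newsletter", "status": "active", "update": "available", "version": "7.4.4"},
    {"name": "photo-gallery", "status": "active", "update": "none", "version": "1.6.4"},
    {"name": "user-meta", "status": "active", "update": "none", "version": "2.4.10"},
    {"name": "popup-box", "status": "active", "update": "none", "version": "2.2.0"},
    {"name": "code-snippets", "status": "inactive", "update": "none", "version": "2.6.7"},
])


def parse_version(version):
    """'1.4.9.4' -> (1, 4, 9, 4). Numeric, not lexical: as strings
    '2.4.10' < '2.4.4', which would flag an already patched install."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts) if parts else (0,)


def version_lt(a, b):
    """True if version a is older than b; pads with zeros so '2.2' == '2.2.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def triage(wp_plugin_list_json, advisories=ADVISORIES):
    """Return (slug, installed_version, action) for every installed plugin that
    appears in the advisory table and is not already at a patched version.
    Inactive plugins are reported too: deactivating does not remove the code."""
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        slug = plugin["name"]
        if slug not in advisories:
            continue
        patched = advisories[slug]
        installed = plugin["version"]
        if patched is None:
            findings.append((slug, installed, "deactivate and delete (no patched version)"))
        elif version_lt(installed, patched):
            findings.append((slug, installed, f"update to at least {patched}"))
    return findings


if __name__ == "__main__":
    for slug, installed, action in triage(SAMPLE_WP_PLUGIN_LIST):
        print(f"{slug} {installed}: {action}")
```

On a real site, pipe `wp plugin list --format=json` into `triage()` instead of the constructed sample, and keep the advisory table in step with the weekly list; a plugin that is merely "closed" pending review still has to be deleted by hand, since WordPress will not offer an update for it.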

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
