Watch Out Wednesday – May 18, 2022

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Code Snippets, iQ Block Country, User Meta and more!

Plugin: Code Snippets
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. We were unable to contact the vendor.

Plugin: RSVPMaker
Vulnerability: SQL Injection
Patched Version: 9.3.3
Recommended Action: Update the WordPress RSVPMaker plugin to the latest available version (at least 9.3.3).

Plugin: iQ Block Country
Vulnerability: Other Vulnerability Type
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of April 20, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Newsletter
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 7.4.5
Recommended Action: Update the WordPress Newsletter plugin to the latest available version (at least 7.4.5).

Plugin: Code Snippets Extended
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. No patched version is available. No reply from the vendor.

Plugin: Opal Hotel Room Booking
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Enqueue Anything
Vulnerability: Other Vulnerability Type
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of April 26, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Useful Banner Manager
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 12, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Bestbooks
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 11, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Athletics
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of April 28, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Hot Linked Image Cacher
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 16, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Google Places Reviews
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.0
Recommended Action: A fix was released in version 2.0.0, but the plugin has been closed as of April 8, 2022 and is not available for download. This closure is temporary, pending a full review. Deactivate and delete.

Plugin: Advanced Admin Search
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of April 26, 2022 and is not available for download. This closure is temporary, pending a full review.

Theme: Ask Me
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 6.8.2
Recommended Action: Update the WordPress Ask Me premium theme to the latest available version (at least 6.8.2).

Theme: Ask Me
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 6.8.2
Recommended Action: Update the WordPress Ask Me premium theme to the latest available version (at least 6.8.2).

Theme: Discy
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.2
Recommended Action: Update the WordPress Discy premium theme to the latest available version (at least 5.2).

Plugin: User Meta
Vulnerability: Other Vulnerability Type
Patched Version: 2.4.4
Recommended Action: Update the WordPress User Meta plugin to the latest available version (at least 2.4.4).

Plugin: WordPress File Upload
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 4.16.4
Recommended Action: Update the WordPress File Upload plugin to the latest available version (at least 4.16.4).

Plugin: Photo Gallery by 10Web
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.6.4
Recommended Action: Update the WordPress Photo Gallery plugin to the latest available version (at least 1.6.4).

Plugin: FiboSearch – Ajax Search for WooCommerce
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.18.0
Recommended Action: Update the WordPress FiboSearch plugin to the latest available version (at least 1.18.0).

Plugin: WPQA – Builder forms Addon
Vulnerability: Information Disclosure
Patched Version: 5.5
Recommended Action: Update the WordPress WPQA premium plugin to the latest available version (at least 5.5).

Plugin: Throws SPAM Away
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.3.1
Recommended Action: Update the WordPress Throws SPAM Away plugin to the latest available version (at least 3.3.1).

Plugin: Video Slider – Slider Carousel
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.4.8
Recommended Action: Update the WordPress Video Slider – Slider Carousel plugin to the latest available version (at least 1.4.8).

Plugin: FormCraft
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2.6
Recommended Action: Update the WordPress FormCraft Basic plugin to the latest available version (at least 1.2.6).

Plugin: LiveSync
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 13, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WPify Woo Czech
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.5.7
Recommended Action: Update the WordPress WPify Woo Czech plugin to the latest available version (at least 3.5.7).

Plugin: Popup Box
Vulnerability: Local File Inclusion
Patched Version: 2.2
Recommended Action: Update the WordPress Popup Box plugin to the latest available version (at least 2.2).

Plugin: Counter Box
Vulnerability: Local File Inclusion
Patched Version: 1.2
Recommended Action: Update the WordPress Counter Box plugin to the latest available version (at least 1.2).

Plugin: Hover Effects
Vulnerability: Local File Inclusion
Patched Version: 2.1.1
Recommended Action: Update the WordPress Hover Effects plugin to the latest available version (at least 2.1.1).

Plugin: Herd Effects
Vulnerability: Local File Inclusion
Patched Version: 5.2.1
Recommended Action: Update the WordPress Herd Effects plugin to the latest available version (at least 5.2.1).

Plugin: WP Born Babies
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of April 27, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Donations
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of February 28, 2022 and is not available for download. Reason: Security Issue.

Plugin: Files Download Delay
Vulnerability: Other Vulnerability Type
Patched Version: 1.0.7
Recommended Action: Update the WordPress Files Download Delay plugin to the latest available version (at least 1.0.7).

Plugin: CP Image Store with Slideshow
Vulnerability: SQL Injection
Patched Version: 1.0.68
Recommended Action: Update the WordPress CP Image Store with Slideshow plugin to the latest available version (at least 1.0.68).

Plugin: Team Members
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 5.1.1
Recommended Action: Update the WordPress Team Members plugin to the latest available version (at least 5.1.1).

Plugin: Drag & Drop Builder
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.4.9.4
Recommended Action: Update the WordPress Drag & Drop Builder plugin to the latest available version (at least 1.4.9.4).

Plugin: amtyThumb
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 12, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: CUBE SLIDER
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 3, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Five Minute Webshop
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 12, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Note Press
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of May 12, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Simple Adsense Insertion
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.1
Recommended Action: Update the WordPress WP Simple Adsense Insertion plugin to the latest available version (at least 2.1).

Plugin: Database Backup for WordPress
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.5.2
Recommended Action: Update the WordPress Database Backup for WordPress plugin to the latest available version (at least 2.5.2).

Plugin: WP Fundraising Donation and Crowdfunding Platform
Vulnerability: SQL Injection
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of April 26, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WooCommerce Green Wallet Gateway
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.0.2
Recommended Action: Update the WordPress WooCommerce Green Wallet Gateway plugin to the latest available version (at least 1.0.2).
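Checking a list this long against every site you manage by hand is error-prone, and a naive string comparison of version numbers gets cases like 1.4.10 versus 1.4.9.4 wrong. The script below is an added example, not part of this post and not FocusWP tooling. It assumes the site's plugin inventory comes from WP-CLI (`wp plugin list --fields=name,title,version,status --format=json`), that the `title` field there matches the plugin names as written above (the post does not give plugin slugs), and it transcribes only a subset of this week's entries into its table; the sample inventory is constructed, not real site data.

```python
"""Triage a site's installed plugins against this week's advisory entries.

Added example; not part of the original post and not FocusWP tooling.
Assumed input: WP-CLI JSON, e.g.
    wp plugin list --fields=name,title,version,status --format=json | python triage.py
ADVISORIES transcribes a subset of the entries in the post; extend it with
the remaining rows. SAMPLE_PLUGINS is constructed test data.
"""
import json
import re
import sys

# Plugin title (lower-cased) -> patched version, or None when no fix exists
# (closed plugin or unresponsive vendor), in which case the post's only
# safe action is to deactivate and delete.
ADVISORIES = {
    "code snippets": None,
    "rsvpmaker": "9.3.3",
    "iq block country": None,
    "newsletter": "7.4.5",
    "code snippets extended": None,
    "user meta": "2.4.4",
    "wordpress file upload": "4.16.4",
    "photo gallery by 10web": "1.6.4",
    "popup box": "2.2",
    "counter box": "1.2",
    "drag & drop builder": "1.4.9.4",
    "database backup for wordpress": "2.5.2",
}


def version_tuple(v):
    """'1.4.9.4' -> (1, 4, 9, 4); a non-numeric suffix such as '5.2-beta' is dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_older(installed, patched):
    """True when installed < patched, comparing component by component.

    Zero-padding keeps '2.2' equal to '2.2.0' and ranks '1.4.10' above
    '1.4.9.4', both of which a plain string comparison gets wrong.
    """
    a, b = version_tuple(installed), version_tuple(patched)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def triage(plugins):
    """Return one finding per installed plugin that the advisory table flags.

    Inactive plugins are still reported: the action for unfixed plugins is
    to delete them, and an inactive copy is still on disk.
    """
    findings = []
    for p in plugins:
        title = p.get("title", "")
        key = title.strip().lower()
        if key not in ADVISORIES:
            continue
        patched = ADVISORIES[key]
        if patched is None:
            action = "deactivate and delete: no patched version"
        elif is_older(p["version"], patched):
            action = f"update to at least {patched}"
        else:
            continue  # already at or above the patched version
        findings.append({"title": title, "installed": p["version"],
                         "status": p.get("status", "unknown"), "action": action})
    return findings


# Constructed sample in the shape of `wp plugin list --format=json`; slugs and
# versions are made up for illustration, not taken from a real site.
SAMPLE_PLUGINS = [
    {"name": "code-snippets", "title": "Code Snippets", "version": "2.14.0", "status": "active"},
    {"name": "rsvpmaker", "title": "RSVPMaker", "version": "9.3.1", "status": "active"},
    {"name": "newsletter", "title": "Newsletter", "version": "7.4.5", "status": "active"},
    {"name": "drag-drop-builder", "title": "Drag & Drop Builder", "version": "1.4.10", "status": "inactive"},
    {"name": "popup-box", "title": "Popup Box", "version": "2.1", "status": "inactive"},
    {"name": "unrelated-plugin", "title": "Unrelated Plugin", "version": "3.0", "status": "active"},
]


def main():
    # With nothing piped in, run against the constructed sample.
    plugins = SAMPLE_PLUGINS if sys.stdin.isatty() else json.load(sys.stdin)
    for f in triage(plugins):
        print(f"{f['title']} {f['installed']} ({f['status']}): {f['action']}")


if __name__ == "__main__":
    main()
```

On the sample inventory this flags Code Snippets (no fix), RSVPMaker (9.3.1 below 9.3.3) and Popup Box (2.1 below 2.2), and correctly leaves Drag & Drop Builder 1.4.10 alone because 1.4.10 is newer than the 1.4.9.4 fix. The Ask Me and Discy entries are themes, so they would be checked the same way from `wp theme list` rather than `wp plugin list`.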

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
