This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WordPress Core, UpdraftPlus, WeSecur Security and more!
Plugin: Groundhogg
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.7.10
Recommended Action: Update the WordPress Groundhogg plugin to the latest available version (at least 2.7.10).
Plugin: WooDiscuz – WooCommerce Comments
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.3.0
Recommended Action: Update the WordPress WooDiscuz – WooCommerce Comments plugin to the latest available version (at least 2.3.0).
Plugin: AI Engine: ChatGPT Chatbot
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.6.83
Recommended Action: Update the WordPress AI Engine: ChatGPT Chatbot plugin to the latest available version (at least 1.6.83).
Plugin: nuajik CDN
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP htaccess Control
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: SEO Change Monitor
Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Cookie Monster
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: BP Social Connect
Vulnerability: Authentication Bypass vulnerability
Patched Version: 1.6.2
Recommended Action: Update the WordPress BP Social Connect plugin to the latest available version (at least 1.6.2).
Plugin: Stop Referrer Spam
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: A partial fix is available in versions >= 1.2.9. No fully patched version is available. No reply from the vendor.
Plugin: WeSecur Security
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of February 21, 2023 and is not available for download. This closure is permanent. Reason: Author Request.
Plugin: Jazz Popups
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Jazz Popups
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Scripts n Styles
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Better Notifications for WP
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.9.3
Recommended Action: Update the WordPress Better Notifications for WP plugin to the latest available version (at least 1.9.3).
Plugin: Performance Lab
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.3.0
Recommended Action: Update the WordPress Performance Lab plugin to the latest available version (at least 2.3.0).
Plugin: WooCommerce Predictive Search
Vulnerability: Broken Access Control vulnerability
Patched Version: 5.8.1
Recommended Action: Update the WordPress WooCommerce Predictive Search plugin to the latest available version (at least 5.8.1).
Plugin: WishSuite
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.3.5
Recommended Action: Update the WordPress WishSuite plugin to the latest available version (at least 1.3.5).
Plugin: Simple Page Ordering
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.5.1
Recommended Action: Update the WordPress Simple Page Ordering plugin to the latest available version (at least 2.5.1).
Plugin: Baidu Tongji generator
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Reported to WP plugins review team on 2023 Apr 28.
Plugin: UpdraftPlus
Vulnerability: CSRF leading to wp-admin site-wide XSS vulnerability
Patched Version: 1.23.4
Recommended Action: Update the WordPress UpdraftPlus plugin to the latest available version (at least 1.23.4).
Plugin: Waiting: One-click countdowns
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Easy Forms for Mailchimp
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Disclosure timeline:
2023-02-08 – vendor (YIKES) notified about the vulnerability.
2023-05-11 – we tried to notify the vendor (YIKES) again and got the answer that the plugin/business was sold to another company (EH Dev Shop). We notified the new vendor the same day.
2023-05-17 – still no reply from the vendor (EH Dev Shop). The decision to make the disclosure was made.
Plugin: WordPress Core
Vulnerability: Insufficient Sanitization of Block Attributes vulnerabilities
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Vulnerability: Unauth. Shortcode Execution vulnerability
Vulnerability: Unauth. Directory Traversal vulnerability
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 6.2.1
Recommended Action: Update the WordPress core to the latest available version (at least 6.2.1).