Watch Out Wednesday – May 3, 2023

by | May 3, 2023 | WoW Archive


This week's Watch Out Wednesday covers the latest WordPress plugin vulnerabilities, including File Manager, BizLibrary, Ultimate Carousel and more.

Plugin: WP Search Analytics

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Photo Gallery Slideshow & Masonry Tiled Gallery

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.0.14
Recommended Action: Update the WordPress Photo Gallery Slideshow & Masonry Tiled Gallery plugin to the latest available version (at least 1.0.14).

Plugin: Plugins List

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.5.1
Recommended Action: Update the WordPress Plugins List plugin to the latest available version (at least 2.5.1).

Plugin: Maintenance Switch

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Mass Email To users

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.1.5
Recommended Action: Update the WordPress Mass Email To users plugin to the latest available version (at least 1.1.5).

Plugin: AJAX Thumbnail Rebuild

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP-CORS

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: File Manager

Vulnerability: PHP Object Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Depicter Slider

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Emails & Newsletters with Jackmail

Vulnerability: CSV Injection
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Thumbs Rating

Vulnerability: Race Condition vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated Server Side Request Forgery (SSRF) vulnerability
Patched Version: 2.10.24
Recommended Action: Update the WordPress Orbit Fox by ThemeIsle plugin to the latest available version (at least 2.10.24).

Plugin: SEO Alert

Vulnerability: Authenticated Stored Cross-Site Scripting Vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: WP Directory Kit

Vulnerability: Open Redirection vulnerability
Patched Version: 1.2.0
Recommended Action: Update the WordPress WP Directory Kit plugin to the latest available version (at least 1.2.0).

Plugin: Zephyr Project Manager

Vulnerability: Open Redirection vulnerability
Patched Version: 3.3.91
Recommended Action: Update the WordPress Zephyr Project Manager plugin to the latest available version (at least 3.3.91).

Plugin: BizLibrary

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Unauthenticated Data Disclosure vulnerability
Patched Version: 4.1.1
Recommended Action: Update the WordPress Active Directory Integration / LDAP Integration plugin to the latest available version (at least 4.1.1).

Plugin: RapidExpCart

Vulnerability: Stored XSS via CSRF vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: KIWIZ Invoices Certification & PDF System

Vulnerability: Unauthenticated Arbitrary File Download vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Help Desk WP

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WooCommerce Order Status Change Notifier

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed.

Plugin: Ad Inserter

Vulnerability: Auth. PHP Object Injection vulnerability
Patched Version: 2.7.27
Recommended Action: Update the WordPress Ad Inserter plugin to the latest available version (at least 2.7.27).

Plugin: LIQUID SPEECH BALLOON

Vulnerability: Settings Update via CSRF vulnerability
Patched Version: 1.2
Recommended Action: Update the WordPress LIQUID SPEECH BALLOON plugin to the latest available version (at least 1.2).

Plugin: Profile Builder

Vulnerability: Insecure Password Reset Mechanism vulnerability
Patched Version: 3.9.1
Recommended Action: Update the WordPress Profile Builder plugin to the latest available version (at least 3.9.1).

Plugin: CM On Demand Search And Replace

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.3.1
Recommended Action: Update the WordPress CM On Demand Search And Replace plugin to the latest available version (at least 1.3.1).

Plugin: User IP and Location

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.2.1
Recommended Action: Update the WordPress User IP and Location plugin to the latest available version (at least 2.2.1).

Plugin: Responsive Filterable Portfolio

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.0.20
Recommended Action: Update the WordPress Responsive Filterable Portfolio plugin to the latest available version (at least 1.0.20).

Plugin: Pretty Url

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Thumbnail carousel slider

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.1.10
Recommended Action: Update the WordPress Thumbnail carousel slider plugin to the latest available version (at least 1.1.10).

Plugin: f(x) TOC

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: wordpress vertical image slider plugin

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.2.17
Recommended Action: Update the WordPress wordpress vertical image slider plugin to the latest available version (at least 1.2.17).

Plugin: ActiveCampaign

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 8.1.12
Recommended Action: Update the WordPress ActiveCampaign plugin to the latest available version (at least 8.1.12).

Plugin: Custom 404 Pro

Vulnerability: Unauth. SQL Injection (SQLi) vulnerability
Patched Version: 3.7.3
Recommended Action: Update the WordPress Custom 404 Pro plugin to the latest available version (at least 3.7.3).

Plugin: HTTP Headers

Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: 1.18.8
Recommended Action: Update the WordPress HTTP Headers plugin to the latest available version (at least 1.18.8).

Plugin: Autoptimize

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.1.7
Recommended Action: Update the WordPress Autoptimize plugin to the latest available version (at least 3.1.7).

Plugin: Stream

Vulnerability: Auth. Insecure Direct Object References (IDOR) vulnerability
Patched Version: 3.9.3
Recommended Action: Update the WordPress Stream plugin to the latest available version (at least 3.9.3).

Plugin: Shield Security

Vulnerability: Unauth. Stored Cross-Site Scripting (XSS) vulnerability
Vulnerability: Missing Authorization vulnerability
Patched Version: 17.0.18
Recommended Action: Update the WordPress Shield Security plugin to the latest available version (at least 17.0.18).

Plugin: Glaze Blog Lite

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Fascinate

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Cream Blog

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Cream Magazine

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Mocho Blog

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Everest News

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Arya Multipurpose

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Viable blog

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Popups

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.1.5.1
Recommended Action: Update the WordPress WP Popups plugin to the latest available version (at least 2.1.5.1).

Plugin: Customizer Export/Import

Vulnerability: Auth. PHP Object Injection vulnerability
Patched Version: 0.9.6
Recommended Action: Update the WordPress Customizer Export/Import plugin to the latest available version (at least 0.9.6).

Plugin: Japanized For WooCommerce

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Product Slider For WooCommerce Lite

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Wp D3

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Custom Post Type List Shortcode

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Post Shortcode

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Enable/Disable Auto Login when Register

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Membership Database

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Video List Manager

Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Ultimate Carousel For WPBakery Page Builder

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Mega Addons For WPBakery Page Builder

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Ultimate Carousel For Elementor

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Avirato hotels online booking engine

Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: No patched version available.

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
