Watch Out Wednesday – May 3, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities, including File Manager, BizLibrary, Ultimate Carousel and more!

Plugin: WP Search Analytics

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Photo Gallery Slideshow & Masonry Tiled Gallery

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.0.14
Recommended Action: Update the WordPress Photo Gallery Slideshow & Masonry Tiled Gallery plugin to the latest available version (at least 1.0.14).

Plugin: Plugins List

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.5.1
Recommended Action: Update the WordPress Plugins List plugin to the latest available version (at least 2.5.1).

Plugin: Maintenance Switch

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Mass Email To users

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.1.5
Recommended Action: Update the WordPress Mass Email To users plugin to the latest available version (at least 1.1.5).

Plugin: AJAX Thumbnail Rebuild

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP-CORS

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: File Manager

Vulnerability: PHP Object Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Depicter Slider

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Emails & Newsletters with Jackmail

Vulnerability: CSV Injection
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Thumbs Rating

Vulnerability: Race Condition vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated Server Side Request Forgery (SSRF) vulnerability
Patched Version: 2.10.24
Recommended Action: Update the WordPress Orbit Fox by ThemeIsle plugin to the latest available version (at least 2.10.24).

Plugin: SEO ALert

Vulnerability: Authenticated Stored Cross-Site Scripting Vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: WP Directory Kit

Vulnerability: Open Redirection vulnerability
Patched Version: 1.2.0
Recommended Action: Update the WordPress WP Directory Kit plugin to the latest available version (at least 1.2.0).

Plugin: Zephyr Project Manager

Vulnerability: Open Redirection vulnerability
Patched Version: 3.3.91
Recommended Action: Update the WordPress Zephyr Project Manager plugin to the latest available version (at least 3.3.91).

Plugin: BizLibrary

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Unauthenticated Data Disclosure vulnerability
Patched Version: 4.1.1
Recommended Action: Update the WordPress Active Directory Integration / LDAP Integration plugin to the latest available version (at least 4.1.1).

Plugin: RapidExpCart

Vulnerability: Stored XSS via CSRF vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: KIWIZ Invoices Certification & PDF System

Vulnerability: Unauthenticated Arbitrary File Download vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Help Desk WP

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WooCommerce Order Status Change Notifier

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed.

Plugin: Ad Inserter

Vulnerability: Auth. PHP Object Injection vulnerability
Patched Version: 2.7.27
Recommended Action: Update the WordPress Ad Inserter plugin to the latest available version (at least 2.7.27).

Plugin: LIQUID SPEECH BALLOON

Vulnerability: Settings Update via CSRF vulnerability
Patched Version: 1.2
Recommended Action: Update the WordPress LIQUID SPEECH BALLOON plugin to the latest available version (at least 1.2).

Plugin: Profile Builder

Vulnerability: Insecure Password Reset Mechanism vulnerability
Patched Version: 3.9.1
Recommended Action: Update the WordPress Profile Builder plugin to the latest available version (at least 3.9.1).

Plugin: CM On Demand Search And Replace

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.3.1
Recommended Action: Update the WordPress CM On Demand Search And Replace plugin to the latest available version (at least 1.3.1).

Plugin: User IP and Location

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.2.1
Recommended Action: Update the WordPress User IP and Location plugin to the latest available version (at least 2.2.1).

Plugin: Responsive Filterable Portfolio

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.0.20
Recommended Action: Update the WordPress Responsive Filterable Portfolio plugin to the latest available version (at least 1.0.20).

Plugin: Pretty Url

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Thumbnail carousel slider

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.1.10
Recommended Action: Update the WordPress Thumbnail carousel slider plugin to the latest available version (at least 1.1.10).

Plugin: f(x) TOC

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: wordpress vertical image slider plugin

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.2.17
Recommended Action: Update the WordPress "wordpress vertical image slider plugin" plugin to the latest available version (at least 1.2.17).

Plugin: ActiveCampaign

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 8.1.12
Recommended Action: Update the WordPress ActiveCampaign plugin to the latest available version (at least 8.1.12).

Plugin: Custom 404 Pro

Vulnerability: Unauth. SQL Injection (SQLi) vulnerability
Patched Version: 3.7.3
Recommended Action: Update the WordPress Custom 404 Pro plugin to the latest available version (at least 3.7.3).

Plugin: HTTP Headers

Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: 1.18.8
Recommended Action: Update the WordPress HTTP Headers plugin to the latest available version (at least 1.18.8).

Plugin: Autoptimize

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.1.7
Recommended Action: Update the WordPress Autoptimize plugin to the latest available version (at least 3.1.7).

Plugin: Stream

Vulnerability: Auth. Insecure Direct Object References (IDOR) vulnerability
Patched Version: 3.9.3
Recommended Action: Update the WordPress Stream plugin to the latest available version (at least 3.9.3).

Plugin: Shield Security

Vulnerability: Unauth. Stored Cross-Site Scripting (XSS) vulnerability
Vulnerability: Missing Authorization vulnerability
Patched Version: 17.0.18
Recommended Action: Update the WordPress Shield Security plugin to the latest available version (at least 17.0.18).

Plugin: Glaze Blog Lite

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Fascinate

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Cream Blog

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Cream Magazine

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Mocho Blog

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Everest News

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Arya Multipurpose

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Viable blog

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Popups

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.1.5.1
Recommended Action: Update the WordPress WP Popups plugin to the latest available version (at least 2.1.5.1).

Plugin: Customizer Export/Import

Vulnerability: Auth. PHP Object Injection vulnerability
Patched Version: 0.9.6
Recommended Action: Update the WordPress Customizer Export/Import plugin to the latest available version (at least 0.9.6).

Plugin: Japanized For WooCommerce

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Product Slider For WooCommerce Lite

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Wp D3

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Custom Post Type List Shortcode

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Post Shortcode

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Enable/Disable Auto Login when Register

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Membership Database

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Video List Manager

Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Ultimate Carousel For WPBakery Page Builder

Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Mega Addons For WPBakery Page Builder

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Ultimate Carousel For Elementor

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Avirato hotels online booking engine

Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: No patched version available.

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
