This week’s Watch Out Wednesday covers the latest WordPress plugin vulnerabilities, including File Manager, BizLibrary, Ultimate Carousel and more!
Plugin: WP Search Analytics
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Photo Gallery Slideshow & Masonry Tiled Gallery
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.0.14
Recommended Action: Update the WordPress Photo Gallery Slideshow & Masonry Tiled Gallery plugin to the latest available version (at least 1.0.14).
Plugin: Plugins List
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.5.1
Recommended Action: Update the WordPress Plugins List plugin to the latest available version (at least 2.5.1).
Plugin: Maintenance Switch
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Mass Email To users
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.1.5
Recommended Action: Update the WordPress Mass Email To users plugin to the latest available version (at least 1.1.5).
Plugin: AJAX Thumbnail Rebuild
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP-CORS
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: File Manager
Vulnerability: PHP Object Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Depicter Slider
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Emails & Newsletters with Jackmail
Vulnerability: CSV Injection
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Thumbs Rating
Vulnerability: Race Condition vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Orbit Fox by ThemeIsle
Vulnerability: Authenticated Server Side Request Forgery (SSRF) vulnerability
Patched Version: 2.10.24
Recommended Action: Update the WordPress Orbit Fox by ThemeIsle plugin to the latest available version (at least 2.10.24).
Plugin: SEO Alert
Vulnerability: Authenticated Stored Cross-Site Scripting Vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: WP Directory Kit
Vulnerability: Open Redirection vulnerability
Patched Version: 1.2.0
Recommended Action: Update the WordPress WP Directory Kit plugin to the latest available version (at least 1.2.0).
Plugin: Zephyr Project Manager
Vulnerability: Open Redirection vulnerability
Patched Version: 3.3.91
Recommended Action: Update the WordPress Zephyr Project Manager plugin to the latest available version (at least 3.3.91).
Plugin: BizLibrary
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Unauthenticated Data Disclosure vulnerability
Patched Version: 4.1.1
Recommended Action: Update the WordPress Active Directory Integration / LDAP Integration plugin to the latest available version (at least 4.1.1).
Plugin: RapidExpCart
Vulnerability: Stored XSS via CSRF vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: KIWIZ Invoices Certification & PDF System
Vulnerability: Unauthenticated Arbitrary File Download vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Help Desk WP
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WooCommerce Order Status Change Notifier
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed.
Plugin: Ad Inserter
Vulnerability: Auth. PHP Object Injection vulnerability
Patched Version: 2.7.27
Recommended Action: Update the WordPress Ad Inserter plugin to the latest available version (at least 2.7.27).
Plugin: LIQUID SPEECH BALLOON
Vulnerability: Settings Update via CSRF vulnerability
Patched Version: 1.2
Recommended Action: Update the WordPress LIQUID SPEECH BALLOON plugin to the latest available version (at least 1.2).
Plugin: Profile Builder
Vulnerability: Insecure Password Reset Mechanism vulnerability
Patched Version: 3.9.1
Recommended Action: Update the WordPress Profile Builder plugin to the latest available version (at least 3.9.1).
Plugin: CM On Demand Search And Replace
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.3.1
Recommended Action: Update the WordPress CM On Demand Search And Replace plugin to the latest available version (at least 1.3.1).
Plugin: User IP and Location
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.2.1
Recommended Action: Update the WordPress User IP and Location plugin to the latest available version (at least 2.2.1).
Plugin: Responsive Filterable Portfolio
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.0.20
Recommended Action: Update the WordPress Responsive Filterable Portfolio plugin to the latest available version (at least 1.0.20).
Plugin: Pretty Url
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Thumbnail carousel slider
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.1.10
Recommended Action: Update the WordPress Thumbnail carousel slider plugin to the latest available version (at least 1.1.10).
Plugin: f(x) TOC
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: wordpress vertical image slider plugin
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.2.17
Recommended Action: Update the WordPress "wordpress vertical image slider plugin" plugin to the latest available version (at least 1.2.17).
Plugin: ActiveCampaign
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 8.1.12
Recommended Action: Update the WordPress ActiveCampaign plugin to the latest available version (at least 8.1.12).
Plugin: Custom 404 Pro
Vulnerability: Unauth. SQL Injection (SQLi) vulnerability
Patched Version: 3.7.3
Recommended Action: Update the WordPress Custom 404 Pro plugin to the latest available version (at least 3.7.3).
Plugin: HTTP Headers
Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: 1.18.8
Recommended Action: Update the WordPress HTTP Headers plugin to the latest available version (at least 1.18.8).
Plugin: Autoptimize
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.1.7
Recommended Action: Update the WordPress Autoptimize plugin to the latest available version (at least 3.1.7).
Plugin: Stream
Vulnerability: Auth. Insecure Direct Object References (IDOR) vulnerability
Patched Version: 3.9.3
Recommended Action: Update the WordPress Stream plugin to the latest available version (at least 3.9.3).
Plugin: Shield Security
Vulnerability: Unauth. Stored Cross-Site Scripting (XSS) vulnerability
Vulnerability: Missing Authorization vulnerability
Patched Version: 17.0.18
Recommended Action: Update the WordPress Shield Security plugin to the latest available version (at least 17.0.18).
Plugin: Glaze Blog Lite
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Fascinate
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Cream Blog
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Cream Magazine
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Mocho Blog
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Everest News
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Arya Multipurpose
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Viable blog
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP Popups
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.1.5.1
Recommended Action: Update the WordPress WP Popups plugin to the latest available version (at least 2.1.5.1).
Plugin: Customizer Export/Import
Vulnerability: Auth. PHP Object Injection vulnerability
Patched Version: 0.9.6
Recommended Action: Update the WordPress Customizer Export/Import plugin to the latest available version (at least 0.9.6).
Plugin: Japanized For WooCommerce
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Product Slider For WooCommerce Lite
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Wp D3
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Custom Post Type List Shortcode
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Post Shortcode
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Enable/Disable Auto Login when Register
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Membership Database
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Video List Manager
Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Ultimate Carousel For WPBakery Page Builder
Vulnerability: Contributor+ Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Mega Addons For WPBakery Page Builder
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Ultimate Carousel For Elementor
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Avirato hotels online booking engine
Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: No patched version available.