Watch Out Wednesday – May 31, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Recently Viewed Products, WooCommerce Shipping & Tax, Elementor Website Builder and more!

Plugin: QuBotChat

Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 1.1.6
Recommended Action: Update the WordPress QuBotChat plugin to the latest available version (at least 1.1.6).

Plugin: WP Coder

Vulnerability: Reflected Cross-Site Scripting via ‘page’ parameter vulnerability
Patched Version: 2.5.6
Recommended Action: Update the WordPress WP Coder plugin to the latest available version (at least 2.5.6).

Plugin: Bubble Menu – circle floating menu

Vulnerability: Reflected Cross-Site Scripting via ‘page’ parameter vulnerability
Patched Version: 3.0.4
Recommended Action: Update the WordPress Bubble Menu – circle floating menu plugin to the latest available version (at least 3.0.4).

Plugin: This Day In History

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Apr 12, 2023.

Plugin: Recently Viewed Products

Vulnerability: PHP Object Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Mar 27, 2023.

Plugin: SKU Label Changer For WooCommerce

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Apr 3, 2023.

Plugin: IP Metaboxes

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Apr 12, 2023.

Plugin: IP Metaboxes

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Apr 12, 2023.

Plugin: WooCommerce Product Categories Selection Widget

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Apr 14, 2023.

Plugin: Button Generator – easily Button Builder

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugins review team was notified on Feb 8, 2023.

Plugin: HashOne

Vulnerability: Broken Access Control Vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Viral

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.8.1
Recommended Action: Update the WordPress Viral theme to the latest available version (at least 1.8.1).

Plugin: Viral News

Vulnerability: Broken Access Control
Patched Version: 1.4.6
Recommended Action: Update the WordPress Viral News theme to the latest available version (at least 1.4.6).

Plugin: Video Contest WordPress Plugin

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Video Contest WordPress Plugin

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Product Gallery Slider for WooCommerce

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.2.9
Recommended Action: Update the WordPress Product Gallery Slider for WooCommerce plugin to the latest available version (at least 2.2.9).

Plugin: Custom Twitter Feeds (Tweets Widget)

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0
Recommended Action: Update the WordPress Custom Twitter Feeds (Tweets Widget) plugin to the latest available version (at least 2.0).

Plugin: WS Form LITE

Vulnerability: CAPTCHA Bypass vulnerability
Patched Version: 1.9.118
Recommended Action: Update the WordPress WS Form LITE plugin to the latest available version (at least 1.9.118).

Plugin: Uncanny Automator

Vulnerability: Cross-Site Request Forgery via update_automator_connect vulnerability
Patched Version: 4.15
Recommended Action: Update the WordPress Uncanny Automator plugin to the latest available version (at least 4.15).

Plugin: Go Pricing

Vulnerability: WordPress Go Pricing – WordPress Responsive Pricing Tables plugin <= 3.3.19 - Authenticated (Subscriber+) PHP Object Injection vulnerability
Patched Version: 3.4
Recommended Action: Update the WordPress Go Pricing plugin to the latest available version (at least 3.4).

Plugin: MStore API

Vulnerability: Authentication Bypass vulnerability
Patched Version: 3.9.3
Recommended Action: Update the WordPress MStore API plugin to the latest available version (at least 3.9.3).

Plugin: UTM Tracker

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Download Theme

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.1.0
Recommended Action: Update the WordPress Download Theme plugin to the latest available version (at least 1.1.0).

Plugin: Download Plugin

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 2.0.5
Recommended Action: Update the WordPress Download Plugin plugin to the latest available version (at least 2.0.5).

Plugin: Flickr Justified Gallery

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP Tiles

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of March 15, 2023 and is not available for download. This closure is permanent. Reason: Author Request.

Plugin: Easy Google Maps

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.11.8
Recommended Action: Update the WordPress Easy Google Maps plugin to the latest available version (at least 1.11.8).

Plugin: WordPress Backup & Migration

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.4.1
Recommended Action: Update the WordPress WordPress Backup & Migration plugin to the latest available version (at least 1.4.1).

Plugin: Tutor LMS

Vulnerability: Multiple Broken Access Control vulnerabilities
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WooCommerce Product Vendors

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Vulnerability: Vendor Admin+ SQL Injection vulnerability
Patched Version: 2.1.77
Recommended Action: Update the WordPress WooCommerce Product Vendors plugin to the latest available version (at least 2.1.77).

Plugin: WooCommerce Follow-Up Emails

Vulnerability: Follow-Up Emails Manager+ SQL Injection vulnerability
Patched Version: 4.9.51
Recommended Action: Update the WordPress WooCommerce Follow-Up Emails plugin to the latest available version (at least 4.9.51).

Plugin: Yoast SEO: Local

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 15.0
Recommended Action: Update the WordPress Yoast SEO: Local plugin to the latest available version (at least 15.0).

Plugin: OAuth Single Sign On – SSO (OAuth Client)

Vulnerability: Broken Authentication vulnerability
Patched Version: 6.23.4
Recommended Action: Update the WordPress OAuth Single Sign On – SSO (OAuth Client) plugin to the latest available version (at least 6.23.4).

Plugin: Elementor Website Builder

Vulnerability: Broken Access Control vulnerability
Patched Version: 3.13.3
Recommended Action: Update the WordPress Elementor Website Builder plugin to the latest available version (at least 3.13.3).

Plugin: WooCommerce Shipping & Tax

Vulnerability: Stored Cross-Site Scripting vulnerability
Patched Version: 2.2.5
Recommended Action: Update the WordPress WooCommerce Shipping & Tax plugin to the latest available version (at least 2.2.5).

Plugin: Easy Admin Menu

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: SIS Handball

Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Multiple Page Generator Plugin – MPG

Vulnerability: SQL Injection vulnerability
Patched Version: 3.3.20
Recommended Action: Update the WordPress Multiple Page Generator Plugin – MPG plugin to the latest available version (at least 3.3.20).

Plugin: YouTube Playlist Player

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 4.6.5
Recommended Action: Update the WordPress YouTube Playlist Player plugin to the latest available version (at least 4.6.5).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
