This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP Event Manager, Team Members Showcase, MainWP and more!

Plugin: EasyRotator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of November 10, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Themify Ultra

Vulnerability: Multiple Broken Access Control vulnerability
Patched Version: None
Recommended Action: Partially patched in versions >= 7.3.6. No fully patched version is available.

Plugin: Japanized For WooCommerce

Vulnerability: Multiple Broken Access Control vulnerability
Patched Version: 2.6.5
Recommended Action: Update the WordPress Japanized For WooCommerce plugin to the latest available version (at least 2.6.5).

Plugin: WP Event Manager

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Product Enquiry for WooCommerce

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Shortcodes Finder

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Mini Cart Drawer For WooCommerce

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Flo Forms

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Podlove Web Player

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Additional Order Filters for WooCommerce

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Animator

Vulnerability: Unauthenticated Plugin Settings Change Vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Youtube SpeedLoad

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Woo Custom and Sequential Order Number

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.7.2.3
Recommended Action: Update the WordPress Arigato Autoresponder and Newsletter plugin to the latest available version (at least 2.7.2.3).

Plugin: WP Logo Showcase Responsive Slider and Carousel

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Popup Anything

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Responsive Recent Post Slider/Carousel

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Slick Slider and Image Carousel

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Blog and Widget

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP News and Scrolling Widgets

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP responsive FAQ with category

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Featured Content and Slider

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Featured Post Creative

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Preloader Matrix

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: MainWP

Vulnerability: Auth. (admin+) SQL Injection vulnerability
Patched Version: 4.4.3.4
Recommended Action: Update the WordPress MainWP plugin to the latest available version (at least 4.4.3.4).

Plugin: Essential Grid

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.1.1
Recommended Action: Update the WordPress Essential Grid plugin to the latest available version (at least 3.1.1).

Plugin: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Authenticated Privilege Escalation vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP User Frontend

Vulnerability: Authenticated Privilege Escalation vulnerability
Patched Version: 3.6.6
Recommended Action: Update the WordPress WP User Frontend plugin to the latest available version (at least 3.6.6).

Plugin: WooCommerce Checkout Manager

Vulnerability: Broken Access Control vulnerability
Patched Version: 7.3.1
Recommended Action: Update the WordPress WooCommerce Checkout Manager plugin to the latest available version (at least 7.3.1).

Plugin: Qi Addons For Elementor

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Qi Addons For Elementor

Vulnerability: Local File Inclusion vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Martins Free & Easy SEO Link buildings

Vulnerability: Reflected XSS vulnerability
Patched Version: 1.2.30
Recommended Action: Update the WordPress Martins Free & Easy SEO Link buildings plugin to the latest available version (at least 1.2.30).

Plugin: Brizy – Page Builder

Vulnerability: Cross-Site Scripting vulnerability
Patched Version: 2.4.30
Recommended Action: Update the WordPress Brizy – Page Builder plugin to the latest available version (at least 2.4.30).

Plugin: Product Catalog Simple

Vulnerability: Cross-Site Request Forgery via ic_system_status vulnerability
Patched Version: 1.7.6
Recommended Action: Update the WordPress Product Catalog Simple plugin to the latest available version (at least 1.7.6).

Plugin: iThemes Sync

Vulnerability: Stored Cross-Site Scripting via packages vulnerability
Patched Version: 3.0.1
Recommended Action: Update the WordPress Solid Central plugin to the latest available version (at least 3.0.1).

Plugin: Ecwid Shopping Cart

Vulnerability: Missing Authorization on multiple functions vulnerability
Patched Version: 6.12.4
Recommended Action: Update the WordPress Ecwid Shopping Cart plugin to the latest available version (at least 6.12.4).

Plugin: Job Manager & Career

Vulnerability: Directory listing to Sensitive Data Exposure vulnerability
Patched Version: 1.4.4
Recommended Action: Update the WordPress Job Manager & Career plugin to the latest available version (at least 1.4.4).

Plugin: Gift Up Gift Cards for WordPress and WooCommerce

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.20.2
Recommended Action: Update the WordPress Gift Up Gift Cards for WordPress and WooCommerce plugin to the latest available version (at least 2.20.2).

Plugin: Code Snippets

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.6.0
Recommended Action: Update the WordPress Code Snippets plugin to the latest available version (at least 3.6.0).

Plugin: Restrict Content

Vulnerability: Sensitive Data Exposure via Log File vulnerability
Patched Version: 3.2.8
Recommended Action: Update the WordPress Restrict Content plugin to the latest available version (at least 3.2.8).

Plugin: Profile Builder

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.10.4
Recommended Action: Update the WordPress Profile Builder plugin to the latest available version (at least 3.10.4).

Plugin: Korea SNS

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Vertical scroll recent post

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023 and is not available for download. Reason: Security Issue.

Plugin: WP Category Post List Widget

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Post Pay Counter

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Full Stripe Free

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023 and is not available for download. Reason: Security Issue.

Plugin: Plainview Protect Passwords

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Foyer

Vulnerability: Content Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Team Members Showcase

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WooCommerce Product Enquiry

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

***
Check out the WoW Archive for past Watch Out Wednesday posts.