This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP Event Manager, Team Members Showcase, MainWP and more!
Plugin: EasyRotator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of November 10, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Themify Ultra
Vulnerability: Multiple Broken Access Control vulnerabilities
Patched Version: None
Recommended Action: Partially patched in versions >= 7.3.6. No fully patched version is available.
Plugin: Japanized For WooCommerce
Vulnerability: Multiple Broken Access Control vulnerabilities
Patched Version: 2.6.5
Recommended Action: Update the WordPress Japanized For WooCommerce plugin to the latest available version (at least 2.6.5).
Plugin: WP Event Manager
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Product Enquiry for WooCommerce
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Shortcodes Finder
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Mini Cart Drawer For WooCommerce
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Ultimate Addons for Contact Form 7
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Flo Forms
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Podlove Web Player
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Additional Order Filters for WooCommerce
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Animator
Vulnerability: Unauthenticated Plugin Settings Change Vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Youtube SpeedLoad
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Woo Custom and Sequential Order Number
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Arigato Autoresponder and Newsletter
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.7.2.3
Recommended Action: Update the WordPress Arigato Autoresponder and Newsletter plugin to the latest available version (at least 2.7.2.3).
Plugin: WP Logo Showcase Responsive Slider and Carousel
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Popup Anything
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP Responsive Recent Post Slider/Carousel
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP Slick Slider and Image Carousel
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP Blog and Widget
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP News and Scrolling Widgets
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP responsive FAQ with category
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP Featured Content and Slider
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Featured Post Creative
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Preloader Matrix
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: MainWP
Vulnerability: Auth. (admin+) SQL Injection vulnerability
Patched Version: 4.4.3.4
Recommended Action: Update the WordPress MainWP plugin to the latest available version (at least 4.4.3.4).
Plugin: Essential Grid
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.1.1
Recommended Action: Update the WordPress Essential Grid plugin to the latest available version (at least 3.1.1).
Plugin: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
Vulnerability: Authenticated Privilege Escalation vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP User Frontend
Vulnerability: Authenticated Privilege Escalation vulnerability
Patched Version: 3.6.6
Recommended Action: Update the WordPress WP User Frontend plugin to the latest available version (at least 3.6.6).
Plugin: WooCommerce Checkout Manager
Vulnerability: Broken Access Control vulnerability
Patched Version: 7.3.1
Recommended Action: Update the WordPress WooCommerce Checkout Manager plugin to the latest available version (at least 7.3.1).
Plugin: Qi Addons For Elementor
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Qi Addons For Elementor
Vulnerability: Local File Inclusion vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Martins Free & Easy SEO Link buildings
Vulnerability: Reflected XSS vulnerability
Patched Version: 1.2.30
Recommended Action: Update the WordPress Martins Free & Easy SEO Link buildings plugin to the latest available version (at least 1.2.30).
Plugin: Brizy – Page Builder
Vulnerability: Cross-Site Scripting vulnerability
Patched Version: 2.4.30
Recommended Action: Update the WordPress Brizy – Page Builder plugin to the latest available version (at least 2.4.30).
Plugin: Product Catalog Simple
Vulnerability: Cross-Site Request Forgery via ic_system_status vulnerability
Patched Version: 1.7.6
Recommended Action: Update the WordPress Product Catalog Simple plugin to the latest available version (at least 1.7.6).
Plugin: iThemes Sync
Vulnerability: Stored Cross-Site Scripting via packages vulnerability
Patched Version: 3.0.1
Recommended Action: Update the WordPress Solid Central plugin to the latest available version (at least 3.0.1).
Plugin: Ecwid Shopping Cart
Vulnerability: Missing Authorization on multiple functions vulnerability
Patched Version: 6.12.4
Recommended Action: Update the WordPress Ecwid Shopping Cart plugin to the latest available version (at least 6.12.4).
Plugin: Job Manager & Career
Vulnerability: Directory Listing leading to Sensitive Data Exposure vulnerability
Patched Version: 1.4.4
Recommended Action: Update the WordPress Job Manager & Career plugin to the latest available version (at least 1.4.4).
Plugin: Gift Up Gift Cards for WordPress and WooCommerce
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.20.2
Recommended Action: Update the WordPress Gift Up Gift Cards for WordPress and WooCommerce plugin to the latest available version (at least 2.20.2).
Plugin: Code Snippets
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.6.0
Recommended Action: Update the WordPress Code Snippets plugin to the latest available version (at least 3.6.0).
Plugin: Restrict Content
Vulnerability: Sensitive Data Exposure via Log File vulnerability
Patched Version: 3.2.8
Recommended Action: Update the WordPress Restrict Content plugin to the latest available version (at least 3.2.8).
Plugin: Profile Builder
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.10.4
Recommended Action: Update the WordPress Profile Builder plugin to the latest available version (at least 3.10.4).
Plugin: Korea SNS
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Vertical scroll recent post
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023 and is not available for download. Reason: Security Issue.
Plugin: WP Category Post List Widget
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Post Pay Counter
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP Full Stripe Free
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023 and is not available for download. Reason: Security Issue.
Plugin: Plainview Protect Passwords
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Foyer
Vulnerability: Content Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Team Members Showcase
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WooCommerce Product Enquiry
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
***
Check out the WoW Archive for past Watch Out Wednesday posts.