Watch Out Wednesday – November 14, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP Event Manager, Team Members Showcase, MainWP and more!

Plugin: EasyRotator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of November 10, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Themify Ultra

Vulnerability: Multiple Broken Access Control vulnerabilities
Patched Version: None
Recommended Action: Update to at least 7.3.6, which partially patches the issues. No fully patched version is available.

Plugin: Japanized For WooCommerce

Vulnerability: Multiple Broken Access Control vulnerabilities
Patched Version: 2.6.5
Recommended Action: Update the WordPress Japanized For WooCommerce plugin to the latest available version (at least 2.6.5).

Plugin: WP Event Manager

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Product Enquiry for WooCommerce

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Shortcodes Finder

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Mini Cart Drawer For WooCommerce

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Flo Forms

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Podlove Web Player

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Additional Order Filters for WooCommerce

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Animator

Vulnerability: Unauthenticated Plugin Settings Change Vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Youtube SpeedLoad

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Woo Custom and Sequential Order Number

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.7.2.3
Recommended Action: Update the WordPress Arigato Autoresponder and Newsletter plugin to the latest available version (at least 2.7.2.3).

Plugin: WP Logo Showcase Responsive Slider and Carousel

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Popup Anything

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Responsive Recent Post Slider/Carousel

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Slick Slider and Image Carousel

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Blog and Widget

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP News and Scrolling Widgets

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP responsive FAQ with category

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Featured Content and Slider

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Featured Post Creative

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Preloader Matrix

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: MainWP

Vulnerability: Authenticated (admin+) SQL Injection vulnerability
Patched Version: 4.4.3.4
Recommended Action: Update the WordPress MainWP plugin to the latest available version (at least 4.4.3.4).

Plugin: Essential Grid

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 3.1.1
Recommended Action: Update the WordPress Essential Grid plugin to the latest available version (at least 3.1.1).

Plugin: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Authenticated Privilege Escalation vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP User Frontend

Vulnerability: Authenticated Privilege Escalation vulnerability
Patched Version: 3.6.6
Recommended Action: Update the WordPress WP User Frontend plugin to the latest available version (at least 3.6.6).

Plugin: WooCommerce Checkout Manager

Vulnerability: Broken Access Control vulnerability
Patched Version: 7.3.1
Recommended Action: Update the WordPress WooCommerce Checkout Manager plugin to the latest available version (at least 7.3.1).

Plugin: Qi Addons For Elementor

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Qi Addons For Elementor

Vulnerability: Local File Inclusion vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Martins Free & Easy SEO Link buildings

Vulnerability: Reflected XSS vulnerability
Patched Version: 1.2.30
Recommended Action: Update the WordPress Martins Free & Easy SEO Link buildings plugin to the latest available version (at least 1.2.30).

Plugin: Brizy – Page Builder

Vulnerability: Cross-Site Scripting vulnerability
Patched Version: 2.4.30
Recommended Action: Update the WordPress Brizy – Page Builder plugin to the latest available version (at least 2.4.30).

Plugin: Product Catalog Simple

Vulnerability: Cross-Site Request Forgery via ic_system_status vulnerability
Patched Version: 1.7.6
Recommended Action: Update the WordPress Product Catalog Simple plugin to the latest available version (at least 1.7.6).

Plugin: iThemes Sync (now Solid Central)

Vulnerability: Stored Cross-Site Scripting via packages vulnerability
Patched Version: 3.0.1
Recommended Action: Update the WordPress iThemes Sync / Solid Central plugin to the latest available version (at least 3.0.1).

Plugin: Ecwid Shopping Cart

Vulnerability: Missing Authorization on multiple functions vulnerability
Patched Version: 6.12.4
Recommended Action: Update the WordPress Ecwid Shopping Cart plugin to the latest available version (at least 6.12.4).

Plugin: Job Manager & Career

Vulnerability: Directory Listing leading to Sensitive Data Exposure vulnerability
Patched Version: 1.4.4
Recommended Action: Update the WordPress Job Manager & Career plugin to the latest available version (at least 1.4.4).

Plugin: Gift Up Gift Cards for WordPress and WooCommerce

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.20.2
Recommended Action: Update the WordPress Gift Up Gift Cards for WordPress and WooCommerce plugin to the latest available version (at least 2.20.2).

Plugin: Code Snippets

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.6.0
Recommended Action: Update the WordPress Code Snippets plugin to the latest available version (at least 3.6.0).

Plugin: Restrict Content

Vulnerability: Sensitive Data Exposure via Log File vulnerability
Patched Version: 3.2.8
Recommended Action: Update the WordPress Restrict Content plugin to the latest available version (at least 3.2.8).

Plugin: Profile Builder

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.10.4
Recommended Action: Update the WordPress Profile Builder plugin to the latest available version (at least 3.10.4).

Plugin: Korea SNS

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Vertical scroll recent post

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023 and is not available for download. Reason: Security Issue.

Plugin: WP Category Post List Widget

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Post Pay Counter

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Full Stripe Free

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023 and is not available for download. Reason: Security Issue.

Plugin: Plainview Protect Passwords

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Foyer

Vulnerability: Content Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Team Members Showcase

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WooCommerce Product Enquiry

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
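Every recommended action above comes down to one of two operations: update to the listed patched version, or deactivate and delete where no fix exists. Applying that across many sites means comparing what is actually installed against this list. The script below is an added example, not code from the original post or from FocusWP: it takes the JSON that `wp plugin list --fields=name,status,version --format=json` prints on a site, looks up each plugin in a table built from this post's patched versions, and reports anything still exposed. The wp-cli slugs used as table keys and the sample plugin inventory are assumptions constructed for the demonstration, so confirm the slugs against your own `wp plugin list --fields=name,title` output before relying on them.

```python
import json
import re

# Patched version as listed in this post (None where the post lists no fix).
# The wp-cli slugs used as keys are assumptions, not taken from the post;
# confirm them against `wp plugin list --fields=name,title` on the site.
ADVISORIES = {
    "mainwp": ("MainWP", "4.4.3.4"),
    "wp-user-frontend": ("WP User Frontend", "3.6.6"),
    "code-snippets": ("Code Snippets", "3.6.0"),
    "profile-builder": ("Profile Builder", "3.10.4"),
    "restrict-content": ("Restrict Content", "3.2.8"),
    "ecwid-shopping-cart": ("Ecwid Shopping Cart", "6.12.4"),
    "wp-event-manager": ("WP Event Manager", None),
    "easyrotator-for-wordpress": ("EasyRotator", None),
}


def version_key(version):
    """Dotted version string -> tuple of ints with trailing zeros dropped,
    so that '3.6' and '3.6.0' compare equal and '4.4.3.4' > '4.4.3'."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_patched(installed, patched):
    """True only when a fix exists and the installed version is at least it."""
    if patched is None:
        return False
    return version_key(installed) >= version_key(patched)


def check_site(wp_cli_json):
    """Return (slug, installed_version, status, action) for every installed
    plugin that appears in ADVISORIES and is not at a patched version.
    Inactive plugins are reported too: a deactivated plugin's files stay on
    disk and some of them can still be requested directly."""
    findings = []
    for plugin in json.loads(wp_cli_json):
        slug = plugin["name"]
        if slug not in ADVISORIES:
            continue
        title, patched = ADVISORIES[slug]
        installed = plugin["version"]
        if is_patched(installed, patched):
            continue
        if patched is None:
            action = f"{title}: no patched version, deactivate and delete"
        else:
            action = f"{title}: update to at least {patched}"
        findings.append((slug, installed, plugin["status"], action))
    return findings


# Constructed sample of `wp plugin list --fields=name,status,version --format=json`
# output; the plugin versions here are made up for the demonstration.
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "akismet", "status": "active", "version": "5.3"},
    {"name": "mainwp", "status": "active", "version": "4.4.3.3"},
    {"name": "code-snippets", "status": "active", "version": "3.6"},
    {"name": "profile-builder", "status": "active", "version": "3.10.4"},
    {"name": "wp-event-manager", "status": "inactive", "version": "3.1.38"},
])


if __name__ == "__main__":
    for slug, installed, status, action in check_site(SAMPLE_WP_CLI_OUTPUT):
        print(f"{slug} {installed} ({status}): {action}")
```

On a real site, pipe the wp-cli output straight in (`wp plugin list --fields=name,status,version --format=json | python3 check.py` after swapping the sample for `sys.stdin.read()`). The version comparison deliberately treats `3.6` and `3.6.0` as equal so a plugin that reports its version without a trailing `.0` is not flagged as unpatched by mistake.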

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
