Watch Out Wednesday – November 16, 2022

by | Nov 15, 2022 | WoW Archive


This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including User Blocker, ProfileGrid, Seed Social and more!

Plugin: WPB Show Core

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Super Testimonial Pro

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.0.8
Recommended Action: Update the WordPress Super Testimonial Pro plugin to the latest available version (at least 1.0.8).

Plugin: Testimonials

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.7
Recommended Action: Update the WordPress Testimonials plugin to the latest available version (at least 2.7).

Plugin: ProfileGrid

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 5.1.1
Recommended Action: Update the WordPress ProfileGrid plugin to the latest available version (at least 5.1.1).

Plugin: OAuth Client by DigitalPixies

Vulnerability: Cross Site Scripting (XSS)
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: TeraWallet – For WooCommerce

Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 1.4.4
Recommended Action: Update the WordPress TeraWallet – For WooCommerce plugin to the latest available version (at least 1.4.4).

Plugin: WPForms Pro

Vulnerability: CSV Injection
Patched Version: 1.7.7
Recommended Action: Update the WordPress WPForms Pro plugin to the latest available version (at least 1.7.7).

Plugin: Transposh WordPress Translation

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available. This plugin has been closed as of February 7, 2022 and is not available for download. Reason: Security Issue.

Plugin: Add Multiple Marker

Vulnerability: Cross Site Request Forgery (CSRF)
Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Activity Reactions For Buddypress

Vulnerability: Other Vulnerability Type
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: AdRotate Banner Manager

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.9.1
Recommended Action: Update the WordPress AdRotate Banner Manager plugin to the latest available version (at least 5.9.1).
Timeline: 6 July 2022 – first contact with the vendor; 6 July 2022 – vendor replied, and vulnerability details were sent; 11 November 2022 – still unpatched, vulnerability publicly disclosed; 15 November 2022 – the patched version was released.

Plugin: PostmagThemes Demo Import

Vulnerability: Arbitrary File Upload
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 10, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: S2W – Import Shopify to WooCommerce

Vulnerability: Local File Inclusion
Patched Version: 1.1.13
Recommended Action: Update the WordPress S2W – Import Shopify to WooCommerce plugin to the latest available version (at least 1.1.13).

Plugin: Uji Countdown

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 9, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Add Comments

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 9, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Advanced WP Columns

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 7, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Clerk

Vulnerability: Sensitive Data Exposure
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 9, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Page Builder

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 9, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WPUpper Share Buttons

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 9, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Seed Social

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.4
Recommended Action: Update the WordPress Seed Social plugin to the latest available version (at least 2.0.4).

Plugin: WP CSV Exporter

Vulnerability: SQL Injection
Patched Version: 1.3.7
Recommended Action: Update the WordPress WP CSV Exporter plugin to the latest available version (at least 1.3.7).

Plugin: Quick Restaurant Reservations

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.5.5
Recommended Action: Update the WordPress Quick Restaurant Reservations plugin to the latest available version (at least 1.5.5).

Plugin: Multilingual CMS

Vulnerability: Cross Site Request Forgery (CSRF)
Vulnerability: Other Vulnerability Type
Patched Version: 4.5.11
Recommended Action: Update the WordPress Multilingual CMS plugin to the latest available version (at least 4.5.11).

Plugin: BP Better Messages

Vulnerability: Other Vulnerability Type
Patched Version: 1.9.10.71
Recommended Action: Update the WordPress BP Better Messages plugin to the latest available version (at least 1.9.10.71).

Plugin: Asgaros Forum

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: wpForo Forum

Vulnerability: Arbitrary File Upload
Patched Version: 2.1.0
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.1.0).

Plugin: User Blocker

Vulnerability: CSV Injection
Patched Version: 1.5.6
Recommended Action: Update the WordPress User Blocker plugin to the latest available version (at least 1.5.6).

Plugin: WordPress REST API Authentication

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.4.1
Recommended Action: Update the WordPress REST API Authentication plugin to the latest available version (at least 2.4.1).

Plugin: Car Rental by BestWebSoft

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Simple Video Embedder

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 8, 2022 and is not available for download. This closure is temporary, pending a full review.

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
