This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including User Blocker, ProfileGrid, Seed Social and more!
Plugin: WPB Show Core
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. Deactivate and delete the plugin until a fixed release appears.
Plugin: Super Testimonial Pro
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.0.8
Recommended Action: Update the WordPress Super Testimonial Pro plugin to the latest available version (at least 1.0.8).
Plugin: Testimonials
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.7
Recommended Action: Update the WordPress Testimonials plugin to the latest available version (at least 2.7).
Plugin: ProfileGrid
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 5.1.1
Recommended Action: Update the WordPress ProfileGrid plugin to the latest available version (at least 5.1.1).
Plugin: OAuth Client by DigitialPixies
Vulnerability: Cross Site Scripting (XSS)
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. No patched version is available. This plugin has been closed as of October 21, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: TeraWallet – For WooCommerce
Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 1.4.4
Recommended Action: Update the WordPress TeraWallet – For WooCommerce plugin to the latest available version (at least 1.4.4).
Plugin: WPForms Pro
Vulnerability: CSV Injection
Patched Version: 1.7.7
Recommended Action: Update the WordPress WPForms Pro plugin to the latest available version (at least 1.7.7).
Plugin: Transposh WordPress Translation
Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. No patched version is available. This plugin has been closed as of February 7, 2022 and is not available for download. Reason: Security Issue.
Plugin: Add Multiple Marker
Vulnerability: Cross Site Request Forgery (CSRF)
Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available. Deactivate and delete the plugin until a fixed release appears.
Plugin: Activity Reactions For Buddypress
Vulnerability: Other Vulnerability Type
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. Deactivate and delete the plugin until a fixed release appears.
Plugin: AdRotate Banner Manager
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.9.1
Timeline: 6 July 2022, first contact with the vendor; 6 July 2022, vendor replied and vulnerability details were sent; 11 November 2022, still unpatched, vulnerability publicly disclosed; 15 November 2022, patched version released.
Recommended Action: Update the WordPress AdRotate Banner Manager plugin to the latest available version (at least 5.9.1).
Plugin: PostmagThemes Demo Import
Vulnerability: Arbitrary File Upload
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 10, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: S2W – Import Shopify to WooCommerce
Vulnerability: Local File Inclusion
Patched Version: 1.1.13
Recommended Action: Update the WordPress S2W – Import Shopify to WooCommerce plugin to the latest available version (at least 1.1.13).
Plugin: Uji Countdown
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 9, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Add Comments
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 9, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Advanced WP Columns
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 7, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Clerk
Vulnerability: Sensitive Data Exposure
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 9, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Page Builder
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 9, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: WPUpper Share Buttons
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 9, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Seed Social
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.4
Recommended Action: Update the WordPress Seed Social plugin to the latest available version (at least 2.0.4).
Plugin: WP CSV Exporter
Vulnerability: SQL Injection
Patched Version: 1.3.7
Recommended Action: Update the WordPress WP CSV Exporter plugin to the latest available version (at least 1.3.7).
Plugin: Quick Restaurant Reservations
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.5.5
Recommended Action: Update the WordPress Quick Restaurant Reservations plugin to the latest available version (at least 1.5.5).
Plugin: Multilingual CMS
Vulnerability: Cross Site Request Forgery (CSRF)
Vulnerability: Other Vulnerability Type
Patched Version: 4.5.11
Recommended Action: Update the WordPress Multilingual CMS plugin to the latest available version (at least 4.5.11).
Plugin: BP Better Messages
Vulnerability: Other Vulnerability Type
Patched Version: 1.9.10.71
Recommended Action: Update the WordPress BP Better Messages plugin to the latest available version (at least 1.9.10.71).
Plugin: Asgaros Forum
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available, and the vendor has not replied. Deactivate and delete the plugin until a fixed release appears.
Plugin: wpForo Forum
Vulnerability: Arbitrary File Upload
Patched Version: 2.1.0
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.1.0).
Plugin: User Blocker
Vulnerability: CSV Injection
Patched Version: 1.5.6
Recommended Action: Update the WordPress User Blocker plugin to the latest available version (at least 1.5.6).
Plugin: WordPress REST API Authentication
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.4.1
Recommended Action: Update the WordPress REST API Authentication plugin to the latest available version (at least 2.4.1).
Plugin: Car Rental by BestWebSoft
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. Deactivate and delete the plugin until a fixed release appears.
Plugin: Simple Video Embedder
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 8, 2022 and is not available for download. This closure is temporary, pending a full review.
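Every entry above boils down to the same check: is the installed version below the patched version, or is there no patched version at all? Doing that by hand across a fleet of sites is error-prone, and a naive string comparison gets multi-part versions like 1.9.10.71 wrong. The script below is an added example (not code from the original post or from any of the plugin vendors) that triages the JSON output of WP-CLI's `wp plugin list --format=json` against an advisory table built from this week's list. The plugin list is a constructed sample, and the plugin slugs used as keys are assumptions for illustration, not verified wordpress.org slugs.

```python
"""
Triage a WordPress site's installed plugins against a plugin-advisory list.

Added example, not code from the original post. It assumes:
  * the output of `wp plugin list --format=json` (WP-CLI), reproduced here
    as a CONSTRUCTED sample, and
  * an advisory table keyed by plugin slug; the slugs are ASSUMED for
    illustration and are not verified wordpress.org slugs.
"""
import json

# Constructed sample of what `wp plugin list --format=json` returns.
WP_PLUGIN_LIST_JSON = json.dumps([
    {"name": "woo-wallet", "status": "active", "update": "none", "version": "1.4.10"},
    {"name": "bp-better-messages", "status": "active", "update": "available", "version": "1.9.10.8"},
    {"name": "wpforo", "status": "inactive", "update": "none", "version": "2.1.0"},
    {"name": "uji-countdown", "status": "inactive", "update": "none", "version": "2.4.1"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.0.1"},
])

# Advisory data from the list above. "patched" is None when no fixed
# version exists or the plugin has been closed. Slugs are assumptions.
ADVISORIES = {
    "woo-wallet": {"name": "TeraWallet – For WooCommerce", "type": "IDOR", "patched": "1.4.4"},
    "bp-better-messages": {"name": "BP Better Messages", "type": "Other", "patched": "1.9.10.71"},
    "wpforo": {"name": "wpForo Forum", "type": "Arbitrary File Upload", "patched": "2.1.0"},
    "uji-countdown": {"name": "Uji Countdown", "type": "XSS", "patched": None},
}


def parse_version(v):
    """Split '1.9.10.71' into (1, 9, 10, 71) so components compare numerically.
    A plain string compare says '1.4.10' < '1.4.4', which is wrong."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())  # tolerate '1.0.8-beta'
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed, patched):
    """True when no fix exists or the installed version is below the fix."""
    if patched is None:
        return True
    a, b = parse_version(installed), parse_version(patched)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))  # pad so '2.7' compares equal to '2.7.0'
    b += (0,) * (n - len(b))
    return a < b


def triage(plugin_list_json, advisories):
    """Return one finding per installed plugin that matches an advisory."""
    findings = []
    for p in json.loads(plugin_list_json):
        adv = advisories.get(p["name"])
        if adv is None or not is_vulnerable(p["version"], adv["patched"]):
            continue
        if adv["patched"] is None:
            action = "deactivate and delete (no patched version)"
        else:
            action = f"update to >= {adv['patched']}"
        if p["status"] != "active":
            # An inactive plugin's PHP files are still on disk and may be
            # reachable directly, so inactive is not the same as removed.
            action += "; plugin is inactive, but its files are still on disk"
        findings.append({"slug": p["name"], "plugin": adv["name"], "type": adv["type"],
                         "installed": p["version"], "action": action})
    return findings


if __name__ == "__main__":
    for f in triage(WP_PLUGIN_LIST_JSON, ADVISORIES):
        print(f"{f['plugin']} ({f['slug']}) {f['installed']}: {f['type']} -> {f['action']}")
```

On a real site, replace the constructed sample with `wp plugin list --format=json` run from the site root, and keep the advisory table keyed by the actual plugin directory slug rather than the display name, since that is what WP-CLI reports.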
***
Check out the WoW Archive for past Watch Out Wednesday posts.