Watch Out Wednesday – November 2, 2022

WoW Archive
woman with surprised expression looking through binoculars, captioned watch out wednesday

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WatchTowerHQ, Ultimate Member, All in One SEO Pro and more!

Plugin: WatchTowerHQ

Vulnerability: Arbitrary File Deletion
Vulnerability: Arbitrary File Download
Patched Version: 3.6.16
Recommended Action: Update the WordPress WatchTowerHQ plugin to the latest available version (at least 3.6.16).

Plugin: Homepage Pop-up

Vulnerability: Cross Site Request Forgery (CSRF)
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Permalink Manager Lite

Vulnerability: Other Vulnerability Type
Patched Version: 2.2.20.1
Recommended Action: Update the WordPress Permalink Manager Lite plugin to the latest available version (at least 2.2.20.1).

Theme: Soledad

Vulnerability: Other Vulnerability Type
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 8.2.6
Recommended Action: Update the WordPress soledad theme to the latest available version (at least 8.2.6).

Plugin: Content Egg

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: AFS Analytics

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: miniOrange’s Google Authenticator

Vulnerability: Other Vulnerability Type
Patched Version: 5.6.2
Recommended Action: Update the WordPress miniOrange’s Google Authenticator plugin to the latest available version (at least 5.6.2).

Plugin: Mantenimiento web

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 0.14
Recommended Action: Update the WordPress Mantenimiento web plugin to the latest available version (at least 0.14).

Plugin: WP User Frontend

Vulnerability: Broken Authentication
Patched Version: 3.5.29
Recommended Action: Update the WordPress WP User Frontend plugin to the latest available version (at least 3.5.29).

Plugin: Five Star Restaurant Reservations

Vulnerability: Other Vulnerability Type
Patched Version: 2.4.12
Recommended Action: Update the WordPress Five Star Restaurant Reservations plugin to the latest available version (at least 2.4.12).

Plugin: Booster Plus for WooCommerce

Vulnerability: Arbitrary File Download
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.6.5
Recommended Action: Update the WordPress Booster Plus for WooCommerce plugin to the latest available version (at least 5.6.5).

Plugin: Booster for WooCommerce

Vulnerability: Arbitrary File Download
Patched Version: 5.6.7
Recommended Action: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 5.6.7).

Plugin: WordPress DeepL Pro API translation

Vulnerability: Sensitive Data Exposure
Patched Version: 1.7.5
Recommended Action: Update the WordPress DeepL Pro API translation plugin to the latest available version (at least 1.7.5).

Plugin: DeepL Pro API translation

Vulnerability: Sensitive Data Exposure
Patched Version: 1.7.5
Recommended Action: Update the WordPress DeepL Pro API translation plugin to the latest available version (at least 1.7.5).

Plugin: WP-Polls

Vulnerability: Bypass Vulnerability
Patched Version: 2.76.0
Recommended Action: Update the WordPress WP-Polls plugin to the latest available version (at least 2.76.0).

Plugin: Popup Maker

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.16.11
Recommended Action: Update the WordPress Popup Maker plugin to the latest available version (at least 1.16.11).

Plugin: Subscribe to Category

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Event Management Tickets Booking

Vulnerability: SQL Injection
Patched Version: 1.2.1
Recommended Action: Update the WordPress Event Management Tickets Booking plugin to the latest available version (at least 1.2.1).

Plugin: Event Management Tickets Booking

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.2.0
Recommended Action: Update the WordPress Event Management Tickets Booking plugin to the latest available version (at least 1.2.0).

Plugin: Photo Gallery – Image Gallery by Ape

Vulnerability: Other Vulnerability Type
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: TeraWallet – For WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Appointment Hour Booking

Vulnerability: Other Vulnerability Type
Patched Version: 1.3.72
Recommended Action: Update the WordPress Appointment Hour Booking plugin to the latest available version (at least 1.3.72).

Plugin: Appointment Booking Calendar

Vulnerability: Other Vulnerability Type
Patched Version: 1.3.70
Recommended Action: Update the WordPress Appointment Booking Calendar plugin to the latest available version (at least 1.3.70).

Plugin: Advanced Coupons for WooCommerce Coupons

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.5.0.1
Recommended Action: Update the WordPress Advanced Coupons for WooCommerce Coupons plugin to the latest available version (at least 4.5.0.1).

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.1.6
Recommended Action: Update the WordPress Advanced Dynamic Pricing for WooCommerce plugin to the latest available version (at least 4.1.6).

Plugin: Custom Product Tabs for WooCommerce

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.8.0
Recommended Action: Update the WordPress Custom Product Tabs for WooCommerce plugin to the latest available version (at least 1.8.0).

Plugin: Glossary

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Forms by CaptainForm

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: My wpdb

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.5
Recommended Action: Update the WordPress My wpdb plugin to the latest available version (at least 2.5).

Plugin: Evaluate

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version available.

Plugin: Ultimate Member

Vulnerability: Directory Traversal
Vulnerability: Remote Code Execution (RCE)
Patched Version: 2.5.1
Recommended Action: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.5.1).

Plugin: Ultimate Member

Vulnerability: Remote Code Execution (RCE)
Patched Version: 2.5.1
Recommended Action: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.5.1).

Theme: Ask Me

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 6.8.7
Recommended Action: Update the WordPress Ask Me theme to the latest available version (at least 6.8.7).

Plugin: WP Bootstrap Gallery

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Slideshow SE

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of October 7, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: wpDiscuz

Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 7.5
Recommended Action: Update the WordPress wpDiscuz plugin to the latest available version (at least 7.5).

Plugin: Modula Image Gallery

Vulnerability: Other Vulnerability Type
Patched Version: 2.6.91
Recommended Action: Update the WordPress Modula Image Gallery plugin to the latest available version (at least 2.6.91).

Plugin: Booster for WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.6.7
Recommended Action: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 5.6.7).

Plugin: Spacer

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.0.7
Recommended Action: Update the WordPress Spacer plugin to the latest available version (at least 3.0.7).

Plugin: WP Best Quiz

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version available.

Plugin: Easy Digital Downloads

Vulnerability: CSV Injection
Patched Version: 3.1.0.2
Recommended Action: Update the WordPress Easy Digital Downloads plugin to the latest available version (at least 3.1.0.2).

Plugin: Creative Mail

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.6.0
Recommended Action: Update the WordPress Creative Mail plugin to the latest available version (at least 1.6.0).

Plugin: Api2Cart Bridge Connector

Vulnerability: Arbitrary File Upload
Vulnerability: SQL Injection
Patched Version: 1.2.0
Recommended Action: Update the WordPress Api2Cart Bridge Connector plugin to the latest available version (at least 1.2.0).

Plugin: All in One SEO Pro

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: 4.2.6
Recommended Action: Update the WordPress All in One SEO Pro plugin to the latest available version (at least 4.2.6).

Plugin: 3D Tag Cloud

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 22, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: BuddyForms

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Gallery with thumbnail slider

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Backup Guard

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Contact Form 7 Database Addon – CFDB7

Vulnerability: CSV Injection
Patched Version: 1.2.6.5
Recommended Action: Update the WordPress to the latest available version (at least 1.2.6.5).

Plugin: Zoho CRM Lead Magnet

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Web Stories

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: 1.25.0
Recommended Action: Update the WordPress Web Stories plugin to the latest available version (at least 1.25.0).

Plugin: Log HTTP Requests

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.3.2
Recommended Action: Update the WordPress Log HTTP Requests plugin to the latest available version (at least 1.3.2).

Theme: Bricks Builder

Vulnerability: Remote Code Execution (RCE)
Vulnerability: Other Vulnerability Type
Patched Version: 1.5.4
Recommended Action: Update the WordPress Bricks Builder theme to the latest available version (at least 1.5.4).

Plugin: Testimonials

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.7
Recommended Action: Update the WordPress Testimonials plugin to the latest available version (at least 2.7).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Related Posts

See our site in 3D!

Subscribe to our newsletter and we’ll send you a pair of FocusWP 3D glasses!

Get your glasses

Join our free, private Facebook group to network with like minded business owners and pick up tons of useful tips and resources.

Join Now

Get Focused

Jump on our email list to get weekly tips for getting the most out of your FocusWP team, including task inspo, sample ticket briefs, pricing suggestions, and even email swipe files to help you effortlessly sell to your clients.

We will also occasionally share cool tools we are obsessed with, educational resources, and useful tips to help you run a profitable digital business. 

We'll do our best to send emails at times convenient for you.
This field is for validation purposes and should be left unchanged.