This week’s Watch Out Wednesday covers the latest WordPress vulnerabilities, including WatchTowerHQ, Ultimate Member, All in One SEO Pro and more!
Plugin: WatchTowerHQ
Vulnerability: Arbitrary File Deletion
Vulnerability: Arbitrary File Download
Patched Version: 3.6.16
Recommended Action: Update the WordPress WatchTowerHQ plugin to the latest available version (at least 3.6.16).
Plugin: Homepage Pop-up
Vulnerability: Cross Site Request Forgery (CSRF)
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Permalink Manager Lite
Vulnerability: Other Vulnerability Type
Patched Version: 2.2.20.1
Recommended Action: Update the WordPress Permalink Manager Lite plugin to the latest available version (at least 2.2.20.1).
Theme: Soledad
Vulnerability: Other Vulnerability Type
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 8.2.6
Recommended Action: Update the WordPress Soledad theme to the latest available version (at least 8.2.6).
Plugin: Content Egg
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: AFS Analytics
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: miniOrange’s Google Authenticator
Vulnerability: Other Vulnerability Type
Patched Version: 5.6.2
Recommended Action: Update the WordPress miniOrange’s Google Authenticator plugin to the latest available version (at least 5.6.2).
Plugin: Mantenimiento web
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 0.14
Recommended Action: Update the WordPress Mantenimiento web plugin to the latest available version (at least 0.14).
Plugin: WP User Frontend
Vulnerability: Broken Authentication
Patched Version: 3.5.29
Recommended Action: Update the WordPress WP User Frontend plugin to the latest available version (at least 3.5.29).
Plugin: Five Star Restaurant Reservations
Vulnerability: Other Vulnerability Type
Patched Version: 2.4.12
Recommended Action: Update the WordPress Five Star Restaurant Reservations plugin to the latest available version (at least 2.4.12).
Plugin: Booster Plus for WooCommerce
Vulnerability: Arbitrary File Download
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.6.5
Recommended Action: Update the WordPress Booster Plus for WooCommerce plugin to the latest available version (at least 5.6.5).
Plugin: Booster for WooCommerce
Vulnerability: Arbitrary File Download
Patched Version: 5.6.7
Recommended Action: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 5.6.7).
Plugin: DeepL Pro API translation
Vulnerability: Sensitive Data Exposure
Patched Version: 1.7.5
Recommended Action: Update the WordPress DeepL Pro API translation plugin to the latest available version (at least 1.7.5).
Plugin: WP-Polls
Vulnerability: Bypass Vulnerability
Patched Version: 2.76.0
Recommended Action: Update the WordPress WP-Polls plugin to the latest available version (at least 2.76.0).
Plugin: Popup Maker
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.16.11
Recommended Action: Update the WordPress Popup Maker plugin to the latest available version (at least 1.16.11).
Plugin: Subscribe to Category
Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Event Management Tickets Booking
Vulnerability: SQL Injection
Patched Version: 1.2.1
Recommended Action: Update the WordPress Event Management Tickets Booking plugin to the latest available version (at least 1.2.1).
Plugin: Event Management Tickets Booking
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.2.0
Recommended Action: Update the WordPress Event Management Tickets Booking plugin to the latest available version (at least 1.2.0).
Plugin: Photo Gallery – Image Gallery by Ape
Vulnerability: Other Vulnerability Type
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: TeraWallet – For WooCommerce
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: Appointment Hour Booking
Vulnerability: Other Vulnerability Type
Patched Version: 1.3.72
Recommended Action: Update the WordPress Appointment Hour Booking plugin to the latest available version (at least 1.3.72).
Plugin: Appointment Booking Calendar
Vulnerability: Other Vulnerability Type
Patched Version: 1.3.70
Recommended Action: Update the WordPress Appointment Booking Calendar plugin to the latest available version (at least 1.3.70).
Plugin: Advanced Coupons for WooCommerce Coupons
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.5.0.1
Recommended Action: Update the WordPress Advanced Coupons for WooCommerce Coupons plugin to the latest available version (at least 4.5.0.1).
Plugin: Advanced Dynamic Pricing for WooCommerce
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.1.6
Recommended Action: Update the WordPress Advanced Dynamic Pricing for WooCommerce plugin to the latest available version (at least 4.1.6).
Plugin: Custom Product Tabs for WooCommerce
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.8.0
Recommended Action: Update the WordPress Custom Product Tabs for WooCommerce plugin to the latest available version (at least 1.8.0).
Plugin: Glossary
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Forms by CaptainForm
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: My wpdb
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.5
Recommended Action: Update the WordPress My wpdb plugin to the latest available version (at least 2.5).
Plugin: Evaluate
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: Ultimate Member
Vulnerability: Directory Traversal
Vulnerability: Remote Code Execution (RCE)
Patched Version: 2.5.1
Recommended Action: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.5.1).
Plugin: Ultimate Member
Vulnerability: Remote Code Execution (RCE)
Patched Version: 2.5.1
Recommended Action: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.5.1).
Theme: Ask Me
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 6.8.7
Recommended Action: Update the WordPress Ask Me theme to the latest available version (at least 6.8.7).
Plugin: WP Bootstrap Gallery
Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Slideshow SE
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of October 7, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: wpDiscuz
Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 7.5
Recommended Action: Update the WordPress wpDiscuz plugin to the latest available version (at least 7.5).
Plugin: Modula Image Gallery
Vulnerability: Other Vulnerability Type
Patched Version: 2.6.91
Recommended Action: Update the WordPress Modula Image Gallery plugin to the latest available version (at least 2.6.91).
Plugin: Booster for WooCommerce
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.6.7
Recommended Action: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 5.6.7).
Plugin: Spacer
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.0.7
Recommended Action: Update the WordPress Spacer plugin to the latest available version (at least 3.0.7).
Plugin: WP Best Quiz
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: Easy Digital Downloads
Vulnerability: CSV Injection
Patched Version: 3.1.0.2
Recommended Action: Update the WordPress Easy Digital Downloads plugin to the latest available version (at least 3.1.0.2).
Plugin: Creative Mail
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.6.0
Recommended Action: Update the WordPress Creative Mail plugin to the latest available version (at least 1.6.0).
Plugin: Api2Cart Bridge Connector
Vulnerability: Arbitrary File Upload
Vulnerability: SQL Injection
Patched Version: 1.2.0
Recommended Action: Update the WordPress Api2Cart Bridge Connector plugin to the latest available version (at least 1.2.0).
Plugin: All in One SEO Pro
Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: 4.2.6
Recommended Action: Update the WordPress All in One SEO Pro plugin to the latest available version (at least 4.2.6).
Plugin: 3D Tag Cloud
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 22, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: BuddyForms
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: Gallery with thumbnail slider
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: Backup Guard
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: Contact Form 7 Database Addon – CFDB7
Vulnerability: CSV Injection
Patched Version: 1.2.6.5
Recommended Action: Update the WordPress Contact Form 7 Database Addon – CFDB7 plugin to the latest available version (at least 1.2.6.5).
Plugin: Zoho CRM Lead Magnet
Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: Web Stories
Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: 1.25.0
Recommended Action: Update the WordPress Web Stories plugin to the latest available version (at least 1.25.0).
Plugin: Log HTTP Requests
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.3.2
Recommended Action: Update the WordPress Log HTTP Requests plugin to the latest available version (at least 1.3.2).
Theme: Bricks Builder
Vulnerability: Remote Code Execution (RCE)
Vulnerability: Other Vulnerability Type
Patched Version: 1.5.4
Recommended Action: Update the WordPress Bricks Builder theme to the latest available version (at least 1.5.4).
Plugin: Testimonials
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.7
Recommended Action: Update the WordPress Testimonials plugin to the latest available version (at least 2.7).
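The "update to at least version X" actions above are easy to get wrong when checked by hand or with a naive string comparison (as a string, "1.16.9" sorts after "1.16.11", and "3.1.0.10" sorts before "3.1.0.2"). The script below is an added example, not part of the original post or any vendor's tooling: it reads the JSON that WP-CLI prints for `wp plugin list --format=json` (fields name, status, update, version), compares each installed version numerically against a subset of the minimum patched versions from this roundup, and flags anything below the fix, or anything with no fix at all. The sample JSON is constructed, and the slug-to-advisory mapping is an assumption, since the roundup lists display names rather than wordpress.org slugs.

```python
"""Flag installed WordPress plugins that fall below the patched versions in this roundup.

Added example, not part of the original post. Input is the JSON produced by
`wp plugin list --format=json` (fields: name, status, update, version); the
sample below is constructed, and the slug-to-advisory mapping is an assumption
(the roundup lists display names, not wordpress.org slugs).
"""
import json
import re

# Minimum patched versions taken from the roundup; None means no fix was
# available at publication (the only safe action is to deactivate and delete).
# The slugs are assumed mappings from the display names in the list.
ADVISORIES = {
    "ultimate-member": ("2.5.1", "Directory Traversal / RCE"),
    "wp-user-frontend": ("3.5.29", "Broken Authentication"),
    "wp-polls": ("2.76.0", "Bypass Vulnerability"),
    "popup-maker": ("1.16.11", "XSS"),
    "easy-digital-downloads": ("3.1.0.2", "CSV Injection"),
    "slideshow-se": (None, "XSS (plugin closed)"),
    "3d-tag-cloud": (None, "CSRF (plugin closed)"),
}


def parse_version(v):
    """Turn '3.6.16' into (3, 6, 16). Numeric compare, not string compare:
    '3.6.9' < '3.6.16' as versions even though '3.6.9' > '3.6.16' as strings.
    Non-numeric pieces such as 'beta' count as 0."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(installed, patched):
    """True if installed < patched, padding shorter tuples with zeros so
    '2.5' compares equal to '2.5.0'."""
    a, b = parse_version(installed), parse_version(patched)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def audit(wp_plugin_list_json, advisories=ADVISORIES):
    """Return a list of (slug, installed, patched, vuln, action) for every plugin
    in the `wp plugin list --format=json` output that is affected."""
    findings = []
    for p in json.loads(wp_plugin_list_json):
        slug = p["name"]
        if slug not in advisories:
            continue
        patched, vuln = advisories[slug]
        installed = p["version"]
        if patched is None:
            action = "deactivate and delete (no patched version)"
        elif version_lt(installed, patched):
            action = f"update to at least {patched}"
        else:
            continue  # already at or above the patched version
        # An inactive plugin's PHP files are still on disk and still reachable;
        # deactivation alone is not a fix.
        if p.get("status") == "inactive" and patched is not None:
            action += " (inactive: still on disk, update or delete)"
        findings.append((slug, installed, patched, vuln, action))
    return findings


# Constructed sample of `wp plugin list --format=json` output.
SAMPLE = json.dumps([
    {"name": "ultimate-member", "status": "active", "update": "available", "version": "2.5.0"},
    {"name": "wp-user-frontend", "status": "active", "update": "none", "version": "3.5.29"},
    {"name": "wp-polls", "status": "inactive", "update": "available", "version": "2.75.6"},
    {"name": "popup-maker", "status": "active", "update": "none", "version": "1.16.9"},
    {"name": "easy-digital-downloads", "status": "active", "update": "none", "version": "3.1.0.10"},
    {"name": "slideshow-se", "status": "active", "update": "none", "version": "2.1.5"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.0"},
])

if __name__ == "__main__":
    for slug, installed, patched, vuln, action in audit(SAMPLE):
        print(f"{slug}: {installed} installed, {vuln}: {action}")
```

On a real site, pipe `wp plugin list --format=json` into `audit()` instead of the constructed sample. Note that the sample deliberately includes the two traps a string comparison falls into: popup-maker 1.16.9 is correctly flagged as older than 1.16.11, and easy-digital-downloads 3.1.0.10 is correctly left alone as newer than 3.1.0.2.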
***
Check out the WoW Archive for past Watch Out Wednesday posts.