Watch Out Wednesday – November 2, 2022

by | Nov 1, 2022 | WoW Archive

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WatchTowerHQ, Ultimate Member, All in One SEO Pro and more!

Plugin: WatchTowerHQ

Vulnerability: Arbitrary File Deletion
Vulnerability: Arbitrary File Download
Patched Version: 3.6.16
Recommended Action: Update the WordPress WatchTowerHQ plugin to the latest available version (at least 3.6.16).

Plugin: Homepage Pop-up

Vulnerability: Cross Site Request Forgery (CSRF)
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Permalink Manager Lite

Vulnerability: Other Vulnerability Type
Patched Version: 2.2.20.1
Recommended Action: Update the WordPress Permalink Manager Lite plugin to the latest available version (at least 2.2.20.1).

Theme: Soledad

Vulnerability: Other Vulnerability Type
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 8.2.6
Recommended Action: Update the WordPress Soledad theme to the latest available version (at least 8.2.6).

Plugin: Content Egg

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: AFS Analytics

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: miniOrange’s Google Authenticator

Vulnerability: Other Vulnerability Type
Patched Version: 5.6.2
Recommended Action: Update the WordPress miniOrange’s Google Authenticator plugin to the latest available version (at least 5.6.2).

Plugin: Mantenimiento web

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 0.14
Recommended Action: Update the WordPress Mantenimiento web plugin to the latest available version (at least 0.14).

Plugin: WP User Frontend

Vulnerability: Broken Authentication
Patched Version: 3.5.29
Recommended Action: Update the WordPress WP User Frontend plugin to the latest available version (at least 3.5.29).

Plugin: Five Star Restaurant Reservations

Vulnerability: Other Vulnerability Type
Patched Version: 2.4.12
Recommended Action: Update the WordPress Five Star Restaurant Reservations plugin to the latest available version (at least 2.4.12).

Plugin: Booster Plus for WooCommerce

Vulnerability: Arbitrary File Download
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.6.5
Recommended Action: Update the WordPress Booster Plus for WooCommerce plugin to the latest available version (at least 5.6.5).

Plugin: Booster for WooCommerce

Vulnerability: Arbitrary File Download
Patched Version: 5.6.7
Recommended Action: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 5.6.7).

Plugin: WordPress DeepL Pro API translation

Vulnerability: Sensitive Data Exposure
Patched Version: 1.7.5
Recommended Action: Update the WordPress DeepL Pro API translation plugin to the latest available version (at least 1.7.5).

Plugin: DeepL Pro API translation

Vulnerability: Sensitive Data Exposure
Patched Version: 1.7.5
Recommended Action: Update the WordPress DeepL Pro API translation plugin to the latest available version (at least 1.7.5).

Plugin: WP-Polls

Vulnerability: Bypass Vulnerability
Patched Version: 2.76.0
Recommended Action: Update the WordPress WP-Polls plugin to the latest available version (at least 2.76.0).

Plugin: Popup Maker

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.16.11
Recommended Action: Update the WordPress Popup Maker plugin to the latest available version (at least 1.16.11).

Plugin: Subscribe to Category

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Event Management Tickets Booking

Vulnerability: SQL Injection
Patched Version: 1.2.1
Recommended Action: Update the WordPress Event Management Tickets Booking plugin to the latest available version (at least 1.2.1).

Plugin: Event Management Tickets Booking

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.2.0
Recommended Action: Update the WordPress Event Management Tickets Booking plugin to the latest available version (at least 1.2.0).

Plugin: Photo Gallery – Image Gallery by Ape

Vulnerability: Other Vulnerability Type
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: TeraWallet – For WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Appointment Hour Booking

Vulnerability: Other Vulnerability Type
Patched Version: 1.3.72
Recommended Action: Update the WordPress Appointment Hour Booking plugin to the latest available version (at least 1.3.72).

Plugin: Appointment Booking Calendar

Vulnerability: Other Vulnerability Type
Patched Version: 1.3.70
Recommended Action: Update the WordPress Appointment Booking Calendar plugin to the latest available version (at least 1.3.70).

Plugin: Advanced Coupons for WooCommerce Coupons

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.5.0.1
Recommended Action: Update the WordPress Advanced Coupons for WooCommerce Coupons plugin to the latest available version (at least 4.5.0.1).

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.1.6
Recommended Action: Update the WordPress Advanced Dynamic Pricing for WooCommerce plugin to the latest available version (at least 4.1.6).

Plugin: Custom Product Tabs for WooCommerce

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.8.0
Recommended Action: Update the WordPress Custom Product Tabs for WooCommerce plugin to the latest available version (at least 1.8.0).

Plugin: Glossary

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Forms by CaptainForm

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: My wpdb

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.5
Recommended Action: Update the WordPress My wpdb plugin to the latest available version (at least 2.5).

Plugin: Evaluate

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Ultimate Member

Vulnerability: Directory Traversal
Vulnerability: Remote Code Execution (RCE)
Patched Version: 2.5.1
Recommended Action: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.5.1).

Plugin: Ultimate Member

Vulnerability: Remote Code Execution (RCE)
Patched Version: 2.5.1
Recommended Action: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.5.1).

Theme: Ask Me

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 6.8.7
Recommended Action: Update the WordPress Ask Me theme to the latest available version (at least 6.8.7).

Plugin: WP Bootstrap Gallery

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Slideshow SE

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of October 7, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: wpDiscuz

Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 7.5
Recommended Action: Update the WordPress wpDiscuz plugin to the latest available version (at least 7.5).

Plugin: Modula Image Gallery

Vulnerability: Other Vulnerability Type
Patched Version: 2.6.91
Recommended Action: Update the WordPress Modula Image Gallery plugin to the latest available version (at least 2.6.91).

Plugin: Booster for WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.6.7
Recommended Action: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 5.6.7).

Plugin: Spacer

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.0.7
Recommended Action: Update the WordPress Spacer plugin to the latest available version (at least 3.0.7).

Plugin: WP Best Quiz

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Easy Digital Downloads

Vulnerability: CSV Injection
Patched Version: 3.1.0.2
Recommended Action: Update the WordPress Easy Digital Downloads plugin to the latest available version (at least 3.1.0.2).

Plugin: Creative Mail

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.6.0
Recommended Action: Update the WordPress Creative Mail plugin to the latest available version (at least 1.6.0).

Plugin: Api2Cart Bridge Connector

Vulnerability: Arbitrary File Upload
Vulnerability: SQL Injection
Patched Version: 1.2.0
Recommended Action: Update the WordPress Api2Cart Bridge Connector plugin to the latest available version (at least 1.2.0).

Plugin: All in One SEO Pro

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: 4.2.6
Recommended Action: Update the WordPress All in One SEO Pro plugin to the latest available version (at least 4.2.6).

Plugin: 3D Tag Cloud

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 22, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: BuddyForms

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Gallery with thumbnail slider

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Backup Guard

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Contact Form 7 Database Addon – CFDB7

Vulnerability: CSV Injection
Patched Version: 1.2.6.5
Recommended Action: Update the WordPress Contact Form 7 Database Addon – CFDB7 plugin to the latest available version (at least 1.2.6.5).

Plugin: Zoho CRM Lead Magnet

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Web Stories

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: 1.25.0
Recommended Action: Update the WordPress Web Stories plugin to the latest available version (at least 1.25.0).

Plugin: Log HTTP Requests

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.3.2
Recommended Action: Update the WordPress Log HTTP Requests plugin to the latest available version (at least 1.3.2).

Theme: Bricks Builder

Vulnerability: Remote Code Execution (RCE)
Vulnerability: Other Vulnerability Type
Patched Version: 1.5.4
Recommended Action: Update the WordPress Bricks Builder theme to the latest available version (at least 1.5.4).

Plugin: Testimonials

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.7
Recommended Action: Update the WordPress Testimonials plugin to the latest available version (at least 2.7).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!