This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including ARMember, EmbedPress, SearchIQ and more!
Plugin: WP Mail Log
Vulnerability: Authenticated (Editor+) SQL Injection via id vulnerability
Patched Version: 1.1.3
Recommended Action: Update the WordPress WP Mail Log plugin to the latest available version (at least 1.1.3).
Plugin: Auto Affiliate Links
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 6.4.2.6
Recommended Action: Update the WordPress Auto Affiliate Links plugin to the latest available version (at least 6.4.2.6).
Plugin: Drop Shadow Boxes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.7.14
Recommended Action: Update the WordPress Drop Shadow Boxes plugin to the latest available version (at least 1.7.14).
Plugin: Analytify
Vulnerability: Broken Access Control vulnerability
Patched Version: 5.2.0
Recommended Action: Update the WordPress Analytify plugin to the latest available version (at least 5.2.0).
Plugin: Audio Merchant
Vulnerability: Cross-Site Request Forgery to Settings Modification and Stored Cross-Site Scripting vulnerability
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed and is no longer available for download.
Plugin: EmbedPress
Vulnerability: Reflected Cross-Site Scripting via the hash parameter vulnerability
Patched Version: 3.9.2
Recommended Action: Update the WordPress EmbedPress plugin to the latest available version (at least 3.9.2).
Plugin: eCommerce Product Catalog
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.3.27
Recommended Action: Update the WordPress eCommerce Product Catalog plugin to the latest available version (at least 3.3.27).
Plugin: Ultimate Responsive Image Slider
Vulnerability: Missing Authorization via AJAX action vulnerability
Patched Version: 3.5.12
Recommended Action: Update the WordPress Ultimate Responsive Image Slider plugin to the latest available version (at least 3.5.12).
Plugin: Conditional Fields for Contact Form 7
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: ARMember
Vulnerability: Membership Plan Bypass vulnerability
Patched Version: 4.0.11
Recommended Action: Update the WordPress ARMember plugin to the latest available version (at least 4.0.11).
Plugin: WP Meta and Date Remover
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.3.1
Recommended Action: Update the WordPress WP Meta and Date Remover plugin to the latest available version (at least 2.3.1).
Plugin: ARI Stream Quiz
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.3.0
Recommended Action: Update the WordPress ARI Stream Quiz plugin to the latest available version (at least 1.3.0).
Plugin: Quiz And Survey Master
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 8.1.14
Recommended Action: Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 8.1.14).
Plugin: Theater for WordPress
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: SearchIQ
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: DrawIt (draw.io)
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 27, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Live Preview for Contact Form 7
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 27, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Quick Call Button
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 27, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: wpMandrill
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of November 3, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Events Addon for Elementor
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.1.4
Recommended Action: Update the WordPress Events Addon for Elementor plugin to the latest available version (at least 2.1.4).
Plugin: Restaurant & Cafe Addon for Elementor
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.5.4
Recommended Action: Update the WordPress Restaurant & Cafe Addon for Elementor plugin to the latest available version (at least 1.5.4).
Plugin: WP EXtra
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 6.5
Recommended Action: Update the WordPress WP EXtra plugin to the latest available version (at least 6.5).
Plugin: Legal Pages
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.3.9
Recommended Action: Update the WordPress Legal Pages plugin to the latest available version (at least 1.3.9).
Plugin: FormCraft
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.2.8
Recommended Action: Update the WordPress FormCraft plugin to the latest available version (at least 1.2.8).
Plugin: MP3 Audio Player for Music, Radio & Podcast by Sonaar
Vulnerability: Broken Access Control vulnerability
Patched Version: 4.10.1
Recommended Action: Update the WordPress MP3 Audio Player for Music, Radio & Podcast by Sonaar plugin to the latest available version (at least 4.10.1).
Plugin: Email Encoder Bundle
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.9
Recommended Action: Update the WordPress Email Encoder Bundle plugin to the latest available version (at least 2.1.9).
Plugin: WP Like Button
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of November 3, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Easy Call Now by ThikShare
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 27, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: LWS Hide Login
Vulnerability: Secret Login Page Location Disclosure on Multisites vulnerability
Patched Version: 2.1.9
Recommended Action: Update the WordPress LWS Hide Login plugin to the latest available version (at least 2.1.9).
Plugin: Daily Prayer Time
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2023.10.21
Recommended Action: Update the WordPress Daily Prayer Time plugin to the latest available version (at least 2023.10.21).
Plugin: Charitable
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.7.0.14
Recommended Action: Update the WordPress Charitable plugin to the latest available version (at least 1.7.0.14).
Plugin: BP Profile Shortcodes Extra
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: BMI Calculator Plugin
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Better RSS Widget
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Bamboo Columns
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Anywhere Flash Embed
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 20, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Ajax Domain Checker
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 9, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Accordion
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.7
Recommended Action: Update the WordPress Accordion plugin to the latest available version (at least 2.7).
Plugin: Add Widgets to Page
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 8, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: 10WebAnalytics
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of August 2, 2023 and is not available for download. This closure is permanent. Reason: Author Request.
Plugin: Disable User Login
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Community by PeepSo
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 6.2.0.0
Recommended Action: Update the WordPress Community by PeepSo plugin to the latest available version (at least 6.2.0.0).
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Unauthenticated Local File Inclusion vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Phlox Portfolio
Vulnerability: Unauthenticated Local File Inclusion vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Phlox Shop
Vulnerability: Unauthenticated Local File Inclusion vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
***
Check out the WoW Archive for past Watch Out Wednesday posts.