Watch Out Wednesday – November 23, 2022

by | Nov 22, 2022 | WoW Archive


This week's Watch Out Wednesday lists the latest WordPress plugin and theme vulnerabilities, including All In One WP Security & Firewall, Betheme, ProfileGrid and more!

Plugin: YITH WooCommerce Gift Cards Premium

Vulnerability: Arbitrary File Upload
Patched Version: 3.20.0
Recommended Action: Update the WordPress YITH WooCommerce Gift Cards Premium plugin to the latest available version (at least 3.20.0).

Plugin: All In One WP Security & Firewall

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.1.1
Recommended Action: Update the WordPress All In One WP Security & Firewall plugin to the latest available version (at least 5.1.1).

Plugin: Responsive Lightbox2

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.0.4
Recommended Action: Update the WordPress Responsive Lightbox2 plugin to the latest available version (at least 1.0.4).

Plugin: WP Stripe Checkout

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2.2.21
Recommended Action: Update the WordPress WP Stripe Checkout plugin to the latest available version (at least 1.2.2.21).

Plugin: Videojs HTML5 Player

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.1.9
Recommended Action: Update the WordPress Videojs HTML5 Player plugin to the latest available version (at least 1.1.9).

Plugin: Flowplayer Video Player

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.0.5
Recommended Action: Update the WordPress Flowplayer Video Player plugin to the latest available version (at least 1.0.5).

Plugin: Checkout for PayPal

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.0.14
Recommended Action: Update the WordPress Checkout for PayPal plugin to the latest available version (at least 1.0.14).

Plugin: Easy Video Player

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2.2.3
Recommended Action: Update the WordPress Easy Video Player plugin to the latest available version (at least 1.2.2.3).

Plugin: SMSA Shipping for WooCommerce

Vulnerability: Arbitrary File Download
Patched Version: 1.0.5
Recommended Action: Update the WordPress SMSA Shipping for WooCommerce plugin to the latest available version (at least 1.0.5).

Theme: Betheme

Vulnerability: PHP Object Injection
Vulnerability: Other Vulnerability Type
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Update the WordPress Betheme theme to the latest available version (at least 26.6).

Plugin: Car Dealer

Vulnerability: Other Vulnerability Type
Patched Version: 3.05
Recommended Action: Update the WordPress Car Dealer plugin to the latest available version (at least 3.05).

Plugin: Anti Hacker

Vulnerability: Other Vulnerability Type
Patched Version: 4.20
Recommended Action: Update the WordPress Anti Hacker plugin to the latest available version (at least 4.20).

Plugin: WP memory

Vulnerability: Other Vulnerability Type
Patched Version: 2.46
Recommended Action: Update the WordPress WP memory plugin to the latest available version (at least 2.46).

Plugin: StopBadBots

Vulnerability: Other Vulnerability Type
Patched Version: 7.24
Recommended Action: Update the WordPress StopBadBots plugin to the latest available version (at least 7.24).

Plugin: WP Tools

Vulnerability: Other Vulnerability Type
Patched Version: 3.43
Recommended Action: Update the WordPress WP Tools plugin to the latest available version (at least 3.43).

Plugin: Plugin for Google Reviews

Vulnerability: Other Vulnerability Type
Patched Version: 2.2.3
Recommended Action: Update the WordPress Plugin for Google Reviews plugin to the latest available version (at least 2.2.3).

Plugin: iFeature Slider

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the author.

Plugin: WooSwipe WooCommerce Gallery

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: ULTIMATE TABLES

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: ProfileGrid

Vulnerability: CSV Injection
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Anthologize

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 0.8.1
Recommended Action: Update the WordPress Anthologize plugin to the latest available version (at least 0.8.1).

Plugin: Ezoic

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.8.9
Recommended Action: Update the WordPress Ezoic plugin to the latest available version (at least 2.8.9).

Plugin: wpForo Forum

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.1.0
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.1.0).

Plugin: Chameleon

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.4.4
Recommended Action: Update the WordPress Chameleon plugin to the latest available version (at least 1.4.4).

Plugin: News Announcement Scroll

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 9.0.0
Recommended Action: Update the WordPress News Announcement Scroll plugin to the latest available version (at least 9.0.0).

Plugin: Crowdsignal Dashboard – Polls, Surveys & more

Vulnerability: Privilege Escalation
Patched Version: 3.0.10
Recommended Action: Update the WordPress Crowdsignal Dashboard (formerly Polldaddy Polls & Ratings) plugin to the latest available version (at least 3.0.10).

Plugin: DPD Baltic Shipping

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2.11
Recommended Action: Update the WordPress DPD Baltic Shipping plugin to the latest available version (at least 1.2.11).

Plugin: BeCustom

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.0.5.3
Recommended Action: Update the WordPress BeCustom plugin to the latest available version (at least 1.0.5.3).
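Applying the recommended actions above one plugin at a time is error-prone on a site with dozens of plugins, and comparing version strings by eye is a classic trap (1.2.2.3 looks newer than 1.2.2.21 when sorted as text). The following is an added example, not code from the original post or from FocusWP: it takes the JSON that `wp plugin list --fields=name,title,version,status --format=json` prints, compares each installed version against the minimum patched versions listed in this week's entries using integer-wise comparison (the same semantics as PHP's version_compare, which WordPress itself uses for update checks), and flags anything below the patched version or anything for which no patch exists. The matching on plugin title, the plugin slugs and the versions in the embedded sample are constructed for illustration and assumed, not taken from any real site.

```python
"""Check installed WordPress plugins against this week's minimum patched versions.

Assumed invocation on a real site:
    wp plugin list --fields=name,title,version,status --format=json | python3 wow_check.py
"""
import json
import re
import sys

# Minimum patched versions from the entries above. None = no fix available at
# the time of writing, so every installed version is flagged.
PATCHED = {
    "YITH WooCommerce Gift Cards Premium": "3.20.0", "All In One WP Security & Firewall": "5.1.1",
    "Responsive Lightbox2": "1.0.4", "WP Stripe Checkout": "1.2.2.21",
    "Videojs HTML5 Player": "1.1.9", "Flowplayer Video Player": "1.0.5",
    "Checkout for PayPal": "1.0.14", "Easy Video Player": "1.2.2.3",
    "SMSA Shipping for WooCommerce": "1.0.5", "Car Dealer": "3.05",
    "Anti Hacker": "4.20", "WP memory": "2.46", "StopBadBots": "7.24", "WP Tools": "3.43",
    "Plugin for Google Reviews": "2.2.3", "iFeature Slider": None,
    "WooSwipe WooCommerce Gallery": None, "ULTIMATE TABLES": None, "ProfileGrid": None,
    "Anthologize": "0.8.1", "Ezoic": "2.8.9", "wpForo Forum": "2.1.0", "Chameleon": "1.4.4",
    "News Announcement Scroll": "9.0.0",
    "Crowdsignal Dashboard – Polls, Surveys & more": "3.0.10",
    "DPD Baltic Shipping": "1.2.11", "BeCustom": "1.0.5.3",
}

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$")


def parse_version(text):
    """'1.2.2.21' -> ((1, 2, 2, 21), ''); '1.1.9-beta1' -> ((1, 1, 9), '-beta1')."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2).strip().lower()


def version_lt(installed, required):
    """True when installed is older than required.

    Components compare as integers (1.2.2.3 < 1.2.2.21, 3.05 == 3.5), shorter
    versions are zero-padded (1.0 == 1.0.0), and a pre-release suffix such as
    -beta1 sorts below the bare release. Two suffixed versions with equal numeric
    parts are not ordered; the patched versions above carry no suffixes.
    """
    a, suffix_a = parse_version(installed)
    b, suffix_b = parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    if a != b:
        return a < b
    return bool(suffix_a) and not suffix_b


def _key(title):
    # Case-insensitive, whitespace-collapsed title used to match plugin headers.
    return " ".join(title.split()).casefold()


_PATCHED_BY_KEY = {_key(t): (t, v) for t, v in PATCHED.items()}


def check_plugins(plugin_list_json):
    """Return one finding per installed plugin below its patched version.

    Inactive plugins are reported too: their PHP files stay on disk, and some
    plugin flaws are reachable by requesting a plugin file directly.
    """
    findings = []
    for plugin in json.loads(plugin_list_json):
        hit = _PATCHED_BY_KEY.get(_key(plugin.get("title", "")))
        if hit is None:
            continue  # not one of this week's entries
        title, required = hit
        installed = plugin["version"]
        if required is None:
            reason = "no patched version available; remove or replace the plugin"
        elif version_lt(installed, required):
            reason = f"update to at least {required}"
        else:
            continue
        findings.append({"title": title, "slug": plugin.get("name"), "status": plugin.get("status"),
                         "installed": installed, "required": required, "reason": reason})
    return findings


# Constructed sample in the shape of `wp plugin list ... --format=json`.
# Slugs and versions are illustrative assumptions, not taken from any real site.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "wp-stripe-checkout", "title": "WP Stripe Checkout", "version": "1.2.2.3", "status": "active"},
    {"name": "easy-video-player", "title": "Easy Video Player", "version": "1.2.2.3", "status": "active"},
    {"name": "videojs-html5-player", "title": "Videojs HTML5 Player", "version": "1.1.9-beta1", "status": "inactive"},
    {"name": "car-dealer", "title": "Car Dealer", "version": "3.5", "status": "active"},
    {"name": "profilegrid-user-profiles", "title": "ProfileGrid", "version": "5.3.0", "status": "inactive"},
    {"name": "akismet", "title": "Akismet", "version": "5.0.1", "status": "active"},
])

if __name__ == "__main__":
    raw = SAMPLE_PLUGIN_LIST if sys.stdin.isatty() else sys.stdin.read()
    for f in check_plugins(raw):
        print(f"{f['title']} ({f['slug']}, {f['status']}): installed {f['installed']}: {f['reason']}")
```

Run against the embedded sample, the check flags WP Stripe Checkout (1.2.2.3 is below 1.2.2.21 even though it sorts after it as text), the beta build of Videojs HTML5 Player, and ProfileGrid (no fix available), while Easy Video Player at exactly 1.2.2.3 and Car Dealer at 3.5 (numerically equal to 3.05) pass. Title matching relies on the plugin header name, so if a vendor has renamed a plugin on your site, check the slug against the entry by hand rather than trusting a silent non-match.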

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
