This week's Watch Out Wednesday covers the latest WordPress vulnerabilities, including ARForms Form Builder, Smart Slider 3, Defender Security, and more.
Plugin: Content Repeater – Custom Posts Simplified
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: N/A
Recommended Action: No patched version is available. Temporarily closed by WP for review.
Plugin: WP Clictracker
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: N/A
Recommended Action: No patched version is available. Temporarily closed by WP for review.
Plugin: Community Events
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.4.9
Recommended Action: Update the WordPress Community Events plugin to the latest available version (at least 1.4.9).
Plugin: WP ULike
Vulnerability: Race Condition vulnerability
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor since August 24th, 2022.
Plugin: Quizlord
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 22, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: WHA Puzzle
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: N/A
Recommended Action: No patched version available.
Plugin: ARForms Form Builder
Vulnerability: Unauth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Organization chart
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.4.2
Recommended Action: Update the WordPress Organization chart plugin to the latest available version (at least 1.4.2).
Plugin: Smart Slider 3
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Vulnerability: Auth. PHP Object Injection vulnerability
Patched Version: 3.5.1.11
Recommended Action: Update the WordPress Smart Slider 3 plugin to the latest available version (at least 3.5.1.11).
Plugin: WordPress Countdown Widget
Vulnerability: Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS)
Patched Version: 3.1.9.3
Recommended Action: Update the WordPress Countdown Widget plugin to the latest available version (at least 3.1.9.3).
Plugin: Contest Gallery
Vulnerability: Unauth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 14.0.0
Recommended Action: Update the WordPress Contest Gallery plugin to the latest available version (at least 14.0.0).
Plugin: Image Map Pro
Vulnerability: Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Vulnerability: Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor for a long time.
Plugin: Activello
Vulnerability: Auth. Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: N/A
Recommended Action: No patched version available.
Plugin: miniOrange's Google Authenticator
Vulnerability: Sensitive Data Exposure vulnerability (plugin <= 5.6.1)
Patched Version: 5.6.2
Recommended Action: Update the WordPress miniOrange's Google Authenticator plugin to the latest available version (at least 5.6.2).
Plugin: Defender Security
Vulnerability: Broken Authentication vulnerability
Patched Version: 3.3.3
Recommended Action: Update the WordPress Defender Security plugin to the latest available version (at least 3.3.3).
Plugin: WP-FormAssembly
Vulnerability: Auth. Arbitrary File Read vulnerability (plugin <= 2.0.5)
Patched Version: N/A
Recommended Action: No patched version available.
Plugin: ShareThis Dashboard for Google Analytics
Vulnerability: Broken Access Control vulnerability
Patched Version: N/A
Recommended Action: No patched version available.
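The recommended actions above come down to two checks per installed plugin: is it in the list at all, and if so is the installed version below the first patched one (or is there no patched version, in which case the plugin should be deactivated and deleted). The script below is an added example, not code from this post or from any of the plugin vendors. It mirrors the advisory table above and triages a constructed sample of `wp plugin list --fields=name,title,version,status --format=json` output; the plugin slugs and installed version numbers in that sample are made up for illustration, and matching on the plugin title (the `Plugin Name` header that `wp plugin list` reports as `title`) is an assumption, since the post does not give slugs. Note that version strings must be compared numerically, not as text: `"3.5.1.9" > "3.5.1.11"` as strings, which would wrongly mark a vulnerable Smart Slider 3 install as patched.

```python
"""Check installed WordPress plugins against this week's advisory list.

Added example, not part of the original post. The advisory table mirrors the
entries above; the installed-plugin sample is constructed to look like the JSON
that `wp plugin list --fields=name,title,version,status --format=json` prints,
and its slugs and version numbers are invented for illustration.
"""
import json
import re

# Plugin title (as listed in the post) -> first patched version.
# None means no fix exists, so the plugin should be deactivated and deleted.
ADVISORIES = {
    "Content Repeater – Custom Posts Simplified": None,
    "WP Clictracker": None,
    "Community Events": "1.4.9",
    "WP ULike": None,
    "Quizlord": None,
    "WHA Puzzle": None,
    "ARForms Form Builder": None,
    "Organization chart": "1.4.2",
    "Smart Slider 3": "3.5.1.11",
    "WordPress Countdown Widget": "3.1.9.3",
    "Contest Gallery": "14.0.0",
    "Image Map Pro": None,
    "Activello": None,
    "miniOrange's Google Authenticator": "5.6.2",
    "Defender Security": "3.3.3",
    "WP-FormAssembly": None,
    "ShareThis Dashboard for Google Analytics": None,
}

# Constructed sample of `wp plugin list` JSON output (slugs and versions invented).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "smart-slider-3", "title": "Smart Slider 3", "version": "3.5.1.9", "status": "active"},
    {"name": "defender-security", "title": "Defender Security", "version": "3.3.3", "status": "active"},
    {"name": "wp-ulike", "title": "WP ULike", "version": "4.6.6", "status": "active"},
    {"name": "contest-gallery", "title": "Contest Gallery", "version": "14.0", "status": "inactive"},
    {"name": "akismet", "title": "Akismet Anti-Spam", "version": "5.0.1", "status": "active"},
])


def version_key(version):
    """Turn '3.5.1.11' into (3, 5, 1, 11) so comparisons are numeric.
    Plain string comparison gets this wrong: '3.5.1.9' > '3.5.1.11'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_older(installed, fixed):
    """True if `installed` is strictly below `fixed`; '14.0' and '14.0.0' compare equal."""
    a, b = version_key(installed), version_key(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def triage(installed_plugins, advisories=ADVISORIES):
    """Return one finding per installed plugin that appears in the advisory table."""
    findings = []
    for plugin in installed_plugins:
        title = plugin["title"]
        if title not in advisories:
            continue  # not covered by this week's list
        fixed = advisories[title]
        if fixed is None:
            action = "remove"  # no patched version: deactivate and delete
        elif is_older(plugin["version"], fixed):
            action = "update"  # update to at least `fixed`
        else:
            action = "ok"      # already at or above the patched version
        findings.append({
            "name": plugin["name"], "title": title, "status": plugin["status"],
            "installed": plugin["version"], "fixed": fixed, "action": action,
        })
    return findings


def triage_sample():
    """Run the triage over the constructed sample output."""
    return triage(json.loads(SAMPLE_WP_PLUGIN_LIST))


if __name__ == "__main__":
    # Real site: wp plugin list --fields=name,title,version,status --format=json | python3 triage.py
    import sys
    data = json.loads(SAMPLE_WP_PLUGIN_LIST) if sys.stdin.isatty() else json.load(sys.stdin)
    for f in triage(data):
        print(f"{f['action']:6}  {f['name']:25} {f['installed']:>10}  fixed in: {f['fixed'] or 'no patch'}")
```

Run it on the sample and Smart Slider 3 at 3.5.1.9 is flagged for update, Defender Security at 3.3.3 is already patched, WP ULike is flagged for removal because no fix exists, and a plugin not in the list (Akismet here) is ignored. Title matching is only as good as the plugin header text, so on a real site confirm a match against the slug in the plugin directory before acting on it.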
***
Check out the WoW Archive for past Watch Out Wednesday posts.