Watch Out Wednesday – November 30, 2022

by | Nov 29, 2022 | WoW Archive

This week’s Watch Out Wednesday covers the latest WordPress vulnerabilities, including ARForms Form Builder, Smart Slider 3, Defender Security, and more!

Plugin: Content Repeater – Custom Posts Simplified

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: N/A
Recommended Action: No patched version is available. Temporarily closed by WP for review.

Plugin: WP Clictracker

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: N/A
Recommended Action: No patched version is available. Temporarily closed by WP for review.

Plugin: Community Events

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.4.9
Recommended Action: Update the WordPress Community Events plugin to the latest available version (at least 1.4.9).

Plugin: WP ULike

Vulnerability: Race Condition vulnerability
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor since August 24th, 2022.

Plugin: Quizlord

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 22, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WHA Puzzle

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: N/A
Recommended Action: No patched version available.

Plugin: ARForms Form Builder

Vulnerability: Unauth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: N/A
Recommended Action: No reply from the vendor.

Plugin: Organization chart

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.4.2
Recommended Action: Update the WordPress Organization chart plugin to the latest available version (at least 1.4.2).

Plugin: Smart Slider 3

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Vulnerability: Auth. PHP Object Injection vulnerability
Patched Version: 3.5.1.11
Recommended Action: Update the WordPress Smart Slider 3 plugin to the latest available version (at least 3.5.1.11).

Plugin: WordPress Countdown Widget

Vulnerability: Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS)
Patched Version: 3.1.9.3
Recommended Action: Update the WordPress WordPress Countdown Widget plugin to the latest available version (at least 3.1.9.3).

Plugin: Contest Gallery

Vulnerability: Unauth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 14.0.0
Recommended Action: Update the WordPress Contest Gallery plugin to the latest available version (at least 14.0.0).

Plugin: Image Map Pro

Vulnerability: Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Vulnerability: Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor for a long time.

Plugin: Activello

Vulnerability: Auth. Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: N/A
Recommended Action: No patched version available.

Plugin: miniOrange’s Google Authenticator

Vulnerability: Factor Authentication plugin <= 5.6.1 Sensitive Data Exposure vulnerability
Patched Version: 5.6.2
Recommended Action: Update the WordPress miniOrange's Google Authenticator plugin to the latest available version (at least 5.6.2).

Plugin: Defender Security

Vulnerability: Broken Authentication vulnerability
Patched Version: 3.3.3
Recommended Action: Update the WordPress Defender Security plugin to the latest available version (at least 3.3.3).

Plugin: WP-FormAssembly

Vulnerability: FormAssembly plugin <= 2.0.5 Auth. Arbitrary File Read vulnerability
Patched Version: N/A
Recommended Action: No patched version available.

Plugin: ShareThis Dashboard for Google Analytics

Vulnerability: Broken Access Control vulnerability
Patched Version: N/A
Recommended Action: No patched version available.

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
