This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including GiveWP, Layer Slider, Defender Security and more!

Plugin: WP Affiliate Disclosure

Vulnerability: Broken Access Control + CSRF vulnerability
Patched Version: 1.2.7
Recommended Action: Update the WordPress WP Affiliate Disclosure plugin to the latest available version (at least 1.2.7).

Plugin: ShortCodes UI

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Contact Forms by Cimatti

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.1
Recommended Action: Update the WordPress Contact Forms by Cimatti plugin to the latest available version (at least 1.6.1).

Plugin: Download Top 25 Social Icons

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Layer Slider

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023 and is not available for download. Reason: Security Issue.

Plugin: Social Feed | All social media in one place

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Post Sliders & Post Grids

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Comments Ratings

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Email Templates

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.4.3
Recommended Action: Update the WordPress Email Templates plugin to the latest available version (at least 1.4.3).

Plugin: Short URL

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Travel

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Basic Interactive World Map

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.7
Recommended Action: Update the WordPress Basic Interactive World Map plugin to the latest available version (at least 2.7).

Plugin: Youzify

Vulnerability: Insecure Direct Object Reference (IDOR) vulnerability
Patched Version: 1.2.3
Recommended Action: Update the WordPress Youzify plugin to the latest available version (at least 1.2.3).

Plugin: Apollo13 Framework Extensions

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.9.1
Recommended Action: Update the WordPress Apollo13 Framework Extensions plugin to the latest available version (at least 1.9.1).

Plugin: Defender Security

Vulnerability: Masked Login Area View Bypass vulnerability
Patched Version: 4.2.1
Recommended Action: Update the WordPress Defender Security plugin to the latest available version (at least 4.2.1).

Plugin: Simple Job Board

Vulnerability: Broken Access Control vulnerability
Patched Version: 2.10.6
Recommended Action: Update the WordPress Simple Job Board plugin to the latest available version (at least 2.10.6).

Plugin: Animated Rotating Words

Vulnerability: Broken Access Control vulnerability
Patched Version: 5.5
Recommended Action: Update the WordPress Animated Rotating Words plugin to the latest available version (at least 5.5).

Plugin: Kadence WooCommerce Email Designer

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.5.12
Recommended Action: Update the WordPress Kadence WooCommerce Email Designer plugin to the latest available version (at least 1.5.12).

Plugin: Digirisk

Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 6.1.0.0
Recommended Action: Update the WordPress Digirisk plugin to the latest available version (at least 6.1.0.0).

Plugin: video carousel slider with lightbox

Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 1.0.1
Recommended Action: Update the WordPress video carousel slider with lightbox plugin to the latest available version (at least 1.0.1).

Plugin: SEO Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.1.1
Recommended Action: Update the WordPress SEO Slider plugin to the latest available version (at least 1.1.1).

Plugin: Advance Menu Manager

Vulnerability: Missing Authorization vulnerability
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 3.0.7
Recommended Action: Update the WordPress Advance Menu Manager plugin to the latest available version (at least 3.0.7).

Plugin: ChatBot

Vulnerability: WordPress ChatBot plugin 4.8.6 – 4.9.6 – Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder vulnerability
Patched Version: 4.9.7
Recommended Action: Update the WordPress AI Engine: ChatGPT Chatbot plugin to the latest available version (at least 4.9.7).

Plugin: wpDiscuz

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 7.6.12
Recommended Action: Update the WordPress wpDiscuz plugin to the latest available version (at least 7.6.12).

Plugin: Funnelforms Free

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Duplication vulnerability
Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion vulnerability
Vulnerability: Multiple Missing Authorization vulnerability
Patched Version: 3.4.2
Recommended Action: Update the WordPress Funnelforms Free plugin to the latest available version (at least 3.4.2).

Plugin: Icons Font Loader

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload vulnerability
Patched Version: 1.1.3
Recommended Action: Update the WordPress Icons Font Loader plugin to the latest available version (at least 1.1.3).

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin <= 1.3.7.3 – Unauthenticated Arbitrary File Upload vulnerability
Patched Version: 1.3.7.4
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin to the latest available version (at least 1.3.7.4).

Plugin: Solid Security

Vulnerability: Unauthenticated Login Page Disclosure vulnerability
Patched Version: 9.0.1
Recommended Action: Update the WordPress Better WP Security plugin to the latest available version (at least 9.0.1).

Plugin: Admin Bar & Dashboard Access Control

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.2.9
Recommended Action: Update the WordPress Admin Bar & Dashboard Access Control plugin to the latest available version (at least 1.2.9).

Plugin: GiveWP

Vulnerability: Cross-Site Request Forgery (CSRF) to Stripe Integration Deletion vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) to plugin installation vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) to plugin deactivation vulnerability
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.33.2
Recommended Action: Update the WordPress GiveWP plugin to the latest available version (at least 2.33.2).

Plugin: EventPrime

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress EventPrime plugin to the latest available version (at least 3.2.0).

Plugin: EventPrime

Vulnerability: Booking Creation via CSRF vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress EventPrime plugin to the latest available version (at least 3.2.0).

Plugin: Popup box

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.7.2
Recommended Action: Update the WordPress Popup box plugin to the latest available version (at least 3.7.2).

Plugin: WP Meta and Date Remover

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.2.0
Recommended Action: Update the WordPress WP Meta and Date Remover plugin to the latest available version (at least 2.2.0).

Plugin: User Private Files

Vulnerability: Auth. Sensitive Data and Files Exposure via IDOR vulnerability
Patched Version: 2.0.5
Recommended Action: Update the WordPress User Private Files plugin to the latest available version (at least 2.0.5).

Plugin: e2pdf

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.20.20
Recommended Action: Update the WordPress E2Pdf plugin to the latest available version (at least 1.20.20).

Plugin: Memberlite Shortcodes

Vulnerability: Auth. Stored XSS via Shortcode vulnerability
Patched Version: 1.3.9
Recommended Action: Update the WordPress Memberlite Shortcodes plugin to the latest available version (at least 1.3.9).

Plugin: EventPrime

Vulnerability: Reflected HTML Injection on keyword parameter vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress EventPrime plugin to the latest available version (at least 3.2.0).

Plugin: Login Screen Manager

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Login Screen Manager

Vulnerability: Unauth Stored Cross Site Scripting (XSS) via CSRF vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Contest Gallery

Vulnerability: Unauth. Stored XSS via HTTP Headers vulnerability
Patched Version: 21.2.8.1
Recommended Action: Update the WordPress Contest Gallery plugin to the latest available version (at least 21.2.8.1).

Plugin: WP Customer Reviews

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure vulnerability
Patched Version: 3.6.7
Recommended Action: Update the WordPress WP Customer Reviews plugin to the latest available version (at least 3.6.7).

Plugin: IdeaPush

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 8.53
Recommended Action: Update the WordPress IdeaPush plugin to the latest available version (at least 8.53).

***
Check out the WoW Archive for past Watch Out Wednesday posts.