This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including GiveWP, Layer Slider, Defender Security and more!
Plugin: WP Affiliate Disclosure
Vulnerability: Broken Access Control + CSRF vulnerability
Patched Version: 1.2.7
Recommended Action: Update the WordPress WP Affiliate Disclosure plugin to the latest available version (at least 1.2.7).

Plugin: ShortCodes UI
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Contact Forms by Cimatti
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.1
Recommended Action: Update the WordPress Contact Forms by Cimatti plugin to the latest available version (at least 1.6.1).

Plugin: Download Top 25 Social Icons
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Layer Slider
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023 and is not available for download. Reason: Security Issue.

Plugin: Social Feed | All social media in one place
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Post Sliders & Post Grids
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Comments Ratings
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Email Templates
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.4.3
Recommended Action: Update the WordPress Email Templates plugin to the latest available version (at least 1.4.3).

Plugin: Short URL
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Travel
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Basic Interactive World Map
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.7
Recommended Action: Update the WordPress Basic Interactive World Map plugin to the latest available version (at least 2.7).

Plugin: Youzify
Vulnerability: Insecure Direct Object Reference (IDOR) vulnerability
Patched Version: 1.2.3
Recommended Action: Update the WordPress Youzify plugin to the latest available version (at least 1.2.3).

Plugin: Apollo13 Framework Extensions
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.9.1
Recommended Action: Update the WordPress Apollo13 Framework Extensions plugin to the latest available version (at least 1.9.1).

Plugin: Defender Security
Vulnerability: Masked Login Area View Bypass vulnerability
Patched Version: 4.2.1
Recommended Action: Update the WordPress Defender Security plugin to the latest available version (at least 4.2.1).

Plugin: Simple Job Board
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.10.6
Recommended Action: Update the WordPress Simple Job Board plugin to the latest available version (at least 2.10.6).

Plugin: Animated Rotating Words
Vulnerability: Broken Access Control vulnerability
Patched Version: 5.5
Recommended Action: Update the WordPress Animated Rotating Words plugin to the latest available version (at least 5.5).

Plugin: Kadence WooCommerce Email Designer
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.5.12
Recommended Action: Update the WordPress Kadence WooCommerce Email Designer plugin to the latest available version (at least 1.5.12).

Plugin: Digirisk
Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 6.1.0.0
Recommended Action: Update the WordPress Digirisk plugin to the latest available version (at least 6.1.0.0).

Plugin: video carousel slider with lightbox
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 1.0.1
Recommended Action: Update the WordPress video carousel slider with lightbox plugin to the latest available version (at least 1.0.1).

Plugin: SEO Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.1.1
Recommended Action: Update the WordPress SEO Slider plugin to the latest available version (at least 1.1.1).

Plugin: Advance Menu Manager
Vulnerability: Missing Authorization vulnerability
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 3.0.7
Recommended Action: Update the WordPress Advance Menu Manager plugin to the latest available version (at least 3.0.7).

Plugin: ChatBot
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder vulnerability (affects versions 4.8.6 – 4.9.6)
Patched Version: 4.9.7
Recommended Action: Update the WordPress AI Engine: ChatGPT Chatbot plugin to the latest available version (at least 4.9.7).

Plugin: wpDiscuz
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: 7.6.12
Recommended Action: Update the WordPress wpDiscuz plugin to the latest available version (at least 7.6.12).

Plugin: Funnelforms Free
Vulnerability: Cross-Site Request Forgery to Arbitrary Post Duplication vulnerability
Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion vulnerability
Vulnerability: Multiple Missing Authorization vulnerability
Patched Version: 3.4.2
Recommended Action: Update the WordPress Funnelforms Free plugin to the latest available version (at least 3.4.2).

Plugin: Icons Font Loader
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload vulnerability
Patched Version: 1.1.3
Recommended Action: Update the WordPress Icons Font Loader plugin to the latest available version (at least 1.1.3).

Plugin: Drag and Drop Multiple File Upload – Contact Form 7
Vulnerability: Unauthenticated Arbitrary File Upload vulnerability (affects versions <= 1.3.7.3)
Patched Version: 1.3.7.4
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin to the latest available version (at least 1.3.7.4).

Plugin: Solid Security
Vulnerability: Unauthenticated Login Page Disclosure vulnerability
Patched Version: 9.0.1
Recommended Action: Update the WordPress Solid Security (formerly Better WP Security) plugin to the latest available version (at least 9.0.1).

Plugin: Admin Bar & Dashboard Access Control
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.2.9
Recommended Action: Update the WordPress Admin Bar & Dashboard Access Control plugin to the latest available version (at least 1.2.9).

Plugin: GiveWP
Vulnerability: Cross-Site Request Forgery (CSRF) to Stripe Integration Deletion vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) to plugin installation vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) to plugin deactivation vulnerability
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.33.2
Recommended Action: Update the WordPress GiveWP plugin to the latest available version (at least 2.33.2).

Plugin: EventPrime
Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress EventPrime plugin to the latest available version (at least 3.2.0).

Plugin: EventPrime
Vulnerability: Booking Creation via CSRF vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress EventPrime plugin to the latest available version (at least 3.2.0).

Plugin: Popup box
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.7.2
Recommended Action: Update the WordPress Popup box plugin to the latest available version (at least 3.7.2).

Plugin: WP Meta and Date Remover
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.2.0
Recommended Action: Update the WordPress WP Meta and Date Remover plugin to the latest available version (at least 2.2.0).

Plugin: User Private Files
Vulnerability: Auth. Sensitive Data and Files Exposure via IDOR vulnerability
Patched Version: 2.0.5
Recommended Action: Update the WordPress User Private Files plugin to the latest available version (at least 2.0.5).

Plugin: e2pdf
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.20.20
Recommended Action: Update the WordPress e2pdf plugin to the latest available version (at least 1.20.20).

Plugin: Memberlite Shortcodes
Vulnerability: Auth. Stored XSS via Shortcode vulnerability
Patched Version: 1.3.9
Recommended Action: Update the WordPress Memberlite Shortcodes plugin to the latest available version (at least 1.3.9).

Plugin: EventPrime
Vulnerability: Reflected HTML Injection on keyword parameter vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress EventPrime plugin to the latest available version (at least 3.2.0).

Plugin: Login Screen Manager
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Login Screen Manager
Vulnerability: Unauth. Stored Cross-Site Scripting (XSS) via CSRF vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Contest Gallery
Vulnerability: Unauth. Stored XSS via HTTP Headers vulnerability
Patched Version: 21.2.8.1
Recommended Action: Update the WordPress Contest Gallery plugin to the latest available version (at least 21.2.8.1).

Plugin: WP Customer Reviews
Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure vulnerability
Patched Version: 3.6.7
Recommended Action: Update the WordPress WP Customer Reviews plugin to the latest available version (at least 3.6.7).

Plugin: IdeaPush
Vulnerability: Cross-Site Scripting (XSS) vulnerability
Patched Version: 8.53
Recommended Action: Update the WordPress IdeaPush plugin to the latest available version (at least 8.53).
***
Check out the WoW Archive for past Watch Out Wednesday posts.