Watch Out Wednesday – November 8, 2023

This week’s Watch Out Wednesday lists the latest WordPress plugin vulnerabilities, including GiveWP, Layer Slider, Defender Security and more. For each plugin, the patched version given below is the minimum version a site should be running. Where no patched version exists, deactivate and delete the plugin (or replace it) rather than leaving it installed: an inactive plugin’s files remain on the server and can still be reachable.

Plugin: WP Affiliate Disclosure

Vulnerability: Broken Access Control + CSRF vulnerability
Patched Version: 1.2.7
Recommended Action: Update the WordPress WP Affiliate Disclosure plugin to the latest available version (at least 1.2.7).

Plugin: ShortCodes UI

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Contact Forms by Cimatti

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.1
Recommended Action: Update the WordPress Contact Forms by Cimatti plugin to the latest available version (at least 1.6.1).

Plugin: Download Top 25 Social Icons

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Layer Slider

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023 and is not available for download. Reason: Security Issue.

Plugin: Social Feed | All social media in one place

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Post Sliders & Post Grids

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Comments Ratings

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Email Templates

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.4.3
Recommended Action: Update the WordPress Email Templates plugin to the latest available version (at least 1.4.3).

Plugin: Short URL

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Travel

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Basic Interactive World Map

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.7
Recommended Action: Update the WordPress Basic Interactive World Map plugin to the latest available version (at least 2.7).

Plugin: Youzify

Vulnerability: Insecure Direct Object Reference (IDOR) vulnerability
Patched Version: 1.2.3
Recommended Action: Update the WordPress Youzify plugin to the latest available version (at least 1.2.3).

Plugin: Apollo13 Framework Extensions

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.9.1
Recommended Action: Update the WordPress Apollo13 Framework Extensions plugin to the latest available version (at least 1.9.1).

Plugin: Defender Security

Vulnerability: Masked Login Area View Bypass vulnerability
Patched Version: 4.2.1
Recommended Action: Update the WordPress Defender Security plugin to the latest available version (at least 4.2.1).

Plugin: Simple Job Board

Vulnerability: Broken Access Control vulnerability
Patched Version: 2.10.6
Recommended Action: Update the WordPress Simple Job Board plugin to the latest available version (at least 2.10.6).

Plugin: Animated Rotating Words

Vulnerability: Broken Access Control vulnerability
Patched Version: 5.5
Recommended Action: Update the WordPress Animated Rotating Words plugin to the latest available version (at least 5.5).

Plugin: Kadence WooCommerce Email Designer

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.5.12
Recommended Action: Update the WordPress Kadence WooCommerce Email Designer plugin to the latest available version (at least 1.5.12).

Plugin: Digirisk

Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 6.1.0.0
Recommended Action: Update the WordPress Digirisk plugin to the latest available version (at least 6.1.0.0).

Plugin: video carousel slider with lightbox

Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 1.0.1
Recommended Action: Update the WordPress video carousel slider with lightbox plugin to the latest available version (at least 1.0.1).

Plugin: SEO Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.1.1
Recommended Action: Update the WordPress SEO Slider plugin to the latest available version (at least 1.1.1).

Plugin: Advance Menu Manager

Vulnerability: Missing Authorization vulnerability
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 3.0.7
Recommended Action: Update the WordPress Advance Menu Manager plugin to the latest available version (at least 3.0.7).

Plugin: ChatBot

Vulnerability: WordPress ChatBot plugin 4.8.6 – 4.9.6 – Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder vulnerability
Patched Version: 4.9.7
Recommended Action: Update the WordPress ChatBot plugin to the latest available version (at least 4.9.7).

Plugin: wpDiscuz

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 7.6.12
Recommended Action: Update the WordPress wpDiscuz plugin to the latest available version (at least 7.6.12).

Plugin: Funnelforms Free

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Duplication vulnerability
Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion vulnerability
Vulnerability: Multiple Missing Authorization vulnerability
Patched Version: 3.4.2
Recommended Action: Update the WordPress Funnelforms Free plugin to the latest available version (at least 3.4.2).

Plugin: Icons Font Loader

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload vulnerability
Patched Version: 1.1.3
Recommended Action: Update the WordPress Icons Font Loader plugin to the latest available version (at least 1.1.3).

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin <= 1.3.7.3 – Unauthenticated Arbitrary File Upload vulnerability
Patched Version: 1.3.7.4
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin to the latest available version (at least 1.3.7.4). Treat this as the highest-priority item in this list: an unauthenticated arbitrary file upload needs no account on the site and typically gives an attacker remote code execution. After updating, check the plugin’s upload directory for unexpected PHP files.

Plugin: Solid Security

Vulnerability: Unauthenticated Login Page Disclosure vulnerability
Patched Version: 9.0.1
Recommended Action: Update the WordPress Solid Security plugin (formerly iThemes Security; the plugin slug is still better-wp-security) to the latest available version (at least 9.0.1).

Plugin: Admin Bar & Dashboard Access Control

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.2.9
Recommended Action: Update the WordPress Admin Bar & Dashboard Access Control plugin to the latest available version (at least 1.2.9).

Plugin: GiveWP

Vulnerability: Cross-Site Request Forgery (CSRF) to Stripe Integration Deletion vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) to plugin installation vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) to plugin deactivation vulnerability
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.33.2
Recommended Action: Update the WordPress GiveWP plugin to the latest available version (at least 2.33.2).

Plugin: EventPrime

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Vulnerability: Booking Creation via CSRF vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress EventPrime plugin to the latest available version (at least 3.2.0).

Plugin: Popup box

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.7.2
Recommended Action: Update the WordPress Popup box plugin to the latest available version (at least 3.7.2).

Plugin: WP Meta and Date Remover

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.2.0
Recommended Action: Update the WordPress WP Meta and Date Remover plugin to the latest available version (at least 2.2.0).

Plugin: User Private Files

Vulnerability: Auth. Sensitive Data and Files Exposure via IDOR vulnerability
Patched Version: 2.0.5
Recommended Action: Update the WordPress User Private Files plugin to the latest available version (at least 2.0.5).

Plugin: e2pdf

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.20.20
Recommended Action: Update the WordPress E2Pdf plugin to the latest available version (at least 1.20.20).

Plugin: Memberlite Shortcodes

Vulnerability: Auth. Stored XSS via Shortcode vulnerability
Patched Version: 1.3.9
Recommended Action: Update the WordPress Memberlite Shortcodes plugin to the latest available version (at least 1.3.9).

Plugin: EventPrime

Vulnerability: Reflected HTML Injection on keyword parameter vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress EventPrime plugin to the latest available version (at least 3.2.0).

Plugin: Login Screen Manager

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Vulnerability: Unauth. Stored Cross-Site Scripting (XSS) via CSRF vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Contest Gallery

Vulnerability: Unauth. Stored XSS via HTTP Headers vulnerability
Patched Version: 21.2.8.1
Recommended Action: Update the WordPress Contest Gallery plugin to the latest available version (at least 21.2.8.1).

Plugin: WP Customer Reviews

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure vulnerability
Patched Version: 3.6.7
Recommended Action: Update the WordPress WP Customer Reviews plugin to the latest available version (at least 3.6.7).

Plugin: IdeaPush

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 8.53
Recommended Action: Update the WordPress IdeaPush plugin to the latest available version (at least 8.53).
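As an added example (not code from the original post or from any of the plugin authors), the script below checks a site’s installed plugins against the patched versions listed above. It reads the JSON that `wp plugin list --fields=title,version,status --format=json` emits and matches on the plugin title, because the post does not give plugin slugs; the titles in the table and the sample site inventory are assumptions, and the sample is constructed, not taken from a real site. Plugins with no patched version are flagged for removal rather than update.

```python
"""Triage installed WordPress plugins against the patched versions in this post.

Usage:  wp plugin list --fields=title,version,status --format=json | python3 wow_triage.py
With no piped input it triages the constructed sample inventory below.
"""
import json
import re
import sys

# Minimum patched version per plugin title, transcribed from this post (None = no patch released).
# Matched case-insensitively against the `title` field of `wp plugin list` (assumption: titles
# on your site match the names used in the post; the post lists no slugs).
PATCHED = {
    "WP Affiliate Disclosure": "1.2.7", "ShortCodes UI": None,
    "Contact Forms by Cimatti": "1.6.1", "Download Top 25 Social Icons": None,
    "Layer Slider": None, "Social Feed | All social media in one place": None,
    "Post Sliders & Post Grids": None, "Comments Ratings": None,
    "Email Templates": "1.4.3", "Short URL": None, "WP Travel": None,
    "Basic Interactive World Map": "2.7", "Youzify": "1.2.3",
    "Apollo13 Framework Extensions": "1.9.1", "Defender Security": "4.2.1",
    "Simple Job Board": "2.10.6", "Animated Rotating Words": "5.5",
    "Kadence WooCommerce Email Designer": "1.5.12", "Digirisk": "6.1.0.0",
    "video carousel slider with lightbox": "1.0.1", "SEO Slider": "1.1.1",
    "Advance Menu Manager": "3.0.7", "ChatBot": "4.9.7", "wpDiscuz": "7.6.12",
    "Funnelforms Free": "3.4.2", "Icons Font Loader": "1.1.3",
    "Drag and Drop Multiple File Upload – Contact Form 7": "1.3.7.4",
    "Solid Security": "9.0.1", "Admin Bar & Dashboard Access Control": "1.2.9",
    "GiveWP": "2.33.2", "EventPrime": "3.2.0", "Popup box": "3.7.2",
    "WP Meta and Date Remover": "2.2.0", "User Private Files": "2.0.5",
    "e2pdf": "1.20.20", "Memberlite Shortcodes": "1.3.9", "Login Screen Manager": None,
    "Contest Gallery": "21.2.8.1", "WP Customer Reviews": "3.6.7", "IdeaPush": "8.53",
}

# Constructed sample in the shape `wp plugin list --format=json` emits (not a real site).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"title": "GiveWP", "version": "2.33.1", "status": "active"},
    {"title": "Digirisk", "version": "6.1", "status": "active"},
    {"title": "Layer Slider", "version": "7.0", "status": "inactive"},
    {"title": "Solid Security", "version": "9.0.1", "status": "active"},
    {"title": "Drag and Drop Multiple File Upload – Contact Form 7", "version": "1.3.7.3", "status": "active"},
    {"title": "Akismet Anti-spam: Spam Protection", "version": "5.3", "status": "active"},
])


def version_key(version):
    """Numeric tuple for ordering; trailing zeros are dropped so '6.1' == '6.1.0.0'.
    Pre-release suffixes such as '-beta1' are ignored, so treat such a match as unverified."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_patched(installed, minimum):
    return version_key(installed) >= version_key(minimum)


def triage(plugins, patched=PATCHED):
    """Return (title, installed, minimum, verdict) for each installed plugin named in the post.
    Inactive plugins are reported too: their files stay on disk and may still be reachable."""
    by_title = {title.lower(): (title, minimum) for title, minimum in patched.items()}
    findings = []
    for plugin in plugins:
        hit = by_title.get(plugin.get("title", "").strip().lower())
        if hit is None:
            continue  # not in this week's list
        title, minimum = hit
        if minimum is None:
            verdict = "NO PATCH: deactivate and delete, or replace"
        elif is_patched(plugin["version"], minimum):
            verdict = "ok"
        else:
            verdict = f"UPDATE to >= {minimum}"
        findings.append((title, plugin["version"], minimum, verdict))
    findings.sort(key=lambda f: f[3] == "ok")  # actionable items first, original order otherwise
    return findings


if __name__ == "__main__":
    data = json.loads(SAMPLE_WP_PLUGIN_LIST) if sys.stdin.isatty() else json.load(sys.stdin)
    for title, installed, minimum, verdict in triage(data):
        print(f"{title:55} {installed:>10} -> {verdict}")
```

Version strings are compared numerically with trailing zeros dropped, so an installed `6.1` satisfies the listed `6.1.0.0` and `1.3.7.3` correctly falls short of `1.3.7.4`; a plain string comparison would get cases like `8.53` versus `8.6` wrong. Run it against the real inventory by piping WP-CLI output into it, and review the `NO PATCH` lines first.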

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
