This Week’s Watch Out Wednesday shows the latest WordPress plugin vulnerabilities, including LoginPress, reCAPTCHA, Video Thumbnails and more!
Plugin: Cyklodev WP Notify
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: WP User Merger
Vulnerability: SQL Injection
Patched Version: 1.5.3
Recommended Action: Update the WordPress WP User Merger plugin to the latest available version (at least 1.5.3).
Plugin: WPSmartContracts
Vulnerability: SQL Injection
Patched Version: 1.3.12
Recommended Action: Update the WordPress WPSmartContracts plugin to the latest available version (at least 1.3.12).
Plugin: Awesome Support
Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 6.1.2
Recommended Action: Update the WordPress Awesome Support plugin to the latest available version (at least 6.1.2).
Plugin: Checkout Field Editor (Checkout Manager) for WooCommerce
Vulnerability: PHP Object Injection
Patched Version: 1.8.0
Recommended Action: Update the WordPress Checkout Field Editor (Checkout Manager) for WooCommerce plugin to the latest available version (at least 1.8.0).
Plugin: HTML Forms
Vulnerability: SQL Injection
Patched Version: 1.3.25
Recommended Action: Update the WordPress HTML Forms plugin to the latest available version (at least 1.3.25).
Plugin: LoginPress
Vulnerability: Other Vulnerability Type
Patched Version: 1.6.3
Recommended Action: Update the WordPress LoginPress plugin to the latest available version (at least 1.6.3).
Plugin: Testimonial Slider
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Find and Replace All
Vulnerability: Cross Site Request Forgery (CSRF)
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.3
Recommended Action: Update the WordPress Find and Replace All plugin to the latest available version (at least 1.3).
Plugin: Image Hover Effects Css3
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 1, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Export customers list csv for WooCommerce
Vulnerability: CSV Injection
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 2, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: reCAPTCHA
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 2, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Fancier Author Box by ThematoSoup
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 2, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Google Forms
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 2, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Analytics for WP
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 2, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Beautiful Cookie Consent Banner
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.9.1
Recommended Action: Update the WordPress Beautiful Cookie Consent Banner plugin to the latest available version (at least 2.9.1).
Plugin: 4ECPS Web Forms
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 2, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Salat Times
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.2.2
Recommended Action: Update the WordPress Salat Times plugin to the latest available version (at least 3.2.2).
Plugin: Jeeng Push Notifications
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.4
Recommended Action: Update the WordPress Jeeng Push Notifications plugin to the latest available version (at least 2.0.4).
Plugin: Video Thumbnails
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 2, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Font Awesome 4 Menus
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 2, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Download Plugin
Vulnerability: Other Vulnerability Type
Patched Version: 2.0.0
Recommended Action: Update the WordPress Download Plugin plugin to the latest available version (at least 2.0.0).
Plugin: AM-HiLi
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: OWM Weather
Vulnerability: SQL Injection
Patched Version: 5.6.9
Recommended Action: Update the WordPress OWM Weather plugin to the latest available version (at least 5.6.9).
Plugin: AgentEasy Properties
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of November 1, 2022 and is not available for download. This closure is temporary, pending a full review.
***
Check out the WoW Archive for past Watch Out Wednesday posts.