This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP Mail SMTP Pro, Automated Editor, Mailrelay and more!
Plugin: Automated Editor
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Contact Form builder with drag & drop – Kali Forms
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: SendPulse Free Web Push
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Stout Google Calendar
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: 10Web Map Builder for Google Maps
Vulnerability: Notice Dismissal Vulnerability
Patched Version: 1.0.74
Recommended Action: Update the WordPress 10Web Map Builder for Google Maps plugin to the latest available version (at least 1.0.74).
Plugin: ProductX – Gutenberg WooCommerce Blocks
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.0.0
Recommended Action: Update the WordPress ProductX – Gutenberg WooCommerce Blocks plugin to the latest available version (at least 3.0.0).
Plugin: Pinpoint Booking System
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Simple SEO
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Hitsteps Web Analytics
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: IRivYou
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Bold Timeline Lite
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.2.0
Recommended Action: Update the WordPress Bold Timeline Lite plugin to the latest available version (at least 1.2.0).
Plugin: WhitePage
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Mailrelay
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: GoodBarber
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Urvanov Syntax Highlighter
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: affiliate-toolkit – WordPress Affiliate Plugin
Vulnerability: Open Redirection vulnerability
Patched Version: 3.4.0
Recommended Action: Update the WordPress affiliate-toolkit – WordPress Affiliate Plugin plugin to the latest available version (at least 3.4.0).
Plugin: Profile Extra Fields by BestWebSoft
Vulnerability: Missing Authorization to Sensitive Information Exposure vulnerability
Patched Version: 1.2.8
Recommended Action: Update the WordPress Profile Extra Fields by BestWebSoft plugin to the latest available version (at least 1.2.8).
Plugin: Hotjar
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of October 4, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Permalinks Customizer
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Blog Manager Light
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Customer Reviews for WooCommerce
Vulnerability: Broken Access Control vulnerability
Patched Version: 5.36.1
Recommended Action: Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version (at least 5.36.1).
Plugin: Geo Controller
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 8.5.3
Recommended Action: Update the WordPress Geo Controller plugin to the latest available version (at least 8.5.3).
Plugin: Booster for WooCommerce
Vulnerability: Authenticated Arbitrary WordPress Option Disclosure Vulnerability
Patched Version: 7.1.2
Recommended Action: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 7.1.2).
Plugin: Optimize Database after Deleting Revisions
Vulnerability: Missing Authorization via ‘odb_csv_download’ vulnerability
Patched Version: 5.1
Recommended Action: Update the WordPress Optimize Database after Deleting Revisions plugin to the latest available version (at least 5.1).
Plugin: Post SMTP Mailer/Email Log
Vulnerability: Authenticated (Administrator+) SQL Injection vulnerability
Patched Version: 2.6.1
Recommended Action: Update the WordPress Post SMTP Mailer/Email Log plugin to the latest available version (at least 2.6.1).
Plugin: WP Mail SMTP Pro
Vulnerability: Missing Authorization to Information Disclosure via is_print_page vulnerability
Patched Version: 3.8.1
Recommended Action: Update the WordPress WP Mail SMTP Pro plugin to the latest available version (at least 3.8.1).
Plugin: Redirection for Contact Form 7
Vulnerability: Broken Access Control vulnerability
Patched Version: 3.0.0
Recommended Action: Update the WordPress Redirection for Contact Form 7 plugin to the latest available version (at least 3.0.0).
***
Check out the WoW Archive for past Watch Out Wednesday posts.