Watch Out Wednesday – October 12, 2022

by | Oct 11, 2022 | WoW Archive

This week’s Watch Out Wednesday covers the latest WordPress vulnerabilities, including Easy WP SMTP, LearnPress, Ocean Extra and more!

Plugin: WordPress Importer

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Envira Photo Gallery

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.8.4.7
Recommended Action: Update the WordPress Envira Photo Gallery plugin to the latest available version (at least 1.8.4.7).

Plugin: Easy WP SMTP

Vulnerability: PHP Object Injection
Patched Version: 1.5.0
Recommended Action: Update the WordPress Easy WP SMTP plugin to the latest available version (at least 1.5.0).

Plugin: AWP Classifieds

Vulnerability: SQL Injection
Patched Version: 4.3
Recommended Action: Update the WordPress AWP Classifieds plugin to the latest available version (at least 4.3).

Theme: Newspaper

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 12
Recommended Action: Update the WordPress Newspaper theme to the latest available version (at least 12).

Plugin: WP Total Hacks

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of October 6, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Automatic User Roles Switcher

Vulnerability: Privilege Escalation
Patched Version: 1.1.2
Recommended Action: Update the WordPress Automatic User Roles Switcher plugin to the latest available version (at least 1.1.2).

Plugin: PublishPress Capabilities Pro

Vulnerability: PHP Object Injection
Patched Version: 2.5.2
Recommended Action: Update the WordPress PublishPress Capabilities Pro plugin to the latest available version (at least 2.5.2).

Plugin: PublishPress Capabilities

Vulnerability: PHP Object Injection
Patched Version: 2.5.2
Recommended Action: Update the WordPress PublishPress Capabilities plugin to the latest available version (at least 2.5.2).

Plugin: Ocean Extra

Vulnerability: PHP Object Injection
Patched Version: 2.0.5
Recommended Action: Update the WordPress Ocean Extra plugin to the latest available version (at least 2.0.5).

Plugin: Smart Slider 3

Vulnerability: PHP Object Injection
Patched Version: 3.5.1.11
Recommended Action: Update the WordPress Smart Slider 3 plugin to the latest available version (at least 3.5.1.11).

Plugin: SeoSamba for WordPress Webmasters

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Official Integration for Billingo

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.4.0
Recommended Action: Update the WordPress Official Integration for Billingo plugin to the latest available version (at least 3.4.0).

Plugin: Post Slider

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Customizer Export/Import

Vulnerability: PHP Object Injection
Patched Version: 0.9.5
Recommended Action: Update the WordPress Customizer Export/Import plugin to the latest available version (at least 0.9.5).

Plugin: WP Word Count

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of October 6, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: LearnPress

Vulnerability: PHP Object Injection
Patched Version: 4.1.7.2
Recommended Action: Update the WordPress LearnPress plugin to the latest available version (at least 4.1.7.2).

Plugin: Sabai Discuss

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.4.14
Recommended Action: Update the WordPress Sabai Discuss plugin to the latest available version (at least 1.4.14).

Plugin: Create Block Theme

Vulnerability: Arbitrary File Upload
Patched Version: 1.2.2
Recommended Action: Update the WordPress Create Block Theme plugin to the latest available version (at least 1.2.2).

Plugin: WP-Polls

Vulnerability: Other Vulnerability Type
Patched Version: 2.77.0
Recommended Action: Update the WordPress WP-Polls plugin to the latest available version (at least 2.77.0).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
