This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Security & Malware scan by CleanTalk, Team Showcase, BetterLinks and more!
Plugin: Security & Malware scan by CleanTalk
Vulnerability: Missing Authorization vulnerability
Patched Version: 2.51
Recommended Action: Update the WordPress Security & Malware scan by CleanTalk plugin to the latest available version (at least 2.51).
Plugin: WhatsApp Share Button
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: CPO Shortcodes
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 14, 2022 and is not available for download. Reason: Security Issue.
Plugin: WP Post Columns
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of December 24, 2018 and is not available for download. Reason: Guideline Violation.
Plugin: TCD Google Maps
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Tab Ultimate
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.4
Recommended Action: Update the WordPress Tab Ultimate plugin to the latest available version (at least 1.4).
Plugin: Theme Blvd Shortcodes
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Smart Online Order for Clover
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: wpDiscuz
Vulnerability: Insecure Direct Object References (IDOR) vulnerability
Vulnerability: Content Injection vulnerability
Vulnerability: Broken Access Control vulnerability
Patched Version: 7.6.11
Recommended Action: Update the WordPress wpDiscuz plugin to the latest available version (at least 7.6.11).
Plugin: Soisy Pagamento Rateale
Vulnerability: Missing Authorization to Sensitive Information Exposure vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: EventON
Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: SALESmanago
Vulnerability: Log Injection via Weak Authentication Token vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Add Custom Body Class
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 13, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Advanced Local Pickup for WooCommerce
Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Modern Footnotes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.4.17
Recommended Action: Update the WordPress Modern Footnotes plugin to the latest available version (at least 1.4.17).
Plugin: Delete Usermetas
Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.0
Recommended Action: Update the WordPress Delete Usermetas plugin to the latest available version (at least 1.2.0).
Plugin: WooCommerce Stripe Payment Gateway
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 7.6.1
Recommended Action: Update the WordPress WooCommerce Stripe Payment Gateway plugin to the latest available version (at least 7.6.1).
Plugin: WP EXtra
Vulnerability: Broken Access Control vulnerability
Patched Version: 6.3
Recommended Action: Update the WordPress WP EXtra plugin to the latest available version (at least 6.3).
Plugin: WC Captcha
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Grid Plus
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Motors – Car Dealer & Classified Ads
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Vulnerability: Server Side Request Forgery (SSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: MW WP Form
Vulnerability: Broken Access Control vulnerability
Patched Version: 5.0.0
Recommended Action: Update the WordPress MW WP Form plugin to the latest available version (at least 5.0.0).
Plugin: Ultimate Addons for WPBakery Page Builder
Vulnerability: Local File Inclusion vulnerability
Patched Version: 3.19.15
Recommended Action: Update the WordPress Ultimate Addons for WPBakery Page Builder plugin to the latest available version (at least 3.19.15).
Plugin: Ultimate Addons for WPBakery Page Builder
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.19.15
Recommended Action: Update the WordPress Ultimate Addons for WPBakery Page Builder plugin to the latest available version (at least 3.19.15).
Plugin: ChatBot
Vulnerability: Unauthenticated Sensitive Information Exposure vulnerability
Patched Version: 4.9.1
Recommended Action: Update the WordPress AI ChatBot plugin to the latest available version (at least 4.9.1).
Plugin: Duplicate Theme
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Taggbox
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Eonet Manual User Approve
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Webpushr
Vulnerability: CSRF Leading to LFI vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor. Reported to WordPress plugins review team.
Plugin: Just Custom Fields
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Auto Login New User After Registration
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Auto Login New User After Registration
Vulnerability: CSRF leading to Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: iPanorama 360 WordPress Virtual Tour Builder
Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: 1.8.1
Recommended Action: Update the WordPress iPanorama 360 WordPress Virtual Tour Builder plugin to the latest available version (at least 1.8.1).
Plugin: Team Showcase
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.2
Recommended Action: Update the WordPress Team Showcase plugin to the latest available version (at least 2.2).
Plugin: Booster for WooCommerce
Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 7.1.3
Recommended Action: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 7.1.3).
Plugin: Smart App Banner
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Triberr
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Appointment Calendar
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Popup by Supsystic
Vulnerability: Unauthenticated Subscriber Email Addresses Disclosure
Patched Version: 1.10.20
Recommended Action: Update the WordPress Popup by Supsystic plugin to the latest available version (at least 1.10.20).
Plugin: Social proof testimonials and reviews by Repuso
Vulnerability: Broken Access Control vulnerability
Patched Version: 5.00
Recommended Action: Update the WordPress Social proof testimonials and reviews by Repuso plugin to the latest available version (at least 5.00).
Plugin: BetterLinks
Vulnerability: Broken Access Control vulnerability
Patched Version: 1.6.1
Recommended Action: Update the WordPress BetterLinks plugin to the latest available version (at least 1.6.1).
Plugin: Headline Analyzer
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Archivist – Custom Archive Templates
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Internal Link Building
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Internal Link Building
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Open Graph Metabox
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Novo-Map : your WP posts on custom google maps
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Google Calendar Events
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Incomplete patch.
Plugin: Freesoul Deactivate Plugins – Plugin manager and cleanup
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.1.4
Recommended Action: Update the WordPress Freesoul Deactivate Plugins – Plugin manager and cleanup plugin to the latest available version (at least 2.1.4).
Plugin: Thumbnail Slider With Lightbox
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Image Title vulnerability
Patched Version: 1.0.1
Recommended Action: Update the WordPress Thumbnail Slider With Lightbox plugin to the latest available version (at least 1.0.1).
Plugin: MpOperationLogs
Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Theme Switcha
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.3.1
Recommended Action: Update the WordPress Theme Switcha plugin to the latest available version (at least 3.3.1).
Plugin: Skype Legacy Buttons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 16, 2018 and is not available for download. This closure is permanent. Reason: Author Request.
Plugin: History Log by click5
Vulnerability: Admin+ Time-Based Blind SQL Injection vulnerability
Patched Version: 1.0.13
Recommended Action: Update the WordPress History Log by click5 plugin to the latest available version (at least 1.0.13).
Plugin: WP Simple Table Manager
Vulnerability: Admin+ Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of October 6, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Super Testimonial Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.0
Recommended Action: Update the WordPress Super Testimonial Pro plugin to the latest available version (at least 3.0).
Plugin: Templately
Vulnerability: Arbitrary post trashing via Missing Authorization vulnerability
Patched Version: 2.2.6
Recommended Action: Update the WordPress Templately plugin to the latest available version (at least 2.2.6).