Watch Out Wednesday – October 25, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Security & Malware scan by CleanTalk, Team Showcase, BetterLinks and more!

by | Oct 25, 2023 | WoW Archive


Plugin: Security & Malware scan by CleanTalk

Vulnerability: Missing Authorization vulnerability
Patched Version: 2.51
Recommended Action: Update the WordPress Security & Malware scan by CleanTalk plugin to the latest available version (at least 2.51).

Plugin: WhatsApp Share Button

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: CPO Shortcodes

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 14, 2022 and is not available for download. Reason: Security Issue.

Plugin: WP Post Columns

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of December 24, 2018 and is not available for download. Reason: Guideline Violation.

Plugin: TCD Google Maps

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Tab Ultimate

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.4
Recommended Action: Update the WordPress Tab Ultimate plugin to the latest available version (at least 1.4).

Plugin: Theme Blvd Shortcodes

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Smart Online Order for Clover

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: wpDiscuz

Vulnerability: Insecure Direct Object References (IDOR) vulnerability
Vulnerability: Content Injection vulnerability
Vulnerability: Broken Access Control vulnerability
Patched Version: 7.6.11
Recommended Action: Update the WordPress wpDiscuz plugin to the latest available version (at least 7.6.11).

Plugin: Soisy Pagamento Rateale

Vulnerability: Missing Authorization to Sensitive Information Exposure vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: EventON

Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: SALESmanago

Vulnerability: Log Injection via Weak Authentication Token vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Add Custom Body Class

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 13, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Advanced Local Pickup for WooCommerce

Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Modern Footnotes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.4.17
Recommended Action: Update the WordPress Modern Footnotes plugin to the latest available version (at least 1.4.17).

Plugin: Delete Usermetas

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.0
Recommended Action: Update the WordPress Delete Usermetas plugin to the latest available version (at least 1.2.0).

Plugin: WooCommerce Stripe Payment Gateway

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 7.6.1
Recommended Action: Update the WordPress WooCommerce Stripe Payment Gateway plugin to the latest available version (at least 7.6.1).

Plugin: WP EXtra

Vulnerability: Broken Access Control vulnerability
Patched Version: 6.3
Recommended Action: Update the WordPress WP EXtra plugin to the latest available version (at least 6.3).

Plugin: WC Captcha

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Grid Plus

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Motors – Car Dealer & Classified Ads

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Vulnerability: Server Side Request Forgery (SSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: MW WP Form

Vulnerability: Broken Access Control vulnerability
Patched Version: 5.0.0
Recommended Action: Update the WordPress MW WP Form plugin to the latest available version (at least 5.0.0).

Plugin: Ultimate Addons for WPBakery Page Builder

Vulnerability: Local File Inclusion vulnerability
Patched Version: 3.19.15
Recommended Action: Update the WordPress Ultimate Addons for WPBakery Page Builder plugin to the latest available version (at least 3.19.15).

Plugin: Ultimate Addons for WPBakery Page Builder

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.19.15
Recommended Action: Update the WordPress Ultimate Addons for WPBakery Page Builder plugin to the latest available version (at least 3.19.15).

Plugin: ChatBot

Vulnerability: Unauthenticated Sensitive Information Exposure vulnerability
Patched Version: 4.9.1
Recommended Action: Update the WordPress AI ChatBot plugin to the latest available version (at least 4.9.1).

Plugin: Duplicate Theme

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Taggbox

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Eonet Manual User Approve

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Webpushr

Vulnerability: CSRF Leading to LFI vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor. Reported to WordPress plugins review team.

Plugin: Just Custom Fields

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Auto Login New User After Registration

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Auto Login New User After Registration

Vulnerability: CSRF leading to Stored XSS vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: iPanorama 360 WordPress Virtual Tour Builder

Vulnerability: Auth. SQL Injection (SQLi) vulnerability
Patched Version: 1.8.1
Recommended Action: Update the WordPress iPanorama 360 WordPress Virtual Tour Builder plugin to the latest available version (at least 1.8.1).

Plugin: Team Showcase

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.2
Recommended Action: Update the WordPress Team Showcase plugin to the latest available version (at least 2.2).

Plugin: Booster for WooCommerce

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 7.1.3
Recommended Action: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 7.1.3).

Plugin: Smart App Banner

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Triberr

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Appointment Calendar

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Popup by Supsystic

Vulnerability: Unauthenticated Subscriber Email Addresses Disclosure
Patched Version: 1.10.20
Recommended Action: Update the WordPress Popup by Supsystic plugin to the latest available version (at least 1.10.20).

Plugin: Social proof testimonials and reviews by Repuso

Vulnerability: Broken Access Control vulnerability
Patched Version: 5.00
Recommended Action: Update the WordPress Social proof testimonials and reviews by Repuso plugin to the latest available version (at least 5.00).

Plugin: BetterLinks

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.6.1
Recommended Action: Update the WordPress BetterLinks plugin to the latest available version (at least 1.6.1).

Plugin: Headline Analyzer

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Archivist – Custom Archive Templates

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Internal Link Building

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Internal Link Building

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Open Graph Metabox

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Novo-Map : your WP posts on custom google maps

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Google Calendar Events

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: Incomplete patch.

Plugin: Freesoul Deactivate Plugins – Plugin manager and cleanup

Vulnerability: Broken Access Control vulnerability
Patched Version: 2.1.4
Recommended Action: Update the WordPress Freesoul Deactivate Plugins – Plugin manager and cleanup plugin to the latest available version (at least 2.1.4).

Plugin: Thumbnail Slider With Lightbox

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Image Title vulnerability
Patched Version: 1.0.1
Recommended Action: Update the WordPress Thumbnail Slider With Lightbox plugin to the latest available version (at least 1.0.1).

Plugin: MpOperationLogs

Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Theme Switcha

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.3.1
Recommended Action: Update the WordPress Theme Switcha plugin to the latest available version (at least 3.3.1).

Plugin: Skype Legacy Buttons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of December 16, 2018 and is not available for download. This closure is permanent. Reason: Author Request.

Plugin: History Log by click5

Vulnerability: Admin+ Time-Based Blind SQL Injection vulnerability
Patched Version: 1.0.13
Recommended Action: Update the WordPress History Log by click5 plugin to the latest available version (at least 1.0.13).

Plugin: WP Simple Table Manager

Vulnerability: Admin+ Stored Cross-Site Scripting vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of October 6, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Super Testimonial Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.0
Recommended Action: Update the WordPress Super Testimonial Pro plugin to the latest available version (at least 3.0).

Plugin: Templately

Vulnerability: Arbitrary post trashing via Missing Authorization vulnerability
Patched Version: 2.2.6
Recommended Action: Update the WordPress Templately plugin to the latest available version (at least 2.2.6).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!