Watch Out Wednesday – October 26, 2022

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP Page Builder, Avada, Simple SEO and more!

Plugin: SEO Redirection

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 9.1
Recommended Action: Update the WordPress SEO Redirection plugin to the latest available version (at least 9.1).

Plugin: Image Hover Effects Ultimate

Vulnerability: Other Vulnerability Type
Patched Version: 9.7.2
Recommended Action: Update the WordPress Image Hover Effects Ultimate plugin to the latest available version (at least 9.7.2).

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Arbitrary File Upload
Patched Version: 12.1.11
Recommended Action: Update the WordPress SEO Plugin by Squirrly SEO plugin to the latest available version (at least 12.1.11).

Plugin: Corona Virus (COVID-19) Banner & Live Data

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Advanced Floating Content

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Phone Orders for WooCommerce

Vulnerability: Other Vulnerability Type
Patched Version: 3.7.2
Recommended Action: Update the WordPress Phone Orders for WooCommerce plugin to the latest available version (at least 3.7.2).

Plugin: IP Blacklist Cloud

Vulnerability: SQL Injection
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 28, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: SearchWP

Vulnerability: Broken Authentication
Patched Version: 4.2.6
Recommended Action: Update the WordPress SearchWP plugin to the latest available version (at least 4.2.6).

Plugin: Traffic Manager

Vulnerability: Multiple Vulnerabilities
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Image Zoom

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WIP Custom Login

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Auto Upload Images

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: 2kb Amazon Affiliates Store

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Quiz And Survey Master

Vulnerability: Bypass Vulnerability
Vulnerability: Sensitive Data Exposure
Vulnerability: Cross Site Scripting (XSS)
Vulnerability: Insecure Direct Object References (IDOR)
Vulnerability: SQL Injection
Patched Version: 7.3.5
Recommended Action: Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 7.3.5).

Plugin: WP Page Builder

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2.7
Recommended Action: Update the WordPress WP Page Builder plugin to the latest available version (at least 1.2.7).

Plugin: BP Better Messages

Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: 1.9.10.69
Recommended Action: Update the WordPress BP Better Messages plugin to the latest available version (at least 1.9.10.69).

Plugin: Advanced Order Export For WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.3.3
Recommended Action: Update the WordPress Advanced Order Export For WooCommerce plugin to the latest available version (at least 3.3.3).

Theme: Avada

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 7.8.2
Recommended Action: Update the WordPress Avada theme to the latest available version (at least 7.8.2).

Plugin: Welcart e-Commerce

Vulnerability: Directory Traversal
Patched Version: 2.7.8
Recommended Action: Update the WordPress Welcart e-Commerce plugin to the latest available version (at least 2.7.8).

Plugin: Simple SEO

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.8.13
Recommended Action: Update the WordPress Simple SEO plugin to the latest available version (at least 1.8.13).

Plugin: Csomagpontok és szállítási címkék WooCommerce-hez

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.9.0.3
Recommended Action: Update the WordPress Csomagpontok és szállítási címkék WooCommerce-hez plugin to the latest available version (at least 1.9.0.3).

Plugin: Integration for Szamlazz.hu & WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.6.3.3
Recommended Action: Update the WordPress Integration for Szamlazz.hu & WooCommerce plugin to the latest available version (at least 5.6.3.3).

Plugin: Mantenimiento web

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 0.14
Recommended Action: Update the WordPress Mantenimiento web plugin to the latest available version (at least 0.14).

Plugin: Webmaster Tools Verification

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of October 19, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: ImageMagick Engine

Vulnerability: Cross Site Request Forgery (CSRF)
Vulnerability: Remote Code Execution (RCE)
Patched Version: N/A
Recommended Action: No patched version is available for the RCE. Version 1.7.6 only added a nonce token to fix the CSRF vulnerability; the RCE remains unpatched.
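Several entries above are CSRF findings, and the ImageMagick Engine entry notes that the vendor closed its CSRF with a nonce token. The block below is an added example, not code from any plugin listed on this page: a hypothetical WordPress admin-post handler in its CSRF-prone form beside the nonce-hardened version. The "acme_*" function and option names, the "acme_nonce" field, the admin page slug and the redirect-rule scenario are all assumptions made up for the illustration; the WordPress API calls (check_admin_referer, wp_nonce_field, current_user_can, admin_post_* hooks) are real core functions.

```php
<?php
/**
 * Added example: a CSRF-prone WordPress admin action beside its nonce-hardened
 * form. All "acme_*" names, the option key and the admin page slug are
 * hypothetical; this is not code from any plugin on this page.
 */

/* --- Vulnerable handler ---------------------------------------------------
 * If a logged-in administrator loads a third-party page containing
 *   <form action="https://victim.example/wp-admin/admin-post.php" method="post">
 *     <input name="action" value="acme_delete_redirect">
 *     <input name="id" value="7">
 *   </form><script>document.forms[0].submit()</script>
 * the browser attaches the admin's session cookies and the rule is deleted:
 * nothing here proves the request originated from this plugin's own UI.
 */
function acme_delete_redirect_vulnerable() {
	$id = absint( $_POST['id'] ?? 0 );
	delete_option( 'acme_redirect_' . $id );          // hypothetical storage
	wp_safe_redirect( admin_url( 'admin.php?page=acme-redirects' ) );
	exit;
}

/* --- Hardened handler ----------------------------------------------------- */
function acme_delete_redirect_hardened() {
	// 1. Authorization: may this user perform the action at all?
	//    A nonce is not an authorization check, so this is a separate step.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( __( 'Sorry, you are not allowed to do that.' ), 403 );
	}

	// 2. Intent: the nonce ties the request to a form this plugin rendered for
	//    this user and session. A cross-site page cannot read that value, so it
	//    cannot forge a valid POST. check_admin_referer() calls wp_die() when
	//    the nonce is missing or invalid.
	check_admin_referer( 'acme_delete_redirect', 'acme_nonce' );

	// 3. Input handling: coerce to the expected type before using it.
	$id = absint( wp_unslash( $_POST['id'] ?? 0 ) );
	if ( 0 === $id ) {
		wp_die( __( 'Invalid redirect id.' ), 400 );
	}
	delete_option( 'acme_redirect_' . $id );          // hypothetical storage

	wp_safe_redirect( admin_url( 'admin.php?page=acme-redirects' ) );
	exit;
}
add_action( 'admin_post_acme_delete_redirect', 'acme_delete_redirect_hardened' );

/* --- Matching form ---------------------------------------------------------
 * wp_nonce_field() emits the hidden "acme_nonce" input bound to the
 * 'acme_delete_redirect' action and the current user's session. The action
 * string and field name must match the check_admin_referer() call exactly.
 */
function acme_render_delete_form( $id ) {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="acme_delete_redirect">
		<input type="hidden" name="id" value="<?php echo absint( $id ); ?>">
		<?php wp_nonce_field( 'acme_delete_redirect', 'acme_nonce' ); ?>
		<button type="submit" class="button button-secondary"><?php esc_html_e( 'Delete' ); ?></button>
	</form>
	<?php
}
```

Two caveats a reviewer would raise against the hardened version: the nonce only establishes that the request came from a form the plugin rendered (WordPress nonces are per user, per action and valid for at most 24 hours), so the capability check must still be present; and a nonce says nothing about what the handler does with its input afterwards. That is why a release that only adds a nonce, as the ImageMagick Engine 1.7.6 entry above describes, can close a CSRF finding while leaving a separate RCE in the same handler open. For admin-ajax.php handlers the equivalent core call is check_ajax_referer().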

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
