This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP Page Builder, Avada, Simple SEO and more!
Plugin: SEO Redirection
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 9.1
Recommended Action: Update the WordPress SEO Redirection plugin to the latest available version (at least 9.1).
Plugin: Image Hover Effects Ultimate
Vulnerability: Other Vulnerability Type
Patched Version: 9.7.2
Recommended Action: Update the WordPress Image Hover Effects Ultimate plugin to the latest available version (at least 9.7.2).
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Arbitrary File Upload
Patched Version: 12.1.11
Recommended Action: Update the WordPress SEO Plugin by Squirrly SEO plugin to the latest available version (at least 12.1.11).
Plugin: Corona Virus (COVID-19) Banner & Live Data
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Advanced Floating Content
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: Phone Orders for WooCommerce
Vulnerability: Other Vulnerability Type
Patched Version: 3.7.2
Recommended Action: Update the WordPress Phone Orders for WooCommerce plugin to the latest available version (at least 3.7.2).
Plugin: IP Blacklist Cloud
Vulnerability: SQL Injection
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 28, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: SearchWP
Vulnerability: Broken Authentication
Patched Version: 4.2.6
Recommended Action: Update the WordPress SearchWP plugin to the latest available version (at least 4.2.6).
Plugin: Traffic Manager
Vulnerability: Multiple Vulnerabilities
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Image Zoom
Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: WIP Custom Login
Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: Auto Upload Images
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: 2kb Amazon Affiliates Store
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Quiz And Survey Master
Vulnerability: Bypass Vulnerability
Vulnerability: Sensitive Data Exposure
Vulnerability: Cross Site Scripting (XSS)
Vulnerability: Insecure Direct Object References (IDOR)
Vulnerability: SQL Injection
Patched Version: 7.3.5
Recommended Action: Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 7.3.5).
Plugin: WP Page Builder
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2.7
Recommended Action: Update the WordPress WP Page Builder plugin to the latest available version (at least 1.2.7).
Plugin: BP Better Messages
Vulnerability: Server Side Request Forgery (SSRF)
Patched Version: 1.9.10.69
Recommended Action: Update the WordPress BP Better Messages plugin to the latest available version (at least 1.9.10.69).
Plugin: Advanced Order Export For WooCommerce
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.3.3
Recommended Action: Update the WordPress Advanced Order Export For WooCommerce plugin to the latest available version (at least 3.3.3).
Theme: Avada
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 7.8.2
Recommended Action: Update the WordPress Avada theme to the latest available version (at least 7.8.2).
Plugin: Welcart e-Commerce
Vulnerability: Directory Traversal
Patched Version: 2.7.8
Recommended Action: Update the WordPress Welcart e-Commerce plugin to the latest available version (at least 2.7.8).
Plugin: Simple SEO
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.8.13
Recommended Action: Update the WordPress Simple SEO plugin to the latest available version (at least 1.8.13).
Plugin: Csomagpontok és szállítási címkék WooCommerce-hez
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.9.0.3
Recommended Action: Update the WordPress Csomagpontok és szállítási címkék WooCommerce-hez plugin to the latest available version (at least 1.9.0.3).
Plugin: Integration for Szamlazz.hu & WooCommerce
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.6.3.3
Recommended Action: Update the WordPress Integration for Szamlazz.hu & WooCommerce plugin to the latest available version (at least 5.6.3.3).
Plugin: Mantenimiento web
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 0.14
Recommended Action: Update the WordPress Mantenimiento web plugin to the latest available version (at least 0.14).
Plugin: Webmaster Tools Verification
Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of October 19, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: ImageMagick Engine
Vulnerability: Cross Site Request Forgery (CSRF)
Vulnerability: Remote Code Execution (RCE)
Patched Version: N/A
Recommended Action: No patched version is available. Version 1.7.6 only added a nonce token to fix the CSRF vulnerability.
***
Check out the WoW Archive for past Watch Out Wednesday posts.