Watch Out Wednesday – October 4, 2023

WoW Archive
woman with surprised expression looking through binoculars, captioned watch out wednesday

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including OpenHook, FooGallery, WP Event Manager and more!

Plugin: WP Responsive header image slide

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available. This plugin has been closed as of May 31, 2019 and is not available for download. This closure is permanent. Reason: Author Request.

Plugin: Contact form Form For All

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available. This plugin has been closed as of October 27, 2019 and is not available for download. Reason: Guideline Violation.

Plugin: BuddyMeet

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.3.0
Recommended Action: Update the WordPress BuddyMeet plugin to the latest available version (at least 2.3.0).

Plugin: bbp style pack

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 5.6.8
Recommended Action: Update the WordPress bbp style pack plugin to the latest available version (at least 5.6.8).

Plugin: OpenHook

Vulnerability: Auth. Remote Code Execution (RCE) vulnerability
Patched Version: 4.3.1
Recommended Action: Update the WordPress OpenHook plugin to the latest available version (at least 4.3.1).

Plugin: Comments by Startbit

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 26, 2019 and is not available for download. Reason: Licensing/Trademark Violation.

Plugin: Advanced Custom Fields: Extended

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 0.8.9.4
Recommended Action: Update the WordPress Advanced Custom Fields: Extended plugin to the latest available version (at least 0.8.9.4).

Plugin: WP Jump Menu

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Events Rich Snippets for Google

Vulnerability: CSRF Leading to Privilege Escalation vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Cooked

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: CopyRightPro

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Add Shortcodes Actions And Filters

Vulnerability: Multiple Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Tiger Forms

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.0
Recommended Action: Update the WordPress Tiger Forms plugin to the latest available version (at least 2.1.0).

Plugin: Table of Contents Plus

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2309
Recommended Action: Update the WordPress Table of Contents Plus plugin to the latest available version (at least 2309).

Plugin: Unyson

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Backend Localization

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 2, 2023 and is not available for download. This closure is permanent.

Plugin: Kv TinyMCE Editor Add Fonts

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: FooGallery

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.3.2
Recommended Action: Update the WordPress FooGallery plugin to the latest available version (at least 2.3.2).

Plugin: Contractor Contact Form Website to Workflow Tool

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Images Slideshow by 2J

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Instant CSS

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.2
Recommended Action: Update the WordPress Instant CSS plugin to the latest available version (at least 1.2.2).

Plugin: Keap Landing Pages

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Timthumb Vulnerability Scanner

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Shockingly Simple Favicon

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: WWM Social Share On Image Hover

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Remove slug from custom post type

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Site Protector

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Captcha

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Captcha Bypass vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP GPX Map

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of August 17, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Hide Pages

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Contact Form

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 7.1.0
Recommended Action: Update the WordPress Modern Events Calendar Lite plugin to the latest available version (at least 7.1.0).

Plugin: Font Awesome More Icons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available. This plugin has been closed as of June 27, 2019 and is not available for download. This closure is permanent. Reason: Author Request.

Plugin: TM WooCommerce Compare & Wishlist

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available. This plugin has been closed as of September 20, 2021 and is not available for download. Reason: Guideline Violation.

Plugin: Font Awesome Integration

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available. This plugin has been closed as of September 19, 2019 and is not available for download. Reason: Licensing/Trademark Violation.

Plugin: Magic Action Box

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available. This plugin has been closed as of January 25, 2022 and is not available for download. Reason: Guideline Violation.

Plugin: WP Event Manager

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 3.1.38
Recommended Action: Update the WordPress WP Event Manager plugin to the latest available version (at least 3.1.38).

Plugin: Popup contact form

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Tiny Carousel Horizontal Slider

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Onclick Show Popup

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Simple File List

Vulnerability: Arbitrary File Deletion
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Adminify

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Popup contact form

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: The Awesome Feed – Custom Feed

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Social Metrics

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Blocks

Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Woocommerce ESTO

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. WP plugins review team was notified on 2023 July 19.

Plugin: Block Plugin Update

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Mediavine Control Panel

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Schema App Structured Data

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Related Posts

See our site in 3D!

Subscribe to our newsletter and we’ll send you a pair of FocusWP 3D glasses!

Get your glasses

Join our free, private Facebook group to network with like minded business owners and pick up tons of useful tips and resources.

Join Now

Get Focused

Jump on our email list to get weekly tips for getting the most out of your FocusWP team, including task inspo, sample ticket briefs, pricing suggestions, and even email swipe files to help you effortlessly sell to your clients.

We will also occasionally share cool tools we are obsessed with, educational resources, and useful tips to help you run a profitable digital business. 

We'll do our best to send emails at times convenient for you.
This field is for validation purposes and should be left unchanged.