This week’s Watch Out Wednesday lists the latest WordPress plugin vulnerabilities, including OpenHook, FooGallery, WP Event Manager and more. Where an entry lists a patched version, update to at least that release; where no patched version exists (the plugin is closed in the repository or the vendor has not responded), treat it as unfixable and deactivate and delete it rather than waiting for a fix.
Plugin: WP Responsive header image slide
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of May 31, 2019 and is not available for download. This closure is permanent. Reason: Author Request.
Plugin: Contact form Form For All
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 27, 2019 and is not available for download. Reason: Guideline Violation.
Plugin: BuddyMeet
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.3.0
Recommended Action: Update the WordPress BuddyMeet plugin to the latest available version (at least 2.3.0).
Plugin: bbp style pack
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 5.6.8
Recommended Action: Update the WordPress bbp style pack plugin to the latest available version (at least 5.6.8).
Plugin: OpenHook
Vulnerability: Authenticated Remote Code Execution (RCE) vulnerability
Patched Version: 4.3.1
Recommended Action: Update the WordPress OpenHook plugin to the latest available version (at least 4.3.1).
Plugin: Comments by Startbit
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 26, 2019 and is not available for download. Reason: Licensing/Trademark Violation.
Plugin: Advanced Custom Fields: Extended
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 0.8.9.4
Recommended Action: Update the WordPress Advanced Custom Fields: Extended plugin to the latest available version (at least 0.8.9.4).
Plugin: WP Jump Menu
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Events Rich Snippets for Google
Vulnerability: CSRF Leading to Privilege Escalation vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Cooked
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: CopyRightPro
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Add Shortcodes Actions And Filters
Vulnerability: Multiple Cross Site Request Forgery (CSRF) vulnerabilities
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Tiger Forms
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.0
Recommended Action: Update the WordPress Tiger Forms plugin to the latest available version (at least 2.1.0).
Plugin: Table of Contents Plus
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2309
Recommended Action: Update the WordPress Table of Contents Plus plugin to the latest available version (at least 2309).
Plugin: Unyson
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Backend Localization
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 2, 2023 and is not available for download. This closure is permanent.
Plugin: Kv TinyMCE Editor Add Fonts
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: FooGallery
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 2.3.2
Recommended Action: Update the WordPress FooGallery plugin to the latest available version (at least 2.3.2).
Plugin: Contractor Contact Form Website to Workflow Tool
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Images Slideshow by 2J
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Instant CSS
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.2.2
Recommended Action: Update the WordPress Instant CSS plugin to the latest available version (at least 1.2.2).
Plugin: Keap Landing Pages
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Timthumb Vulnerability Scanner
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Shockingly Simple Favicon
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WWM Social Share On Image Hover
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Remove slug from custom post type
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Site Protector
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Captcha
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Vulnerability: Captcha Bypass vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP GPX Map
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of August 17, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Hide Pages
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Contact Form
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Modern Events Calendar Lite
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 7.1.0
Recommended Action: Update the WordPress Modern Events Calendar Lite plugin to the latest available version (at least 7.1.0). Because exploitation requires an administrator account, this is mainly a concern on multisite installations or on sites where the unfiltered_html capability has been disabled; on a standard single site an administrator can already post unfiltered HTML.
Plugin: Font Awesome More Icons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of June 27, 2019 and is not available for download. This closure is permanent. Reason: Author Request.
Plugin: TM WooCommerce Compare & Wishlist
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 20, 2021 and is not available for download. Reason: Guideline Violation.
Plugin: Font Awesome Integration
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of September 19, 2019 and is not available for download. Reason: Licensing/Trademark Violation.
Plugin: Magic Action Box
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of January 25, 2022 and is not available for download. Reason: Guideline Violation.
Plugin: WP Event Manager
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 3.1.38
Recommended Action: Update the WordPress WP Event Manager plugin to the latest available version (at least 3.1.38). As with other Admin+ stored XSS issues, this matters mostly on multisite installations or where unfiltered_html has been disabled, since a single-site administrator can already inject arbitrary HTML.
Plugin: Popup contact form
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Tiny Carousel Horizontal Slider
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Onclick Show Popup
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Simple File List
Vulnerability: Arbitrary File Deletion
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP Adminify
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: The Awesome Feed – Custom Feed
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Social Metrics
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Blocks
Vulnerability: Cross Site Scripting (XSS)
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Woocommerce ESTO
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. The WordPress plugin review team was notified on July 19, 2023.
Plugin: Block Plugin Update
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Mediavine Control Panel
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Schema App Structured Data
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
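Applying a list like this across many sites by hand is error-prone, so here is an added example (not code from the original post) that cross-checks an installed-plugin inventory against the entries above. The plugin titles and patched versions are transcribed from this post (a subset, to keep the table short); the inventory format, a list of objects with `title` and `version` keys such as `wp plugin list --fields=title,version --format=json` prints, and the sample inventory itself are assumptions constructed for illustration.

```python
"""Cross-check installed WordPress plugins against this week's advisories.

Added example, not part of the original post. The advisory table below is
transcribed from the post; the inventory shape (title + version, as
`wp plugin list --fields=title,version --format=json` would emit) and the
sample inventory are assumptions constructed for illustration.
"""
import re
from typing import Optional

# (plugin title -> patched version). None means no fixed release exists, so the
# plugin should be deactivated and removed rather than updated.
ADVISORIES = {
    "OpenHook": "4.3.1",
    "FooGallery": "2.3.2",
    "WP Event Manager": "3.1.38",
    "Table of Contents Plus": "2309",        # date-style versioning (YYMM)
    "Advanced Custom Fields: Extended": "0.8.9.4",
    "Modern Events Calendar Lite": "7.1.0",
    "Tiger Forms": "2.1.0",
    "Instant CSS": "1.2.2",
    "Unyson": None,
    "Simple File List": None,
    "WP Captcha": None,
}

# Constructed sample inventory (assumption); a real one comes from wp-cli.
SAMPLE_INVENTORY = [
    {"title": "OpenHook", "version": "4.3.0"},
    {"title": "FooGallery", "version": "2.3.2"},
    {"title": "Table of Contents Plus", "version": "2302"},
    {"title": "Unyson", "version": "2.7.28"},
    {"title": "Akismet Anti-spam", "version": "5.3"},
]


def parse_version(v: str) -> tuple:
    """Split a dotted version into integer components.

    '2309' -> (2309,), '0.8.9.4' -> (0, 8, 9, 4). Non-numeric parts (rare in
    WordPress plugin releases) are treated as 0; real PHP version_compare()
    semantics for suffixes like 'beta' are out of scope here.
    """
    parts = re.split(r"[.\-]", v.strip())
    return tuple(int(p) if p.isdigit() else 0 for p in parts)


def version_lt(installed: str, patched: str) -> bool:
    """True if installed < patched, padding shorter tuples with zeros."""
    a, b = parse_version(installed), parse_version(patched)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def assess(title: str, version: str) -> Optional[str]:
    """Return 'update', 'remove', or None if the plugin is not on the list."""
    key = title.strip().casefold()
    for name, patched in ADVISORIES.items():
        if name.casefold() != key:
            continue
        if patched is None:
            return "remove"           # closed / unfixed: no safe version exists
        return "update" if version_lt(version, patched) else None
    return None


def triage(inventory) -> dict:
    """Map each affected installed plugin title to the action required."""
    findings = {}
    for plugin in inventory:
        action = assess(plugin["title"], plugin["version"])
        if action:
            findings[plugin["title"]] = action
    return findings


if __name__ == "__main__":
    for title, action in triage(SAMPLE_INVENTORY).items():
        print(f"{action.upper():7} {title}")
```

Matching is by plugin title rather than repository slug, because the post gives titles only; on a real fleet you would key on the slug to avoid confusing similarly named plugins. Plain numeric comparison is enough for the versions listed here (including the date-style `2309`), but a plugin that ships pre-release suffixes would need PHP's full `version_compare` rules.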
***
Check out the WoW Archive for past Watch Out Wednesday posts.