Watch Out Wednesday – October 5, 2022

by | Oct 4, 2022 | WoW Archive

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP Super Cache, Asset CleanUp: Page Speed Booster and more!

Plugin: WP Humans.txt

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of October 3, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Retain Live Chat

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of October 3, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Post to CSV by BestWebSoft

Vulnerability: CSV Injection
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 28, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP ALL Export Pro

Vulnerability: SQL Injection
Patched Version: 1.7.9
Recommended Action: Update the WordPress WP ALL Export Pro plugin to the latest available version (at least 1.7.9).

Plugin: WP ALL Export Pro

Vulnerability: Other Vulnerability Type
Patched Version: 1.7.9
Recommended Action: Update the WordPress WP ALL Export Pro plugin to the latest available version (at least 1.7.9).

Plugin: Kadence WooCommerce Email Designer

Vulnerability: PHP Object Injection
Patched Version: 1.5.7
Recommended Action: Update the WordPress Kadence WooCommerce Email Designer plugin to the latest available version (at least 1.5.7).

Plugin: Form Maker by 10Web

Vulnerability: SQL Injection
Patched Version: 1.15.6
Recommended Action: Update the WordPress Form Maker by 10Web plugin to the latest available version (at least 1.15.6).

Plugin: Spam protection, AntiSpam, FireWall by CleanTalk

Vulnerability: SQL Injection
Patched Version: 5.185.1
Recommended Action: Update the WordPress Spam protection, AntiSpam, FireWall by CleanTalk plugin to the latest available version (at least 5.185.1).

Plugin: WP Super Cache

Vulnerability: Other Vulnerability Type
Patched Version: 1.9
Recommended Action: Update the WordPress WP Super Cache plugin to the latest available version (at least 1.9).

Plugin: Blog2Social

Vulnerability: Server Side Request Forgery (SSRF)
Vulnerability: SQL Injection
Patched Version: 6.9.10
Recommended Action: Update the WordPress Blog2Social plugin to the latest available version (at least 6.9.10).

Plugin: CRM Perks Forms

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: WZone – Lite Version

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor since Jul 29, 2022.

Plugin: Media Library Folders

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 7.1.2
Recommended Action: Update the WordPress Media Library Folders plugin to the latest available version (at least 7.1.2).

Plugin: OSM – OpenStreetMap

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Forym

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. Notification on Envato repository: “This item is no longer available”.

Plugin: 3dady real-time web stats

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of December 14, 2018 and is not available for download. Reason: Guideline Violation.

Plugin: Contact Bank

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 28, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: LBstopattack

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 5, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: HREFLANG Tags Lite

Vulnerability: Broken Authentication
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Profile Builder

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.6.1
Recommended Action: Update the WordPress Profile Builder plugin to the latest available version (at least 3.6.1).

Plugin: Redirection for Contact Form 7

Vulnerability: Other Vulnerability Type
Patched Version: 2.6.0
Recommended Action: Update the WordPress Redirection for Contact Form 7 plugin to the latest available version (at least 2.6.0).

Plugin: Accordions

Vulnerability: Other Vulnerability Type
Patched Version: 2.1.0
Recommended Action: Update the WordPress Accordions plugin to the latest available version (at least 2.1.0).

Plugin: Analytics Cat

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.1.0
Recommended Action: Update the WordPress Analytics Cat plugin to the latest available version (at least 1.1.0).

Plugin: Quiz And Survey Master

Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 7.3.5
Recommended Action: Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 7.3.5).

Plugin: Analytify

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.2.3
Recommended Action: Update the WordPress Analytify plugin to the latest available version (at least 4.2.3).

Plugin: Media Library Assistant

Vulnerability: Sensitive Data Exposure
Patched Version: 3.01
Recommended Action: Update the WordPress Media Library Assistant plugin to the latest available version (at least 3.01).

Plugin: AdminPad

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.2
Recommended Action: Update the WordPress AdminPad plugin to the latest available version (at least 2.2).

Plugin: Asset CleanUp: Page Speed Booster

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.3.8.5
Recommended Action: Update the WordPress Asset CleanUp: Page Speed Booster plugin to the latest available version (at least 1.3.8.5).

Plugin: Store Locator WordPress

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.4.6
Recommended Action: Update the WordPress Store Locator WordPress plugin to the latest available version (at least 1.4.6).

Plugin: iQ Block Country

Vulnerability: Bypass Vulnerability
Patched Version: 1.2.19
Recommended Action: Update the WordPress iQ Block Country plugin to the latest available version (at least 1.2.19).

Plugin: Advanced Ads – Ad Manager & AdSense

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.32.0
Recommended Action: Update the WordPress Advanced Ads – Ad Manager & AdSense plugin to the latest available version (at least 1.32.0).

Plugin: Booking Ultra Pro

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Booking Ultra Pro

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available.

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
