This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WP Super Cache, Asset CleanUp: Page Speed Booster and more!
Plugin: WP Humans.txt
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of October 3, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Retain Live Chat
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of October 3, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Post to CSV by BestWebSoft
Vulnerability: CSV Injection
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 28, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP ALL Export Pro
Vulnerability: SQL Injection
Patched Version: 1.7.9
Recommended Action: Update the WordPress WP ALL Export Pro plugin to the latest available version (at least 1.7.9).
Plugin: WP ALL Export Pro
Vulnerability: Other Vulnerability Type
Patched Version: 1.7.9
Recommended Action: Update the WordPress WP ALL Export Pro plugin to the latest available version (at least 1.7.9).
Plugin: Kadence WooCommerce Email Designer
Vulnerability: PHP Object Injection
Patched Version: 1.5.7
Recommended Action: Update the WordPress Kadence WooCommerce Email Designer plugin to the latest available version (at least 1.5.7).
Plugin: Form Maker by 10Web
Vulnerability: SQL Injection
Patched Version: 1.15.6
Recommended Action: Update the WordPress Form Maker by 10Web plugin to the latest available version (at least 1.15.6).
Plugin: Spam protection, AntiSpam, FireWall by CleanTalk
Vulnerability: SQL Injection
Patched Version: 5.185.1
Recommended Action: Update the WordPress Spam protection, AntiSpam, FireWall by CleanTalk plugin to the latest available version (at least 5.185.1).
Plugin: WP Super Cache
Vulnerability: Other Vulnerability Type
Patched Version: 1.9
Recommended Action: Update the WordPress WP Super Cache plugin to the latest available version (at least 1.9).
Plugin: Blog2Social
Vulnerability: Server Side Request Forgery (SSRF)
Vulnerability: SQL Injection
Patched Version: 6.9.10
Recommended Action: Update the WordPress Blog2Social plugin to the latest available version (at least 6.9.10).
Plugin: CRM Perks Forms
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: WZone – Lite Version
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor since Jul 29, 2022.
Plugin: Media Library Folders
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 7.1.2
Recommended Action: Update the WordPress Media Library Folders plugin to the latest available version (at least 7.1.2).
Plugin: OSM – OpenStreetMap
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Forym
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. Notification on Envato repository: “This item is no longer available”.
Plugin: 3dady real-time web stats
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of December 14, 2018 and is not available for download. Reason: Guideline Violation.
Plugin: Contact Bank
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 28, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: LBstopattack
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 5, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: HREFLANG Tags Lite
Vulnerability: Broken Authentication
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Profile Builder
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.6.1
Recommended Action: Update the WordPress Profile Builder plugin to the latest available version (at least 3.6.1).
Plugin: Redirection for Contact Form 7
Vulnerability: Other Vulnerability Type
Patched Version: 2.6.0
Recommended Action: Update the WordPress Redirection for Contact Form 7 plugin to the latest available version (at least 2.6.0).
Plugin: Accordions
Vulnerability: Other Vulnerability Type
Patched Version: 2.1.0
Recommended Action: Update the WordPress Accordions plugin to the latest available version (at least 2.1.0).
Plugin: Analytics Cat
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.1.0
Recommended Action: Update the WordPress Analytics Cat plugin to the latest available version (at least 1.1.0).
Plugin: Quiz And Survey Master
Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 7.3.5
Recommended Action: Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 7.3.5).
Plugin: Analytify
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.2.3
Recommended Action: Update the WordPress Analytify plugin to the latest available version (at least 4.2.3).
Plugin: Media Library Assistant
Vulnerability: Sensitive Data Exposure
Patched Version: 3.01
Recommended Action: Update the WordPress Media Library Assistant plugin to the latest available version (at least 3.01).
Plugin: AdminPad
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.2
Recommended Action: Update the WordPress AdminPad plugin to the latest available version (at least 2.2).
Plugin: Asset CleanUp: Page Speed Booster
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.3.8.5
Recommended Action: Update the WordPress Asset CleanUp: Page Speed Booster plugin to the latest available version (at least 1.3.8.5).
Plugin: Store Locator WordPress
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.4.6
Recommended Action: Update the WordPress Store Locator WordPress plugin to the latest available version (at least 1.4.6).
Plugin: iQ Block Country
Vulnerability: Bypass Vulnerability
Patched Version: 1.2.19
Recommended Action: Update the WordPress iQ Block Country plugin to the latest available version (at least 1.2.19).
Plugin: Advanced Ads – Ad Manager & AdSense
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.32.0
Recommended Action: Update the WordPress Advanced Ads – Ad Manager & AdSense plugin to the latest available version (at least 1.32.0).
Plugin: Booking Ultra Pro
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: Booking Ultra Pro
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available.
***
Check out the WoW Archive for past Watch Out Wednesday posts.