Watch Out Wednesday – September 20, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including ShortPixel, PageLayer, Essential Addons for Elementor and more!

Plugin: Dropbox Folder Share

Vulnerability: Unauthenticated Server-Side Request Forgery via ‘link’ vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Horizontal scrolling announcement

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode vulnerability
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of September 18, 2019 and is not available for download. Reason: Guideline Violation.

Plugin: Allow PHP in Posts and Pages

Vulnerability: Authenticated (Subscriber+) Remote Code Execution via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of February 15, 2019 and is not available for download. Reason: Guideline Violation.

Plugin: Welcart e-Commerce

Vulnerability: Authenticated (level_5+) SQL Injection via get_logs vulnerability
Patched Version: 2.8.22
Recommended Action: Update the WordPress Welcart e-Commerce plugin to the latest available version (at least 2.8.22).

Plugin: ShortPixel Image Optimizer

Vulnerability: Authenticated (Editor+) PHP Object Injection vulnerability
Patched Version: 5.4.2
Recommended Action: Update the WordPress ShortPixel Image Optimizer plugin to the latest available version (at least 5.4.2).

Plugin: Testimonial Slider Shortcode

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.1.9
Recommended Action: Update the WordPress Testimonial Slider Shortcode plugin to the latest available version (at least 1.1.9).

Plugin: Enable Media Replace

Vulnerability: Authenticated (Editor+) PHP Object Injection vulnerability
Patched Version: 4.1.3
Recommended Action: Update the WordPress Enable Media Replace plugin to the latest available version (at least 4.1.3).

Plugin: PowerPress Podcasting

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Media URL vulnerability
Patched Version: 11.0.11
Recommended Action: Update the WordPress PowerPress Podcasting plugin to the latest available version (at least 11.0.11).

Plugin: WS Facebook Like Box Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Essential Addons for Elementor

Vulnerability: Contributor+ Privilege Escalation vulnerability
Patched Version: 5.8.9
Recommended Action: Update the WordPress Essential Addons for Elementor plugin to the latest available version (at least 5.8.9).

Plugin: Essential Blocks Pro

Vulnerability: Unauthenticated PHP Object Injection via queries vulnerability
Patched Version: 1.1.1
Recommended Action: Update the WordPress Essential Blocks Pro plugin to the latest available version (at least 1.1.1).

Plugin: Essential Blocks for Gutenberg

Vulnerability: Unauthenticated PHP Object Injection vulnerability
Patched Version: 4.2.1
Recommended Action: Update the WordPress Essential Blocks for Gutenberg plugin to the latest available version (at least 4.2.1).

Plugin: PageLayer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.7.7
Recommended Action: Update the WordPress PageLayer plugin to the latest available version (at least 1.7.7).

Plugin: WP Customer Reviews

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 3.6.7
Recommended Action: Update the WordPress WP Customer Reviews plugin to the latest available version (at least 3.6.7).

Plugin: WordPress File Upload

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 4.23.3
Recommended Action: Update the WordPress File Upload plugin to the latest available version (at least 4.23.3).

Plugin: WooCommerce CVR Payment Gateway

Vulnerability: Missing Authorization to Authenticated (Contributor+) CVR Update vulnerability
Patched Version: 6.1.0
Recommended Action: Update the WordPress WooCommerce CVR Payment Gateway plugin to the latest available version (at least 6.1.0).

Plugin: wpDiscuz

Vulnerability: Insecure Direct Object Reference to Comment Rating Increase/Decrease vulnerability
Vulnerability: Insecure Direct Object Reference to Post Rating Increase/Decrease vulnerability
Patched Version: 7.6.4
Recommended Action: Update the WordPress wpDiscuz plugin to the latest available version (at least 7.6.4).

Plugin: WooCommerce EAN Payment Gateway

Vulnerability: Missing Authorization to Authenticated (Contributor+) EAN Update vulnerability
Patched Version: 6.1.0
Recommended Action: Update the WordPress WooCommerce EAN Payment Gateway plugin to the latest available version (at least 6.1.0).

Plugin: Feeds for YouTube

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 2.1.2
Recommended Action: Update the WordPress Feeds for YouTube plugin to the latest available version (at least 2.1.2).

Plugin: Awesome Weather Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Booster for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 7.1.1
Recommended Action: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 7.1.1).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
