This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including ShortPixel, PageLayer, Essential Addons for Elementor and more!
Plugin: Dropbox Folder Share
Vulnerability: Unauthenticated Server-Side Request Forgery via ‘link’ vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: Horizontal scrolling announcement
Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode vulnerability
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of September 18, 2019 and is not available for download. Reason: Guideline Violation.
Plugin: Allow PHP in Posts and Pages
Vulnerability: Authenticated (Subscriber+) Remote Code Execution via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of February 15, 2019 and is not available for download. Reason: Guideline Violation.
Plugin: Welcart e-Commerce
Vulnerability: Authenticated (level_5+) SQL Injection via get_logs vulnerability
Patched Version: 2.8.22
Recommended Action: Update the WordPress Welcart e-Commerce plugin to the latest available version (at least 2.8.22).
Plugin: ShortPixel Image Optimizer
Vulnerability: Authenticated (Editor+) PHP Object Injection vulnerability
Patched Version: 5.4.2
Recommended Action: Update the WordPress ShortPixel Image Optimizer plugin to the latest available version (at least 5.4.2).
Plugin: Testimonial Slider Shortcode
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting Vulnerability via Shortcode vulnerability
Patched Version: 1.1.9
Recommended Action: Update the WordPress Testimonial Slider Shortcode plugin to the latest available version (at least 1.1.9).
Plugin: Enable Media Replace
Vulnerability: Authenticated (Editor+) PHP Object Injection vulnerability
Patched Version: 4.1.3
Recommended Action: Update the WordPress Enable Media Replace plugin to the latest available version (at least 4.1.3).
Plugin: PowerPress Podcasting
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Media URL vulnerability
Patched Version: 11.0.11
Recommended Action: Update the WordPress PowerPress Podcasting plugin to the latest available version (at least 11.0.11).
Plugin: WS Facebook Like Box Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Essential Addons for Elementor
Vulnerability: Contributor+ Privilege Escalation vulnerability
Patched Version: 5.8.9
Recommended Action: Update the WordPress Essential Addons for Elementor plugin to the latest available version (at least 5.8.9).
Plugin: Essential Blocks Pro
Vulnerability: Unauthenticated PHP Object Injection via queries vulnerability
Patched Version: 1.1.1
Recommended Action: Update the WordPress Essential Blocks Pro plugin to the latest available version (at least 1.1.1).
Plugin: Essential Blocks for Gutenberg
Vulnerability: Unauthenticated PHP Object Injection vulnerability
Patched Version: 4.2.1
Recommended Action: Update the WordPress Essential Blocks for Gutenberg plugin to the latest available version (at least 4.2.1).
Plugin: PageLayer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.7.7
Recommended Action: Update the WordPress PageLayer plugin to the latest available version (at least 1.7.7).
Plugin: WP Customer Reviews
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 3.6.7
Recommended Action: Update the WordPress WP Customer Reviews plugin to the latest available version (at least 3.6.7).
Plugin: WordPress File Upload
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 4.23.3
Recommended Action: Update the WordPress File Upload plugin to the latest available version (at least 4.23.3).
Plugin: WooCommerce CVR Payment Gateway
Vulnerability: Missing Authorization to Authenticated (Contributor+) CVR Update vulnerability
Patched Version: 6.1.0
Recommended Action: Update the WordPress WooCommerce CVR Payment Gateway plugin to the latest available version (at least 6.1.0).
Plugin: wpDiscuz
Vulnerability: Insecure Direct Object Reference to Comment Rating Increase/Decrease vulnerability
Vulnerability: Insecure Direct Object Reference to Post Rating Increase/Decrease vulnerability
Patched Version: 7.6.4
Recommended Action: Update the WordPress wpDiscuz plugin to the latest available version (at least 7.6.4).
Plugin: WooCommerce EAN Payment Gateway
Vulnerability: Missing Authorization to Authenticated (Contributor+) EAN Update vulnerability
Patched Version: 6.1.0
Recommended Action: Update the WordPress WooCommerce EAN Payment Gateway plugin to the latest available version (at least 6.1.0).
Plugin: Feeds for YouTube
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 2.1.2
Recommended Action: Update the WordPress Feeds for YouTube plugin to the latest available version (at least 2.1.2).
Plugin: Awesome Weather Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Booster for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 7.1.1
Recommended Action: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 7.1.1).
***
Check out the WoW Archive for past Watch Out Wednesday posts.