Watch Out Wednesday – September 21, 2022

This week’s Watch Out Wednesday lists the latest WordPress plugin vulnerabilities, including issues in Sucuri Security, Simple File List and more.

Plugin: Simple File List

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.4.13
Recommended Action: Update the WordPress Simple File List plugin to the latest available version (at least 4.4.13).

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 4.4.12
Recommended Action: Update the WordPress Simple File List plugin to the latest available version (at least 4.4.12).

Plugin: Memberpress Downloads

Vulnerability: Arbitrary File Upload
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Download Monitor

Vulnerability: Arbitrary File Download
Patched Version: 4.5.98
Recommended Action: Update the WordPress Download Monitor plugin to the latest available version (at least 4.5.98).

Plugin: Top Bar

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.0.4
Recommended Action: Update the WordPress Top Bar plugin to the latest available version (at least 3.0.4).

Plugin: Social Rocket

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.3.3
Recommended Action: Update the WordPress Social Rocket plugin to the latest available version (at least 1.3.3).

Plugin: Contact Form by WPForms

Vulnerability: Directory Traversal
Patched Version: 1.7.5.5
Recommended Action: Update the WordPress Contact Form by WPForms plugin to the latest available version (at least 1.7.5.5).

Plugin: reSmush.it

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 0.4.6
Recommended Action: Update the WordPress reSmush.it plugin to the latest available version (at least 0.4.6).

Plugin: Booster Plus for WooCommerce

Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 5.6.1
Recommended Action: Update the WordPress Booster Plus for WooCommerce plugin to the latest available version (at least 5.6.1).

Plugin: Booster for WooCommerce

Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 5.6.3
Recommended Action: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 5.6.3).

Plugin: SearchWP Live Ajax Search

Vulnerability: Local File Inclusion
Patched Version: 1.6.3
Recommended Action: Update the WordPress SearchWP Live Ajax Search plugin to the latest available version (at least 1.6.3).

Plugin: CPO Shortcodes

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 14, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Taskbuilder

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.0.8
Recommended Action: Update the WordPress Taskbuilder plugin to the latest available version (at least 1.0.8).

Plugin: Awesome Filterable Portfolio

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 14, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Awesome Filterable Portfolio

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 14, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: GS Testimonial Slider

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.9.7
Recommended Action: Update the WordPress GS Testimonial Slider plugin to the latest available version (at least 1.9.7).

Plugin: Awesome Support

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 6.0.8
Recommended Action: Update the WordPress Awesome Support plugin to the latest available version (at least 6.0.8).

Plugin: Rate my Post – WP Rating System

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 3.3.5
Recommended Action: Update the WordPress Rate my Post – WP Rating System plugin to the latest available version (at least 3.3.5).

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.1.4
Recommended Action: Update the WordPress Advanced Dynamic Pricing for WooCommerce plugin to the latest available version (at least 4.1.4).

Plugin: Sucuri Security

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.8.34
Recommended Action: Update the WordPress Sucuri Security plugin to the latest available version (at least 1.8.34).

Plugin: Notice Board

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: Disable User Login

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version is available.


About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
