Watch Out Wednesday – September 27, 2023

woman with surprised expression looking through binoculars, captioned watch out wednesday

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Simple Membership, Easy Registration Forms, Ad Inserter and more!

Plugin: BEAR

Vulnerability: Multiple Missing Authorization vulnerability
Vulnerability: Multiple Cross-Site Request Forgery vulnerability
Patched Version: 1.1.4
Recommended Action: Update the WordPress BEAR plugin to the latest available version (at least 1.1.4).

Plugin: Simple Membership

Vulnerability: Authenticated Account Takeover vulnerability>
Vulnerability: Unauthenticated Membership Role Privilege Escalation vulnerability
Patched Version: 4.3.5
Recommended Action: Update the WordPress Simple Membership plugin to the latest available version (at least 4.3.5).

Plugin: Easy Registration Forms

Vulnerability: Authenticated (Subscriber+) Information Disclosure via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of November 12, 2021 and is not available for download. Reason: Security Issue.

Plugin: WP Mailto Links

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.1.4
Recommended Action: Update the WordPress WP Mailto Links plugin to the latest available version (at least 3.1.4).

Plugin: Ad Inserter

Vulnerability: Unauthenticated Sensitive Information Exposure via ai_ajax vulnerability
Vulnerability: Unauthenticated Sensitive Information Exposure via ai-debug-processing-fe vulnerability
Patched Version: 2.7.31
Recommended Action: Update the WordPress Ad Inserter plugin to the latest available version (at least 2.7.31).

Plugin: Copy Anything to Clipboard

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 2.6.5
Recommended Action: Update the WordPress Copy Anything to Clipboard plugin to the latest available version (at least 2.6.5).

Plugin: FormGet Contact Form

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of August 27, 2019 and is not available for download. This closure is permanent. Reason: Guideline Violation.

Plugin: WPvivid Backup and Migration

Vulnerability: Authenticated (Administrator+) Arbitrary Directory Deletion via Path Traversal vulnerability
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 0.9.90
Recommended Action: Update the WordPress WPvivid Backup and Migration plugin to the latest available version (at least 0.9.90).

Plugin: Drag and Drop Multiple File Upload for WooCommerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 1.1.1
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload for WooCommerce plugin to the latest available version (at least 1.1.1).

Plugin: iPanorama 360 WordPress Virtual Tour Builder

Vulnerability: Authenticated (Admin+) SQL injection vulnerability
Patched Version: 1.8.0
Recommended Action: Update the WordPress iPanorama 360 WordPress Virtual Tour Builder plugin to the latest available version (at least 1.8.0).

Plugin: Memberlite Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.3.9
Recommended Action: Update the WordPress Memberlite Shortcodes plugin to the latest available version (at least 1.3.9).

Plugin: Media Library Assistant

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.11
Recommended Action: Update the WordPress Media Library Assistant plugin to the latest available version (at least 3.11).

Plugin: WP-Piwik

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.0.29
Recommended Action: Update the WordPress Connect Matomo (WP-Matomo, WP-Piwik) plugin to the latest available version (at least 1.0.29).

Plugin: Extensions for Leaflet Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.3.1
Recommended Action: Update the WordPress Extensions for Leaflet Map plugin to the latest available version (at least 3.3.1).

Plugin: Serial Codes Generator and Validator with WooCommerce Support

Vulnerability: Admin+ Stored XSS vulnerability
Patched Version: 2.4.15
Recommended Action: Update the WordPress Serial Codes Generator and Validator with WooCommerce Support plugin to the latest available version (at least 2.4.15).

Plugin: Table of Contents Plus

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 2309
Recommended Action: Update the WordPress Table of Contents Plus plugin to the latest available version (at least 2309).

Plugin: wp-charts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Widget Responsive for Youtube

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.6.2
Recommended Action: Update the WordPress Widget Responsive for Youtube plugin to the latest available version (at least 1.6.2).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!

0 Comments

Submit a Comment Cancel reply

Scaling Your Remote Business with Eric Dingler and Stephanie Hudson

by Focus On Copy | Mar 8, 2024

Scaling your remote business may seem daunting, but it can absolutely be done. The pathway to success is paved with strategic delegation, effective communication, and leveraging the right resources. In episode 8 of the Digital Nomad Entrepreneur podcast, Eric Dingler...

How to comply with 2024 Google and Yahoo email sender requirements

by Stephanie Hudson | Jan 30, 2024

Google and Yahoo have dropped the hammer on email senders, which will quite likely impact the email marketing done by you and your clients. To me, this is a bit like a helmet law; it seems crazy that a motorcycle rider needs a LAW to make them wear a helmet when...

Understanding and Optimizing Your XML Sitemap to Boost SEO

by Stephanie Hudson | Jan 23, 2024

In a crowded sea of websites competing for attention, an XML Sitemap can be a beacon for search engines to find and understand your content. You probably create a sitemap for your clients when you build a new website, but are you getting the most out of this easily...

See our site in 3D!

Subscribe to our newsletter and we’ll send you a pair of FocusWP 3D glasses!

Get your glasses

Join our free, private Facebook group to network with like minded business owners and pick up tons of useful tips and resources.

Join Now

Get Focused

Jump on our email list to get weekly tips for getting the most out of your FocusWP team, including task inspo, sample ticket briefs, pricing suggestions, and even email swipe files to help you effortlessly sell to your clients.

We will also occasionally share cool tools we are obsessed with, educational resources, and useful tips to help you run a profitable digital business.

First Name*

Last Name*

Email Address*

Time Zone*

We'll do our best to send emails at times convenient for you.

Email

This field is for validation purposes and should be left unchanged.

37221