This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Simple Membership, Easy Registration Forms, Ad Inserter and more!
Plugin: BEAR
Vulnerability: Multiple Missing Authorization vulnerabilities
Vulnerability: Multiple Cross-Site Request Forgery vulnerabilities
Patched Version: 1.1.4
Recommended Action: Update the WordPress BEAR plugin to the latest available version (at least 1.1.4).
Plugin: Simple Membership
Vulnerability: Authenticated Account Takeover vulnerability
Vulnerability: Unauthenticated Membership Role Privilege Escalation vulnerability
Patched Version: 4.3.5
Recommended Action: Update the WordPress Simple Membership plugin to the latest available version (at least 4.3.5).
Plugin: Easy Registration Forms
Vulnerability: Authenticated (Subscriber+) Information Disclosure via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of November 12, 2021 and is not available for download. Reason: Security Issue.
Plugin: WP Mailto Links
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.1.4
Recommended Action: Update the WordPress WP Mailto Links plugin to the latest available version (at least 3.1.4).
Plugin: Ad Inserter
Vulnerability: Unauthenticated Sensitive Information Exposure via ai_ajax vulnerability
Vulnerability: Unauthenticated Sensitive Information Exposure via ai-debug-processing-fe vulnerability
Patched Version: 2.7.31
Recommended Action: Update the WordPress Ad Inserter plugin to the latest available version (at least 2.7.31).
Plugin: Copy Anything to Clipboard
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 2.6.5
Recommended Action: Update the WordPress Copy Anything to Clipboard plugin to the latest available version (at least 2.6.5).
Plugin: FormGet Contact Form
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of August 27, 2019 and is not available for download. This closure is permanent. Reason: Guideline Violation.
Plugin: WPvivid Backup and Migration
Vulnerability: Authenticated (Administrator+) Arbitrary Directory Deletion via Path Traversal vulnerability
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 0.9.90
Recommended Action: Update the WordPress WPvivid Backup and Migration plugin to the latest available version (at least 0.9.90).
Plugin: Drag and Drop Multiple File Upload for WooCommerce
Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 1.1.1
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload for WooCommerce plugin to the latest available version (at least 1.1.1).
Plugin: iPanorama 360 WordPress Virtual Tour Builder
Vulnerability: Authenticated (Admin+) SQL injection vulnerability
Patched Version: 1.8.0
Recommended Action: Update the WordPress iPanorama 360 WordPress Virtual Tour Builder plugin to the latest available version (at least 1.8.0).
Plugin: Memberlite Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.3.9
Recommended Action: Update the WordPress Memberlite Shortcodes plugin to the latest available version (at least 1.3.9).
Plugin: Media Library Assistant
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.11
Recommended Action: Update the WordPress Media Library Assistant plugin to the latest available version (at least 3.11).
Plugin: WP-Piwik
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.0.29
Recommended Action: Update the WordPress Connect Matomo (WP-Matomo, WP-Piwik) plugin to the latest available version (at least 1.0.29).
Plugin: Extensions for Leaflet Map
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.3.1
Recommended Action: Update the WordPress Extensions for Leaflet Map plugin to the latest available version (at least 3.3.1).
Plugin: Serial Codes Generator and Validator with WooCommerce Support
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 2.4.15
Recommended Action: Update the WordPress Serial Codes Generator and Validator with WooCommerce Support plugin to the latest available version (at least 2.4.15).
Plugin: Table of Contents Plus
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 2309
Recommended Action: Update the WordPress Table of Contents Plus plugin to the latest available version (at least 2309).
Plugin: wp-charts
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.
Plugin: Widget Responsive for Youtube
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.6.2
Recommended Action: Update the WordPress Widget Responsive for Youtube plugin to the latest available version (at least 1.6.2).
***
Check out the WoW Archive for past Watch Out Wednesday posts.