Watch Out Wednesday – September 27, 2023

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Simple Membership, Easy Registration Forms, Ad Inserter and more!

by | Sep 26, 2023 | WoW Archive


Plugin: BEAR

Vulnerability: Multiple Missing Authorization vulnerabilities
Vulnerability: Multiple Cross-Site Request Forgery vulnerabilities
Patched Version: 1.1.4
Recommended Action: Update the WordPress BEAR plugin to the latest available version (at least 1.1.4).

Plugin: Simple Membership

Vulnerability: Authenticated Account Takeover vulnerability
Vulnerability: Unauthenticated Membership Role Privilege Escalation vulnerability
Patched Version: 4.3.5
Recommended Action: Update the WordPress Simple Membership plugin to the latest available version (at least 4.3.5).

Plugin: Easy Registration Forms

Vulnerability: Authenticated (Subscriber+) Information Disclosure via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of November 12, 2021 and is not available for download. Reason: Security Issue.

Plugin: WP Mailto Links

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.1.4
Recommended Action: Update the WordPress WP Mailto Links plugin to the latest available version (at least 3.1.4).

Plugin: Ad Inserter

Vulnerability: Unauthenticated Sensitive Information Exposure via ai_ajax vulnerability
Vulnerability: Unauthenticated Sensitive Information Exposure via ai-debug-processing-fe vulnerability
Patched Version: 2.7.31
Recommended Action: Update the WordPress Ad Inserter plugin to the latest available version (at least 2.7.31).

Plugin: Copy Anything to Clipboard

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 2.6.5
Recommended Action: Update the WordPress Copy Anything to Clipboard plugin to the latest available version (at least 2.6.5).

Plugin: FormGet Contact Form

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed as of August 27, 2019 and is not available for download. This closure is permanent. Reason: Guideline Violation.

Plugin: WPvivid Backup and Migration

Vulnerability: Authenticated (Administrator+) Arbitrary Directory Deletion via Path Traversal vulnerability
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 0.9.90
Recommended Action: Update the WordPress WPvivid Backup and Migration plugin to the latest available version (at least 0.9.90).

Plugin: Drag and Drop Multiple File Upload for WooCommerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting vulnerability
Patched Version: 1.1.1
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload for WooCommerce plugin to the latest available version (at least 1.1.1).

Plugin: iPanorama 360 WordPress Virtual Tour Builder

Vulnerability: Authenticated (Administrator+) SQL Injection vulnerability
Patched Version: 1.8.0
Recommended Action: Update the WordPress iPanorama 360 WordPress Virtual Tour Builder plugin to the latest available version (at least 1.8.0).

Plugin: Memberlite Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.3.9
Recommended Action: Update the WordPress Memberlite Shortcodes plugin to the latest available version (at least 1.3.9).

Plugin: Media Library Assistant

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.11
Recommended Action: Update the WordPress Media Library Assistant plugin to the latest available version (at least 3.11).

Plugin: WP-Piwik

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.0.29
Recommended Action: Update the WordPress Connect Matomo (WP-Matomo, WP-Piwik) plugin to the latest available version (at least 1.0.29).

Plugin: Extensions for Leaflet Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 3.3.1
Recommended Action: Update the WordPress Extensions for Leaflet Map plugin to the latest available version (at least 3.3.1).

Plugin: Serial Codes Generator and Validator with WooCommerce Support

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 2.4.15
Recommended Action: Update the WordPress Serial Codes Generator and Validator with WooCommerce Support plugin to the latest available version (at least 2.4.15).

Plugin: Table of Contents Plus

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 2309
Recommended Action: Update the WordPress Table of Contents Plus plugin to the latest available version (at least 2309).

Plugin: wp-charts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: None
Recommended Action: No patched version available.

Plugin: Widget Responsive for Youtube

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.6.2
Recommended Action: Update the WordPress Widget Responsive for Youtube plugin to the latest available version (at least 1.6.2).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
