Watch Out Wednesday – September 28, 2022

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Sucuri Security, Simple File List and more!

Plugin: Pop-Up Chop Chop

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Oceanwp sticky header

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Social Media Follow Buttons Bar

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Manage Notification E-mails

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: TH Advance Product Search

Vulnerability: Broken Authentication
Patched Version: N/A
Recommended Action: No patched version is available. Ignored by the vendor since Aug 2, 2022.

Plugin: TH Advance Product Search

Vulnerability: Broken Authentication
Patched Version: N/A
Recommended Action: No patched version is available. Ignored by the vendor since Aug 2, 2022.

Plugin: WP Page Widget

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Activity Log

Vulnerability: CSV Injection
Patched Version: 2.8.4
Recommended Action: Update the WordPress Activity Log plugin to the latest available version (at least 2.8.4).

Plugin: Comment Guestbook

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: wpForo Forum

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.0.6
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.0.6).

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: Other Vulnerability Type
Patched Version: 1.3.6.5
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin to the latest available version (at least 1.3.6.5).

Plugin: Frontend File Manager

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 21.4
Recommended Action: Update the WordPress Frontend File Manager plugin to the latest available version (at least 21.4).

Plugin: Frontend File Manager

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 21.4
Recommended Action: Update the WordPress Frontend File Manager plugin to the latest available version (at least 21.4).

Plugin: miniOrange Discord Integration

Vulnerability: Other Vulnerability Type
Patched Version: 2.1.6
Recommended Action: Update the WordPress miniOrange Discord Integration plugin to the latest available version (at least 2.1.6).

Plugin: Helpful

Vulnerability: Sensitive Data Exposure
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 26, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Meks Easy Social Share

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2.8
Recommended Action: Update the WordPress Meks Easy Social Share plugin to the latest available version (at least 1.2.8).

Plugin: Tutor LMS

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.10
Recommended Action: Update the WordPress Tutor LMS plugin to the latest available version (at least 2.0.10).

Plugin: wpForo Forum

Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 2.0.6
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.0.6).

Plugin: wpForo Forum

Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 2.0.6
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.0.6).

Plugin: FontMeister

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Kraken.io Image Optimizer

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Seriously Simple Podcasting

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.16.1
Recommended Action: Update the WordPress Seriously Simple Podcasting plugin to the latest available version (at least 2.16.1).

Plugin: SEO Redirection

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 9.1
Recommended Action: Update the WordPress SEO Redirection plugin to the latest available version (at least 9.1).

Plugin: Backup Scheduler

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: MailOptin

Vulnerability: Other Vulnerability Type
Patched Version: 1.2.50.0
Recommended Action: Update the WordPress MailOptin plugin to the latest available version (at least 1.2.50.0).

Plugin: Tabs

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.7.2
Recommended Action: Update the WordPress Tabs plugin to the latest available version (at least 3.7.2).

Plugin: 3D Tag Cloud

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Demon image annotation

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.8
Recommended Action: Update the WordPress Demon image annotation plugin to the latest available version (at least 4.8).

Plugin: Customer Reviews for WooCommerce

Vulnerability: Other Vulnerability Type
Patched Version: 5.3.6
Recommended Action: Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version (at least 5.3.6).

Plugin: Customer Reviews for WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.3.6
Recommended Action: Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version (at least 5.3.6).

Plugin: Customer Reviews for WooCommerce

Vulnerability: Sensitive Data Exposure
Patched Version: 5.3.6
Recommended Action: Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version (at least 5.3.6).

Plugin: Export Post Info

Vulnerability: CSV Injection
Patched Version: 1.2.1
Recommended Action: Update the WordPress Export Post Info plugin to the latest available version (at least 1.2.1).

Plugin: Passster – Password Protection

Vulnerability: Other Vulnerability Type
Patched Version: 3.5.5.5.2
Recommended Action: Update the WordPress Passster – Password Protection plugin to the latest available version (at least 3.5.5.5.2).

Plugin: WP Custom Cursors

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Custom Cursors

Vulnerability: SQL Injection
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: FavIcon Switcher

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Custom Cursors

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
