Watch Out Wednesday – September 28, 2022

This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Sucuri Security, Simple File List and more!

Plugin: Pop-Up Chop Chop

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Oceanwp sticky header

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Social Media Follow Buttons Bar

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Manage Notification E-mails

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: TH Advance Product Search

Vulnerability: Broken Authentication
Patched Version: N/A
Recommended Action: No patched version is available. Ignored by the vendor since Aug 2, 2022.

Plugin: TH Advance Product Search

Vulnerability: Broken Authentication
Patched Version: N/A
Recommended Action: No patched version is available. Ignored by the vendor since Aug 2, 2022.

Plugin: WP Page Widget

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Activity Log

Vulnerability: CSV Injection
Patched Version: 2.8.4
Recommended Action: Update the WordPress Activity Log plugin to the latest available version (at least 2.8.4).

Plugin: Comment Guestbook

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: wpForo Forum

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.0.6
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.0.6).

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: Other Vulnerability Type
Patched Version: 1.3.6.5
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin to the latest available version (at least 1.3.6.5).

Plugin: Frontend File Manager

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 21.4
Recommended Action: Update the WordPress Frontend File Manager plugin to the latest available version (at least 21.4).

Plugin: Frontend File Manager

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 21.4
Recommended Action: Update the WordPress Frontend File Manager plugin to the latest available version (at least 21.4).

Plugin: miniOrange Discord Integration

Vulnerability: Other Vulnerability Type
Patched Version: 2.1.6
Recommended Action: Update the WordPress miniOrange Discord Integration plugin to the latest available version (at least 2.1.6).

Plugin: Helpful

Vulnerability: Sensitive Data Exposure
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 26, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Meks Easy Social Share

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2.8
Recommended Action: Update the WordPress Meks Easy Social Share plugin to the latest available version (at least 1.2.8).

Plugin: Tutor LMS

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.10
Recommended Action: Update the WordPress Tutor LMS plugin to the latest available version (at least 2.0.10).

Plugin: wpForo Forum

Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 2.0.6
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.0.6).

Plugin: wpForo Forum

Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 2.0.6
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.0.6).

Plugin: FontMeister

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Kraken.io Image Optimizer

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Seriously Simple Podcasting

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.16.1
Recommended Action: Update the WordPress Seriously Simple Podcasting plugin to the latest available version (at least 2.16.1).

Plugin: SEO Redirection

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 9.1
Recommended Action: Update the WordPress SEO Redirection plugin to the latest available version (at least 9.1).

Plugin: Backup Scheduler

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: MailOptin

Vulnerability: Other Vulnerability Type
Patched Version: 1.2.50.0
Recommended Action: Update the WordPress MailOptin plugin to the latest available version (at least 1.2.50.0).

Plugin: Tabs

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.7.2
Recommended Action: Update the WordPress Tabs plugin to the latest available version (at least 3.7.2).

Plugin: 3D Tag Cloud

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Demon image annotation

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.8
Recommended Action: Update the WordPress Demon image annotation plugin to the latest available version (at least 4.8).

Plugin: Customer Reviews for WooCommerce

Vulnerability: Other Vulnerability Type
Patched Version: 5.3.6
Recommended Action: Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version (at least 5.3.6).

Plugin: Customer Reviews for WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.3.6
Recommended Action: Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version (at least 5.3.6).

Plugin: Customer Reviews for WooCommerce

Vulnerability: Sensitive Data Exposure
Patched Version: 5.3.6
Recommended Action: Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version (at least 5.3.6).

Plugin: Export Post Info

Vulnerability: CSV Injection
Patched Version: 1.2.1
Recommended Action: Update the WordPress Export Post Info plugin to the latest available version (at least 1.2.1).

Plugin: Passster – Password Protection

Vulnerability: Other Vulnerability Type
Patched Version: 3.5.5.5.2
Recommended Action: Update the WordPress Passster – Password Protection plugin to the latest available version (at least 3.5.5.5.2).

Plugin: WP Custom Cursors

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Custom Cursors

Vulnerability: SQL Injection
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: FavIcon Switcher

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Custom Cursors

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

***
Check out the WoW Archive for past Watch Out Wednesday posts.

About the Author

FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
