Watch Out Wednesday – September 28, 2022

by | Sep 27, 2022 | WoW Archive


This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Sucuri Security, Simple File List and more!

Plugin: Pop-Up Chop Chop

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Oceanwp sticky header

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Social Media Follow Buttons Bar

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Manage Notification E-mails

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: TH Advance Product Search

Vulnerability: Broken Authentication
Patched Version: N/A
Recommended Action: No patched version is available. Ignored by the vendor since Aug 2, 2022.

Plugin: WP Page Widget

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Activity Log

Vulnerability: CSV Injection
Patched Version: 2.8.4
Recommended Action: Update the WordPress Activity Log plugin to the latest available version (at least 2.8.4).

Plugin: Comment Guestbook

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: wpForo Forum

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.0.6
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.0.6).

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: Other Vulnerability Type
Patched Version: 1.3.6.5
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin to the latest available version (at least 1.3.6.5).

Plugin: Frontend File Manager

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 21.4
Recommended Action: Update the WordPress Frontend File Manager plugin to the latest available version (at least 21.4).

Plugin: miniOrange Discord Integration

Vulnerability: Other Vulnerability Type
Patched Version: 2.1.6
Recommended Action: Update the WordPress miniOrange Discord Integration plugin to the latest available version (at least 2.1.6).

Plugin: Helpful

Vulnerability: Sensitive Data Exposure
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 26, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Meks Easy Social Share

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2.8
Recommended Action: Update the WordPress Meks Easy Social Share plugin to the latest available version (at least 1.2.8).

Plugin: Tutor LMS

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.10
Recommended Action: Update the WordPress Tutor LMS plugin to the latest available version (at least 2.0.10).

Plugin: wpForo Forum

Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 2.0.6
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.0.6).

Plugin: FontMeister

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Kraken.io Image Optimizer

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Seriously Simple Podcasting

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.16.1
Recommended Action: Update the WordPress Seriously Simple Podcasting plugin to the latest available version (at least 2.16.1).

Plugin: SEO Redirection

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 9.1
Recommended Action: Update the WordPress SEO Redirection plugin to the latest available version (at least 9.1).

Plugin: Backup Scheduler

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: MailOptin

Vulnerability: Other Vulnerability Type
Patched Version: 1.2.50.0
Recommended Action: Update the WordPress MailOptin plugin to the latest available version (at least 1.2.50.0).

Plugin: Tabs

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.7.2
Recommended Action: Update the WordPress Tabs plugin to the latest available version (at least 3.7.2).

Plugin: 3D Tag Cloud

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Demon image annotation

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.8
Recommended Action: Update the WordPress Demon image annotation plugin to the latest available version (at least 4.8).

Plugin: Customer Reviews for WooCommerce

Vulnerability: Other Vulnerability Type
Patched Version: 5.3.6
Recommended Action: Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version (at least 5.3.6).

Plugin: Customer Reviews for WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.3.6
Recommended Action: Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version (at least 5.3.6).

Plugin: Customer Reviews for WooCommerce

Vulnerability: Sensitive Data Exposure
Patched Version: 5.3.6
Recommended Action: Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version (at least 5.3.6).

Plugin: Export Post Info

Vulnerability: CSV Injection
Patched Version: 1.2.1
Recommended Action: Update the WordPress Export Post Info plugin to the latest available version (at least 1.2.1).

Plugin: Passster – Password Protection

Vulnerability: Other Vulnerability Type
Patched Version: 3.5.5.5.2
Recommended Action: Update the WordPress Passster – Password Protection plugin to the latest available version (at least 3.5.5.5.2).

Plugin: WP Custom Cursors

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Custom Cursors

Vulnerability: SQL Injection
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: FavIcon Switcher

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
