This Week’s Watch Out Wednesday shows the latest WordPress plugin vulnerabilities, including Activity Log, wpForo Forum, Tutor LMS, Customer Reviews for WooCommerce and more!
Plugin: Pop-Up Chop Chop
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Oceanwp sticky header
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Social Media Follow Buttons Bar
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Manage Notification E-mails
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: TH Advance Product Search
Vulnerability: Broken Authentication
Patched Version: N/A
Recommended Action: No patched version is available. Ignored by the vendor since Aug 2, 2022.
Plugin: TH Advance Product Search
Vulnerability: Broken Authentication
Patched Version: N/A
Recommended Action: No patched version is available. Ignored by the vendor since Aug 2, 2022.
Plugin: WP Page Widget
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Activity Log
Vulnerability: CSV Injection
Patched Version: 2.8.4
Recommended Action: Update the WordPress Activity Log plugin to the latest available version (at least 2.8.4).
Plugin: Comment Guestbook
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: wpForo Forum
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.0.6
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.0.6).
Plugin: Drag and Drop Multiple File Upload – Contact Form 7
Vulnerability: Other Vulnerability Type
Patched Version: 1.3.6.5
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin to the latest available version (at least 1.3.6.5).
Plugin: Frontend File Manager
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 21.4
Recommended Action: Update the WordPress Frontend File Manager plugin to the latest available version (at least 21.4).
Plugin: Frontend File Manager
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 21.4
Recommended Action: Update the WordPress Frontend File Manager plugin to the latest available version (at least 21.4).
Plugin: miniOrange Discord Integration
Vulnerability: Other Vulnerability Type
Patched Version: 2.1.6
Recommended Action: Update the WordPress miniOrange Discord Integration plugin to the latest available version (at least 2.1.6).
Plugin: Helpful
Vulnerability: Sensitive Data Exposure
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 26, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Meks Easy Social Share
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 1.2.8
Recommended Action: Update the WordPress Meks Easy Social Share plugin to the latest available version (at least 1.2.8).
Plugin: Tutor LMS
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.0.10
Recommended Action: Update the WordPress Tutor LMS plugin to the latest available version (at least 2.0.10).
Plugin: wpForo Forum
Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 2.0.6
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.0.6).
Plugin: wpForo Forum
Vulnerability: Insecure Direct Object References (IDOR)
Patched Version: 2.0.6
Recommended Action: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.0.6).
Plugin: FontMeister
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Kraken.io Image Optimizer
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Seriously Simple Podcasting
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 2.16.1
Recommended Action: Update the WordPress Seriously Simple Podcasting plugin to the latest available version (at least 2.16.1).
Plugin: SEO Redirection
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 9.1
Recommended Action: Update the WordPress SEO Redirection plugin to the latest available version (at least 9.1).
Plugin: Backup Scheduler
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: MailOptin
Vulnerability: Other Vulnerability Type
Patched Version: 1.2.50.0
Recommended Action: Update the WordPress MailOptin plugin to the latest available version (at least 1.2.50.0).
Plugin: Tabs
Vulnerability: Cross Site Scripting (XSS)
Patched Version: 3.7.2
Recommended Action: Update the WordPress Tabs plugin to the latest available version (at least 3.7.2).
Plugin: 3D Tag Cloud
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Demon image annotation
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.8
Recommended Action: Update the WordPress Demon image annotation plugin to the latest available version (at least 4.8).
Plugin: Customer Reviews for WooCommerce
Vulnerability: Other Vulnerability Type
Patched Version: 5.3.6
Recommended Action: Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version (at least 5.3.6).
Plugin: Customer Reviews for WooCommerce
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 5.3.6
Recommended Action: Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version (at least 5.3.6).
Plugin: Customer Reviews for WooCommerce
Vulnerability: Sensitive Data Exposure
Patched Version: 5.3.6
Recommended Action: Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version (at least 5.3.6).
Plugin: Export Post Info
Vulnerability: CSV Injection
Patched Version: 1.2.1
Recommended Action: Update the WordPress Export Post Info plugin to the latest available version (at least 1.2.1).
Plugin: Passster – Password Protection
Vulnerability: Other Vulnerability Type
Patched Version: 3.5.5.5.2
Recommended Action: Update the WordPress Passster – Password Protection plugin to the latest available version (at least 3.5.5.5.2).
Plugin: WP Custom Cursors
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Custom Cursors
Vulnerability: SQL Injection
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: FavIcon Switcher
Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Custom Cursors
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review.
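Every entry above ends in one of two actions: update to at least a given version, or deactivate and delete because no fix exists. The script below is an added example (not code from this post or from any of the plugin authors) that turns that list into a check you can run against a site. It assumes the JSON that WP-CLI prints for `wp plugin list --fields=name,title,status,version --format=json`; the sample output embedded in it is constructed, and the plugin slugs in it are illustrative, not verified. Versions are compared numerically component by component, because a string comparison would wrongly treat `3.5.5.5.10` as older than `3.5.5.5.2`.

```python
"""Triage installed WordPress plugins against this week's advisory list.

Input format (assumed): the JSON printed by
    wp plugin list --fields=name,title,status,version --format=json
The sample below is constructed for this example, not real site output.
"""
import json
import re

# A subset of the advisories listed above: (plugin title as shown in
# wp-admin, issue, patched version). None means no fix exists and the
# recommendation is to deactivate and delete the plugin.
ADVISORIES = [
    ("Activity Log", "CSV Injection", "2.8.4"),
    ("wpForo Forum", "CSRF / IDOR", "2.0.6"),
    ("Tutor LMS", "XSS", "2.0.10"),
    ("Passster – Password Protection", "Other", "3.5.5.5.2"),
    ("MailOptin", "Other", "1.2.50.0"),
    ("Frontend File Manager", "CSRF", "21.4"),
    ("Helpful", "Sensitive Data Exposure", None),
    ("WP Custom Cursors", "CSRF / SQL Injection", None),
    ("Backup Scheduler", "CSRF", None),
]

# Constructed sample of `wp plugin list` JSON output. Slugs are illustrative.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "aryo-activity-log", "title": "Activity Log", "status": "active", "version": "2.8.3"},
    {"name": "wpforo", "title": "wpForo Forum", "status": "active", "version": "2.0.6"},
    {"name": "tutor", "title": "Tutor LMS", "status": "inactive", "version": "2.0.9"},
    {"name": "passster", "title": "Passster – Password Protection", "status": "active", "version": "3.5.5.5.10"},
    {"name": "helpful", "title": "Helpful", "status": "active", "version": "4.5.0"},
    {"name": "akismet", "title": "Akismet Anti-Spam", "status": "active", "version": "5.0"},
])


def parse_version(v):
    """Turn '3.5.5.5.2', '21.4' or '2.0.10-beta1' into a tuple of ints.

    Non-numeric suffixes are dropped; an empty or missing version yields ()."""
    return tuple(int(p) for p in re.findall(r"\d+", v or ""))


def version_lt(installed, patched):
    """True if `installed` is strictly older than `patched`.

    Shorter tuples are right-padded with zeros so '2.0' == '2.0.0'."""
    a, b = parse_version(installed), parse_version(patched)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def triage(plugin_list_json, advisories=ADVISORIES):
    """Return (slug, installed version, status, action) for every installed
    plugin that matches an advisory and is not yet at the patched version."""
    installed = {p["title"].strip().lower(): p for p in json.loads(plugin_list_json)}
    findings = []
    for title, issue, patched in advisories:
        p = installed.get(title.lower())
        if p is None:
            continue  # plugin not installed on this site
        if patched is None:
            action = f"no fix: deactivate and delete ({issue})"
        elif version_lt(p["version"], patched):
            action = f"update to >= {patched} ({issue})"
        else:
            continue  # already at or above the patched version
        findings.append((p["name"], p["version"], p["status"], action))
    return findings


if __name__ == "__main__":
    for slug, version, status, action in triage(SAMPLE_WP_PLUGIN_LIST):
        print(f"{slug} {version} ({status}): {action}")
```

Matching on the wp-admin title is convenient for a list like this one, but titles can differ between the plugin directory and the installed copy; matching on the slug (`name`) is more reliable once you have it. For the "no fix" findings the follow-up is `wp plugin deactivate <slug> && wp plugin delete <slug>`; note that an inactive plugin still ships its PHP files, so deactivating alone does not remove the exposed code.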
***
Check out the WoW Archive for past Watch Out Wednesday posts.