This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Better Elementor Addons, Maintenance Switch, All-in-One WP Migration Extensions, Responsive Gallery Grid and more!

Plugin: Easy Newsletter Signups

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Surfer

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the version.

Plugin: WP Bannerize Pro

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP-dTree

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Smarty for WordPress

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: WP Migration Plugin DB & Files – WP Synchro

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Responsive Gallery Grid

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Photo Gallery Slideshow & Masonry Tiled Gallery

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.14
Recommended Action: Update the WordPress Photo Gallery Slideshow & Masonry Tiled Gallery plugin to the latest available version (at least 1.0.14).

Plugin: HollerBox

Vulnerability: Cross Site Scripting (XSS)
Patched Version: 2.3.3
Recommended Action: Update the WordPress HollerBox plugin to the latest available version (at least 2.3.3).

Plugin: Better Elementor Addons

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: authLdap

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: authLdap

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Sermon’e – Sermons Online

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: RSVPMarker

Vulnerability: SQL Injection vulnerability
Patched Version: 10.6.7
Recommended Action: Update the WordPress RSVPMarker plugin to the latest available version (at least 10.6.7).

Plugin: Multi-column Tag Map

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Remove/hide Author, Date, Category Like Entry-Meta

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Ovic Product Bundle

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Login and Logout Redirect

Vulnerability: Open Redirection vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: GTranslate

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via Multiple Parameters vulnerability
Patched Version: 3.0.4
Recommended Action: Update the WordPress GTranslate plugin to the latest available version (at least 3.0.4).

Plugin: Prevent files / folders access

Vulnerability: Admin+ Arbitrary File Upload vulnerability
Patched Version: 2.5.2
Recommended Action: Update the WordPress Prevent files / folders access plugin to the latest available version (at least 2.5.2).

Plugin: Metform Elementor Contact Form Builder

Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf_first_name’ shortcode vulnerability
Patched Version: 3.3.2
Recommended Action: Update the WordPress Metform Elementor Contact Form Builder plugin to the latest available version (at least 3.3.2).

Plugin: Popup box

Vulnerability: Authenticated(Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 3.7.2
Recommended Action: Update the WordPress Popup box plugin to the latest available version (at least 3.7.2).

Plugin: All-in-One WP Migration Google Drive Extension

Vulnerability: Unauth. Access Token Manipulation vulnerability
Patched Version: 2.80
Recommended Action: Update the WordPress All-in-One WP Migration Google Drive Extension plugin to the latest available version (at least 2.80).

Plugin: All-in-One WP Migration Dropbox Extension

Vulnerability: Unauth. Access Token Manipulation vulnerability
Patched Version: 3.76
Recommended Action: Update the WordPress All-in-One WP Migration Dropbox Extension plugin to the latest available version (at least 3.76).

Plugin: All-in-One WP Migration OneDrive Extension

Vulnerability: Unauth. Access Token Manipulation vulnerability
Patched Version: 1.67
Recommended Action: Update the WordPress All-in-One WP Migration OneDrive Extension plugin to the latest available version (at least 1.67).

Plugin: All-in-One WP Migration Box Extension

Vulnerability: Unauth. Access Token Manipulation vulnerability
Patched Version: 1.54
Recommended Action: Update the WordPress All-in-One WP Migration Box Extension plugin to the latest available version (at least 1.54).

***
Check out the WoW Archive for past Watch Out Wednesday posts.