This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including Better Elementor Addons, Maintenance Switch, All-in-One WP Migration Extensions, Responsive Gallery Grid and more!
Plugin: Easy Newsletter Signups
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Surfer
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Bannerize Pro
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: WP-dTree
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Smarty for WordPress
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: WP Migration Plugin DB & Files – WP Synchro
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Responsive Gallery Grid
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Photo Gallery Slideshow & Masonry Tiled Gallery
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.14
Recommended Action: Update the WordPress Photo Gallery Slideshow & Masonry Tiled Gallery plugin to the latest available version (at least 1.0.14).
Plugin: HollerBox
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.3.3
Recommended Action: Update the WordPress HollerBox plugin to the latest available version (at least 2.3.3).
Plugin: Better Elementor Addons
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: authLdap
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: authLdap
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: Sermon’e – Sermons Online
Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023 and is not available for download. This closure is temporary, pending a full review.
Plugin: RSVPMarker
Vulnerability: SQL Injection vulnerability
Patched Version: 10.6.7
Recommended Action: Update the WordPress RSVPMarker plugin to the latest available version (at least 10.6.7).
Plugin: Multi-column Tag Map
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Remove/hide Author, Date, Category Like Entry-Meta
Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Ovic Product Bundle
Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.
Plugin: Login and Logout Redirect
Vulnerability: Open Redirection vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
Plugin: GTranslate
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via Multiple Parameters vulnerability
Patched Version: 3.0.4
Recommended Action: Update the WordPress GTranslate plugin to the latest available version (at least 3.0.4).
Plugin: Prevent files / folders access
Vulnerability: Admin+ Arbitrary File Upload vulnerability
Patched Version: 2.5.2
Recommended Action: Update the WordPress Prevent files / folders access plugin to the latest available version (at least 2.5.2).
Plugin: Metform Elementor Contact Form Builder
Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf_first_name’ shortcode vulnerability
Patched Version: 3.3.2
Recommended Action: Update the WordPress Metform Elementor Contact Form Builder plugin to the latest available version (at least 3.3.2).
Plugin: Popup box
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Patched Version: 3.7.2
Recommended Action: Update the WordPress Popup box plugin to the latest available version (at least 3.7.2).
Plugin: All-in-One WP Migration Google Drive Extension
Vulnerability: Unauth. Access Token Manipulation vulnerability
Patched Version: 2.80
Recommended Action: Update the WordPress All-in-One WP Migration Google Drive Extension plugin to the latest available version (at least 2.80).
Plugin: All-in-One WP Migration Dropbox Extension
Vulnerability: Unauth. Access Token Manipulation vulnerability
Patched Version: 3.76
Recommended Action: Update the WordPress All-in-One WP Migration Dropbox Extension plugin to the latest available version (at least 3.76).
Plugin: All-in-One WP Migration OneDrive Extension
Vulnerability: Unauth. Access Token Manipulation vulnerability
Patched Version: 1.67
Recommended Action: Update the WordPress All-in-One WP Migration OneDrive Extension plugin to the latest available version (at least 1.67).
Plugin: All-in-One WP Migration Box Extension
Vulnerability: Unauth. Access Token Manipulation vulnerability
Patched Version: 1.54
Recommended Action: Update the WordPress All-in-One WP Migration Box Extension plugin to the latest available version (at least 1.54).
***
Check out the WoW Archive for past Watch Out Wednesday posts.