Watch Out Wednesday – September 7, 2022

by | Sep 6, 2022 | WoW Archive


This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WordPress Core, Booking Calendar, Ninja Forms and more!

WordPress Core

Vulnerability: Cross Site Scripting (XSS)
Vulnerability: SQL Injection
Patched Version: 6.0.2
Recommended Action: Update WordPress core to the latest available version (at least 6.0.2 or another patched version).

Plugin: Booking Calendar

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 9.2.2
Recommended Action: Update the WordPress Booking Calendar plugin to the latest available version (at least 9.2.2).

Plugin: Ketchup Restaurant Reservations

Vulnerability: SQL Injection
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 29, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Ketchup Restaurant Reservations

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 29, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Scripts Organizer

Vulnerability: Arbitrary File Upload
Patched Version: 3.0
Recommended Action: Update the WordPress Scripts Organizer plugin to the latest available version (at least 3.0).

Plugin: SEO Smart Links

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 5, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Ninja Forms

Vulnerability: PHP Object Injection
Patched Version: 3.6.13
Recommended Action: Update the WordPress Ninja Forms plugin to the latest available version (at least 3.6.13).

Plugin: WP Popup Builder

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 29, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Popup Builder

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 29, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: All In One SEO Pack

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.2.4
Recommended Action: Update the WordPress All In One SEO Pack plugin to the latest available version (at least 4.2.4).

Plugin: WP Shamsi

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version available.

Plugin: History Timeline

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Mega Addons For WPBakery Page Builder

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Torro Forms

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Meet My Team

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Pop-up

Vulnerability: Privilege Escalation
Patched Version: 1.1.6
Recommended Action: Update the WordPress Pop-up plugin to the latest available version (at least 1.1.6).

Plugin: WP Cerber Security

Vulnerability: Bypass Vulnerability
Patched Version: 9.1
Recommended Action: Update the WordPress WP Cerber Security plugin to the latest available version (at least 9.1).

Plugin: Captcha Code

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Blossom Recipe Maker

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: GetResponse for WordPress

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available.

Plugin: WHA Crossword

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: WHA Crossword

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Word Search Puzzles game

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Word Search Puzzles game

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: CallRail Phone Call Tracking

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: MP3 jPlayer

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Easy Org Chart

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of July 29, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: WP Shop

Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.

Plugin: Bitcoin Satoshi Tools

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 29, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: Bitcoin / Altcoin Faucet

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 29, 2022 and is not available for download. This closure is temporary, pending a full review.

Plugin: add2fav

Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version available.

Plugin: WP-PostRatings

Vulnerability: Other Vulnerability Type
Patched Version: 1.90
Recommended Action: Update the WordPress WP-PostRatings plugin to the latest available version (at least 1.90).

***
Check out the WoW Archive for past Watch Out Wednesday posts.

Meet the Author: FocusWP
FocusWP provides educational and informational resources to help you improve your business and serve your clients. Go get 'em, Boss!
