This Week’s Watch Out Wednesday shows the latest WordPress vulnerabilities including WordPress Core, Booking Calendar, Ninja Forms and more!
WordPress Core
Vulnerability: Cross Site Scripting (XSS)
Vulnerability: SQL Injection
Patched Version: 6.0.2
Recommended Action: Update WordPress to the latest available version (at least 6.0.2 or another patched version).
Plugin: Booking Calendar
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 9.2.2
Recommended Action: Update the WordPress Booking Calendar plugin to the latest available version (at least 9.2.2).
Plugin: Ketchup Restaurant Reservations
Vulnerability: SQL Injection
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 29, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Ketchup Restaurant Reservations
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 29, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Scripts Organizer
Vulnerability: Arbitrary File Upload
Patched Version: 3.0
Recommended Action: Update the WordPress Scripts Organizer plugin to the latest available version (at least 3.0).
Plugin: SEO Smart Links
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of September 5, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Ninja Forms
Vulnerability: PHP Object Injection
Patched Version: 3.6.13
Recommended Action: Update the WordPress Ninja Forms plugin to the latest available version (at least 3.6.13).
Plugin: WP Popup Builder
Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 29, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Popup Builder
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 29, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: All In One SEO Pack
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 4.2.4
Recommended Action: Update the WordPress All In One SEO Pack plugin to the latest available version (at least 4.2.4).
Plugin: WP Shamsi
Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: No patched version available.
Plugin: History Timeline
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Mega Addons For WPBakery Page Builder
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Torro Forms
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Meet My Team
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Pop-up
Vulnerability: Privilege Escalation
Patched Version: 1.1.6
Recommended Action: Update the WordPress Pop-up plugin to the latest available version (at least 1.1.6).
Plugin: WP Cerber Security
Vulnerability: Bypass Vulnerability
Patched Version: 9.1
Recommended Action: Update the WordPress WP Cerber Security plugin to the latest available version (at least 9.1).
Plugin: Captcha Code
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Blossom Recipe Maker
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: GetResponse for WordPress
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: No patched version is available.
Plugin: WHA Crossword
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: WHA Crossword
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Word Search Puzzles game
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Word Search Puzzles game
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: CallRail Phone Call Tracking
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: MP3 jPlayer
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Easy Org Chart
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of July 29, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: WP Shop
Vulnerability: Other Vulnerability Type
Patched Version: N/A
Recommended Action: Deactivate and delete. No reply from the vendor.
Plugin: Bitcoin Satoshi Tools
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 29, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: Bitcoin / Altcoin Faucet
Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: N/A
Recommended Action: Deactivate and delete. This plugin has been closed as of August 29, 2022 and is not available for download. This closure is temporary, pending a full review.
Plugin: add2fav
Vulnerability: Cross Site Scripting (XSS)
Patched Version: N/A
Recommended Action: No patched version available.
Plugin: WP-PostRatings
Vulnerability: Other Vulnerability Type
Patched Version: 1.90
Recommended Action: Update the WordPress WP-PostRatings plugin to the latest available version (at least 1.90).
***
Check out the WoW Archive for past Watch Out Wednesday posts.