Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: AJAX Thumbnail Rebuild
Vulnerability: Missing Authorization
Patched Version: 1.14
Recommended Action: Update to version 1.14, or a newer patched version
Plugin: Emails & Newsletters with Jackmail
Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP BrowserUpdate
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version
Plugin: WP Directory Kit
Vulnerability: Open Redirect
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Mass Email To users
Vulnerability: Unauthenticated Reflected Cross-Site Scripting via ‘entrant’
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Add to Feedly
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 6.0
Recommended Action: Update to version 6.0, or a newer patched version
Plugin: Newsletter Popup
Vulnerability: Cross-Site Request Forgery to Record Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-FormAssembly
Vulnerability: Limited Server Side Request Forgery via ‘formassembly’ shortcode
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Newsletter Popup
Vulnerability: Unauthenticated Stored Cross-Site Scripting via ‘nl_data’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CM WordPress Search And Replace Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: ClickFunnels
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Woo Search
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.78
Recommended Action: Update to version 2.78, or a newer patched version
Plugin: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
Vulnerability: Authenticated (edit_popups+) SQL Injection
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: Orbit Fox by ThemeIsle
Vulnerability: Authenticated (Author+) Server-Side Request Forgery via URL
Patched Version: 2.10.24
Recommended Action: Update to version 2.10.24, or a newer patched version
Plugin: Loginizer
Vulnerability: Reflected Cross-Site Scripting via ‘limit_session[count]’
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version
Plugin: Photo Gallery Slideshow & Masonry Tiled Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version
Plugin: AnyWhere Elementor
Vulnerability: Sensitive Information Exposure
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: WP Inventory Manager
Vulnerability: Reflected Cross-Site Scripting via ‘message’
Patched Version: 2.1.0.13
Recommended Action: Update to version 2.1.0.13, or a newer patched version
Plugin: Custom 404 Pro
Vulnerability: Reflected Cross-Site Scripting via ‘s’
Patched Version: 3.7.3
Recommended Action: Update to version 3.7.3, or a newer patched version
Plugin: WP-CORS
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.2.2
Recommended Action: Update to version 0.2.2, or a newer patched version
Plugin: WP Docs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Login rebuilder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version
Plugin: WP Directory Kit
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via wdk_resultitem
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: SEO Alert
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Directory Kit
Vulnerability: Cross-Site Request Forgery to Plugin Settings Change/Delete, Demo Import, Directory Kit Modification/Deletion via admin_page_display
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: 3.1.1.4.1
Patched Version: 3.1.1.4.2
Recommended Action: Update to version 3.1.1.4.2, or a newer patched version
Plugin: PPOM – Product Addons & Custom Fields for WooCommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 32.0.6
Recommended Action: Update to version 32.0.6, or a newer patched version
Plugin: Search Analytics for WP
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: Zephyr Project Manager
Vulnerability: Open Redirect
Patched Version: 3.3.10
Recommended Action: Update to version 3.3.10, or a newer patched version
Plugin: Image Optimizer by 10web – Image Optimizer and Compression plugin
Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 1.0.27
Recommended Action: Update to version 1.0.27, or a newer patched version
Plugin: Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Vulnerability: Open Redirect via state parameter
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: Maintenance Switch
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Bet
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 2.0.29
Recommended Action: Update to version 2.0.29, or a newer patched version
Plugin: WP Directory Kit
Vulnerability: Missing Authorization to Plugin Installation, Settings Change/Delete, Demo Import, Directory Kit Deletion via wdk_public_action
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: WooCommerce Multivendor Marketplace – REST API
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Order/Order Note Disclosure, Order Note Addition via REST API
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Authenticated (Administrator+) Blind Server-Side Request Forgery via check_url
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: User IP and Location
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Thumbs Rating
Vulnerability: Race Condition
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Logo Scheduler – Great for holidays, events, and more
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: PPOM – Product Addons & Custom Fields for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 32.0.7
Recommended Action: Update to version 32.0.7, or a newer patched version
Plugin: Image Optimizer by 10web – Image Optimizer and Compression plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.27
Recommended Action: Update to version 1.0.27, or a newer patched version
Plugin: WP EasyPay – Create Your Payment Forms to Pay with Square – Square for WordPress Plugin: Integrate Square with WordPress to Collect Payments
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version
Plugin: Plugins List
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via replace_plugin_list_tags
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel
Vulnerability: Missing Authorization on ‘make’ function
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Vulnerability: Gutenberg Blocks <= 2.2.5
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version