Watch Out Wednesday – October 11, 2023

Plugin: affiliate-toolkit – WordPress Affiliate Plugin

Vulnerability: Open Redirect via atkpout.php
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slick Contact Forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Reflected Cross-Site Scripting via section_id
Patched Version: 5.2.4.2
Recommended Action: Update to version 5.2.4.2, or a newer patched version

Plugin: Urvanov Syntax Highlighter

Vulnerability: Cross-Site Request Forgery via init_ajax
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: IRivYou – Add reviews from AliExpress and Amazon to woocommerce

Vulnerability: Cross-Site Request Forgery via saveOptionsReviewsPlugin
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Geo Controller

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.5.3
Recommended Action: Update to version 8.5.3, or a newer patched version

Plugin: Profile Extra Fields by BestWebSoft

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Smart Cookie Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Bold Timeline Lite

Vulnerability: Missing Authorization to Admin Notice Dismissal
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Hotjar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booster for WooCommerce

Vulnerability: Authenticated (Subscriber+) Information Disclosure via Shortcode
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version

Plugin: WordPress Popular Posts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.3.3
Recommended Action: Update to version 6.3.3, or a newer patched version

Plugin: GEO my WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Customer Reviews for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 5.36.1
Recommended Action: Update to version 5.36.1, or a newer patched version

Plugin: Customer Reviews for WooCommerce

Vulnerability: Missing Authorization in Reviews Exporter
Patched Version: 5.36.1
Recommended Action: Update to version 5.36.1, or a newer patched version