Watch Out Wednesday – June 5, 2024

Plugin: Page Builder Gutenberg Blocks – CoBlocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Social Profiles
Patched Version: 3.1.10
Recommended Action: Update to version 3.1.10, or a newer patched version

Plugin: Responsive Owl Carousel for Elementor

Vulnerability: Local File Inclusion
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Simple Like Page Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version

Plugin: Admin Notices Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Email Retrieval
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comparison Slider

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AffiEasy

Vulnerability: Cross-Site Request Forgery to Various Actions
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Content Blocks (Custom Post Widget)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via content_block Shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Missing Authorization to Information Disclosure
Patched Version: 4.10.32
Recommended Action: Update to version 4.10.32, or a newer patched version

Plugin: DethemeKit For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via slitems Attribute
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: Social Link Pages: link-in-bio landing pages for your social media profiles

Vulnerability: Missing Authorization to Arbitrary Page Creation and Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: WP-DB-Table-Editor

Vulnerability: Missing Authorization to Authenticated (Contributor+) Database Access
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Master Slider – Responsive Touch Slider

Vulnerability: Not specified in this listing; affected versions <= 3.9.9
Patched Version: 3.9.10
Recommended Action: Update to version 3.9.10, or a newer patched version

Plugin: Shield Security – Smart Bot Blocking & Intrusion Prevention Security

Vulnerability: Cross-Site Request Forgery
Patched Version: 19.1.11
Recommended Action: Update to version 19.1.11, or a newer patched version

Plugin: WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Reservation Form Shortcode
Patched Version: 2.2.26
Recommended Action: Update to version 2.2.26, or a newer patched version

Plugin: The Plus Addons for Elementor Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Heading Title Widget
Patched Version: 5.5.5
Recommended Action: Update to version 5.5.5, or a newer patched version

Plugin: Font Farsi

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP To Do

Vulnerability: Cross-Site Request Forgery via wptodo_addcomment
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Claudio Sanches – Checkout Cielo for WooCommerce

Vulnerability: Insufficient Verification of Data Authenticity to Order Payment Status Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Navigation Widget
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version

Plugin: HTML5 Video Player – Best WordPress Video Player Plugin and Block

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.5.27
Recommended Action: Update to version 2.5.27, or a newer patched version

Plugin: Fluid Notification Bar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: tagDiv Composer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via button Shortcode
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version

Plugin: Authorize.net Payment Gateway For WooCommerce

Vulnerability: Insufficient Verification of Data Authenticity to Unauthenticated Payment Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.976
Recommended Action: Update to version 1.3.976, or a newer patched version

Plugin: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 2.7.20
Recommended Action: Update to version 2.7.20, or a newer patched version

Plugin: Comparison Slider

Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Attachments

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.52
Recommended Action: Update to version 2.5.52, or a newer patched version

Plugin: Remote Content Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP To Do

Vulnerability: Cross-Site Request Forgery via wptodo_manage()
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin

Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Text Field
Patched Version: 1.5.108
Recommended Action: Update to version 1.5.108, or a newer patched version

Plugin: Essential Real Estate

Vulnerability: Insecure Direct Object Reference to Arbitrary Attachment Deletion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: WPB Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Gum Elementor Addon

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Price Table and Post Slider Widgets
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Responsive video embed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.5.1
Recommended Action: Update to version 0.5.1, or a newer patched version

Plugin: List categories

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.31
Recommended Action: Update to version 3.31, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpdm-all-packages Shortcode
Patched Version: 3.2.91
Recommended Action: Update to one of the following versions, or a newer patched version: 3.2.91, 3.2.92

Plugin: Comparison Slider

Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Text Widget
Patched Version: 4.10.32
Recommended Action: Update to version 4.10.32, or a newer patched version

Plugin: Cowidgets – Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via heading_tag Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP To Do

Vulnerability: Cross-Site Request Forgery via wptodo_settings
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Monitor

Vulnerability: Missing Authorization
Patched Version: 4.9.14
Recommended Action: Update to version 4.9.14, or a newer patched version

Plugin: Content Blocks (Custom Post Widget)

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Essential Real Estate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPUpper Share Buttons

Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection

Vulnerability: Missing Authorization to Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login Logout Register Menu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘llrmloginlogout’ Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Feed
Patched Version: 5.9.22
Recommended Action: Update to version 5.9.22, or a newer patched version

Plugin: Frontend Registration – Contact Form 7

Vulnerability: Authenticated (Editor+) Privilege Escalation
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Global Tooltip
Patched Version: 4.10.32
Recommended Action: Update to version 4.10.32, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Back to Top Widget
Patched Version: 1.3.976
Recommended Action: Update to version 1.3.976, or a newer patched version

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: Not specified in this listing (Premium edition); affected versions <= 6.3.2
Patched Version: 6.4
Recommended Action: Update to version 6.4, or a newer patched version

Plugin: Testimonial Carousel For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Featured Image (Auto Post Thumbnail)

Vulnerability: Authenticated (Author+) Server-Side Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP To Do

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Settings
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elements For Elementor

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Multiple Widget Attributes
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version

Plugin: Yumpu ePaper publishing

Vulnerability: Missing Authorization to PDF Upload, Publishing, and API Key Modification
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: QQWorld Auto Save Images

Vulnerability: Missing Authorization to Arbitrary Post Content Retrieval
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Nafeza Prayer Time

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpForo Forum

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Social Login Lite For WooCommerce

Vulnerability: Authentication Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Accordion
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version

Plugin: wpDataTables (Premium)

Vulnerability: Not specified in this listing (Premium edition); affected versions <= 6.3.1
Patched Version: 6.3.2
Recommended Action: Update to version 6.3.2, or a newer patched version
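A quick way to turn a list like the one above into an actionable check is to compare it against what a site actually has installed. The script below is an added example, not code from this page or from any plugin listed here: it parses entries written in the format used above, maps plugin display names to wordpress.org slugs, and compares each against the JSON that `wp plugin list --format=json` prints. The three advisory entries are copied from this page; the slug mapping and the installed-plugin sample are constructed assumptions and must be replaced with your own data.

```python
import json
import re

# Three entries copied from this page, in the page's own format.
ADVISORY_TEXT = """
Plugin: Page Builder Gutenberg Blocks – CoBlocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Social Profiles
Patched Version: 3.1.10
Recommended Action: Update to version 3.1.10, or a newer patched version

Plugin: Admin Notices Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Email Retrieval
Patched Version: n/a
Recommended Action: No known patch available. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpdm-all-packages Shortcode
Patched Version: 3.2.91
Recommended Action: Update to one of the following versions, or a newer patched version: 3.2.91, 3.2.92
"""

# ASSUMPTION: display name -> wordpress.org slug. The page gives display names only;
# confirm each slug against your own `wp plugin list` output before relying on it.
SLUGS = {
    "Page Builder Gutenberg Blocks – CoBlocks": "coblocks",
    "Admin Notices Manager": "admin-notices-manager",
    "Download Manager": "download-manager",
}

# Constructed sample of `wp plugin list --format=json` output (not real site data).
INSTALLED_JSON = json.dumps([
    {"name": "coblocks", "status": "active", "version": "3.1.9"},
    {"name": "admin-notices-manager", "status": "active", "version": "1.4.0"},
    {"name": "download-manager", "status": "inactive", "version": "3.2.92"},
    {"name": "akismet", "status": "active", "version": "5.3"},
])

FIELD_RE = re.compile(r"^([A-Za-z ]+): (.*)$", re.M)


def parse_advisories(text):
    """One dict per 'Plugin:' block; a 'Patched Version' of n/a becomes None."""
    entries = []
    for block in re.split(r"\n(?=Plugin: )", text.strip()):
        fields = dict(FIELD_RE.findall(block))
        if "Plugin" not in fields:
            continue
        patched = fields.get("Patched Version", "n/a").strip()
        entries.append({
            "name": fields["Plugin"].strip(),
            "vuln": fields.get("Vulnerability", "").strip(),
            "patched": None if patched.lower() == "n/a" else patched,
        })
    return entries


def version_key(version):
    """Dotted version as a list of ints; non-numeric parts count as 0."""
    return [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version.strip())]


def version_lt(a, b):
    """True if a is older than b; shorter versions are zero-padded so 4.9 == 4.9.0."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    return ka + [0] * (width - len(ka)) < kb + [0] * (width - len(kb))


def assess(installed_json, advisories, slugs):
    """Report every installed plugin named in the advisories, active or not.

    Deactivated plugins are reported too: their files stay on disk, and
    deactivation is not a fix for a bug in a directly requested plugin file.
    """
    installed = {p["name"]: p for p in json.loads(installed_json)}
    findings = []
    for adv in advisories:
        plugin = installed.get(slugs.get(adv["name"], ""))
        if plugin is None:
            continue  # not installed on this site
        if adv["patched"] is None:
            status = "NO_PATCH"    # nothing to update to: mitigate or remove
        elif version_lt(plugin["version"], adv["patched"]):
            status = "VULNERABLE"  # installed version predates the fix
        else:
            status = "PATCHED"
        findings.append({
            "slug": slugs[adv["name"]], "installed": plugin["version"],
            "patched": adv["patched"], "plugin_status": plugin["status"],
            "status": status, "vuln": adv["vuln"],
        })
    return findings


if __name__ == "__main__":
    for f in assess(INSTALLED_JSON, parse_advisories(ADVISORY_TEXT), SLUGS):
        print(f"{f['status']:<10} {f['slug']} {f['installed']} (patched: {f['patched']}) - {f['vuln']}")
```

With the constructed sample, CoBlocks 3.1.9 is reported VULNERABLE (below 3.1.10), Admin Notices Manager is NO_PATCH regardless of version, and Download Manager 3.2.92 is PATCHED even though it is inactive. Akismet is not in the list and is skipped. Entries whose "Recommended Action" names several acceptable versions, as Download Manager's does, are handled by the "Patched Version" line alone, so keep that line accurate when you paste in entries of your own.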