Watch Out Wednesday – August 28, 2024

Plugin: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload via acym_extractArchive Function
Patched Version: 9.8.0
Recommended Action: Update to version 9.8.0, or a newer patched version

Plugin: User Private Files – WordPress File Sharing Plugin

Vulnerability: Insecure Direct Object Reference to Authenticated (Subscriber+) Private File Access
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 6.4
Recommended Action: Update to version 6.4, or a newer patched version

Plugin: Image Optimizer, Resizer and CDN – Sirv

Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version

Plugin: Themify Builder

Vulnerability: Missing Authorization to Authenticated (Contributor+) Post Duplication
Patched Version: 7.6.2
Recommended Action: Update to version 7.6.2, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonials Widget Settings
Patched Version: 5.6.3
Recommended Action: Update to version 5.6.3, or a newer patched version

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 2.10.37
Recommended Action: Update to version 2.10.37, or a newer patched version

Plugin: Responsive Lightbox & Gallery

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via File Upload
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: WPML

Vulnerability: Authenticated (Contributor+) Remote Code Execution via Twig Server-Side Template Injection
Patched Version: 4.6.13
Recommended Action: Update to version 4.6.13, or a newer patched version