Watch Out Wednesday – October 2, 2024

Plugin: WP MultiTasking – WP Utilities

Vulnerability: WP Utilities <= 0.1.17
Patched Version: 0.1.18
Recommended Action: Update to version 0.1.18, or a newer patched version

Plugin: Absolute Reviews

Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Criteria Name
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Button Group Module
Patched Version: 2.8.3.7
Recommended Action: Update to version 2.8.3.7, or a newer patched version

Plugin: Simple Popup Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GTM Server Side

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.20
Recommended Action: Update to version 2.1.20, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.15.28
Recommended Action: Update to version 1.15.28, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.3.3
Recommended Action: Update to version 5.9.3.3, or a newer patched version

Plugin: 012 Ps Multi Languages

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Monitor

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Shop Enable
Patched Version: 5.0.10
Recommended Action: Update to version 5.0.10, or a newer patched version

Plugin: EU/UK VAT Manager for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.12.14
Recommended Action: Update to version 2.12.14, or a newer patched version

Plugin: king_IE

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (GiveWP Manager+) SQL Injection via order Parameter
Patched Version: 3.16.2
Recommended Action: Update to version 3.16.2, or a newer patched version

Plugin: Super Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via alignment Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced File Manager

Vulnerability: Authenticated (Administrator+) Local JavaScript File Inclusion via fma_locale
Patched Version: 5.2.9
Recommended Action: Update to version 5.2.9, or a newer patched version

Plugin: Store Hours for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.22
Recommended Action: Update to version 4.3.22, or a newer patched version

Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: Themedy Toolbox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version

Plugin: WP-WebAuthn

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wwa_login_form Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced File Manager

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 5.2.9
Recommended Action: Update to version 5.2.9, or a newer patched version

Plugin: OSM – OpenStreetMap

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via osm_map and osm_map_v3 Shortcodes
Patched Version: 6.1.1
Recommended Action: Update to version 6.1.1, or a newer patched version

Plugin: GF Custom Style

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Enquiry for WooCommerce, WooCommerce product catalog

Vulnerability: Authenticated (Author+) PHP Object Injection in enquiry_detail.php
Patched Version: 2.2.33.34
Recommended Action: Update to version 2.2.33.34, or a newer patched version

Plugin: Mapplic Lite

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.16.2
Recommended Action: Update to version 3.16.2, or a newer patched version

Plugin: EU/UK VAT Manager for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.12.14
Recommended Action: Update to version 2.12.14, or a newer patched version

Plugin: Simple LDAP Login

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Advanced File Manager

Vulnerability: Authenticated (Subscriber+) Limited File Upload
Patched Version: 5.2.9
Recommended Action: Update to version 5.2.9, or a newer patched version

Plugin: Common Tools for Site

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bulk NoIndex & NoFollow Toolkit

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.16
Recommended Action: Update to version 2.16, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Media Grid Widget
Patched Version: 4.10.53
Recommended Action: Update to version 4.10.53, or a newer patched version

Plugin: Jupiter X Core

Vulnerability: Limited Unauthenticated Authentication Bypass to Account Takeover
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version

Plugin: Sight – Professional Image Gallery and Portfolio

Vulnerability: Missing Authorization to Sensitive Information Exposure in handler_post_title
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 5.7.35
Recommended Action: Update to version 5.7.35, or a newer patched version

Plugin: WordPress Visitors

Vulnerability: Unauthenticated Stored Cross-Site Scripting via HTTP Header
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.