Watch Out Wednesday – May 29, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Hash Form – Drag & Drop Form Builder

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: ShareThis Share Buttons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sharethis-inline-buttons Shortcode
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: WordPress Jitsi Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Awesome Contact Form7 for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via AEP Contact Form 7 Widget
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Similarity

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting via CSV Import
Patched Version: 3.4.2.14
Recommended Action: Update to version 3.4.2.14, or a newer patched version

Plugin: Elementor ImageBox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: WPB Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Schema App Structured Data

Vulnerability: Missing Authorization
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Patched Version: 4.2.6.7
Recommended Action: Update to version 4.2.6.7, or a newer patched version

Plugin: Print-O-Matic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Authenticated (Contributor+) Directory Traversal
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: WP Ultimate Post Grid

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpupg-text Shortcode
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Missing Authorization
Patched Version: 6.7.0
Recommended Action: Update to version 6.7.0, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Insufficient Authorization Checks to Block Usual
Patched Version: 3.9.13
Recommended Action: Update to version 3.9.13, or a newer patched version

Plugin: Country State City Dropdown CF7

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Progress Bar, Header Meta Content, Scroll Navigation, Pricing Table, & Flip Box
Patched Version: 5.5.5
Recommended Action: Update to version 5.5.5, or a newer patched version

Plugin: Prayer

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Gallery Block
Patched Version: 2.12.9
Recommended Action: Update to version 2.12.9, or a newer patched version

Plugin: Motors – Car Dealer, Classifieds & Listing

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Testimonial Carousel For Elementor

Vulnerability: Missing Authorization to Limited Setting Update
Patched Version: 10.2.1
Recommended Action: Update to version 10.2.1, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Advanced iFrame

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2024.4
Recommended Action: Update to version 2024.4, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Contributor+) Remote Code Execution via Template Import
Patched Version: 1.5.91
Recommended Action: Update to version 1.5.91, or a newer patched version

Plugin: Alemha watermarker

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Missing Authorization
Patched Version: 4.0.26
Recommended Action: Update to version 4.0.26, or a newer patched version

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim

Vulnerability: Hardcoded Credentials
Patched Version: 3.30
Recommended Action: Update to version 3.30, or a newer patched version

Plugin: Web Directory Free

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: Push Notification for Post and BuddyPress

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.94
Recommended Action: Update to version 1.94, or a newer patched version

Plugin: Woocommerce – Recent Purchases

Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.8.26
Recommended Action: Update to version 1.8.26, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Form Submission Admin Email Bypass
Patched Version: 5.6.4
Recommended Action: Update to version 5.6.4, or a newer patched version

Plugin: WP Photo Album Plus

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 8.7.00.004
Recommended Action: Update to version 8.7.00.004, or a newer patched version

Plugin: Easy Digital Downloads – Recent Purchases

Vulnerability: Unauthenticated Remote File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Inquiry cart

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Jitsi Shortcode

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Share Buttons Adder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: Motors – Car Dealer, Classifieds & Listing

Vulnerability: Server Side Request Forgery
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ProfilePress User Panel Widget
Patched Version: 4.15.9
Recommended Action: Update to version 4.15.9, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.5.3
Recommended Action: Update to version 5.5.3, or a newer patched version

Plugin: Expert Invoice

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Flow Plus

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.2.3
Recommended Action: Update to version 5.2.3, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: LayerSlider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ls_search_form Shortcode
Patched Version: 7.11.1
Recommended Action: Update to version 7.11.1, or a newer patched version

Plugin: Videojs HTML5 Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via videojs_video Shortcode
Patched Version: 1.1.12
Recommended Action: Update to version 1.1.12, or a newer patched version

Plugin: Toolbar Extras for Elementor & More – WordPress Admin Bar Enhanced

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Missing Authorization
Patched Version: 5.7.18
Recommended Action: Update to version 5.7.18, or a newer patched version

Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.4.3.2
Recommended Action: Update to version 1.4.3.2, or a newer patched version

Plugin: ND Shortcodes

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce

Vulnerability: Unauthenticated Blind Server-Side Request Forgery
Patched Version: 2.2.24
Recommended Action: Update to version 2.2.24, or a newer patched version

Plugin: WordPress + Microsoft Office 365 / Azure AD | LOGIN

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via pintra Shortcode
Patched Version: 28.0
Recommended Action: Update to version 28.0, or a newer patched version

Plugin: WPKoi Templates for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters
Patched Version: 2.5.11
Recommended Action: Update to version 2.5.11, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Authenticated (Administrator+) Arbitrary File Deletion
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 6.7.11
Recommended Action: Update to version 6.7.11, or a newer patched version

Plugin: LA-Studio Element Kit for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Missing Authorization
Patched Version: 2.4.44
Recommended Action: Update to version 2.4.44, or a newer patched version

Plugin: Realbig For WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Reviews and Rating – Google Reviews

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.13.1
Recommended Action: Update to version 2.13.1, or a newer patched version

Plugin: LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.10.10
Recommended Action: Update to version 1.10.10, or a newer patched version

Plugin: jQuery T(-) Countdown Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via tminus Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Search & Replace

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Elegant Addons for elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Switcher, Slider, and Iconbox Widgets
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Memberpress

Vulnerability: Authenticated (Contributor+) Blind Server-Side Request Forgery via mepr-user-file Shortcode
Patched Version: 1.11.30
Recommended Action: Update to version 1.11.30, or a newer patched version

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Unauthenticated Stored Cross-Site Scripting via User Agent
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: RomethemeForm For Elementor

Vulnerability: Missing Authorization via export_entries, rtformnewform, and rtformupdate
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.5.46.7212
Recommended Action: Update to version 7.5.46.7212, or a newer patched version

Plugin: Responsive Contact Form Builder & Lead Generation Plugin

Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version

Plugin: Similarity

Vulnerability: Cross-Site Request Forgery to Plugin Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Oxygen Builder

Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 4.8.3
Recommended Action: Update to version 4.8.3, or a newer patched version

Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Pagepiling Widget
Patched Version: 3.14.2
Recommended Action: Update to version 3.14.2, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.8.3.3
Recommended Action: Update to version 3.8.3.3, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: PHP Object Injection via extractDynamicValues
Patched Version: 5.1.16
Recommended Action: Update to version 5.1.16, or a newer patched version

Plugin: WP STAGING WordPress Backup Plugin – Migration Backup Restore

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Event post

Vulnerability: Missing Authorization
Patched Version: 5.9.5
Recommended Action: Update to version 5.9.5, or a newer patched version

Plugin: Pray For Me

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Events Calendar

Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Events Access
Patched Version: 6.4.0.1
Recommended Action: Update to version 6.4.0.1, or a newer patched version

Plugin: Business Directory Plugin – Easy Listing Directories for WordPress

Vulnerability: Unauthenticated SQL Injection via listingfields Parameter
Patched Version: 6.4.3
Recommended Action: Update to version 6.4.3, or a newer patched version

Plugin: Custom Fonts – Host Your Fonts Locally

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: Hash Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter in Multiple Widgets
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Themify Builder

Vulnerability: Open Redirect via ‘tb_redirect_fail’
Patched Version: 7.5.8
Recommended Action: Update to version 7.5.8, or a newer patched version

Plugin: Stripe Payment forms for WordPress – WP Full Pay

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.0.18
Recommended Action: Update to version 7.0.18, or a newer patched version

Plugin: Social Sharing Plugin – Sassy Social Share

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.3.63
Recommended Action: Update to version 3.3.63, or a newer patched version

Plugin: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.26.1
Recommended Action: Update to version 1.6.26.1, or a newer patched version

Plugin: SVGator – Add Animated SVG Easily

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Swiss Toolkit For WP

Vulnerability: Authenticated (Contributor+) Authentication Bypass
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Social Pixel

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elegant Addons for elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HTML tags
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Contributor+) SQL Injection via data[post_ids][0]
Patched Version: 1.5.108
Recommended Action: Update to version 1.5.108, or a newer patched version

Plugin: ARforms

Vulnerability: Premium WordPress Form Builder <= 6.4.0
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version

Plugin: Lightbox & Modal Popup WordPress Plugin – FooBox Premium

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.7.28
Recommended Action: Update to version 2.7.28, or a newer patched version

Plugin: Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.16.2
Recommended Action: Update to version 2.16.2, or a newer patched version

Plugin: Amen

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Booking

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: SiteOrigin Widgets Bundle

Vulnerability:
Patched Version: 1.61.0
Recommended Action: Update to version 1.61.0, or a newer patched version

Plugin: Pie Register – Social Sites Login (Add on)

Vulnerability: Social Sites Login (Add on) <= 1.7.7
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: Propovoice: All-in-One Client Management System

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.7.6.3
Recommended Action: Update to version 1.7.6.3, or a newer patched version

Plugin: Popup Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.33
Recommended Action: Update to version 1.1.33, or a newer patched version

Plugin: SEOPress – On-site SEO

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: XServer Migrator

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 1.6.2.1
Recommended Action: Update to version 1.6.2.1, or a newer patched version

Plugin: iframe

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: Opal Estate Pro – Property Management and Submission

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 3.21.6
Recommended Action: Update to version 3.21.6, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Hover Card
Patched Version: 5.5.5
Recommended Action: Update to version 5.5.5, or a newer patched version

Plugin: WP Font Awesome Share Icons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YITH WooCommerce Ajax Search

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Login with phone number

Vulnerability: Authentication Bypass due to Missing Empty Value Check
Patched Version: 1.7.27
Recommended Action: Update to version 1.7.27, or a newer patched version

Plugin: AppPresser – Mobile App Framework

Vulnerability: Improper Missing Encryption Exception Handling to Authentication Bypass
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: iframe

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: WP TripAdvisor Review Slider

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 12.7
Recommended Action: Update to version 12.7, or a newer patched version

Plugin: Primary Addon for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: AZAN Plugin

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.7
Recommended Action: Update to version 0.7, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial Block
Patched Version: 2.12.9
Recommended Action: Update to version 2.12.9, or a newer patched version

Plugin: WP DSGVO Tools (GDPR)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.1.33
Recommended Action: Update to version 3.1.33, or a newer patched version

Plugin: Prayer

Vulnerability: Cross-Site Request Forgery to Email Settings Update
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: Pray For Me

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly

Vulnerability: Missing Authorization via ttbm_new_place_save
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: WP-ViperGB

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: FooGallery Premium

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4.15
Recommended Action: Update to version 2.4.15, or a newer patched version

Plugin: Hash Form – Drag & Drop Form Builder

Vulnerability: Unauthenticated Arbitrary File Upload to Remote Code Execution
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.0.37
Recommended Action: Update to version 9.0.37, or a newer patched version

Plugin: WPZOOM Addons for Elementor (Templates, Widgets)

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.1.38
Recommended Action: Update to version 1.1.38, or a newer patched version

Plugin: Memberpress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via arglist Parameter
Patched Version: 1.11.30
Recommended Action: Update to version 1.11.30, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.5.3
Recommended Action: Update to version 5.5.3, or a newer patched version

Plugin: SVGMagic

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Menu and Shape Divider
Patched Version: 4.10.32
Recommended Action: Update to version 4.10.32, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via custom_attributes
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: Email Log

Vulnerability: Unauthenticated Hook Injection
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.