Watch Out Wednesday – September 23, 2020

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: W3 Total Cache

Vulnerability: Password Hash Extraction
Patched Version: 0.9.2.5
Recommended Action: Update to version 0.9.2.5, or a newer patched version

Plugin: Coditor – Code Editor

Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: W3 Total Cache

Vulnerability: Sensitive Information Exposure
Patched Version: 0.9.2.5
Recommended Action: Update to version 0.9.2.5, or a newer patched version

Plugin: Advanced Contact form 7 DB

Vulnerability: SQL Injection
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Import / Export Customizer Settings

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Cool Timeline (Horizontal & Vertical Timeline)

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Team Showcase

Vulnerability: Object Injection
Patched Version: 1.22.16
Recommended Action: Update to version 1.22.16, or a newer patched version

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: Radio Buttons for Taxonomies

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Validation Bypass via Email Field
Patched Version: 3.4.27.1
Recommended Action: Update to version 3.4.27.1, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.64
Recommended Action: Update to version 1.9.64, or a newer patched version

Plugin: Custom Field Template

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Product Catalog Simple

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.5.13
Recommended Action: Update to version 1.5.13, or a newer patched version

Plugin: NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Menu Swapper

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Team Showcase

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.22.16
Recommended Action: Update to version 1.22.16, or a newer patched version

Plugin: Coming Soon & Maintenance Mode Page & Under Construction

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.58
Recommended Action: Update to version 1.58, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: SQL Injection
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Insecure Cryptography to Sensitive Information Disclosure
Patched Version: 0.9.2.5
Recommended Action: Update to version 0.9.2.5, or a newer patched version

Plugin: Lightweight Sidebar Manager

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: Easy Testimonials

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: Team Showcase

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.22.16
Recommended Action: Update to version 1.22.16, or a newer patched version

Plugin: Coupon Creator

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons

Vulnerability: Missing Authorization
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.4.28
Recommended Action: Update to version 3.4.28, or a newer patched version

Plugin: Coming Soon & Maintenance Mode Page & Under Construction

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.58
Recommended Action: Update to version 1.58, or a newer patched version

Plugin: Team Showcase

Vulnerability: Object Injection
Patched Version: 1.22.16
Recommended Action: Update to version 1.22.16, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: 10WebAnalytics

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: WP Hotel Booking

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.10.2
Recommended Action: Update to version 1.10.2, or a newer patched version

Plugin: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: Woody code snippets – Insert Header Footer Code, AdSense Ads

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.3.10
Recommended Action: Update to version 2.3.10, or a newer patched version

Plugin: Top 10 – WordPress Popular posts by WebberZone

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Request Forgery to Plugin Installation
Patched Version: 3.4.27.1
Recommended Action: Update to version 3.4.27.1, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
