Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: WP Fastest Cache
Vulnerability: Authenticated (Admin+) Directory Traversal to Arbitrary File Deletion
Patched Version: 0.9.1.7
Recommended Action: Update to version 0.9.1.7, or a newer patched version
Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection
Vulnerability: Hidden Login Bypass
Patched Version: 7.9.1
Recommended Action: Update to version 7.9.1, or a newer patched version
Plugin: WP Maintenance Mode & Site Under Construction
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Captchinoo, admin login page protection with Google recaptcha
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Smooth Page Scroll Up/Down Buttons
Vulnerability: Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Visitor Traffic Real Time Statistics
Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 2.12
Recommended Action: Update to version 2.12, or a newer patched version
Plugin: WP Maintenance Mode & Site Under Construction
Vulnerability: Improper Authorization
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: WooCommerce
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version
Plugin: RSS for Yandex Turbo
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.30
Recommended Action: Update to version 1.30, or a newer patched version
Plugin: Tree Sitemap (Pages, Posts & Categories list)
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: Accordion
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.30
Recommended Action: Update to version 2.2.30, or a newer patched version
Plugin: Smooth Page Scroll Up/Down Buttons
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Store Locator Plus® for WordPress
Vulnerability: Authenticated Privilege Escalation
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version
Plugin: WP Content Copy Protection & No Right Click
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: Limit Login Attempts (Spam Protection)
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: WP Maintenance Mode & Site Under Construction
Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version
Plugin: Captchinoo, admin login page protection with Google recaptcha
Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: RSS for Yandex Turbo
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.31
Recommended Action: Update to version 1.31, or a newer patched version
Plugin: WP Maintenance Mode & Site Under Construction
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: Car Seller – Auto Classifieds Script
Vulnerability: Auto Classifieds Script <= 2.1.0
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Select All Categories and Taxonomies, Change Checkbox to Radio Buttons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Tree Sitemap (Pages, Posts & Categories list)
Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version
Plugin: WP Content Copy Protection & No Right Click
Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version
Plugin: Thrive Optimize
Vulnerability: Arbitrary Options Update
Patched Version: 1.4.13.3
Recommended Action: Update to version 1.4.13.3, or a newer patched version
Plugin: Login as User or Customer
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Redirect 404 to parent
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Limit Login Attempts (Spam Protection)
Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version
Plugin: WPGraphQL
Vulnerability: Denial of Service
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: Login as User or Customer
Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: Visitor Traffic Real Time Statistics
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: Happy Addons for Elementor Pro
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.17.0
Recommended Action: Update to version 1.17.0, or a newer patched version
Plugin: Store Locator Plus® for WordPress
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.13.8
Recommended Action: Update to version 5.13.8, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
