Watch Out Wednesday – August 18, 2021

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight newly disclosed vulnerabilities in WordPress plugins so you can check whether any affected plugin is installed on your site and act on it. Where a patched version exists, update to it; where none exists, the only reliable mitigation is to remove the plugin. Note that a plugin that is installed but deactivated still has its PHP files on disk, and many of the issues listed below (reflected cross-site scripting in particular) are reachable by requesting those files directly, so deactivation alone is not a fix.

Plugin: Calendar_plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Artillery (MASS EMAIL)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Popup Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP SEO Tags

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Artillery (MASS EMAIL)

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Security Question

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Opal Estate

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 2Way VideoCalls and Random Chat – HTML5 Webcam Videochat

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.8
Recommended Action: Update to version 5.2.8, or a newer patched version

Plugin: WP Songbook

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smash Balloon Social Post Feed – Simple Social Feeds for WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.19.2
Recommended Action: Update to version 2.19.2, or a newer patched version

Plugin: Smart Post Show – Post Grid, Post Carousel, Post Slider, Post Timeline, Post Table, and List Category Posts, Latest Posts, Recent Posts, Popular Posts and More

Vulnerability: Missing Capabilities Check
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: CBX Bookmark & Favorite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version

Plugin: Scribble Maps

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Artillery (MASS EMAIL)

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.44
Recommended Action: Update to version 2.0.44, or a newer patched version

Plugin: Fileviewer

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rucy

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart Email Alerts

Vulnerability: (not specified in the source listing)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Opal Estate

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Artillery (MASS EMAIL)

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Plugmatter Pricing Table Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Moova for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: Custom Post Type Relations

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Behance Portfolio

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Cerber Security, Anti-spam & Malware Scan

Vulnerability: Multifactor Bypass
Patched Version: 8.9.3
Recommended Action: Update to version 8.9.3, or a newer patched version

Plugin: Afterpay Gateway for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Sidebar Adder 2

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Software License Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.8
Recommended Action: Update to version 4.4.8, or a newer patched version

Plugin: Event Espresso – Event Registration & Ticketing Sales

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.10.12
Recommended Action: Update to version 4.10.12, or a newer patched version

Plugin: SEOPress – On-site SEO

Vulnerability: (not specified in the source listing; affected version 5.0.3)
Patched Version: 5.0.4
Recommended Action: Update to version 5.0.4, or a newer patched version

Plugin: WooCommerce Etsy Integration

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Media Usage

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Securimage-WP-Fixed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: (not specified in the source listing; affected versions <= 2.4.9)
Patched Version: 2.4.10
Recommended Action: Update to version 2.4.10, or a newer patched version

Plugin: Multiplayer Games

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: jQuery Tagline Rotator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SP Project & Document Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.26
Recommended Action: Update to version 4.26, or a newer patched version

Plugin: Per page add to head

Vulnerability: (not specified in the source listing)
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Per page add to head

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: typofr

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PDF.js Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: WP-Backgrounds Lite

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sell Media

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: MF Gig Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: WP Fountain

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Language Bar Flags

Vulnerability: Cross-Site Request Forgery leading to Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Auto Amazon Links – Amazon Associates Affiliate Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.20
Recommended Action: Update to version 4.6.20, or a newer patched version

Plugin: RAYS Grid

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: WP Cerber Security, Anti-spam & Malware Scan

Vulnerability: Access Control Bypass
Patched Version: 8.9.3
Recommended Action: Update to version 8.9.3, or a newer patched version

Plugin: Shopp

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Advanced Ticket System, Elite Support Helpdesk

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.64
Recommended Action: Update to version 1.0.64, or a newer patched version

Plugin: Scout bazar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
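Checking a site against a list like the one above by hand is error-prone when several entries share a plugin and some have no fix at all. The script below is an added example, not code from the original post or from any of the plugin authors. It assumes the site runs WP-CLI and that the plugin inventory was exported with `wp plugin list --fields=name,title,version,status --format=json`; the inventory embedded here is constructed sample data (the slugs, versions and statuses are made up for illustration), and the advisory table is a transcribed subset of this week's entries. Plugins are matched by their display title, which can differ from the advisory's wording, so a non-match means "unknown", not "safe".

```python
"""Triage installed WordPress plugins against a weekly advisory list.

Added example, not part of the original post. Assumes the inventory comes
from WP-CLI:

    wp plugin list --fields=name,title,version,status --format=json

Titles are matched case-insensitively against the advisory's display names;
a plugin whose header title differs will not match, so treat "no finding"
as "not checked", not as "safe".
"""
import json
import re
from typing import Optional

# Subset of this week's entries, transcribed from the list above.
# None means "No patched version available".
ADVISORIES = [
    ("Email Artillery (MASS EMAIL)", "Arbitrary File Upload", None),
    ("Email Artillery (MASS EMAIL)", "Authenticated SQL Injection", None),
    ("WP Cerber Security, Anti-spam & Malware Scan", "Multifactor Bypass", "8.9.3"),
    ("Software License Manager", "Reflected Cross-Site Scripting", "4.4.8"),
    ("SP Project & Document Manager", "Reflected Cross-Site Scripting", "4.26"),
    ("Event Espresso – Event Registration & Ticketing Sales", "Cross-Site Request Forgery Bypass", "4.10.12"),
]

# Constructed sample of `wp plugin list ... --format=json` output.
# Slugs, versions and statuses are assumptions for illustration, not real site data.
SAMPLE_INVENTORY = json.dumps([
    {"name": "wp-cerber", "title": "WP Cerber Security, Anti-spam & Malware Scan", "version": "8.9.2", "status": "active"},
    {"name": "software-license-manager", "title": "Software License Manager", "version": "4.4.8", "status": "active"},
    {"name": "sp-client-document-manager", "title": "SP Project & Document Manager", "version": "4.3", "status": "inactive"},
    {"name": "email-artillery", "title": "Email Artillery (MASS EMAIL)", "version": "4.0", "status": "active"},
    {"name": "akismet", "title": "Akismet Anti-Spam", "version": "4.1.10", "status": "active"},
])


def version_key(v: str):
    """Turn '4.10.12' into (4, 10, 12) so versions compare numerically, not as
    strings ('4.9' < '4.10' must hold). Non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_patched(installed: str, patched: Optional[str]) -> bool:
    """True when the installed version is at least the patched version.
    With no patched version there is nothing to be at least of, so False."""
    if patched is None:
        return False
    return version_key(installed) >= version_key(patched)


def triage(inventory_json: str, advisories=ADVISORIES):
    """Return one finding per (installed plugin, advisory) pair that still applies.

    'action' is 'update to X' when a fix exists and is not yet installed, or
    'remove' when no fix exists. Inactive plugins are reported too: their PHP
    files stay on disk and reflected-XSS / upload bugs are often reachable by
    requesting the plugin file directly.
    """
    installed = {p["title"].casefold(): p for p in json.loads(inventory_json)}
    findings = []
    for title, vuln, patched in advisories:
        plugin = installed.get(title.casefold())
        if plugin is None:
            continue
        if is_patched(plugin["version"], patched):
            continue
        findings.append({
            "plugin": plugin["name"],
            "installed": plugin["version"],
            "status": plugin["status"],
            "vulnerability": vuln,
            "action": "remove" if patched is None else f"update to {patched}",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['plugin']:<28} {f['installed']:<8} {f['status']:<9} "
              f"{f['vulnerability']:<32} -> {f['action']}")
```

On a real site, pipe the WP-CLI output into `triage()` instead of `SAMPLE_INVENTORY`. A plugin that appears several times in the list (Email Artillery above has four separate entries this week) produces one finding per entry, so the "remove" recommendation is not lost behind a lower-severity sibling.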

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
