Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Compact WP Audio Player
Vulnerability: Setting Change via Cross-Site Request Forgery
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version
Plugin: GamePress – The Game Database Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP HTML Author Bio
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: eID Easy
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version
Plugin: Wp Cookie Choice
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Request a Quote
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version
Plugin: Shared Files – Frontend File Upload Form & Secure File Sharing
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.57
Recommended Action: Update to version 1.6.57, or a newer patched version
Plugin: WP DSGVO Tools (GDPR)
Vulnerability: Unauthenticated Arbitrary Post Deletion
Patched Version: 3.1.24
Recommended Action: Update to version 3.1.24, or a newer patched version
Plugin: Game Server Status
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: St-Daily-Tip
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sociable
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.1.3.1
Recommended Action: Update to version 4.1.3.1, or a newer patched version
Plugin: BulletProof Security
Vulnerability: Sensitive Information Disclosure
Patched Version: 5.2
Recommended Action: Update to version 5.2, or a newer patched version
Plugin: WordPress PDF Light Viewer Plugin
Vulnerability: Authenticated Command Injection
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version
Plugin: 微信打赏(Wechat Reward)
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PlanSo Forms
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Polo Video Gallery – Best wordpress video gallery plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: StreamCast – Radio Player for WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version
Plugin: Frontend Uploader
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Compact WP Audio Player
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version
Plugin: YITH Maintenance Mode
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Buddyboss Platform
Vulnerability: SQL Injection
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version
Plugin: Special Text Boxes
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.9.110
Recommended Action: Update to version 5.9.110, or a newer patched version
Plugin: SEO Redirection Plugin – 301 Redirect Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 7.9
Recommended Action: Update to version 7.9, or a newer patched version
Plugin: jQuery Reply to Comment
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Scroll Baner
Vulnerability: Cross-Site Request Forgery to Remote Code Execution and/or Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Feeds For Twitter
Vulnerability: Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Video Gallery – Vimeo and YouTube Gallery
Vulnerability: Vimeo and YouTube Gallery < 1.1.5
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Podcast Subscribe Buttons
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: Header Enhancement
Vulnerability: Missing Authorization
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: One User Avatar | User Profile Picture
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version
Plugin: PDF Viewer Block for Gutenberg
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: One User Avatar | User Profile Picture
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version
Plugin: YITH Easy Login & Register Popup for WooCommerce
Vulnerability: Authentication Bypass via Password Reset
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Find My Blocks – Locate blocks on your site
Vulnerability: Sensitive Information Disclosure
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Customer Service Software & Support Ticket System
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.10.4
Recommended Action: Update to version 5.10.4, or a newer patched version
Plugin: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.7.13
Recommended Action: Update to version 1.7.13, or a newer patched version
Plugin: Responsive WordPress Slider
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HTML5 Audio Player- Best WordPress Audio Player Plugin
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: MainWP Child Reports
Vulnerability: Admin+ SQL Injection
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
