Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Credova Financial
Vulnerability: Sensitive Information Disclosure
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Arbitrary File Upload
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: Download Manager
Vulnerability: Cross-Site Scripting
Patched Version: 3.2.16
Recommended Action: Update to version 3.2.16, or a newer patched version

Plugin: Modern Events Calendar Lite
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.22.3
Recommended Action: Update to version 5.22.3, or a newer patched version

Plugin: Booking.com Product Helper
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Simple Download Monitor
Vulnerability: Contributor+ Stored Cross-Site Scripting via File Thumbnail
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version

Plugin: Simple Download Monitor
Vulnerability: Contributor+ Arbitrary Thumbnail Removal
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version

Plugin: Coming Soon, Under Construction & Maintenance Mode By Dazzler
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Translate WordPress – Google Language Translator
Vulnerability: Google Language Translator <= 6.0.11
Patched Version: 6.0.12
Recommended Action: Update to version 6.0.12, or a newer patched version

Plugin: Perfect Survey
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Batch Cat
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stylish Price List – Price Table Builder & QR Code Restaurant Menu
Vulnerability: Missing Authorization
Patched Version: 6.9.1
Recommended Action: Update to version 6.9.1, or a newer patched version

Plugin: JS Job Manager
Vulnerability: Arbitrary Plugin Installation/Activation
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Simple Download Monitor
Vulnerability: Sensitive Data Exposure
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version

Plugin: Cardinity Payment Gateway for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: WP Survey Plus
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: World Travel Information
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JobSearch WP Job Board
Vulnerability: Missing Authorization to Settings Change
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Image Source Control Lite – Show Image Credits and Captions
Vulnerability: Insecure Direct Object Reference
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Far Future Expiry Header
Vulnerability: Plugin’s Settings Update via Cross-Site Request Forgery
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Simple Download Monitor
Vulnerability: Log Reset
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version

Plugin: Stripe for WooCommerce
Vulnerability: 3.3.9
Patched Version: 3.3.10
Recommended Action: Update to version 3.3.10, or a newer patched version

Plugin: JobSearch WP Job Board
Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: JobSearch WP Job Board
Vulnerability: Missing Authorization on jobsearch_update_job_import_schedule_call() function
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: TWChat – Send or receive messages from users
Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Events Made Easy
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.2.24
Recommended Action: Update to version 2.2.24, or a newer patched version

Plugin: WPeMatico RSS Feed Fetcher
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.6.12
Recommended Action: Update to version 2.6.12, or a newer patched version

Plugin: Logo Slider and Showcase
Vulnerability: Settings Update
Patched Version: 1.3.37
Recommended Action: Update to version 1.3.37, or a newer patched version

Plugin: Perfect Survey
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.9.41
Recommended Action: Update to version 1.9.9.41, or a newer patched version

Plugin: Stylish Price List – Price Table Builder & QR Code Restaurant Menu
Vulnerability: Arbitrary Image Upload
Patched Version: 6.9.0
Recommended Action: Update to version 6.9.0, or a newer patched version

Plugin: TWChat – Send or receive messages from users
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: WP-Recall – Registration, Profile, Commerce & More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 16.24.48
Recommended Action: Update to version 16.24.48, or a newer patched version

Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Accept Donations with PayPal & Stripe
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Accept Donations with PayPal & Stripe
Vulnerability: No subtitle
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Simple Download Monitor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version

Plugin: Perfect Survey
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
Vulnerability: Multiple Admin+ Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Perfect Survey
Vulnerability: Unauthenticated Stored Cross-Site Scripting via IP
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.9.41
Recommended Action: Update to version 1.9.9.41, or a newer patched version

Plugin: Yoast SEO
Vulnerability: Full Path Disclosure
Patched Version: 17.3
Recommended Action: Update to version 17.3, or a newer patched version

Plugin: Ivory Search – WordPress Search Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version

Plugin: Booking.com Banner Creator
Vulnerability: Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Themify Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.