Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Catch Themes Demo Import
Vulnerability: Arbitrary File Upload
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: Falang multilanguage for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.18
Recommended Action: Update to version 1.3.18, or a newer patched version
Plugin: Core Tweaks WP Setup
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction
Vulnerability: Open Redirect
Patched Version: 3.7.2.4
Recommended Action: Update to version 3.7.2.4, or a newer patched version
Plugin: Slider Factory – Responsive Photo Slider, Image Slider, Video Slider, Carousel Slideshow
Vulnerability: Missing Authorization
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: Simple Job Board
Vulnerability: No subtitle
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version
Plugin: HashThemes Demo Importer
Vulnerability: Missing Authorization to Database Wipe
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Bulk Datetime Change
Vulnerability: Missing Authorization
Patched Version: 1.12
Recommended Action: Update to version 1.12, or a newer patched version
Plugin: Reviews Plus
Vulnerability: Denial of Service
Patched Version: 1.2.15
Recommended Action: Update to version 1.2.15, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Authenticated SQL Injection
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.11.2.1
Recommended Action: Update to version 2.11.2.1, or a newer patched version
Plugin: Media Tags
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MAZ Loader – Preloader Builder for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: About Author Box
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: eCommerce Product Catalog Plugin for WordPress
Vulnerability: No subtitle
Patched Version: 3.0.39
Recommended Action: Update to version 3.0.39, or a newer patched version
Plugin: Ninja Tables – Easy Data Table Builder
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version
Plugin: Template Kit – Import
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version
Plugin: Editable Table Simple Fast FrontEnd From Sql tables
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BetterLinks – An Advanced Solution for Affiliate Link Management, Link Shortening, Link Tracking, Link Branding & Marketing
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: Video Lessons Manager – WordPress LMS Plugin
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: Ecommerce – Two Factor Authentication
Vulnerability: Two Factor Authentication <= 1.0.4
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: Logo Showcase – Responsive Logo Carousel, Logo Slider & Logo Grid
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites
Vulnerability: SQL Injection via orderby, order Parameters
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version
Plugin: Download Monitor
Vulnerability: Admin+ SQL Injection via orderby parameter
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.15.4
Recommended Action: Update to version 1.15.4, or a newer patched version
Plugin: Slideshow Gallery LITE
Vulnerability: Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: WP Spell Check
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version
Plugin: Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Social Sharing Plugin – Sassy Social Share
Vulnerability: Object Injection
Patched Version: 3.3.24
Recommended Action: Update to version 3.3.24, or a newer patched version
Plugin: Notification – Custom Notifications and Alerts for WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 8.0.0
Recommended Action: Update to version 8.0.0, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.