Watch Out Wednesday – October 27, 2021

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Catch Themes Demo Import

Vulnerability: Arbitrary File Upload
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Falang multilanguage for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.18
Recommended Action: Update to version 1.3.18, or a newer patched version

Plugin: Core Tweaks WP Setup

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Open Redirect
Patched Version: 3.7.2.4
Recommended Action: Update to version 3.7.2.4, or a newer patched version

Plugin: Slider Factory – Responsive Photo Slider, Image Slider, Video Slider, Carousel Slideshow

Vulnerability: Missing Authorization
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Simple Job Board

Vulnerability: No subtitle
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: HashThemes Demo Importer

Vulnerability: Missing Authorization to Database Wipe
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Bulk Datetime Change

Vulnerability: Missing Authorization
Patched Version: 1.12
Recommended Action: Update to version 1.12, or a newer patched version

Plugin: Reviews Plus

Vulnerability: Denial of Service
Patched Version: 1.2.15
Recommended Action: Update to version 1.2.15, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated SQL Injection
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.11.2.1
Recommended Action: Update to version 2.11.2.1, or a newer patched version

Plugin: Media Tags

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MAZ Loader – Preloader Builder for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: About Author Box

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: No subtitle
Patched Version: 3.0.39
Recommended Action: Update to version 3.0.39, or a newer patched version

Plugin: Ninja Tables – Easy Data Table Builder

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version

Plugin: Template Kit – Import

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Editable Table Simple Fast FrontEnd From Sql tables

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BetterLinks – An Advanced Solution for Affiliate Link Management, Link Shortening, Link Tracking, Link Branding & Marketing

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Video Lessons Manager – WordPress LMS Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Ecommerce – Two Factor Authentication

Vulnerability: Two Factor Authentication <= 1.0.4
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Logo Showcase – Responsive Logo Carousel, Logo Slider & Logo Grid

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites

Vulnerability: SQL Injection via orderby, order Parameters
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version

Plugin: Download Monitor

Vulnerability: Admin+ SQL Injection via orderby parameter
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.15.4
Recommended Action: Update to version 1.15.4, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: WP Spell Check

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version

Plugin: Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Social Sharing Plugin – Sassy Social Share

Vulnerability: Object Injection
Patched Version: 3.3.24
Recommended Action: Update to version 3.3.24, or a newer patched version

Plugin: Notification – Custom Notifications and Alerts for WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 8.0.0
Recommended Action: Update to version 8.0.0, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
