Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins so that you can assess the risk to your site and take appropriate action. Applying the patched versions listed below helps protect the safety and integrity of your WordPress site and its data.
Plugin: Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: Converter for Media – Optimize images | Convert WebP & AVIF
Vulnerability: Unauthenticated Open Redirect
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: Qubely – Advanced Gutenberg Blocks
Vulnerability: Missing Authorization to Arbitrary Post Deletion
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version
Plugin: Protect WP Admin
Vulnerability: Unauthenticated Plugin Deactivation
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version
Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version
Plugin: Smart SEO Tool – SEO优化插件
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version
Plugin: Registrations for the Events Calendar – Event Registration Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version
Plugin: Dynamic Widgets
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
Vulnerability: Reflected Cross-Site Scripting via effects
Patched Version: 9.7.1
Recommended Action: Update to version 9.7.1, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.0.1.9
Recommended Action: Update to version 5.0.1.9, or a newer patched version
Plugin: UpdraftPlus: WP Backup & Migration Plugin
Vulnerability: Reflected Cross-Site Scripting via updraft_restore
Patched Version: 1.16.69
Recommended Action: Update to version 1.16.69, or a newer patched version
Plugin: Mobile Events Manager
Vulnerability: Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: WP125
Vulnerability: Cross-Site Request Forgery to Arbitrary Ad Deletion
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.9.12
Recommended Action: Update to version 1.9.12, or a newer patched version
Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: Code Snippets
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.14.3
Recommended Action: Update to version 2.14.3, or a newer patched version
Plugin: Ultimate FAQ Accordion Plugin
Vulnerability: Missing Authorization to Arbitrary FAQ Creation
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: WP Post Page Clone
Vulnerability: Missing Authorization to Post Disclosure
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: WP Visitor Statistics (Real Time Traffic)
Vulnerability: SQL Injection
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version
Plugin: Orders Tracking for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version
Plugin: LabTools
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.12
Recommended Action: Update to version 1.9.12, or a newer patched version
Plugin: WP Extra File Types
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.5.1
Recommended Action: Update to version 0.5.1, or a newer patched version
Plugin: Advanced Custom Fields: Extended
Vulnerability: Admin+ SQL Injection
Patched Version: 0.8.8.7
Recommended Action: Update to version 0.8.8.7, or a newer patched version
Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend
Vulnerability: SQL Injection & Reflected Cross-Site Scripting
Patched Version: 3.5.26
Recommended Action: Update to version 3.5.26, or a newer patched version
Plugin: Domain Check
Vulnerability: Reflected Cross-Site Scripting via domain
Patched Version: 1.0.17
Recommended Action: Update to version 1.0.17, or a newer patched version
Plugin: Event Tickets and Registration
Vulnerability: Open Redirect
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version
Plugin: Insight Core
Vulnerability: Authenticated PHP Object Injection & Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Affiliates Manager
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version
Plugin: HUSKY – Products Filter Professional for WooCommerce
Vulnerability: Products Filter for WooCommerce <= 1.2.6.2
Patched Version: 1.2.6.3
Recommended Action: Update to version 1.2.6.3, or a newer patched version
Plugin: Cookie Notification Plugin for WordPress – WP Cookie User Info
Vulnerability: SQL Injection
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds
Vulnerability: Settings Update to Stored Cross-Site Scripting
Patched Version: 11.0.7
Recommended Action: Update to version 11.0.7, or a newer patched version
Plugin: AF Companion – Build Stylish WordPress Websites in Minutes – No Coding, Just Click and Go! Starter Sites Importer for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.