Watch Out Wednesday – January 12, 2022

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Core: WordPress

Vulnerability: SQL Injection via WP_Meta_Query
Patched Version: 4.1.34
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.34, 4.2.31, 4.3.27, 4.4.26, 4.5.25, 4.6.22, 4.7.22, 4.8.18, 4.9.19, 5.0.15, 5.1.12, 5.2.14, 5.3.11, 5.4.9, 5.5.8, 5.6.7, 5.7.5, 5.8.3

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: IP2Location Country Blocker

Vulnerability: Ban Bypass
Patched Version: 2.26.5
Recommended Action: Update to version 2.26.5, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Adaptive Images for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.6.69
Recommended Action: Update to version 0.6.69, or a newer patched version

Plugin: Ultimate Reviews

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.0.16
Recommended Action: Update to version 3.0.16, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Rearrange Woocommerce Products

Vulnerability: Subscriber+ SQL Injection
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages

Vulnerability: WPLegalPages <= 2.7.0
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: SEUR Oficial

Vulnerability: Authenticated Arbitrary File Download
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Unauthenticated Arbitrary Ticket Deletion
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Block for Apple Maps

Vulnerability: Uncontrolled Resource Consumption
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Translate WordPress with GTranslate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.7
Recommended Action: Update to version 2.9.7, or a newer patched version

Plugin: Responsive Contact Form Builder & Lead Generation Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Ivory Search – WordPress Search Plugin

Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched Version: 5.4.1
Recommended Action: Update to version 5.4.1, or a newer patched version

Plugin: IP2Location Country Blocker

Vulnerability: Subscriber+ Arbitrary Country Ban
Patched Version: 2.26.5
Recommended Action: Update to version 2.26.5, or a newer patched version

Plugin: Mortgage Calculators WP

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.53
Recommended Action: Update to version 1.53, or a newer patched version

Core: WordPress

Vulnerability: Super Admin Multi-Site Installation Object Injection
Patched Version: 3.7.37
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.37, 3.8.37, 3.9.35, 4.0.34, 4.1.34, 4.2.31, 4.3.27, 4.4.26, 4.5.25, 4.6.22, 4.7.22, 4.8.18, 4.9.19, 5.0.15, 5.1.12, 5.2.14, 5.3.11, 5.4.9, 5.5.8, 5.6.7, 5.7.5, 5.8.3

Plugin: IP2Location Country Blocker

Vulnerability: Arbitrary Country Ban via Cross-Site Request Forgery
Patched Version: 2.26.6
Recommended Action: Update to version 2.26.6, or a newer patched version

Plugin: CLUEVO LMS, E-Learning Platform

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.7.37
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.37, 3.8.37, 3.9.35, 4.0.34, 4.1.34, 4.2.31, 4.3.27, 4.4.26, 4.5.25, 4.6.22, 4.7.22, 4.8.18, 4.9.19, 5.0.15, 5.1.12, 5.2.14, 5.3.11, 5.4.9, 5.5.8, 5.6.7, 5.7.5, 5.8.3

Plugin: Powerkit – Supercharge your WordPress Site

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: RVM – Responsive Vector Maps

Vulnerability: Responsive Vector Maps <= 6.4.1
Patched Version: 6.4.2
Recommended Action: Update to version 6.4.2, or a newer patched version

Plugin: WP-DownloadManager

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.68.7
Recommended Action: Update to version 1.68.7, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0.26
Recommended Action: Update to version 5.0.26, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
