Understanding Vulnerabilities in WordPress Plugins
Every week we highlight known vulnerabilities in WordPress plugins so you can check whether your sites run an affected version and act on it. Each entry below lists the plugin, the vulnerability class, the version that fixes it, and the recommended action. Where no patched version exists, the only options are to mitigate the exposure or remove the plugin; an update alone cannot close the issue.
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Stored Cross-Site Scripting via Profile
Patched Version: 4.7.7
Recommended Action: Update to version 4.7.7, or a newer patched version
Plugin: NewStatPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: Form Store to DB
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Ibtana – WordPress Website Builder
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 1.1.4.9
Recommended Action: Update to version 1.1.4.9, or a newer patched version
Plugin: WHMCS Bridge
Vulnerability: Not specified
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version
Plugin: Waitlist Woocommerce ( Back in stock notifier )
Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version
Plugin: The Buffer Button
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SpiderCalendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.65
Recommended Action: Update to version 1.6.65, or a newer patched version
Plugin: Import Export Suite for CSV and XML Datafeed
Vulnerability: Missing Authorization Checks
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version
Plugin: Magee Shortcodes
Vulnerability: Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Futurio Extra
Vulnerability: Sensitive Information Disclosure
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: Not specified
Patched Version: 2.2.15
Recommended Action: Update to version 2.2.15, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.3.7
Recommended Action: Update to version 7.3.7, or a newer patched version
Plugin: WP Import Export Lite
Vulnerability: Unauthenticated Sensitive Data Disclosure
Patched Version: 3.9.16
Recommended Action: Update to version 3.9.16, or a newer patched version
Plugin: Import Export Suite for CSV and XML Datafeed
Vulnerability: Missing Authorization
Patched Version: 6.4.2
Recommended Action: Update to version 6.4.2, or a newer patched version
Plugin: WP-Appbox
Vulnerability: Local File Inclusion
Patched Version: 4.3.18
Recommended Action: Update to version 4.3.18, or a newer patched version
Plugin: PublishPress Capabilities – User Role Editor, Access Permissions, Admin Menus
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: RSVP and Event Management
Vulnerability: Cross-Site Scripting
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: Not specified (affects versions <= 5.5.2)
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Reflected Cross-Site Scripting via Import Tool
Patched Version: 2.17.3
Recommended Action: Update to version 2.17.3, or a newer patched version
Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)
Vulnerability: Reflected Cross-Site Scripting via lang & pid Parameters
Patched Version: 3.1.31
Recommended Action: Update to version 3.1.31, or a newer patched version
Plugin: User Registration, Login & Landing Pages – LeadMagic
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Translation Exchange – Translate Your WordPress Site In Minutes!
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mitsol Social Post Feed
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.11
Recommended Action: Update to version 1.11, or a newer patched version
Plugin: PPOM – Product Addons & Custom Fields for WooCommerce
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 24.0
Recommended Action: Update to version 24.0, or a newer patched version
Plugin: FeedWordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2022.0123
Recommended Action: Update to version 2022.0123, or a newer patched version
Plugin: MapPress Maps for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.73.4
Recommended Action: Update to version 2.73.4, or a newer patched version
Plugin: Popup | Custom Popup Builder
Vulnerability: Denial of Service
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: PHP Everywhere
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.9.149
Recommended Action: Update to version 1.9.9.149, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.17.3
Recommended Action: Update to version 2.17.3, or a newer patched version
Plugin: Random Banner
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version
Plugin: CMP – Coming Soon & Maintenance Plugin by NiteoThemes
Vulnerability: Not specified (affects versions <= 4.0.18)
Patched Version: 4.0.19
Recommended Action: Update to version 4.0.19, or a newer patched version
Plugin: Image Photo Gallery Final Tiles Grid
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version
Plugin: WP-DownloadManager
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.68.7
Recommended Action: Update to version 1.68.7, or a newer patched version
Plugin: Five Star Business Profile and Schema
Vulnerability: Subscriber+ Page Creation & Settings Update to Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: Simple Newsletter Plugin – Noptin
Vulnerability: Open Redirect
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: Login/Signup Popup ( Inline Form + Woocommerce )
Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Remove Footer Credit
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version
Plugin: Ad Invalid Click Protector (AICP)
Vulnerability: SQL Injection
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: Import Export Suite for CSV and XML Datafeed
Vulnerability: Arbitrary File Upload
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version
Plugin: PowerPack Lite for Beaver Builder
Vulnerability: Not specified
Patched Version: 1.2.9.3
Recommended Action: Update to version 1.2.9.3, or a newer patched version
Plugin: AccessPress Social Icons
Vulnerability: Backdoor
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Themify Portfolio Post
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Side Cart Woocommerce | Woocommerce Cart
Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Cross-Site Request Forgery
Patched Version: 7.3.7
Recommended Action: Update to version 7.3.7, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.3.7
Recommended Action: Update to version 7.3.7, or a newer patched version
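As an added example (not part of the original post or of any plugin's own code), the following Python script turns the list above into a check you can run against a site's plugin inventory. The advisory rows are a subset transcribed from the entries above; the inventory is a constructed sample in the shape of `wp plugin list --fields=title,version,status --format=json`, and matching on the plugin title rather than the wordpress.org slug is an assumption of this example. It compares versions numerically (so `1.9.9.15` is correctly seen as older than `1.9.9.149`), flags "no patched version" entries for mitigation or removal, and does not skip inactive plugins.

```python
"""Check a WordPress plugin inventory against this week's advisory list.

Added example, not part of the original post. The advisory rows are a subset
transcribed from the entries above. The inventory is a constructed sample in
the shape of `wp plugin list --fields=title,version,status --format=json`;
matching on the plugin title rather than the wordpress.org slug is an
assumption of this example.
"""
import json
import re
import sys

NO_PATCH = None  # marks entries listed as "No patched version available"

BETTER_MESSAGES = ("Better Messages – Live Chat for WordPress, BuddyPress, "
                   "PeepSo, Ultimate Member, BuddyBoss")

# (plugin title as listed above, vulnerability, patched version or NO_PATCH)
ADVISORIES = [
    ("ProfileGrid – User Profiles, Groups and Communities",
     "Stored Cross-Site Scripting via Profile", "4.7.7"),
    ("Import Export Suite for CSV and XML Datafeed",
     "Missing Authorization Checks", "6.4.1"),
    ("Import Export Suite for CSV and XML Datafeed",
     "Missing Authorization", "6.4.2"),
    ("Import Export Suite for CSV and XML Datafeed",
     "Arbitrary File Upload", "6.4.1"),
    ("The Buffer Button", "Cross-Site Scripting", NO_PATCH),
    ("FeedWordPress", "Reflected Cross-Site Scripting", "2022.0123"),
    (BETTER_MESSAGES, "Cross-Site Request Forgery", "1.9.9.149"),
    ("WHMCS Bridge", "Not specified", "6.3"),
    ("AccessPress Social Icons", "Backdoor", "1.8.3"),
]


def version_key(version):
    """Comparable tuple for a plugin version string.

    Segments compare numerically, so '1.9.9.15' < '1.9.9.149' (a plain
    string compare gets this wrong). Trailing zeros are dropped so '6.3'
    equals '6.3.0'. A non-numeric segment such as 'beta' maps to -1 and a
    final 0 is appended, so '1.3.1-beta' sorts below '1.3.1'.
    """
    parts = [int(p) if p.isdigit() else -1
             for p in re.split(r"[.\-+]", version.strip())]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts) + (0,)


def is_vulnerable(installed, patched):
    """True when the installed build predates the fix, or no fix exists."""
    if patched is NO_PATCH:
        return True
    return version_key(installed) < version_key(patched)


def audit(inventory, advisories=ADVISORIES):
    """Return findings as (title, installed version, vulnerability, action).

    Inactive plugins are not skipped: their PHP files stay on disk and some
    issues are reachable by requesting a plugin file directly, so "inactive"
    lowers the exposure but does not remove it.
    """
    by_title = {}
    for title, vuln, patched in advisories:
        by_title.setdefault(title, []).append((vuln, patched))

    findings = []
    for plugin in inventory:
        for vuln, patched in by_title.get(plugin["title"], []):
            if not is_vulnerable(plugin["version"], patched):
                continue
            if patched is NO_PATCH:
                action = "no patch available: mitigate or remove the plugin"
            else:
                action = f"update to {patched} or newer"
            if plugin.get("status") == "inactive":
                action += " (inactive, but its files are still on disk)"
            findings.append((plugin["title"], plugin["version"], vuln, action))
    return findings


# Constructed sample inventory, not data from any real site.
SAMPLE_INVENTORY = [
    {"title": "ProfileGrid – User Profiles, Groups and Communities",
     "version": "4.7.6", "status": "active"},
    {"title": "Import Export Suite for CSV and XML Datafeed",
     "version": "6.4.1", "status": "active"},
    {"title": "The Buffer Button", "version": "1.0", "status": "inactive"},
    {"title": "FeedWordPress", "version": "2022.0123", "status": "active"},
    {"title": BETTER_MESSAGES, "version": "1.9.9.15", "status": "active"},
    {"title": "WHMCS Bridge", "version": "6.3.0", "status": "active"},
    {"title": "Hello Dolly", "version": "1.7.2", "status": "active"},
]

if __name__ == "__main__":
    # Pass "-" to read real WP-CLI JSON from stdin; otherwise use the sample.
    use_stdin = len(sys.argv) > 1 and sys.argv[1] == "-"
    inventory = json.load(sys.stdin) if use_stdin else SAMPLE_INVENTORY
    for title, installed, vuln, action in audit(inventory):
        print(f"{title} {installed}: {vuln} -> {action}")
```

On a real site the intended invocation is `wp plugin list --fields=title,version,status --format=json | python audit.py -` (the `title` field of `wp plugin list` is assumed to match the display name used above; if it does not, key the table by slug instead). Note that a plugin listed more than once, such as Import Export Suite for CSV and XML Datafeed, is reported against each entry it still fails, so a site on 6.4.1 is told to move to 6.4.2.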
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.