Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. Each entry lists the affected plugin, the class of vulnerability, and the version that fixes it, so you can check your own installations and take action before the flaw is exploited. Keeping plugins patched (or removing those that cannot be patched) is one of the most effective ways to protect your WordPress site and its data.
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Local File Inclusion
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version
Plugin: Email Template Designer – WP HTML Mail
Vulnerability: Missing Authorization on Rest Route
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: Support Board
Vulnerability: Authenticated SQL Injection
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Authenticated SQL Injection via order & orderby Parameters
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
Plugin: Testimonial WordPress Plugin – AP Custom Testimonial
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: Testimonial WordPress Plugin – AP Custom Testimonial
Vulnerability: SQL Injection
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version
Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 13.0.6
Recommended Action: Update to version 13.0.6, or a newer patched version
Plugin: WP Debugging
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.11.8
Recommended Action: Update to version 2.11.8, or a newer patched version
Plugin: Ad Inserter – Ad Manager & AdSense Ads
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version
Plugin: Database Backup for WordPress
Vulnerability: Admin+ SQL Injection
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Lean WP
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Review the vulnerability’s details in depth and apply mitigations appropriate to your organization’s risk tolerance. It may be best to uninstall the affected plugin and find a replacement.
Plugin: Duplicate Page or Post
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Local File Inclusion and PHAR Deserialization
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
Plugin: Access Demo Importer
Vulnerability: Cross-Site Request Forgery to Data Reset
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: Catch Web Tools
Vulnerability: Missing Authorization
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: Coming soon and Maintenance mode
Vulnerability: Cross-Site Request Forgery to Arbitrary Email Send
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Directory Traversal to Arbitrary File Deletion
Patched Version: 0.8.9.1
Recommended Action: Update to version 0.8.9.1, or a newer patched version
Plugin: Simple Membership
Vulnerability: Cross-Site Request Forgery to Arbitrary Member Deletion
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version
Plugin: Float menu – awesome floating side menu
Vulnerability: Arbitrary Menu Deletion via Cross-Site Request Forgery
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: AnyComment
Vulnerability: Race Condition
Patched Version: 0.2.18
Recommended Action: Update to version 0.2.18, or a newer patched version
Plugin: FOX – Currency Switcher Professional for WooCommerce
Vulnerability: Reflected Cross-Site Scripting via AJAX action
Patched Version: 1.3.7.5
Recommended Action: Update to version 1.3.7.5, or a newer patched version
Plugin: Advanced Database Cleaner
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: SQL Injection
Patched Version: 5.0.1.6
Recommended Action: Update to version 5.0.1.6, or a newer patched version
Plugin: Anti-Malware Security and Brute-Force Firewall
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.20.94
Recommended Action: Update to version 4.20.94, or a newer patched version
Plugin: Coming soon and Maintenance mode
Vulnerability: Missing Authorization to Arbitrary Email Send
Patched Version: 3.6.7
Recommended Action: Update to version 3.6.7, or a newer patched version
Plugin: Classic Editor +
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: Download Manager
Vulnerability: Authenticated SQL Injection
Patched Version: 3.2.34
Recommended Action: Update to version 3.2.34, or a newer patched version
Plugin: AdSanity
Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version
Plugin: Super Forms – Drag & Drop Form Builder
Vulnerability: Not named in this listing; affects Super Forms – Drag & Drop Form Builder versions <= 6.0.3
Patched Version: 6.0.4
Recommended Action: Update to version 6.0.4, or a newer patched version
Plugin: AnyComment
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.2.18
Recommended Action: Update to version 0.2.18, or a newer patched version
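A practical way to act on a list like this is to compare it against what is actually installed. The script below is an added example and is not part of the original post: it parses entries in the same "Plugin: / Vulnerability: / Patched Version:" form used above and checks them against the JSON that `wp plugin list --fields=name,title,version,status --format=json` prints. The plugin list embedded here is a constructed sample for a hypothetical site (the slugs and installed versions are illustrative, not observed data), and matching by display title is an assumption made for the example; on a real site you would key on the plugin slug. Versions are compared as padded integer tuples rather than strings, because string comparison gets cases such as 0.8.10 vs 0.8.9.1 or 4.20.100 vs 4.20.94 wrong.

```python
"""Check installed WordPress plugins against an advisory list of patched versions.

Added example, not code from the original post. Run it offline as-is; to use it on a real
site, replace SAMPLE_WP_PLUGIN_LIST with the output of
    wp plugin list --fields=name,title,version,status --format=json
"""
import json
import re

# A subset of the entries above, in the listing's own text form.
# "No patched version available" means every installed version is affected.
ADVISORY_TEXT = """
Plugin: Email Template Designer – WP HTML Mail
Vulnerability: Missing Authorization on Rest Route
Patched Version: 3.1
Plugin: WP Fastest Cache
Vulnerability: Directory Traversal to Arbitrary File Deletion
Patched Version: 0.8.9.1
Plugin: Lean WP
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Plugin: AnyComment
Vulnerability: Race Condition
Patched Version: 0.2.18
Plugin: Anti-Malware Security and Brute-Force Firewall
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.20.94
"""

# Constructed sample of `wp plugin list ... --format=json` for a hypothetical site.
# Slugs and installed versions are illustrative assumptions, not real observations.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "wp-html-mail", "title": "Email Template Designer – WP HTML Mail",
     "version": "3.1", "status": "active"},
    {"name": "wp-fastest-cache", "title": "WP Fastest Cache",
     "version": "0.8.10", "status": "active"},          # newer than 0.8.9.1 despite "10" < "9" as text
    {"name": "lean-wp", "title": "Lean WP", "version": "1.0", "status": "active"},
    {"name": "anycomment", "title": "AnyComment", "version": "0.2.9", "status": "inactive"},
    {"name": "gotmls", "title": "Anti-Malware Security and Brute-Force Firewall",
     "version": "4.20.9", "status": "active"},
])


def parse_advisories(text):
    """Turn 'Plugin:/Vulnerability:/Patched Version:' lines into a list of dicts.
    'patched' is None when the listing says no patched version is available."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Plugin:"):
            current = {"plugin": line.split(":", 1)[1].strip()}
            entries.append(current)
        elif line.startswith("Vulnerability:") and current is not None:
            current["vulnerability"] = line.split(":", 1)[1].strip()
        elif line.startswith("Patched Version:") and current is not None:
            value = line.split(":", 1)[1].strip()
            current["patched"] = None if value.lower().startswith("no patched") else value
    return entries


def _version_parts(version):
    # Drop any pre-release suffix such as "-beta1" or "-RC2" before extracting numbers.
    # Limitation: a pre-release of the patched version is therefore treated as patched.
    return [int(p) for p in re.findall(r"\d+", version.split("-")[0])]


def is_vulnerable(installed, patched):
    """True when the installed version is below the patched one (or nothing is patched)."""
    if patched is None:
        return True
    a, b = _version_parts(installed), _version_parts(patched)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))   # pad so 3.1 == 3.1.0 and 0.8.9 < 0.8.9.1
    b += [0] * (width - len(b))
    return a < b


def _normalize_title(title):
    return re.sub(r"\s+", " ", title).strip().casefold()


def check_installed(plugin_list_json, advisory_text):
    """Return one finding per installed plugin that an advisory still applies to.
    Inactive plugins are reported too: their code stays on disk and must be updated or removed."""
    by_title = {_normalize_title(p["title"]): p for p in json.loads(plugin_list_json)}
    findings = []
    for adv in parse_advisories(advisory_text):
        plugin = by_title.get(_normalize_title(adv["plugin"]))
        if plugin is None:
            continue
        if is_vulnerable(plugin["version"], adv["patched"]):
            findings.append({
                "slug": plugin["name"],
                "installed": plugin["version"],
                "patched": adv["patched"],
                "vulnerability": adv["vulnerability"],
                "action": f"update to {adv['patched']}" if adv["patched"] else "mitigate or remove",
            })
    return findings


if __name__ == "__main__":
    for f in check_installed(SAMPLE_WP_PLUGIN_LIST, ADVISORY_TEXT):
        print(f"{f['slug']}: {f['vulnerability']} (installed {f['installed']}) -> {f['action']}")
```

On the constructed sample this reports Lean WP (no patch exists, so the action is to mitigate or remove), AnyComment at 0.2.9, and the anti-malware plugin at 4.20.9, while WP Fastest Cache at 0.8.10 is correctly left alone even though a naive string comparison would have flagged it.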
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.