Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 0.9.69
Recommended Action: Update to version 0.9.69, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Unauthenticated Admin Account Creation
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version
Plugin: Price Table
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Responsive Menu
Vulnerability: Missing Authorization to Settings Update & Stored Cross-Site Scripting
Patched Version: 3.1.7.1
Recommended Action: Update to version 3.1.7.1, or a newer patched version
Plugin: Cost Calculator
Vulnerability: Authenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WHMCS Bridge
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4b
Recommended Action: Update to version 6.4b, or a newer patched version
Plugin: Crazy Bone
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Arbitrary Image Renaming
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version
Plugin: Import Export Suite for CSV and XML Datafeed
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 6.4.3
Recommended Action: Update to version 6.4.3, or a newer patched version
Plugin: WordPress GDPR
Vulnerability: Not specified
Patched Version: 1.9.27
Recommended Action: Update to version 1.9.27, or a newer patched version
Plugin: WP Visitor Statistics (Real Time Traffic)
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version
Plugin: [GWA] AutoResponder
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: Add Subtitle
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cost Calculator
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Post Snippets – Custom WordPress Code Snippets Customizer
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version
Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress
Vulnerability: Authenticated SQL Injection (affects versions <= 4.6.1)
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version
Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.20
Recommended Action: Update to version 4.20, or a newer patched version
Plugin: Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.2.3
Recommended Action: Update to version 11.2.3, or a newer patched version
Plugin: Perfect Brands for WooCommerce
Vulnerability: Server Information Disclosure
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: WP User – Custom Registration Forms, Login and User Profile
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version
Plugin: Asgaros Forum
Vulnerability: SQL Injection
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Maps Plugin using Google Maps for WordPress – WP Google Map
Vulnerability: Arbitrary Post Deletion and Plugin Settings Update via Cross-Site Request Forgery
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version
Plugin: Blackhole for Bad Bots
Vulnerability: Arbitrary IP Address Blocking via IP Spoofing
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: Logo Showcase – Responsive Logo Carousel, Logo Slider & Logo Grid
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.176
Recommended Action: Update to version 1.8.176, or a newer patched version
Plugin: Fotobook
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Perfect Brands for WooCommerce
Vulnerability: Unauthorized Brand Creation
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Customize WordPress Emails and Alerts – Better Notifications for WP
Vulnerability: Email Address Disclosure
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version
Plugin: Use Any Font | Custom Font Uploader
Vulnerability: Unauthenticated Arbitrary CSS Appending
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version
Plugin: Pricing Tables WordPress Plugin – Easy Pricing Tables
Vulnerability: Arbitrary Post Removal via Cross-Site Request Forgery
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: TI WooCommerce Wishlist
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.40.1
Recommended Action: Update to version 1.40.1, or a newer patched version
Plugin: Embed Swagger
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: [GWA] AutoResponder
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page View Count
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.4.15
Recommended Action: Update to version 2.4.15, or a newer patched version
Plugin: Responsive Contact Form Builder & Lead Generation Plugin
Vulnerability: Arbitrary Settings Change
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: StatCounter – Free Real Time Visitor Stats
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: WP Email Users
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Review Slider
Vulnerability: SQL Injection
Patched Version: 11.0
Recommended Action: Update to version 11.0, or a newer patched version
Plugin: WordPress GDPR
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.27
Recommended Action: Update to version 1.9.27, or a newer patched version