Watch Out Wednesday – February 16, 2022

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: WP Cerber Security, Anti-spam & Malware Scan

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 8.9.6
Recommended Action: Update to version 8.9.6, or a newer patched version

Plugin: Advanced Product Labels for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.3.7
Recommended Action: Update to version 1.2.3.7, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Malicious SVG
Patched Version: 4.16.3
Recommended Action: Update to version 4.16.3, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: wpDiscuz <= 7.3.11 Sensitive Information Disclosure
Patched Version: 7.3.12
Recommended Action: Update to version 7.3.12, or a newer patched version

Plugin: Smart Forms – when you need more than just a contact form

Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: 2.6.71
Recommended Action: Update to version 2.6.71, or a newer patched version

Plugin: Relevanssi – A Better Search (Pro)

Vulnerability: Missing Authorization
Patched Version: 2.16.5
Recommended Action: Update to version 2.16.5, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Authenticated Stored Cross-Site Scripting via Shortcode
Patched Version: 4.16.3
Recommended Action: Update to version 4.16.3, or a newer patched version

Plugin: LoginPress | wp-login Custom Login Page Customizer

Vulnerability: Reflected Cross-Site Scripting via redirect-page Parameter
Patched Version: 1.5.12
Recommended Action: Update to version 1.5.12, or a newer patched version

Plugin: Social Media Feather | social media sharing

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 3.1.23
Recommended Action: Update to version 3.1.23, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Edit/Delete event via IDOR
Patched Version: 4.9.1
Recommended Action: Update to version 4.9.1, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Authenticated (or Cross-Site Request Forgery) Blind SQL Injection
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

Plugin: Video Conferencing with Zoom

Vulnerability: E-mail Address Disclosure
Patched Version: 3.8.17
Recommended Action: Update to version 3.8.17, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Event deletion via Cross-Site Request Forgery
Patched Version: 4.9.1
Recommended Action: Update to version 4.9.1, or a newer patched version

Plugin: YOP Poll

Vulnerability: Author+ Stored Cross-Site Scripting
Patched Version: 6.3.5
Recommended Action: Update to version 6.3.5, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Unauthenticated Blind SQL Injection
Patched Version: 13.1.5
Recommended Action: Update to version 13.1.5, or a newer patched version

Plugin: WP Visitor Statistics (Real Time Traffic)

Vulnerability: SQL Injection
Patched Version: 5.6
Recommended Action: Update to version 5.6, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Unauthenticated SQL Injection via bwg_tag_id_bwg_thumbnails_0 Parameter
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: E2Pdf – Export Pdf Tool for WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.16.45
Recommended Action: Update to version 1.16.45, or a newer patched version

Plugin: Ditty – Responsive News Tickers, Sliders, and Lists

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.15
Recommended Action: Update to version 3.0.15, or a newer patched version

Plugin: ووکامرس فارسی

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.9.8
Recommended Action: Update to version 5.9.8, or a newer patched version

Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Vulnerability: Subscriber+ User Avatar Override
Patched Version: 1.2.3.1
Recommended Action: Update to version 1.2.3.1, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.