Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about risks to your site and take appropriate action. For each entry below, compare the installed version against the patched version and update, or, where no patch exists, mitigate or remove the plugin; addressing these issues promptly reduces the risk to your WordPress site and its data.
Plugin: Mega Menu Plugin for WordPress – AP Mega Menu
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Information Disclosure
Patched Version: 1.14.14
Recommended Action: Update to version 1.14.14, or a newer patched version
Plugin: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 1.12.1
Recommended Action: Update to version 1.12.1, or a newer patched version
Plugin: Simple Link Directory
Vulnerability: Unauthenticated SQL Injection
Patched Version: 7.7.2
Recommended Action: Update to version 7.7.2, or a newer patched version
Plugin: Contact Form X
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Database Peek
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sermon Browser
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPC Smart Wishlist for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version
Plugin: Delete Old Orders
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar
Vulnerability: SQL Injection
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version
Plugin: Advanced Booking Calendar
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Modern Events Calendar Lite
Vulnerability: Stored Cross-Site Scripting
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version
Plugin: Mapping multiple URLs redirect same page
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booking for Appointments and Events Calendar – Amelia
Vulnerability: Not specified in this list (affects versions before 1.0.47)
Patched Version: 1.0.47
Recommended Action: Update to version 1.0.47, or a newer patched version
Plugin: Photoswipe Masonry Gallery
Vulnerability: Not specified in this list
Patched Version: 1.2.15
Recommended Action: Update to version 1.2.15, or a newer patched version
Plugin: Bulk Creator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booking for Appointments and Events Calendar – Amelia
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.47
Recommended Action: Update to version 1.0.47, or a newer patched version
Plugin: BackUpWordPress
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Information Disclosure
Patched Version: 3.13
Recommended Action: Update to version 3.13, or a newer patched version
Plugin: Mistape
Vulnerability: Backdoor
Patched Version: No patched version available
Recommended Action: No known patch available. Because this is a backdoor rather than an accidental bug, mitigating around it is not enough: remove the plugin, then review the site for signs of compromise (unexpected administrator accounts, modified core or plugin files, unfamiliar scheduled tasks) before trusting it again, and find a replacement if the functionality is needed.
Plugin: Simple Membership
Vulnerability: Cross-Site Request Forgery to Arbitrary Transaction Deletion
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version
Plugin: Pz-LinkCard
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.5.2
Recommended Action: Update to version 2.4.5.2, or a newer patched version
Plugin: Online Payment for Bank Mellat
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Pricing Table Builder – AP Pricing Tables Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: AI Infographic Maker
Vulnerability: SQL Injection
Patched Version: 4.3.8
Recommended Action: Update to version 4.3.8, or a newer patched version
Plugin: dTabs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress File Upload
Vulnerability: Authenticated (Contributor+) Path Traversal
Patched Version: 4.16.3
Recommended Action: Update to version 4.16.3, or a newer patched version
Plugin: OSMapper
Vulnerability: Unauthenticated Arbitrary Post Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: String locator
Vulnerability: Authenticated Arbitrary File Read
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: Booking for Appointments and Events Calendar – Amelia
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.47
Recommended Action: Update to version 1.0.47, or a newer patched version
Plugin: Narnoo Distributor
Vulnerability: Path Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booking for Appointments and Events Calendar – Amelia
Vulnerability: Not specified in this list (affects versions before 1.0.47)
Patched Version: 1.0.47
Recommended Action: Update to version 1.0.47, or a newer patched version
Plugin: FormCraft – Form Builder
Vulnerability: Server Side Request Forgery
Patched Version: 3.8.28
Recommended Action: Update to version 3.8.28, or a newer patched version
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.1.12
Recommended Action: Update to version 11.1.12, or a newer patched version
Plugin: Google Authenticator – WordPress 2FA, OTP SMS and Email
Vulnerability: Unauthenticated Arbitrary Options Deletion
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version
Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Vulnerability: SQL Injection
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version
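The recommended actions above all reduce to one check per entry: is the installed version at or above the patched version, and if there is no patched version, is the plugin installed at all? The following Python is an added example (not part of the original post, and not code from any of the plugins or vendors listed) that parses entries in the four-line format used above and reconciles them against a plugin inventory. The five advisory entries embedded in it are copied from this list; the installed versions are constructed for the example, and matching on the plugin's display name is an assumption, since a real inventory from `wp plugin list` may report a slug or title that differs from the name used here.

```python
"""Added triage helper: flag installed WordPress plugins that an advisory list
says need updating or removing.  Advisory entries are copied from the list
above; the installed inventory is constructed for the example."""
import re
from dataclasses import dataclass
from typing import Optional

NO_PATCH = "No patched version available"


@dataclass(frozen=True)
class Advisory:
    plugin: str
    vulnerability: str
    patched: Optional[str]  # None when the list says no patched version exists


def parse_advisories(text: str) -> list:
    """Parse 'Plugin / Vulnerability / Patched Version / Recommended Action'
    entries.  Only the first colon on a line separates key from value, so
    plugin names and action text containing punctuation are kept intact."""
    entries, fields = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip()
        fields[key] = value.strip()
        if key == "Recommended Action":  # last field of each entry
            patched = fields.get("Patched Version", NO_PATCH)
            entries.append(Advisory(
                plugin=fields["Plugin"],
                vulnerability=fields.get("Vulnerability", ""),
                patched=None if patched == NO_PATCH else patched,
            ))
            fields = {}
    return entries


def version_tuple(version: str) -> tuple:
    """'2.4.5.2' -> (2, 4, 5, 2); '3.13.0' -> (3, 13).  Only the leading
    digits of each segment count, so a pre-release suffix such as '1.0-rc1'
    compares equal to its release.  That is acceptable for a patched-version
    check but worth knowing about."""
    parts = []
    for seg in version.strip().split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    while len(parts) > 1 and parts[-1] == 0:  # treat 3.13.0 as 3.13
        parts.pop()
    return tuple(parts)


def is_patched(installed: str, patched: str) -> bool:
    """True when the installed version is the patched one or newer.  Tuples
    compare element-wise, so (3, 13, 1) >= (3, 13) and (2, 4, 5) < (2, 4, 5, 2)."""
    return version_tuple(installed) >= version_tuple(patched)


def triage(advisories, installed) -> list:
    """Return (plugin, vulnerability, status) for every advisory.
    `installed` maps plugin name -> installed version."""
    rows = []
    for adv in advisories:
        have = installed.get(adv.plugin)
        if have is None:
            status = "NOT_INSTALLED"
        elif adv.patched is None:
            status = "REMOVE_OR_MITIGATE"  # no fix exists; see the list's advice
        elif is_patched(have, adv.patched):
            status = "OK"
        else:
            status = "UPDATE"
        rows.append((adv.plugin, adv.vulnerability, status))
    return rows


# Entries copied from the list above.
SAMPLE_ADVISORIES = """
Plugin: BackUpWordPress
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Information Disclosure
Patched Version: 3.13
Recommended Action: Update to version 3.13, or a newer patched version
Plugin: Pz-LinkCard
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.5.2
Recommended Action: Update to version 2.4.5.2, or a newer patched version
Plugin: Contact Form X
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Simple Link Directory
Vulnerability: Unauthenticated SQL Injection
Patched Version: 7.7.2
Recommended Action: Update to version 7.7.2, or a newer patched version
Plugin: Database Peek
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability's details in depth.
"""

# Constructed inventory (hypothetical versions) standing in for `wp plugin list`.
SAMPLE_INSTALLED = {
    "BackUpWordPress": "3.13.1",
    "Pz-LinkCard": "2.4.5",
    "Contact Form X": "2.3",
    "Database Peek": "1.0",
}


def sample_report() -> list:
    return triage(parse_advisories(SAMPLE_ADVISORIES), SAMPLE_INSTALLED)


if __name__ == "__main__":
    for plugin, vuln, status in sample_report():
        print(f"{status:<19} {plugin}: {vuln}")
```

To run this against a real site, build the `installed` mapping from `wp plugin list --fields=title,version --format=csv` and paste the week's entries into the advisory text. The version comparison is the part most worth keeping: a naive string comparison would call "3.9" newer than "3.13" and "2.4.5" equal to "2.4.5.2", which is exactly the kind of mistake that leaves a vulnerable plugin marked as patched.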
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.