Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities promptly, typically by updating to the patched version listed for each plugin, you reduce the risk to your WordPress site and its data.
Plugin: Favicon by RealFaviconGenerator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.23
Recommended Action: Update to version 1.3.23, or a newer patched version
Plugin: Convert to Blocks
Vulnerability: Prototype Pollution
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: iQ Block Country
Vulnerability: Admin+ Arbitrary File Deletion via Zip Slip
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version
Plugin: Podcast Importer SecondLine
Vulnerability: SQL Injection
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Export All URLs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Plugin: WP Downgrade | Specific Core Version
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: Loco Translate
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: FV Flowplayer Video Player
Vulnerability: SQL Injection
Patched Version: 7.5.18.727
Recommended Action: Update to version 7.5.18.727, or a newer patched version
Plugin: Yoo Slider – Image Slider & Video Slider
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Export All URLs
Vulnerability: Cross-Site Request Forgery to Sensitive Data Export
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version
Plugin: Advanced Booking Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: Ad Injection
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Article Directory
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘publish_terms_text’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive Menu – Create Mobile-Friendly Menu
Vulnerability: Missing Authorization Checks
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version
Plugin: Salon Booking System
Vulnerability: Sensitive Data Disclosure
Patched Version: 7.6.3
Recommended Action: Update to version 7.6.3, or a newer patched version
Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
Vulnerability: SQL Injection
Patched Version: 6.930
Recommended Action: Update to version 6.930, or a newer patched version
Plugin: Yoo Slider – Image Slider & Video Slider
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Easy Social Icons
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Email Address Disclosure
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: Salon Booking System
Vulnerability: Sensitive Information Disclosure
Patched Version: 7.6.3
Recommended Action: Update to version 7.6.3, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Reflected Cross-Site Scripting via sub_page Parameter
Patched Version: 0.9.70
Recommended Action: Update to version 0.9.70, or a newer patched version
Plugin: Advanced Booking Calendar
Vulnerability: Authenticated SQL Injection
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: Product Table for WooCommerce by CodeAstrology (wooproducttable.com)
Vulnerability: Missing Authorization
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: Download Manager
Vulnerability: Unauthenticated Brute Force of File Master Key
Patched Version: 3.2.39
Recommended Action: Update to version 3.2.39, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.