Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box
Vulnerability: Cross-Site Request Forgery
Patched Version: 20220216
Recommended Action: Update to version 20220216, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Arbitrary File Upload
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: EXMAGE – WordPress Image Links
Vulnerability: Admin+ Blind SSRF
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: WP 2FA – Two-factor authentication for WordPress
Vulnerability: Insecure Direct Object Reference
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box
Vulnerability: Sensitive Information Disclosure
Patched Version: 20220216
Recommended Action: Update to version 20220216, or a newer patched version
Plugin: MapSVG
Vulnerability: SQL Injection
Patched Version: 6.2.20
Recommended Action: Update to version 6.2.20, or a newer patched version
Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fancy Product Designer
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 4.7.6
Recommended Action: Update to version 4.7.6, or a newer patched version
Plugin: Ubigeo de Perú para Woocommerce y WordPress
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: SQL Injection
Patched Version: 13.1.0.6
Recommended Action: Update to version 13.1.0.6, or a newer patched version
Plugin: Personal Dictionary – Vocabulary Games, Memory Games
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Visual Slide Box Builder
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fast Flow
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version
Plugin: Custom Cart Link for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin
Vulnerability: Multiple Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Sensitive Information Exposure
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Open Close WooCommerce Store – Best Business Schedules Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: Advanced uploader
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Videos sync PDF
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BMI BMR Calculator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Books & Papers
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.20220219
Recommended Action: Update to version 0.20220219, or a newer patched version
Plugin: Build 5 Star Reviews on Google Reviews, Yelp, Facebook… easily and risk-free | RRatingg
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.2.54
Recommended Action: Update to version 1.2.54, or a newer patched version
Plugin: SEMA API
Vulnerability: SQL Injection
Patched Version: 4.02
Recommended Action: Update to version 4.02, or a newer patched version
Plugin: WP Video Gallery
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Booking Calendar
Vulnerability: PHP Object Injection via Shortcode
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version
Plugin: Web To Print Shop : uDraw
Vulnerability: Unauthenticated Arbitrary File Access
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Admin Menu Editor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RSFirewall!
Vulnerability: IP Address Spoofing
Patched Version: 1.1.25
Recommended Action: Update to version 1.1.25, or a newer patched version
Plugin: th23 Social
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event List
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.8.8
Recommended Action: Update to version 0.8.8, or a newer patched version
Plugin: BadgeOS
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version
Plugin: LifterLMS Paypal
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: External Media without Import
Vulnerability: Authenticated (Subscriber+) Blind Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version
Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.16.5
Recommended Action: Update to version 1.16.5, or a newer patched version
Plugin: Wbcom Designs – BuddyPress Member Reviews
Vulnerability: Arbitrary Plugin Installation, Activation and Deactivation
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version
Plugin: Custom TinyMCE Shortcode Button
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Appointment Booking and Scheduling Calendar Plugin – Webba Booking
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.2.22
Recommended Action: Update to version 4.2.22, or a newer patched version
Plugin: Advanced Image Sitemap
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: IgniteUp – Coming Soon and Maintenance Mode
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: AGIL(Automatic Grid Image Listing)
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easily Generate Rest API Url
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Daily Prayer Time
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2022.03.01
Recommended Action: Update to version 2022.03.01, or a newer patched version
Plugin: Avada (Fusion) Builder
Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version
Plugin: Multiple Shipping Address Woocommerce
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: Autolinks
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: 3.6.2
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version
Plugin: Ad Invalid Click Protector (AICP)
Vulnerability: Cross-Site Request Forgery to Arbitrary Ban Deletion
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Popup by Supsystic
Vulnerability: Sensitive Information Disclosure
Patched Version: 1.10.9
Recommended Action: Update to version 1.10.9, or a newer patched version
Plugin: Product Filter For WooCommerce Product
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Documentor – Create Product Documentation
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Bulk Edit and Create User Profiles – WP Sheet Editor
Vulnerability: Cross-Site Scripting
Patched Version: 1.5.14
Recommended Action: Update to version 1.5.14, or a newer patched version
Plugin: Tipsacarrier
Vulnerability: Missing Authorization to Order Disclosure
Patched Version: 1.5.0.5
Recommended Action: Update to version 1.5.0.5, or a newer patched version
Plugin: SiteSuperCharger
Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version
Plugin: BulletProof Security
Vulnerability: Stored Cross-Site Scripting
Patched Version: 6.1
Recommended Action: Update to version 6.1, or a newer patched version
Plugin: Slide Anything – Responsive Content / HTML Slider and Carousel
Vulnerability: Editor+ Cross-Site Scripting
Patched Version: 2.3.44
Recommended Action: Update to version 2.3.44, or a newer patched version
Plugin: WP Maintenance
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 6.0.6
Recommended Action: Update to version 6.0.6, or a newer patched version
Plugin: Sitemap by click5
Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 1.0.36
Recommended Action: Update to version 1.0.36, or a newer patched version
Plugin: Modern Events Calendar Lite
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 6.5.2
Recommended Action: Update to version 6.5.2, or a newer patched version
Plugin: WP Social Buttons
Vulnerability: Admin+ Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version