Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: WP JS
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Coru LFMember
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: Content Mask
Vulnerability: Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 1.8.4.1
Recommended Action: Update to version 1.8.4.1, or a newer patched version
Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock
Vulnerability: Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: Hermit 音乐播放器
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Coru LFMember
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Subscribe
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version
Plugin: Codup WooCommerce Dynamic Pricing Table View
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.1.5
Recommended Action: Update to version 1.2.1.5, or a newer patched version
Plugin: 3CX Free Live Chat, Calls & WhatsApp
Vulnerability: Local File Inclusion
Patched Version: 9.4.3
Recommended Action: Update to version 9.4.3, or a newer patched version
Plugin: OAuth client Single Sign On for WordPress ( OAuth 2.0 SSO )
Vulnerability: Cross-Site Scripting
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: Subscribe To Comments Reloaded
Vulnerability: Cross-Site Request Forgery
Patched Version: 220502
Recommended Action: Update to version 220502, or a newer patched version
Plugin: Hermit 音乐播放器
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN
Vulnerability: Cross-Site Scripting
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version
Plugin: XML Sitemap Generator for Google
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: RSVPMaker
Vulnerability: Unauthenticated SQL Injection
Patched Version: 9.2.7
Recommended Action: Update to version 9.2.7, or a newer patched version
Plugin: Curtain
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Check & Log Email – Easy Email Testing & Mail logging
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: Footer Text
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ravpage
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.18
Recommended Action: Update to version 2.18, or a newer patched version
Plugin: Better Click To Tweet
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.10.2
Recommended Action: Update to version 5.10.2, or a newer patched version
Plugin: Enable SVG
Vulnerability: Cross-Site Scripting via SVG
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: WP Contacts Manager
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Breeze – WordPress Cache Plugin
Vulnerability: Unprotected AJAX Actions
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Admin+ Stored Cross-Site Scripting via breadcrumbs
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version
Plugin: WP-Invoice – Web Invoice and Billing
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version
Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock
Vulnerability: Pro Features Lock Bypass
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: StaffList
Vulnerability: Authenticated SQL Injection
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Arbitrary Redirect
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: Hermit 音乐播放器
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tabs Responsive – With WooCommerce Product Tabs Extension
Vulnerability: Editor+ Stored Cross-Site Scripting
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version
Plugin: All-in-One WP Migration and Backup
Vulnerability: Directory Traversal to File Deletion on Windows Hosts
Patched Version: 7.59
Recommended Action: Update to version 7.59, or a newer patched version
Plugin: Nirweb support
Vulnerability: SQL Injection
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version
Plugin: Hermit 音乐播放器
Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
