Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Image Slider
Vulnerability: Subscriber+ SQL Injection
Patched Version: 1.1.121
Recommended Action: Update to version 1.1.121, or a newer patched version
Plugin: Filr – Secure document library
Vulnerability: Missing Authorization
Patched Version: 1.2.2.1
Recommended Action: Update to version 1.2.2.1, or a newer patched version
Plugin: GTM4WP – A Google Tag Manager (GTM) plugin for WordPress
Vulnerability: Reflected Cross-Site Scripting via Site Search
Patched Version: 1.15.1
Recommended Action: Update to version 1.15.1, or a newer patched version
Plugin: Webriti SMTP Mail
Vulnerability: Cross-Site Request Forgery to options update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Promotion Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Jupiter X Core
Vulnerability: Authenticated Arbitrary Plugin Deactivation and Settings Modification
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: Genki Pre-Publish Reminder
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Member Hero
Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: OnePress Social Locker
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Core Control
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Tainacan
Vulnerability: Cross-Site Scripting
Patched Version: 0.18.10
Recommended Action: Update to version 0.18.10, or a newer patched version
Plugin: Zephyr Project Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.41
Recommended Action: Update to one of the following versions, or a newer patched version: 3.2.41, 3.2.5
Plugin: VS Contact Form
Vulnerability: Captcha Bypass
Patched Version: 11.6
Recommended Action: Update to version 11.6, or a newer patched version
Plugin: Themify – WooCommerce Product Filter
Vulnerability: WooCommerce Product Filter <= 1.3.7
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: WP-chgFontSize
Vulnerability: Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RB Internal Links
Vulnerability: Cross-Site Request Forgery to Settings update and Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-CRM – Customer Relations Management for WordPress
Vulnerability: CSV injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rating by BestWebSoft
Vulnerability: Rating Denial of Service
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Appointment Hour Booking – WordPress Booking Plugin
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3.56
Recommended Action: Update to version 1.3.56, or a newer patched version
Plugin: Ocean Extra
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version
Plugin: Sticky Popup
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MailerLite – Signup forms (official)
Vulnerability: Signup forms <= 1.5.3
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Custom Share Buttons with Floating Sidebar
Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Plugin: WooCommerce Builder & Gutenberg WooCommerce Blocks – WowStore
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version
Plugin: Image Slider
Vulnerability: Cross-Site Request Forgery to Post Duplication
Patched Version: 1.1.123
Recommended Action: Update to version 1.1.123, or a newer patched version
Plugin: CRM WordPress Plugin – RepairBuddy
Vulnerability: SQL Injection
Patched Version: 3.73
Recommended Action: Update to version 3.73, or a newer patched version
Plugin: One Click Plugin Updater
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Latest Tweets Widget
Vulnerability: Arbitrary Settings Update via Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: New User Email Set Up
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Passwords Manager
Vulnerability: Cross-Site Scripting via pwdms_csv_category parameter
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: WP SVG Icons
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HC Custom WP-Admin URL
Vulnerability: Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Keep Backup Daily
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: WP Admin Style
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sideblog WordPress Plugin
Vulnerability: Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HC Custom WP-Admin URL
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: a3 Portfolio
Vulnerability: Cross-Site Request Forgery to Settings Changes
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Slideshow CK
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.4.10
Recommended Action: Update to version 1.4.10, or a newer patched version
Plugin: Change Uploaded File Permissions
Vulnerability: Cross-Site Request Forgery to Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Static Page eXtended
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quick Subscribe
Vulnerability: Cross-Site Request Forgery to Arbitrary Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Peter’s Collaboration E-mails
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Jupiter X Core
Vulnerability: Authenticated Privilege Escalation
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: Carousel CK
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Export any WordPress data to XML/CSV
Vulnerability: Authenticated SQL Injection
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Gallery for Social Photo
Vulnerability: Cross-Site Request Forgery to Post Duplication
Patched Version: 1.0.0.29
Recommended Action: Update to version 1.0.0.29, or a newer patched version
Plugin: KiviCare – Clinic & Patient Management System (EHR)
Vulnerability: SQL Injection
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version
Plugin: Email Users
Vulnerability: Arbitrary Settings Update via Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gallery for Social Photo
Vulnerability: Subscriber+ SQL Injection
Patched Version: 1.0.0.27
Recommended Action: Update to version 1.0.0.27, or a newer patched version
Plugin: RSVP and Event Tickets, Event Management, Events Calendar Plugin
Vulnerability: Cross-Site Scripting
Patched Version: 3.8.5
Recommended Action: Update to version 3.8.5, or a newer patched version
Plugin: Code Snippets
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.14.4
Recommended Action: Update to version 2.14.4, or a newer patched version
Plugin: Second Street
Vulnerability: Stored Cross-Site Scripting via organization_id
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version
Plugin: Auto Delete Posts
Vulnerability: Cross-Site Request Forgery to Arbitrary Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Log WP_Mail
Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Seamless Donations is Sunset
Vulnerability: Cross-Site Scripting
Patched Version: 5.1.13
Recommended Action: Update to version 5.1.13, or a newer patched version
Plugin: Private Files
Vulnerability: Cross-Site Request Forgery to Disable Protection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LaTeX for WordPress
Vulnerability: Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shapely Companion
Vulnerability: Unprotected AJAX Action to Content Import
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Simple Membership
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version
Plugin: Newsletter – Send awesome emails from WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.4.5
Recommended Action: Update to version 7.4.5, or a newer patched version
Plugin: Like Button Rating ♥ LikeBtn
Vulnerability: Arbitrary e-mail Sending
Patched Version: 2.6.45
Recommended Action: Update to version 2.6.45, or a newer patched version
Plugin: Jupiter X Core
Vulnerability: Information Disclosure, Modification, and Denial of Service
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: postTabs
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Cross-Site Scripting
Patched Version: 13.2.0
Recommended Action: Update to version 13.2.0, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
