Watch Out Wednesday – June 8, 2022

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: 404 to 301 – Redirect, Log and Notify 404 Errors

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Skitter Slideshow

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Admin+ SQL Injection
Patched Version: 17.0.5
Recommended Action: Update to version 17.0.5, or a newer patched version

Plugin: HTML2WP

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login with TOTP (Google Authenticator, Microsoft Authenticator)

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Add Post URL

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Server-Side Request Forgery
Patched Version: 6.5.3
Recommended Action: Update to version 6.5.3, or a newer patched version

Plugin: Modula Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: Cimy Header Image Rotator

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Limit Login Attempts

Vulnerability: Administrator+ Cross-Site Scripting
Patched Version: 4.0.72
Recommended Action: Update to version 4.0.72, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 6.3.0
Recommended Action: Update to version 6.3.0, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Request Forgery to Field Import and PHP Object Injection
Patched Version: 3.6.10
Recommended Action: Update to version 3.6.10, or a newer patched version

Plugin: Login using WordPress Users ( WP as SAML IDP )

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.13.4
Recommended Action: Update to version 1.13.4, or a newer patched version

Plugin: Nested Pages

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.1.21
Recommended Action: Update to version 3.1.21, or a newer patched version

Plugin: Pricing Tables WordPress Plugin – Easy Pricing Tables

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Export any WordPress data to XML/CSV

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Login with TOTP (Google Authenticator, Microsoft Authenticator)

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.7
Recommended Action: Update to version 3.6.7, or a newer patched version

Plugin: Easy SVG Support

Vulnerability: Cross-Site Scripting via SVG Upload
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: HTML2WP

Vulnerability: Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Active Products Tables for WooCommerce. Use constructor to create tables

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Qubely – Advanced Gutenberg Blocks

Vulnerability: Missing Authorization
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: 3D Product configurator for WooCommerce

Vulnerability: Arbitrary File Deletion
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Download Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.43
Recommended Action: Update to version 3.2.43, or a newer patched version

Plugin: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.22.10
Recommended Action: Update to version 4.22.10, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Unauthenticated Plugin Settings Reset
Patched Version: 4.3.6
Recommended Action: Update to version 4.3.6, or a newer patched version

Plugin: Google Authenticator – WordPress 2FA, OTP SMS and Email

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 5.5.6
Recommended Action: Update to version 5.5.6, or a newer patched version

Plugin: WordPress Security – Firewall, Malware Scanner, Secure Login and Backup

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: Woody code snippets – Insert Header Footer Code, AdSense Ads

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: SAML Single Sign On – SSO Login

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.21
Recommended Action: Update to version 4.9.21, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: No subtitle
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: New User Approve

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: HTML2WP

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Co-Authors Plus

Vulnerability: 3.5.1
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: Social Share Buttons by Supsystic

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Menu Cart for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version

Plugin: Ultimate WooCommerce CSV Importer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PDF Invoices & Packing Slips for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 2.15
Recommended Action: Update to version 2.15, or a newer patched version

Plugin: Simple Single Sign On

Vulnerability: Insecure OAuth Implementation to Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wp-championship

Vulnerability: Multiple Cross-Site Request Forgery Vulnerabilities
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version

Plugin: NextCellent Gallery – NextGEN Legacy

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Trade Runner

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.10
Recommended Action: Update to version 3.10, or a newer patched version

Plugin: My Content Management

Vulnerability: Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Image Gallery – Grid Gallery

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: core plugin for kitestudio themes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: MyCSS

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Menu Cart

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version

Plugin: Malware Scanner

Vulnerability: Cross-Site Scripting
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: Currency Switcher for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Contact Form DB – Elementor

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Browser and Operating System Finder

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Site Offline or Coming Soon

Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
