Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. Addressing these vulnerabilities promptly, by updating or removing the affected plugins, helps protect the integrity of your WordPress site and its data.
Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Vulnerability: Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.1.28
Recommended Action: Update to version 3.1.28, or a newer patched version
Plugin: Pagebar2
Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
Patched Version: 2.66
Recommended Action: Update to version 2.66, or a newer patched version
Plugin: Sharebar
Vulnerability: Cross-Site Request Forgery to Settings Update & Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Import CSV Files
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.8
Recommended Action: Update to version 2.9.8, or a newer patched version
Plugin: Very Simple Breadcrumb
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Dyslexiefont Free
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version
Plugin: Export to Text
Vulnerability: Unauthenticated Post Export
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bold Page Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Authenticated Stored Cross-Site Scripting via Element URL
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: WP Accessibility Helper (WAH)
Vulnerability: Reflected Cross-Site Scripting via wahi
Patched Version: 0.6.0.7
Recommended Action: Update to version 0.6.0.7, or a newer patched version
Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version
Plugin: Admin Management Xtended
Vulnerability: Cross-Site Request Forgery to Post Status Update
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
Plugin: Send PDF for Contact Form 7
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 0.9.2
Recommended Action: Update to version 0.9.2, or a newer patched version
Plugin: Photo Gallery by Supsystic
Vulnerability: Cross-Site Request Forgery to Plugin Settings Change
Patched Version: 1.15.6
Recommended Action: Update to version 1.15.6, or a newer patched version
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.11
Recommended Action: Update to version 4.1.11, or a newer patched version
Plugin: Rename wp-login.php
Vulnerability: Cross-Site Request Forgery & Unauthenticated Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wbcom Designs – BuddyPress Group Reviews
Vulnerability: Unauthorized AJAX Actions due to Nonce Bypass
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version
Plugin: Hot Linked Image Cacher
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Multisite Content Copier/Updater
Vulnerability: Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Simple Page Ordering
Vulnerability: Open Redirect
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version
Plugin: Interactive Medical Drawing of Human Body
Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: Pricing Deals for WooCommerce
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: WP Duplicate Page
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: Button Widget Smartsoft
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SP Project & Document Manager
Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting
Patched Version: 4.57
Recommended Action: Update to version 4.57, or a newer patched version
Plugin: FoxyShop
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.8.2
Recommended Action: Update to version 4.8.2, or a newer patched version
Plugin: iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more
Vulnerability: Server-Side Request Forgery
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: Best Contact Management Software for WordPress
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LightStart – Maintenance Mode, Coming Soon and Landing Page Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
Plugin: Special Text Boxes
Vulnerability: Cross-Site Scripting
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version
Plugin: LinkedIn Company Updates
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version
Plugin: CDI – Collect and Deliver Interface for Woocommerce
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 5.1.10
Recommended Action: Update to version 5.1.10, or a newer patched version
Plugin: WooCommerce
Vulnerability: Authenticated (Admin+) HTML Injection
Patched Version: 6.6.0
Recommended Action: Update to version 6.6.0, or a newer patched version
Plugin: Cache Images
Vulnerability: Missing Authorization
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Shortcut Macros
Vulnerability: Missing Authorization to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PDF Invoices & Packing Slips for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.16.0
Recommended Action: Update to version 2.16.0, or a newer patched version
Plugin: W3 Total Cache
Vulnerability: Information Exposure
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: Comment License
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: MainWP Dashboard: WordPress Management without the SaaS
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.5
Recommended Action: Update to version 4.2.5, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Sensitive Information Disclosure
Patched Version: 2.21.0
Recommended Action: Update to version 2.21.0, or a newer patched version
Plugin: Power BI Embedded for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: WP OER
Vulnerability: Cross-Site Scripting
Patched Version: 0.9.1
Recommended Action: Update to version 0.9.1, or a newer patched version
Plugin: Download Manager
Vulnerability: Contributor+ Cross-Site Scripting
Patched Version: 3.2.47
Recommended Action: Update to version 3.2.47, or a newer patched version
Plugin: Thumbnail For Excerpts
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HC Custom WP-Admin URL
Vulnerability: Missing Authorization to Login URL Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 4.1.11
Recommended Action: Update to version 4.1.11, or a newer patched version
Plugin: Awin Data Feed
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: Cache Images
Vulnerability: Cross-Site Request Forgery to Image Upload
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: WP-Paginate
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: Page Link Manager
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Awin Data Feed
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: MashShare – Social Media Share Buttons, Social Share Icons
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version
Plugin: Print My Blog – Print, PDF, & eBook Converter WordPress Plugin
Vulnerability: Unprotected AJAX Actions
Patched Version: 3.15.9
Recommended Action: Update to version 3.15.9, or a newer patched version
Plugin: FLV Embed
Vulnerability: Cross-Site Request Forgery to Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Premium Courses & eLearning with Paid Memberships Pro for LearnDash, LifterLMS, Sensei LMS & TutorLMS
Vulnerability: SQL Injection
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: WooCommerce – Product Importer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Code Injection
Patched Version: 3.0.34.2
Recommended Action: Update to one of the following versions, or a newer patched version: 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, 3.6.11
Plugin: OnePress Opt-In Panda
Vulnerability: Missing Authorization on AJAX Actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Opt-in
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Brizy – Page Builder
Vulnerability: Authenticated Stored Cross-Site Scripting via Element Content
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: Lana Email Tester
Vulnerability: Missing Authorization to Mail Relay & Cross-Site Request Forgery
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.