Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities promptly, you help ensure the safety and integrity of your WordPress site and its data.
Plugin: a3 Responsive Slider
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Data Tables Generator by Supsystic
Vulnerability: Cross-Site Scripting
Patched Version: 1.10.20
Recommended Action: Update to version 1.10.20, or a newer patched version
Plugin: Download Monitor
Vulnerability: Authenticated Arbitrary File Download
Patched Version: 4.5.91
Recommended Action: Update to version 4.5.91, or a newer patched version
Plugin: Contact Form 7 Captcha
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.1.2
Recommended Action: Update to version 0.1.2, or a newer patched version
Plugin: Post Comments as bbPress Topics
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: Request a Quote
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version
Plugin: GTM Server Side
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Simple Page Transition
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: Page Generator
Vulnerability: Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version
Plugin: Name Directory
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.25.4
Recommended Action: Update to version 1.25.4, or a newer patched version
Plugin: eBay Dropshipping and Affiliate by Wooshark
Vulnerability: Unprotected AJAX Actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: W-DALIL
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Login with WHMCS
Vulnerability: Authentication Bypass
Patched Version: 1.11.4
Recommended Action: Update to version 1.11.4, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 4.4.9
Recommended Action: Update to version 4.4.9, or a newer patched version
Plugin: Freshdesk (official)
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: DX Share Selection
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: The School Management Pro
Vulnerability: Remote Code Execution
Patched Version: 9.9.7
Recommended Action: Update to version 9.9.7, or a newer patched version
Plugin: Dropdown Menu Widget
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Header Footer Code Manager
Vulnerability: Cross-Site Scripting
Patched Version: 1.1.24
Recommended Action: Update to version 1.1.24, or a newer patched version
Plugin: 404s
Vulnerability: Administrator+ Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version
Plugin: Login with Cognito
Vulnerability: Authentication Bypass
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Sensitive File Disclosure
Patched Version: 4.58
Recommended Action: Update to version 4.58, or a newer patched version
Plugin: Simple Post Notes
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: Accept Stripe Payments
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.64
Recommended Action: Update to version 2.0.64, or a newer patched version
Plugin: Page Generator
Vulnerability: Cross-Site Request Forgery to Arbitrary Keywords Deletion/Duplication
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version
Plugin: Advanced Database Cleaner
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version
Plugin: Loading Page with Loading Screen
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.83
Recommended Action: Update to version 1.0.83, or a newer patched version
Plugin: Import any XML, CSV or Excel File to WordPress
Vulnerability: Authenticated (Administrator+) Arbitrary Code Execution
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: Download Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.44
Recommended Action: Update to version 3.2.44, or a newer patched version
Plugin: WordPress OpenID Connect Client
Vulnerability: Authentication Bypass
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: Re:amaze Helpdesk & Live Chat
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Vulnerability: Cross-Site Scripting
Patched Version: 2.6.10
Recommended Action: Update to version 2.6.10, or a newer patched version
Plugin: OAuth Single Sign On – SSO (OAuth Client)
Vulnerability: Cross-Site Scripting
Patched Version: 6.23.0
Recommended Action: Update to version 6.23.0, or a newer patched version
Plugin: Google Authenticator – WordPress 2FA, OTP SMS and Email
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.75
Recommended Action: Update to version 5.5.75, or a newer patched version
Plugin: Insights from Google PageSpeed
Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
Plugin: Ad Inserter Pro
Vulnerability: Arbitrary File Modification
Patched Version: 2.7.16
Recommended Action: Update to version 2.7.16, or a newer patched version
Plugin: Request a Quote
Vulnerability: CSV Injection
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version
Plugin: Football Live Scores
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Free Live Chat Support
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version
Plugin: Custom Product Tabs for WooCommerce
Vulnerability: Subscriber+ Settings Update
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version
Plugin: Our Services Showcase
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Dropshipping and affiliates for Amazon and woocommerce
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Jquery Validation For Contact Form 7
Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version
Plugin: OAuth 2.0 client for SSO
Vulnerability: Authentication Bypass
Patched Version: 1.11.4
Recommended Action: Update to version 1.11.4, or a newer patched version
Plugin: OAuth Single Sign On – SSO (OAuth Client)
Vulnerability: Authentication Bypass
Patched Version: 6.22.6
Recommended Action: Update to version 6.22.6, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.