Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: WP phpMyAdmin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.0.4
Recommended Action: Update to version 5.2.0.4, or a newer patched version
Plugin: Add Hierarchy (parent) to post
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.13
Recommended Action: Update to version 3.13, or a newer patched version
Plugin: WP OAuth Server ( Login with WordPress )
Vulnerability: Authentication Bypass
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version
Plugin: Debug Bar – Enable WP_DEBUG from admin dashboard
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.86
Recommended Action: Update to version 1.86, or a newer patched version
Plugin: MailerLite – Signup forms (official)
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: ActiveDEMAND
Vulnerability: Missing Authorization Checks
Patched Version: 0.2.28
Recommended Action: Update to version 0.2.28, or a newer patched version
Plugin: Social Slider Feed
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Social Slider Feed
Vulnerability: Missing Authorization to Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Fast Flow
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version
Plugin: Download Manager
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 3.2.49
Recommended Action: Update to version 3.2.49, or a newer patched version
Plugin: Profile & Dashboard fields [Modify/Disable/Remove]
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version
Plugin: API info for Plugins & Themes from WP.ORG
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.05
Recommended Action: Update to version 1.05, or a newer patched version
Plugin: Social Slider Feed
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: Images Asynchronous Load
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.06
Recommended Action: Update to version 1.06, or a newer patched version
Plugin: WordPress Button Plugin MaxButtons
Vulnerability: Shortcode-Based Cross-Site Scripting
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version
Plugin: Auto-hyperlink URLs
Vulnerability: Tab Nabbing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Slider Feed
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Download Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.49
Recommended Action: Update to version 3.2.49, or a newer patched version
Plugin: Team – Team Members Showcase Plugin
Vulnerability: WordPress Team Member Showcase Plugin <= 4.1.1
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version
Plugin: Simple SEO
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.92
Recommended Action: Update to version 1.7.92, or a newer patched version
Plugin: Rich Reviews by Starfish
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.15
Recommended Action: Update to version 1.9.15, or a newer patched version
Plugin: Highlight Searched Terms in Results
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version
Plugin: Yotpo Reviews for WooCommerce (Unofficial)
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Download buttons for Youtube videos
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version
Plugin: Ninja Job Board – Ultimate WordPress Job Board Plugin
Vulnerability: Information Disclosure
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: SEO Redirection Plugin – 301 Redirect Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 9.1
Recommended Action: Update to version 9.1, or a newer patched version
Plugin: Banner Cycler
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: My Calendar – Accessible Event Manager
Vulnerability: Open Redirect
Patched Version: 3.3.17
Recommended Action: Update to version 3.3.17, or a newer patched version
Plugin: WP Edit Menu
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Hotel Booking
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.6
Recommended Action: Update to version 1.10.6, or a newer patched version
Plugin: WordPress Button Plugin MaxButtons
Vulnerability: Cross-Site Request Forgery
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version
Plugin: ЮKassa для WooCommerce
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: LinkWorth Plugin
Vulnerability: Cross-Site Request Forgery to Plugin Setting Update
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: A WordPress Testimonial Plugin to Showcase Testimonial Slider, Testimonial Grid and More: Solid Testimonials
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version
Plugin: Student Result or Employee Database
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: Simple Job Board
Vulnerability: Information Disclosure
Patched Version: 2.9.10
Recommended Action: Update to version 2.9.10, or a newer patched version
Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More
Vulnerability: Sensitive Information Disclosure
Patched Version: 1.4.7.1
Recommended Action: Update to version 1.4.7.1, or a newer patched version
Plugin: Built-in Widgets Query extend (Custom Post Types & more)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.06
Recommended Action: Update to version 1.06, or a newer patched version
Plugin: ЮKassa для WooCommerce
Vulnerability: Missing Authorization
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 7.9.7
Recommended Action: Update to version 7.9.7, or a newer patched version
Plugin: WordPress Button Plugin MaxButtons
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version
Plugin: All custom fields & groups
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.05
Recommended Action: Update to version 1.05, or a newer patched version
Plugin: Breadcrumbs Shortcode
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.45
Recommended Action: Update to version 1.45, or a newer patched version
Plugin: Require & Limit Categories, Tags, Featured Image and taxonomies
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.27
Recommended Action: Update to version 1.27, or a newer patched version
Plugin: Lana Downloads Manager
Vulnerability: Authenticated Arbitrary File Download
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: Enable SVG, WebP, and ICO Upload
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: WP Sticky Button – Click to Chat
Vulnerability: Missing Authorization to Arbitrary Settings Update
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: Comment Fields [Modify/Disable/Remove]
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version
Plugin: VR Calendar
Vulnerability: Authenticated (Administrator+) Local File Inclusion
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More
Vulnerability: Unauthenticated Backup Download
Patched Version: 1.4.7.1
Recommended Action: Update to version 1.4.7.1, or a newer patched version
Plugin: Affiliate For WooCommerce
Vulnerability: Authenticated Insecure Direct Object Reference
Patched Version: 4.8.0
Recommended Action: Update to version 4.8.0, or a newer patched version
Plugin: Enable SVG, WebP, and ICO Upload
Vulnerability: Arbitrary File Upload
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Better Search Replace
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: Add Custom Post Type into Post Query
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version
Plugin: Affiliate For WooCommerce
Vulnerability: Missing Authorization
Patched Version: 4.8.0
Recommended Action: Update to version 4.8.0, or a newer patched version
Plugin: Find Slow Functions & Actions & Filters & Hooks (Debug Bar)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.41
Recommended Action: Update to version 1.41, or a newer patched version
Plugin: WP phpMyAdmin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.2.0.4
Recommended Action: Update to version 5.2.0.4, or a newer patched version
Plugin: Redirect By Cookie
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.07
Recommended Action: Update to version 1.07, or a newer patched version
Plugin: Automatic pages for Privacy Policy, Terms, About, Contact us
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.42
Recommended Action: Update to version 1.42, or a newer patched version
Plugin: Student Result or Employee Database
Vulnerability: Missing Authorization
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: WP Edit Menu
Vulnerability: Missing Authorization to Post Deletion
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Fluent Support – Helpdesk & Customer Support Ticket System
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: WPQA – Builder forms Addon For WordPress
Vulnerability: Builder forms Addon For WordPress < 5.7
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version
Plugin: BxSlider WP
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: External url as post Featured Image (thumbnail)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.03
Recommended Action: Update to version 2.03, or a newer patched version
Plugin: Social Slider Feed
Vulnerability: Missing Authorization
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Remove tabs and fields from WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.69
Recommended Action: Update to version 1.69, or a newer patched version
Plugin: Download Manager
Vulnerability: Authenticated (Contributor+) Arbitrary File Deletion
Patched Version: 3.2.51
Recommended Action: Update to version 3.2.51, or a newer patched version
Plugin: Download Manager
Vulnerability: IP Blocking Bypass
Patched Version: 3.2.50
Recommended Action: Update to version 3.2.50, or a newer patched version
Plugin: Floating Div
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.