Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. For each entry, compare the version shown in your WordPress plugin list against the patched version given here; the plugin's name alone tells you nothing about exposure, and an entry marked "Admin+" or "Subscriber+" is still worth fixing, since those roles are exactly what phished or leaked credentials give an attacker. Addressing these vulnerabilities promptly reduces the risk to your WordPress site and its data.
Plugin: WP Hide & Security Enhancer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: Resize Image After Upload
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version
Plugin: Mailchimp for WooCommerce
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version
Plugin: String locator
Vulnerability: Cross-Site Request Forgery to PHAR Deserialization
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: Product Carousel Slider & Grid Ultimate for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version
Plugin: Export All URLs
Vulnerability: Arbitrary File Deletion
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Simple Telegram
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Order Export For WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version
Plugin: Download Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.54
Recommended Action: Update to version 3.2.54, or a newer patched version
Plugin: Announcement & Notification Banner – Bulletin
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version
Plugin: Mobile Assistant Connector
Vulnerability: SQL Injection
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: WordPress HTTPS (SSL)
Vulnerability: Missing Authorization to Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Jupiter X Core
Vulnerability: Missing Authorization Checks
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Mailchimp for WooCommerce
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: PostmagThemes Demo Import
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.12
Recommended Action: Update to version 3.8.12, or a newer patched version
Plugin: Stop Spam Comments
Vulnerability: Protection Mechanism Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPIDE – File Manager & Code Editor
Vulnerability: Authenticated (Administrator+) Arbitrary File Read
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Contempo Real Estate Custom Posts
Vulnerability: Unauthorized File Upload
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version
Plugin: amCharts: Charts and Maps
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: WPIDE – File Manager & Code Editor
Vulnerability: Authenticated (Administrator+) Local File Inclusion
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.7.7
Recommended Action: Update to version 1.5.7.7, or a newer patched version
Plugin: Floating Action Button
Vulnerability: Missing Authorization
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Protect WP Admin
Vulnerability: Cross-Site Scripting
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version
Plugin: Custom Product Tabs Lite for WooCommerce
Vulnerability: Authenticated (Store Manager+) Stored Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.5.7.7
Recommended Action: Update to version 1.5.7.7, or a newer patched version
Plugin: Cyclone Slider
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sensei LMS – Online Courses, Quizzes, & Learning
Vulnerability: Information Disclosure
Patched Version: 4.5.0
Recommended Action: Update to version 4.5.0, or a newer patched version
Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more
Vulnerability: Authenticated (Admin+) SQL Injection via orderby
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version
Plugin: WooPayments: Integrated WooCommerce Payments
Vulnerability: Payment Bypass
Patched Version: 3.9.4
Recommended Action: Update to one of the following versions, or a newer patched version: 3.9.4, 4.0.3, 4.1.1, 4.2.2, 4.3.1, 4.4.1, 4.5.1
Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more
Vulnerability: Authenticated (Admin+) SQL Injection via orderby
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version
Plugin: Social Slider Feed
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: PDF Invoices & Packing Slips for WooCommerce
Vulnerability: 3.0.0
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: WP Taxonomy Import
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Private Files – File Upload & Download Manager with Secure File Sharing
Vulnerability: Missing Authorization
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Pop-up
Vulnerability: Missing Authorization to Settings Change
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: User Private Files – File Upload & Download Manager with Secure File Sharing
Vulnerability: Sensitive Information Disclosure
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce
Vulnerability: Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Auto Post, Auto Publish and Schedule to Twitter, LinkedIn and Social Media – WP to Buffer
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version
Plugin: Sensei LMS – Online Courses, Quizzes, & Learning
Vulnerability: Missing Authorization
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version
Plugin: WPIDE – File Manager & Code Editor
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Advanced Custom Fields Frontend Forms – ACF Forms – ACF Post Form – ACF Registration Form – ACF Content Form – ACF Profile Form
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: Post to Social Media – WordPress to Hootsuite
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: Netroics Blog Posts Grid
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Twitter Bootstrap Slider
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.12.5
Recommended Action: Update to version 3.12.5, or a newer patched version
Plugin: Minimal Coming Soon – Coming Soon Page
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.35
Recommended Action: Update to version 2.35, or a newer patched version
Plugin: WP-MUI – Mass User Input – Add and Export WP Users Quickly
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 17.0.5
Recommended Action: Update to version 17.0.5, or a newer patched version
Plugin: Testimonial – Testimonial Slider and Showcase Plugin
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
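The entries above all reduce to one question: is the installed version at least the patched version? That comparison is easy to get wrong, so here is an added example (not part of the original roundup, and not code from any of the plugins listed) that cross-checks a site's plugin inventory against a subset of the patched versions above. It assumes the inventory comes from WP-CLI's `wp plugin list --fields=title,version --format=json`; the JSON below is a constructed sample of that output, not real data. Two points it handles that a naive string or float comparison does not: "3.2.9" is older than "3.2.54", and the WooPayments entry lists one fixed release per maintained branch, so an installed 4.0.0 is newer than 3.9.4 yet still vulnerable because its own branch was fixed in 4.0.3.

```python
"""Cross-check installed WordPress plugins against a patched-version list.

Added example, not code from the original roundup. It assumes patched
versions are listed per plugin as on the page, and that the inventory is
the JSON produced by `wp plugin list --fields=title,version --format=json`.
"""
import json
import re

# Constructed subset of the roundup above: plugin title -> patched versions
# (None means "No patched version available").
PATCHED = {
    "WP Hide & Security Enhancer": ["1.8"],
    "Resize Image After Upload": ["1.8.6"],
    "Download Manager": ["3.2.54"],
    "Simple Telegram": None,
    "WooPayments: Integrated WooCommerce Payments":
        ["3.9.4", "4.0.3", "4.1.1", "4.2.2", "4.3.1", "4.4.1", "4.5.1"],
}

# Constructed sample of WP-CLI output (not captured from a real site).
SAMPLE_INVENTORY = json.dumps([
    {"title": "WP Hide & Security Enhancer", "version": "1.8"},
    {"title": "Resize Image After Upload", "version": "1.8"},
    {"title": "Download Manager", "version": "3.2.9"},
    {"title": "Simple Telegram", "version": "0.2.1"},
    {"title": "WooPayments: Integrated WooCommerce Payments", "version": "4.0.0"},
    {"title": "Some Unrelated Plugin", "version": "2.0"},
])


def parse_version(v: str) -> tuple:
    """Turn '3.2.54' into (3, 2, 54); a non-numeric tail like '-beta' is dropped."""
    m = re.search(r"[\d.]+", v)
    parts = m.group(0).split(".") if m else []
    return tuple(int(p) for p in parts if p != "")


def branch_of(v: str) -> tuple:
    """The major.minor prefix, zero-padded: '1.8' -> (1, 8), '4' -> (4, 0)."""
    b = parse_version(v)[:2]
    return b + (0,) * (2 - len(b))


def cmp_versions(a: str, b: str) -> int:
    """Numeric, zero-padded comparison: '1.8' == '1.8.0', '3.2.9' < '3.2.54'.
    (PHP's version_compare orders '1.8' below '1.8.0'; the padded rule is fine
    for an 'installed >= patched' check and avoids that surprise.)"""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def is_patched(installed: str, fixed: list) -> bool:
    """True if `installed` carries the fix.

    When several fixed versions are listed (one per maintained branch), a
    naive `installed >= min(fixed)` is wrong: 4.0.0 is newer than 3.9.4 but
    older than 4.0.3, so it is still vulnerable. A release counts as patched
    only if it is at least the fixed version of its own major.minor branch,
    or it sits on a newer branch than any fixed version listed.
    """
    branch = branch_of(installed)
    fixed_sorted = sorted(fixed, key=parse_version)
    for f in fixed_sorted:
        if branch_of(f) == branch:
            return cmp_versions(installed, f) >= 0
    return branch > branch_of(fixed_sorted[-1])


def audit(inventory_json: str, patched: dict) -> list:
    """One finding per installed plugin that is in the roundup and not known patched."""
    findings = []
    for p in json.loads(inventory_json):
        if p["title"] not in patched:
            continue
        fixed = patched[p["title"]]
        if fixed is None:
            findings.append({**p, "action": "no patch available; mitigate or remove"})
        elif not is_patched(p["version"], fixed):
            findings.append({**p, "action": f"update to {', '.join(fixed)} or newer"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, PATCHED):
        print(f"{f['title']} {f['version']}: {f['action']}")
```

On a real site, replace `SAMPLE_INVENTORY` with the output of the WP-CLI command and key `PATCHED` by plugin slug (`--fields=name,version`) rather than title, since titles can be edited by the plugin author between releases while slugs are stable.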
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.