Watch Out Wednesday – August 24, 2022

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: WP Socializer – Simple & Easy Social Media Share Icons

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.3
Recommended Action: Update to version 7.3, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Cross-Site Request Forgery to PHAR Deserialization
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version

Plugin: Gallery PhotoBlocks

Vulnerability: Missing Authorization Checks
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Float to Top Button

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Make Connector

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: WP STAGING WordPress Backup Plugin – Migration Backup Restore

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.9.18
Recommended Action: Update to version 2.9.18, or a newer patched version

Plugin: Search Exclude

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Titan Anti-spam & Security

Vulnerability: IP Spoofing to Protection Bypass
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) PHAR Deserialization
Patched Version: 3.2.50
Recommended Action: Update to version 3.2.50, or a newer patched version

Plugin: Accordion

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.43
Recommended Action: Update to version 2.2.43, or a newer patched version

Plugin: Classified Core

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version

Plugin: BadgeOS

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.7.1.3
Recommended Action: Update to version 3.7.1.3, or a newer patched version

Plugin: MashShare – Social Media Share Buttons, Social Share Icons

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: WP-UserOnline

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.88.1
Recommended Action: Update to version 2.88.1, or a newer patched version

Plugin: OneTone Companion

Vulnerability: Open Mailer
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Vulnerability: Resource Exhaustion
Patched Version: 1.9.10.58
Recommended Action: Update to version 1.9.10.58, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Authenticated (Admin+) Arbitrary File Read
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version

Plugin: Scroll To Top

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Float to Top Button

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-in-One Video Gallery

Vulnerability: 2.6.0
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Mobile Events Manager

Vulnerability: Authenticated (Administrator+) CSV Injection
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Directory Traversal
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Authenticated (Administrator+) Path Traversal
Patched Version: 0.9.76
Recommended Action: Update to version 0.9.76, or a newer patched version

Plugin: WordPress Ping Optimizer

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.35.1.3.0
Recommended Action: Update to version 2.35.1.3.0, or a newer patched version

Plugin: All-in-One WP Migration and Backup

Vulnerability: Unauthenticated Reflected Cross-Site Scripting
Patched Version: 7.63
Recommended Action: Update to version 7.63, or a newer patched version

Plugin: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP

Vulnerability: Missing Authorization
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: OAuth client Single Sign On for WordPress ( OAuth 2.0 SSO )

Vulnerability: Missing Authorization
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: WP Hotel Booking

Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Authorization Bypass
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: Classified Listing Pro – Classified ads & Business Directory Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.20
Recommended Action: Update to version 2.0.20, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: WP Server Health Stats

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: BuddyPress xProfile Checkout Manager for WooCommerce

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Craw Data

Vulnerability: Server Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WBW Currency Switcher for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: WP Cerber Security, Anti-spam & Malware Scan

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 9.1
Recommended Action: Update to version 9.1, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
