Watch Out Wednesday – August 31, 2022

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight newly disclosed vulnerabilities in WordPress core and in WordPress plugins. Each entry names the affected software, the vulnerability class, the first patched version (if one exists) and the action we recommend. Compare the list against what is installed on your site and update, mitigate or remove the affected software; doing so promptly reduces the risk to your site and its data.

Core: WordPress

Vulnerability: Authenticated SQL Injection
Patched Version: 3.7.39
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.39, 3.8.39, 3.9.37, 4.0.36, 4.1.36, 4.2.33, 4.3.29, 4.4.28, 4.5.27, 4.6.24, 4.7.24, 4.8.20, 4.9.21, 5.0.17, 5.1.14, 5.2.16, 5.3.13, 5.4.11, 5.5.10, 5.6.9, 5.7.7, 5.8.5, 5.9.4, 6.0.2

Plugin: wp-forecast

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.0
Recommended Action: Update to version 8.0, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via Text Editor
Patched Version: 2.5.5.3
Recommended Action: Update to version 2.5.5.3, or a newer patched version

Plugin: Access Code Feeder

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better Font Awesome

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Better Font Awesome

Vulnerability: Missing Authorization to Plugin Options Update
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Form Builder CP

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.32
Recommended Action: Update to version 1.2.32, or a newer patched version

Plugin: Ultimate SMS Notifications for WooCommerce

Vulnerability: CSV Injection
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Visual Composer Website Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via ‘Title’
Patched Version: 45.0.1
Recommended Action: Update to version 45.0.1, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via Plugin Deactivation and Deletion Errors
Patched Version: 3.7.39
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.39, 3.8.39, 3.9.37, 4.0.36, 4.1.36, 4.2.33, 4.3.29, 4.4.28, 4.5.27, 4.6.24, 4.7.24, 4.8.20, 4.9.21, 5.0.17, 5.1.14, 5.2.16, 5.3.13, 5.4.11, 5.5.10, 5.6.9, 5.7.7, 5.8.5, 5.9.4, 6.0.2

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via Caption
Patched Version: 2.5.5.3
Recommended Action: Update to version 2.5.5.3, or a newer patched version

Plugin: Visual Composer Website Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via ‘Text Block’
Patched Version: 45.0.1
Recommended Action: Update to version 45.0.1, or a newer patched version

Plugin: WPtouch – Make your WordPress Website Mobile-Friendly

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.44
Recommended Action: Update to version 4.3.44, or a newer patched version

Plugin: Better Delete Revision

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Calendar – Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: SEO Scout: Content Optimization, Keyword Research, Rank Tracking + SEO Testing

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 3dady real-time web stats

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gettext override translations

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Missing Authorization to Cross-Site Scripting
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via Image URL
Patched Version: 2.5.5.3
Recommended Action: Update to version 2.5.5.3, or a newer patched version

Plugin: WP Users Exporter

Vulnerability: CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Poll, Survey, Questionnaire and Voting system

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: Accommodation System

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slickr Flickr

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Site Offline Or Coming Soon Or Maintenance Mode

Vulnerability: Maintenance Mode Bypass
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Authenticated (Administrator+) Arbitrary File Deletion
Patched Version: 0.9.77
Recommended Action: Update to version 0.9.77, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via ‘caption’
Patched Version: 2.5.5.3
Recommended Action: Update to version 2.5.5.3, or a newer patched version

Plugin: Launcher: Coming Soon & Maintenance Mode

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version

Plugin: Event Calendar – Calendar

Vulnerability: Missing Authorization to Event Modification
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via the the_meta() function
Patched Version: 3.7.39
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.39, 3.8.39, 3.9.37, 4.0.36, 4.1.36, 4.2.33, 4.3.29, 4.4.28, 4.5.27, 4.6.24, 4.7.24, 4.8.20, 4.9.21, 5.0.17, 5.1.14, 5.2.16, 5.3.13, 5.4.11, 5.5.10, 5.6.9, 5.7.7, 5.8.5, 5.9.4, 6.0.2

Plugin: Zephyr Project Manager

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: About Rentals

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: About Me

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple File List

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.12
Recommended Action: Update to version 4.4.12, or a newer patched version

Plugin: Alphabetic Pagination

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Options Update
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Add User Role

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
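
The check this list implies is a version comparison between what a site runs and the "Patched Version" column, with two details that are easy to get wrong: "No patched version available" must always count as a finding, and WordPress core backports its fixes to every supported branch, so an installed 5.9.3 is measured against 5.9.4, not against 6.0.2. The script below is an added example, not part of the original post or of any plugin's own code. It assumes an inventory shaped like the output of `wp core version` and `wp plugin list --format=json`, except that plugin names are the display titles used in this list rather than slugs; SAMPLE_INVENTORY and the subset of advisories it encodes are constructed from the entries above for illustration.

```python
"""Compare a site's installed WordPress core and plugin versions against the
advisories listed above.  Added example; SAMPLE_INVENTORY is constructed."""
from __future__ import annotations

import re

# Subset of this week's plugin advisories, copied from the list above.
# A patched version of None means "No patched version available".
PLUGIN_ADVISORIES = {
    "wp-forecast": [("Authenticated (Administrator+) Stored XSS", "8.0")],
    "Beaver Builder – WordPress Page Builder": [
        ("Authenticated Stored XSS via Text Editor", "2.5.5.3")],
    "Access Code Feeder": [("Missing Authorization", None)],
    "Better Font Awesome": [
        ("CSRF to Plugin Settings Update", "2.0.2"),
        ("Missing Authorization to Plugin Options Update", "2.0.2")],
    "Zephyr Project Manager": [("Unauthenticated SQL Injection", "3.2.5")],
}

# WordPress core: one patched release per supported branch (from the list above).
CORE_PATCHED = [
    "3.7.39", "3.8.39", "3.9.37", "4.0.36", "4.1.36", "4.2.33", "4.3.29",
    "4.4.28", "4.5.27", "4.6.24", "4.7.24", "4.8.20", "4.9.21", "5.0.17",
    "5.1.14", "5.2.16", "5.3.13", "5.4.11", "5.5.10", "5.6.9", "5.7.7",
    "5.8.5", "5.9.4", "6.0.2",
]


def parse_version(version: str) -> tuple[int, ...]:
    """'2.5.5.3' -> (2, 5, 5, 3).  A leading 'v' and any non-numeric suffix
    ('-beta1', 'rc2') are dropped, so a pre-release compares equal to its final
    release; if your plugins ship such tags, treat them as unpatched by hand."""
    numeric = re.split(r"[^0-9.]", version.strip().lstrip("vV"), maxsplit=1)[0]
    return tuple(int(part) for part in numeric.split(".") if part)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 like PHP's version_compare(); zero-padded so '8' == '8.0'
    and '2.5.5' < '2.5.5.3' (a missing trailing segment never means newer)."""
    ka, kb = parse_version(a), parse_version(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_vulnerable(installed: str, patched: str | None) -> bool:
    """True when no patch exists at all, or the installed version predates it."""
    return patched is None or compare_versions(installed, patched) < 0


def core_fix_for(installed: str) -> str | None:
    """Patched core release on the installed site's own major.minor branch,
    or None when that branch is not in the list (older than 3.7, newer than 6.0)."""
    branch = (parse_version(installed) + (0, 0))[:2]
    for candidate in CORE_PATCHED:
        if parse_version(candidate)[:2] == branch:
            return candidate
    return None


def check_site(inventory: dict) -> list[dict]:
    """One finding per unpatched advisory that applies to the inventory.
    Inactive plugins are still reported: their code is still on disk."""
    findings: list[dict] = []
    core_fix = core_fix_for(inventory["core"])
    if core_fix is None or compare_versions(inventory["core"], core_fix) < 0:
        findings.append({"component": "WordPress core", "installed": inventory["core"],
                         "patched": core_fix, "status": "active",
                         "issue": "core advisories above (SQLi, stored XSS)" if core_fix
                                  else "branch not in the patched list; verify manually"})
    for plugin in inventory["plugins"]:
        for issue, patched in PLUGIN_ADVISORIES.get(plugin["name"], []):
            if is_vulnerable(plugin["version"], patched):
                findings.append({"component": plugin["name"], "installed": plugin["version"],
                                 "patched": patched, "status": plugin.get("status", "?"),
                                 "issue": issue})
    return findings


# Constructed inventory for this example, not a real site.
SAMPLE_INVENTORY = {
    "core": "5.9.3",
    "plugins": [
        {"name": "Better Font Awesome", "version": "2.0.1", "status": "active"},
        {"name": "Beaver Builder – WordPress Page Builder", "version": "2.5.5.3", "status": "active"},
        {"name": "Access Code Feeder", "version": "1.0", "status": "inactive"},
        {"name": "Zephyr Project Manager", "version": "3.2.5", "status": "active"},
        {"name": "Akismet Anti-spam", "version": "5.0", "status": "active"},
    ],
}

if __name__ == "__main__":
    for f in check_site(SAMPLE_INVENTORY):
        fix = f["patched"] or "NO PATCH: mitigate or remove"
        print(f"{f['component']} {f['installed']} ({f['status']}): {f['issue']} -> {fix}")
```

Run against the sample inventory it reports four findings: core 5.9.3 (fix 5.9.4), both Better Font Awesome entries for 2.0.1, and Access Code Feeder with no patch; Beaver Builder and Zephyr are already at the patched versions and are silent. Mapping display titles to plugin slugs, and feeding in a live `wp plugin list` export, is left to the reader.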

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.