Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: WP Cerber Security, Anti-spam & Malware Scan
Vulnerability: User Enumeration Bypass
Patched Version: 9.1
Recommended Action: Update to version 9.1, or a newer patched version
Core: WordPress
Vulnerability: All known versions
Patched Version: No patched version available
Recommended Action: No known patch available. Review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance.
Plugin: WHA Crossword
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MP3-jPlayer
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ketchup Restaurant Reservations
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Torro Forms
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CM Download Manager – Document and File Management
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version
Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
Vulnerability: Authenticated Stored Cross-Site Scripting via Title & Description
Patched Version: 9.8.0
Recommended Action: Update to version 9.8.0, or a newer patched version
Plugin: GetResponse for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.5.21
Recommended Action: Update to version 5.5.21, or a newer patched version
Plugin: SVG Support
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: WordPress Countdown Widget
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.9.2
Recommended Action: Update to version 3.1.9.2, or a newer patched version
Plugin: SEO Smart Links
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Countdown Widget
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 3.1.9.2
Recommended Action: Update to version 3.1.9.2, or a newer patched version
Plugin: Slider Hero with Video Background, Animation
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.4.4
Recommended Action: Update to version 8.4.4, or a newer patched version
Plugin: Bitcoin / Altcoin Faucet
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mega Addons For WPBakery Page Builder
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Shamsi – افزونه تاریخ شمسی و فارسی ساز وردپرس
Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version
Plugin: Rate My Post – Star Rating Plugin by FeedbackWP
Vulnerability: Race Condition
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version
Plugin: Generate PDF using Contact Form 7
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version
Plugin: Login Block IPs
Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Org Chart
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: History Timeline for Biography, Company History & Event Timeline
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CallRail Phone Call Tracking
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.4.10
Recommended Action: Update to version 0.4.10, or a newer patched version
Plugin: Download Manager
Vulnerability: Authenticated (Admin+) Path Traversal
Patched Version: 3.2.55
Recommended Action: Update to version 3.2.55, or a newer patched version
Plugin: Scripts Organizer
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: WordPress Infinite Scroll – Ajax Load More
Vulnerability: Authenticated (Admin+) Arbitrary File Read via Directory Traversal
Patched Version: 5.5.4.1
Recommended Action: Update to version 5.5.4.1, or a newer patched version
Plugin: Frontend File Manager Plugin
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 21.4
Recommended Action: Update to version 21.4, or a newer patched version
Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
Vulnerability: Authenticated Stored Cross-Site Scripting via Video Link
Patched Version: 9.8.0
Recommended Action: Update to version 9.8.0, or a newer patched version
Plugin: WP Shop
Vulnerability: Missing Authentication to Settings Change and Order Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ldap WP Login / Active Directory Integration
Vulnerability: Missing Authorization
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: Captcha Code
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version
Plugin: Blossom Recipe Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.4
Recommended Action: Update to version 4.2.4, or a newer patched version
Plugin: Word Search Puzzles game
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: add2fav
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Welcart e-Commerce
Vulnerability: Information Disclosure via Arbitrary File Read
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version
Plugin: Wordfence Security – Firewall, Malware Scan, and Login Security
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.6.1
Recommended Action: Update to version 7.6.1, or a newer patched version
Plugin: Pop-up
Vulnerability: Privilege Escalation
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more
Vulnerability: Authenticated (Administrator+) Blind Server-Side Request Forgery
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: BackupBuddy
Vulnerability: 8.7.4.1
Patched Version: 8.7.5
Recommended Action: Update to version 8.7.5, or a newer patched version
Plugin: Word Search Puzzles game
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Meet My Team
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ketchup Restaurant Reservations
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordLift – AI powered SEO – Schema
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.37.2
Recommended Action: Update to version 3.37.2, or a newer patched version
Plugin: WP-PostRatings
Vulnerability: Race Condition
Patched Version: 1.90
Recommended Action: Update to version 1.90, or a newer patched version
Plugin: WHA Crossword
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Goolytics – Simple Google Analytics
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Restricted Site Access
Vulnerability: Access Bypass via IP Spoofing
Patched Version: 7.3.2
Recommended Action: Update to version 7.3.2, or a newer patched version
Plugin: Login Block IPs
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 3.6.13
Recommended Action: Update to version 3.6.13, or a newer patched version
Plugin: Bitcoin Satoshi Tools : Faucets, Visitor Rewarder, Satoshi Games, Referral Program
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
Vulnerability: Authenticated Stored Cross-Site Scripting via Media URL
Patched Version: 9.8.0
Recommended Action: Update to version 9.8.0, or a newer patched version
Plugin: WP Popup Builder – Popup Forms and Marketing Lead Generation
Vulnerability: Missing Authorization and Cross-Site Request Forgery
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: WP Popup Builder – Popup Forms and Marketing Lead Generation
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.