Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities promptly, you help protect the safety and integrity of your WordPress site and its data.
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.12.1
Recommended Action: Update to version 5.12.1, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.15.6
Recommended Action: Update to version 1.15.6, or a newer patched version
Plugin: Quick Restaurant Menu
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Accordion – Multiple Accordion or FAQs Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘rawdata’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: OSM – OpenStreetMap
Vulnerability: Unspecified in this listing (affected versions: OpenStreetMap <= 6.0)
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version
Plugin: Accordion – Multiple Accordion or FAQs Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘layouts’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin
Vulnerability: Missing Authorization
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.6.6
Recommended Action: Update to version 3.6.6, or a newer patched version
Plugin: Contact Bank – Contact Form Builder for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.185.1
Recommended Action: Update to version 5.185.1, or a newer patched version
Plugin: Accordion – Multiple Accordion or FAQs Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘pages’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Blog2Social: Social Media Auto Post & Scheduler
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 6.9.10
Recommended Action: Update to version 6.9.10, or a newer patched version
Plugin: Beebee Mini
Vulnerability: Unauthorized File Upload via ACF
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Accordion – Multiple Accordion or FAQs Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘notice’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: FontMeister – The Font Management Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post to CSV by BestWebSoft
Vulnerability: Authenticated (Author+) CSV Injection
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: Related Posts for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Table Generator
Vulnerability: Missing Authorization to Table Modification
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Super Cache
Vulnerability: Unauthenticated Cache Poisoning
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: BuddyForms Moderation (Former: Review Logic)
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.4.17
Recommended Action: Update to version 1.4.17, or a newer patched version
Plugin: HREFLANG Tags Lite
Vulnerability: Missing Authorization to Data Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Vendors
Vulnerability: Insecure Direct Object Reference to Note Creation
Patched Version: 2.1.66
Recommended Action: Update to version 2.1.66, or a newer patched version
Plugin: Retain Live Chat
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Humans.txt
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Store Locator WordPress
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: wp-Monalisa
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Insecure Direct Object Reference
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version
Plugin: Blog2Social: Social Media Auto Post & Scheduler
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 6.9.10
Recommended Action: Update to version 6.9.10, or a newer patched version
Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Redirection for Contact Form 7
Vulnerability: Missing Authorization
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version
Plugin: Asset CleanUp: Page Speed Booster
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.8.5
Recommended Action: Update to version 1.3.8.5, or a newer patched version
Plugin: CRM Perks Forms – WordPress Form Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version
Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Media Library Assistant
Vulnerability: Information Disclosure
Patched Version: 3.01
Recommended Action: Update to version 3.01, or a newer patched version
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Unspecified in this listing (affected version: 5.0.7)
Patched Version: 5.0.8
Recommended Action: Update to version 5.0.8, or a newer patched version
Plugin: Plugin LBstopattack
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Analytics Cat – Google Analytics Made Easy
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Advanced Ads – Ad Manager & AdSense
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.32.0
Recommended Action: Update to version 1.32.0, or a newer patched version
Plugin: Kadence WooCommerce Email Designer
Vulnerability: PHP Object Injection
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: Product Vendors
Vulnerability: Insecure Direct Object Reference to Vendor Commission Percentage Update
Patched Version: 2.1.69
Recommended Action: Update to version 2.1.69, or a newer patched version
Plugin: Accordion – Multiple Accordion or FAQs Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting in post_oxi_settings function
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: Rock Convert
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Product Vendors
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.1.66
Recommended Action: Update to version 2.1.66, or a newer patched version
Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version
Plugin: WP All Export Pro
Vulnerability: Authenticated Remote Code Execution
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version
Plugin: WZone – Lite Version
Vulnerability: Unspecified in this listing (affected versions: Lite <= 3.1)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: IP Blacklist Cloud
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP All Export Pro
Vulnerability: Authenticated SQL Injection
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version
Plugin: Media Library Folders
Vulnerability: Cross-Site Request Forgery
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Unauthenticated CSV Injection
Patched Version: 3.1.0.2
Recommended Action: Update to version 3.1.0.2, or a newer patched version
Plugin: AdminPad
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Casso – Tự động xác nhận thanh toán chuyển khoản ngân hàng
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: Accordion – Multiple Accordion or FAQs Builder
Vulnerability: Authenticated Arbitrary Options Update
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Accordion – Multiple Accordion or FAQs Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘pages’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Accordion – Multiple Accordion or FAQs Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘license’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 4.1.7.2
Recommended Action: Update to version 4.1.7.2, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.