Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Portfolio Gallery
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 5 Anker Connect
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Accessibility
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Core: WordPress
Vulnerability: Shared User Instance Weakness
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Plugin: Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms
Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version
Plugin: RD Station
Vulnerability: Cross-Site Request Forgery to Plugin Log Deletion
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version
Plugin: ALD – AliExpress Dropshipping and Fulfillment for WooCommerce Premium
Vulnerability: AliExpress Dropshipping and Fulfillment for WooCommerce Premium <= 1.1.0
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Core: WordPress
Vulnerability: Open Redirect
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 5.12.1
Recommended Action: Update to version 5.12.1, or a newer patched version
Plugin: Page View Count
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version
Core: WordPress
Vulnerability: Information Disclosure (Multi-Part Email Leak)
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Plugin: WP Attachments
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version
Plugin: Product Stock Manager
Vulnerability: Missing Authorization and Cross-Site Request Forgery
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Core: WordPress
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Customizer
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Plugin: Import any XML, CSV or Excel File to WordPress
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload via Path Traversal
Patched Version: 3.6.9
Recommended Action: Update to version 3.6.9, or a newer patched version
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.12.1
Recommended Action: Update to version 5.12.1, or a newer patched version
Core: WordPress
Vulnerability: Authenticated Cross-Site Scripting in Various Blocks
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Core: WordPress
Vulnerability: Authenticated Information Disclosure via REST-API
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Plugin: ElasticPress
Vulnerability: Prototype Pollution
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version
Plugin: WPB Show Core
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wp-Hide
Vulnerability: Missing Authorization to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Import and export users and customers
Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: 1.20.5
Recommended Action: Update to version 1.20.5, or a newer patched version
Plugin: eCommerce Product Catalog Plugin for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.72
Recommended Action: Update to version 3.0.72, or a newer patched version
Plugin: Complianz Premium – GDPR/CCPA Cookie Consent
Vulnerability: SQL Injection via Translations
Patched Version: 6.3.6
Recommended Action: Update to version 6.3.6, or a newer patched version
Plugin: Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Role Based Pricing for WooCommerce
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Account Manager for WooCommerce
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Custom Fields (ACF)
Vulnerability: Authenticated (Contributor+) Information Disclosure
Patched Version: 6.0.3
Recommended Action: Update to version 6.0.3, or a newer patched version
Plugin: 3com – Asesor de Cookies para normativa española
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Reflected Cross-Site Scripting via SQL Injection
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Plugin: Role Based Pricing for WooCommerce
Vulnerability: Missing Authorization to PHAR Deserialization
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Booking Calendar – Event Calendar
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: CSV Injection
Patched Version: 4.3.13
Recommended Action: Update to version 4.3.13, or a newer patched version
Plugin: ImageMagick Engine
Vulnerability: Cross-Site Request Forgery to Remote Command Execution
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: Mihdan: Public Post Preview
Vulnerability: Missing Authorization
Patched Version: 1.9.10
Recommended Action: Update to version 1.9.10, or a newer patched version
Plugin: WooCommerce Dropshipping Premium
Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Highlight Focus
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version
Plugin: AB Press Optimizer
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Cross-Site Request Forgery via wp-trackback.php
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Import any XML, CSV or Excel File to WordPress
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 3.6.9
Recommended Action: Update to version 3.6.9, or a newer patched version
Core: WordPress
Vulnerability: Stored Cross-Site Scripting via wp-mail.php
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Plugin: eCommerce Product Catalog Plugin for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.72
Recommended Action: Update to version 3.0.72, or a newer patched version
Core: WordPress
Vulnerability: Information Disclosure (Email Address)
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Core: WordPress
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Comments
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Core: WordPress
Vulnerability: SQL Injection via WP_Date_Query
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
