Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Login for Google Apps
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version
Plugin: Eventify™ – Simple Events
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Unauthenticated SQL Injection via cg_Fields
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: Loginizer
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: Add to home screen WP Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Unauthenticated SQL Injection via user_id
Patched Version: 19.1.5.1
Recommended Action: Update to version 19.1.5.1, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via cg_option_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via wp_user_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: Advanced Booking Calendar
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Essential Real Estate
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: 1app Business Forms
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Basic Contact Form
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 20221201
Recommended Action: Update to version 20221201, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via cg_multiple_files_for_post
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: WordPress Filter Gallery Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.1.6
Recommended Action: Update to version 0.1.6, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via cg_copy_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: Slider by 10Web – Responsive Image Slider
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.2.53
Recommended Action: Update to version 1.2.53, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via cg_copy_start
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: Contest Gallery Pro
Vulnerability: Authenticated (Administrator+) SQL Injection via wp_user_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: Advanced Booking Calendar
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chained Quiz
Vulnerability: Cross-Site Request Forgery to Arbitrary Quiz Deletion and Copying
Patched Version: 1.3.2.5
Recommended Action: Update to version 1.3.2.5, or a newer patched version
Plugin: ElasticPress
Vulnerability: Remote Code Execution
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version
Plugin: WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log
Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Authorization Bypass
Patched Version: 3.43
Recommended Action: Update to version 3.43, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Authenticated (Subscriber+) Information Disclosure and PHAR deserialization
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version
Plugin: ACF Quick Edit Fields
Vulnerability: Authenticated (Contributor+) Insecure Direct Object Reference
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version
Plugin: Post Teaser
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chained Quiz
Vulnerability: Reflected Cross-Site Scripting via datef
Patched Version: 1.3.2.1
Recommended Action: Update to version 1.3.2.1, or a newer patched version
Plugin: WP-Ban
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.69.1
Recommended Action: Update to version 1.69.1, or a newer patched version
Plugin: Autoptimize
Vulnerability: Sensitive Information Disclosure
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2022.6
Recommended Action: Update to version 2022.6, or a newer patched version
Plugin: GD bbPress Attachments
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: 1app Business Forms
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Teaser
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chained Quiz
Vulnerability: Reflected Cross-Site Scripting via emailf
Patched Version: 1.3.2.1
Recommended Action: Update to version 1.3.2.1, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via option_id GET
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: Bulk Delete Users by Email
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via cg_order
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: Bulk Delete Users by Email
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AI Powered Starter Templates by Kadence WP
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version
Plugin: Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more
Vulnerability: Authenticated (Admin+) Arbitrary File Deletion
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via cg_row
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more
Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.14
Recommended Action: Update to version 2.9.14, or a newer patched version
Plugin: ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Privilege Escalation
Patched Version: 5.6
Recommended Action: Update to version 5.6, or a newer patched version
Plugin: Custom Content by Country (by Shield Security)
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.321
Recommended Action: Update to version 1.3.321, or a newer patched version
Plugin: WP User – Custom Registration Forms, Login and User Profile
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chained Quiz
Vulnerability: Reflected Cross-Site Scripting via ip
Patched Version: 1.3.2.4
Recommended Action: Update to version 1.3.2.4, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Mailchimp API Key
Patched Version: 1.3.2.3
Recommended Action: Update to version 1.3.2.3, or a newer patched version
Plugin: Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more
Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Cross-Site Request Forgery to Question Deletion
Patched Version: 1.3.2.5
Recommended Action: Update to version 1.3.2.5, or a newer patched version
Plugin: All-in-One Addons for Elementor – WidgetKit
Vulnerability: WidgetKit <= 2.4.3
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Reflected Cross-Site Scripting via ipf
Patched Version: 1.3.2.1
Recommended Action: Update to version 1.3.2.1, or a newer patched version
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.3.7
Recommended Action: Update to version 4.3.7, or a newer patched version
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Missing Authorization
Patched Version: 2.9.14
Recommended Action: Update to version 2.9.14, or a newer patched version
Plugin: Supra CSV
Vulnerability: Stored Cross-Site Scripting via Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Mail Log
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Export Users Data CSV
Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: WP Google Review Slider
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 11.6
Recommended Action: Update to version 11.6, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via cg_id
Patched Version: 19.1.5.1
Recommended Action: Update to version 19.1.5.1, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Reflected Cross-Site Scripting via date
Patched Version: 1.3.2.4
Recommended Action: Update to version 1.3.2.4, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Reflected Cross-Site Scripting via pointsf
Patched Version: 1.3.2.1
Recommended Action: Update to version 1.3.2.1, or a newer patched version
Plugin: IWS – Geo Form Fields
Vulnerability: Geo Form Fields <= 1.0
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Welcart e-Commerce
Vulnerability: Information Disclosure via Arbitrary File Read
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Facebook App ID
Patched Version: 1.3.2.3
Recommended Action: Update to version 1.3.2.3, or a newer patched version
Plugin: Booster Plus for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Reflected Cross-Site Scripting via dnf
Patched Version: 1.3.2.1
Recommended Action: Update to version 1.3.2.1, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via upload[]
Patched Version: 19.1.5.1
Recommended Action: Update to version 19.1.5.1, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Cross-Site Request Forgery to Submitted Response Deletion
Patched Version: 1.3.2.5
Recommended Action: Update to version 1.3.2.5, or a newer patched version
Plugin: iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.56
Recommended Action: Update to version 1.3.56, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Reflected Cross-Site Scripting via dn
Patched Version: 1.3.2.3
Recommended Action: Update to version 1.3.2.3, or a newer patched version
Plugin: ImageInject
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Apptivo Business Site CRM
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.14
Recommended Action: Update to version 3.0.14, or a newer patched version
Plugin: Kwayy HTML Sitemap
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: Plugin Logic
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: SQL Injection via option_id
Patched Version: 19.1.5.1
Recommended Action: Update to version 19.1.5.1, or a newer patched version
Plugin: UpdraftCentral Dashboard
Vulnerability: Server-Side Request Forgery
Patched Version: 0.8.24
Recommended Action: Update to version 0.8.24, or a newer patched version
Plugin: Build App Online
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via addCountS
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Authenticated (Subscriber+) Arbitrary File Read
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.