Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Spiffy Calendar
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.9.2
Recommended Action: Update to version 4.9.2, or a newer patched version
Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.5.5
Recommended Action: Update to version 5.5.5, or a newer patched version
Plugin: Download Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.62
Recommended Action: Update to version 3.2.62, or a newer patched version
Plugin: ActiveCampaign for WooCommerce
Vulnerability: Missing Authorization to Error Log Deletion
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version
Plugin: 404 to Start
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wp Social Login and Register Social Counter
Vulnerability: Authenticated (Subscriber+) Information Disclosure
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: WP CSV to Database – Insert CSV file content into WordPress database
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GS Insever Portfolio
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Portfolio – WordPress Portfolio Plugin
Vulnerability: Cross-Site Request Forgery in rtport_spare_me
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version
Plugin: Table of Contents Plus
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2212
Recommended Action: Update to version 2212, or a newer patched version
Plugin: Vision – Interactive Image Map Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: SlimStat Analytics
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version
Plugin: Bg Bible References
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Status Notifier Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10.1
Recommended Action: Update to version 1.10.1, or a newer patched version
Plugin: Smash Balloon Social Post Feed – Simple Social Feeds for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version
Plugin: Mesmerize Companion
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.135
Recommended Action: Update to version 1.6.135, or a newer patched version
Plugin: FOX – Currency Switcher Professional for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.3.9.3
Recommended Action: Update to version 1.3.9.3, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.56
Recommended Action: Update to version 1.3.56, or a newer patched version
Plugin: Sidebar Widgets by CodeLights
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: iPages Flipbook For WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: FOX – Currency Switcher Professional for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.3.9.4
Recommended Action: Update to version 1.3.9.4, or a newer patched version
Plugin: Multi Step Form
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version
Plugin: WP-Table Reloaded
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Events Calendar Plugin – connectDaily
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Subscriber+) Arbitrary Post Deletion
Patched Version: 1.3.56
Recommended Action: Update to version 1.3.56, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: iPanorama 360 – Advanced Virtual Tour Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.30
Recommended Action: Update to version 1.6.30, or a newer patched version
Plugin: WPtouch – Make your WordPress Website Mobile-Friendly
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 4.3.45
Recommended Action: Update to version 4.3.45, or a newer patched version
Plugin: Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: Swifty Page Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP CSV
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ibtana – WordPress Website Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.8.8
Recommended Action: Update to version 1.1.8.8, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version
Plugin: PT Addons for Elementor Lite
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Swifty Page Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Cross-Site Request Forgery
Patched Version: 8.0.8
Recommended Action: Update to version 8.0.8, or a newer patched version
Plugin: ActiveCampaign for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version
Plugin: Mega Addons For WPBakery Page Builder
Vulnerability: Authenticated (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mautic Integration for WooCommerce
Vulnerability: Cross-Site Request Forgery leading to Arbitrary Options Update
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Missing Authorization to Subscriber+ Arbitrary Post Creation
Patched Version: 1.3.56
Recommended Action: Update to version 1.3.56, or a newer patched version
Plugin: WP Pipes
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: ImageLinks Interactive Image Builder for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Mediamatic – Media Library Folders
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPtouch – Make your WordPress Website Mobile-Friendly
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 4.3.45
Recommended Action: Update to version 4.3.45, or a newer patched version
Plugin: Metricool
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.18
Recommended Action: Update to version 1.18, or a newer patched version
Plugin: Mediamatic – Media Library Folders
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PT Addons for Elementor Lite
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Vulnerability: CSV Injection
Patched Version: 2.2.20
Recommended Action: Update to version 2.2.20, or a newer patched version
Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version
Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 5.5.5
Recommended Action: Update to version 5.5.5, or a newer patched version
Plugin: WP Recipe Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 8.6.1
Recommended Action: Update to version 8.6.1, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.