Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Google Analytics
Patched Version: 8.9.1
Recommended Action: Update to version 8.9.1, or a newer patched version
Plugin: Survey Maker
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: RSSImport
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.13.45
Recommended Action: Update to version 7.13.45, or a newer patched version
Plugin: Subscribe2 – Form, Email Subscribers & Newsletters
Vulnerability: Cross-Site Request Forgery
Patched Version: 10.38
Recommended Action: Update to version 10.38, or a newer patched version
Plugin: WP Spell Check
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 9.13
Recommended Action: Update to version 9.13, or a newer patched version
Plugin: Meteor Slides
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: EU Cookie Law for GDPR/CCPA
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Click to Chat – HoliThemes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.18.1
Recommended Action: Update to version 3.18.1, or a newer patched version
Plugin: User Post Gallery – UPG
Vulnerability: UPG <= 2.19
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Accordion – Responsive Accordion FAQ Builder and Product FAQ
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Social Sharing Plugin – Sassy Social Share
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.45
Recommended Action: Update to version 3.3.45, or a newer patched version
Plugin: Waiting: One-click countdowns
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Waiting: One-click countdowns
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Font Awesome
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version
Plugin: Easy Appointments
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Form Settings
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version
Plugin: Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Subscribers and Landing Pages
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.4.9.9
Recommended Action: Update to version 1.4.9.9, or a newer patched version
Plugin: Widgets for WooCommerce Products on Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Vulnerability: Authenticated (Administrator+) CSV Injection
Patched Version: 1.2.3.10
Recommended Action: Update to version 1.2.3.10, or a newer patched version
Plugin: Events Made Easy
Vulnerability: Missing Authorization
Patched Version: 2.3.17
Recommended Action: Update to version 2.3.17, or a newer patched version
Plugin: FluentAuth – The Ultimate Authorization & Security Plugin for WordPress
Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Rate My Post – Star Rating Plugin by FeedbackWP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version
Plugin: Easy Bootstrap Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Simple Shopping Cart
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version
Plugin: Formidable PRO2PDF
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.10
Recommended Action: Update to version 3.10, or a newer patched version
Plugin: Real Testimonials – Testimonial Slider, Carousel, Grid | Collect Customer Reviews and Video Testimonial with Testimonial Form | Social Proof Reviews and Review Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: پلاگین پرداخت دلخواه
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version
Plugin: Simple Membership
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via shortcode
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version
Plugin: WP Spell Check
Vulnerability: Cross-Site Request Forgery
Patched Version: 9.13
Recommended Action: Update to version 9.13, or a newer patched version
Plugin: Custom Post Types and Custom Fields creator – WCK
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: Conditional Payment Methods for WooCommerce
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version
Plugin: CBX Petition for WordPress
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Welcart e-Commerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version
Plugin: Mongoose Page Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version
Plugin: Waiting: One-click countdowns
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Login Logout Menu
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Simple Podcasting
Vulnerability: Prototype Pollution
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Justified Gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: MashShare – Social Media Share Buttons, Social Share Icons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version
Plugin: Page-list
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version
Plugin: Page scroll to id
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: Insert Pages
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.7.5
Recommended Action: Update to version 3.7.5, or a newer patched version
Plugin: Themify Portfolio Post
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Greenshift – animation and page builder blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version
Plugin: Seriously Simple Podcasting
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.19.1
Recommended Action: Update to version 2.19.1, or a newer patched version
Plugin: Store Locator WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version
Plugin: WP Attachments
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 13.2.9
Recommended Action: Update to version 13.2.9, or a newer patched version
Plugin: Show All Comments
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.0.1
Recommended Action: Update to version 7.0.1, or a newer patched version
Plugin: Sidebar Widgets by CodeLights
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Compact WP Audio Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version
Plugin: Anti-Malware Security and Brute-Force Firewall
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 4.21.86
Recommended Action: Update to version 4.21.86, or a newer patched version
Plugin: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.3
Recommended Action: Update to version 1.13.3, or a newer patched version
Plugin: RD Order Modifier for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: Images Optimize and Upload CF7
Vulnerability: Missing Authorization to Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fontsy
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Analyticator
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 6.5.6
Recommended Action: Update to version 6.5.6, or a newer patched version
Plugin: Real Cookie Banner: GDPR & ePrivacy Cookie Consent
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.4.10
Recommended Action: Update to version 3.4.10, or a newer patched version
Plugin: WP Video Lightbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version
Plugin: WP Limit Login Attempts
Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Carousel, Slider, Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery, Video Slider, Post Carousel & Post Grid, Product Carousel & Product Grid
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version
Plugin: Link Library
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.4.1
Recommended Action: Update to version 7.4.1, or a newer patched version
Plugin: Search & Filter
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.16
Recommended Action: Update to version 1.2.16, or a newer patched version
Plugin: Tickera – WordPress Event Ticketing
Vulnerability: Cross-Site Request Forgery to Plugin Data Deletion & Settings Changes
Patched Version: 3.5.1.0
Recommended Action: Update to version 3.5.1.0, or a newer patched version
Plugin: Login as User or Customer
Vulnerability: Privilege Escalation
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version
Plugin: HashBar – WordPress Notification Bar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: Sitemap
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.