Watch Out Wednesday – February 1, 2023

Home » Watch Out Wednesday – February 1, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting and Settings Reset
Patched Version: 4.2.9
Recommended Action: Update to version 4.2.9, or a newer patched version

Plugin: EmbedSocial – Social Media Feeds, Reviews and Galleries

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.28
Recommended Action: Update to version 1.1.28, or a newer patched version

Plugin: Organization chart

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: WPComplete

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Cross-Site Request Forgery to Plugin Activation
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart

Vulnerability: Cross Site Request Forgery
Patched Version: 6.11.4
Recommended Action: Update to version 6.11.4, or a newer patched version

Plugin: WP Dark Mode – WordPress Dark Mode Plugin for Improved Accessibility, Dark Theme, Night Mode, and Social Sharing

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Simple Photo Gallery

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Private Message

Vulnerability: Insecure Direct Object Reference
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Auto Hide Admin Bar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: WP Responsive Testimonials Slider And Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MapGeo – Interactive Geo Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: AFI – The Easiest Integration Plugin

Vulnerability: Authenticated (Admin+) Cross Site Scripting
Patched Version: 1.63.0
Recommended Action: Update to version 1.63.0, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.0.107.3
Recommended Action: Update to version 1.0.107.3, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Admin+) Cross Site Scripting (XSS)
Patched Version: 1.5.49
Recommended Action: Update to version 1.5.49, or a newer patched version

Plugin: Limit Login Attempts Plus – WordPress Limit Login Attempts By Felix

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Missing Authorization Checks
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Loan Comparison

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: WordPress Book Plugin for Displaying Books in Grid, Flip, Slider, Popup Layout and more

Vulnerability: Authenticator (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PDF Invoices & Packing Slips for WooCommerce

Vulnerability: Cross Site Request Forgery
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: WP Table Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: TinyMCE Custom Styles

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: bbPress Voting

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.11.1
Recommended Action: Update to version 2.1.11.1, or a newer patched version

Plugin: Post Views Count (Support caching plugins!)

Plugin: WordPress Email Marketing Plugin – WP Email Capture

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.10
Recommended Action: Update to version 3.10, or a newer patched version

Plugin: Loan Comparison

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Bootstrap Shortcodes

Plugin: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.12.23
Recommended Action: Update to version 2.12.23, or a newer patched version

Plugin: JobBoardWP – Job Board Listings and Submissions

Vulnerability: Missing Authorization to Job Posting Manipulation
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Bootstrap Shortcodes

Plugin: Namaste! LMS

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.5.9.4
Recommended Action: Update to version 2.5.9.4, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.12
Recommended Action: Update to version 1.5.12, or a newer patched version

Plugin: Beautiful Cookie Consent Banner

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.10.2
Recommended Action: Update to version 2.10.2, or a newer patched version

Plugin: Olevmedia Shortcodes

Plugin: Efí Bank

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: ContentStudio

Vulnerability: Information Exposure
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Missing Authorization
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: Simple Newsletter Plugin – Noptin

Vulnerability: Unauthenticated CSV Injection
Patched Version: 1.11.0
Recommended Action: Update to version 1.11.0, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: Correos Oficial

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bootstrap Shortcodes

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: Simple Image Popup

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 13.2.11
Recommended Action: Update to version 13.2.11, or a newer patched version

Plugin: Bootstrap Shortcodes

Plugin: Advanced Social Pixel

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Welcart e-Commerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.8.11
Recommended Action: Update to version 2.8.11, or a newer patched version

Plugin: Bootstrap Shortcodes

Plugin: BackupBuddy

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.8.3
Recommended Action: Update to version 8.8.3, or a newer patched version

Plugin: Uncanny Toolkit for LearnDash

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Install and Activation
Patched Version: 3.6.4.2
Recommended Action: Update to version 3.6.4.2, or a newer patched version

Plugin: Easy Social Box / Page Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version

Plugin: Bootstrap Shortcodes

Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.2.24
Recommended Action: Update to version 2.2.24, or a newer patched version

Plugin: Greenshift – animation and page builder blocks

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: Namaste! LMS

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.5.9.2
Recommended Action: Update to version 2.5.9.2, or a newer patched version

Plugin: Limit Login Attempts Plus – WordPress Limit Login Attempts By Felix

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Bootstrap Shortcodes

Plugin: Quick Restaurant Menu

Vulnerability: Missing Authorization
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: GetResponse for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.5.32
Recommended Action: Update to version 5.5.32, or a newer patched version

Plugin: Login Logout Menu

Plugin: Bootstrap Shortcodes

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: PHP Object Injection
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: WP OAuth Server (OAuth Authentication)

Vulnerability: No subtitle
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: Bootstrap Shortcodes

Plugin: EmbedStories – Display social media stories

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.7.5
Recommended Action: Update to version 0.7.5, or a newer patched version

Plugin: Greenshift – animation and page builder blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: Beautiful Cookie Consent Banner

Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.10.1
Recommended Action: Update to version 2.10.1, or a newer patched version

Plugin: Intuitive Custom Post Order

Vulnerability: Missing Authorization to Authenticated Settings Change
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Bootstrap Shortcodes

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.12
Recommended Action: Update to version 3.2.12, or a newer patched version

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: Opening Hours

Plugin: Quick Restaurant Menu

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: Material Design Icons for Page Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Glossary

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.28
Recommended Action: Update to version 2.1.28, or a newer patched version

Plugin: ContentStudio

Vulnerability: Authorization Bypass
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: eVision Responsive Column Layout Shortcodes

Plugin: BNE Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Juicer.io: Effortlessly embed, curate, and aggregate social media feeds into your website

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.11
Recommended Action: Update to version 1.11, or a newer patched version

Plugin: Quick Restaurant Menu

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.1.0.5
Recommended Action: Update to version 3.1.0.5, or a newer patched version

Plugin: Intuitive Custom Post Order

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: PrivateContent

Vulnerability: Protection Mechanism Bypass
Patched Version: 8.4.4
Recommended Action: Update to version 8.4.4, or a newer patched version

Plugin: Client Logo Carousel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Organization chart

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Blocksy Companion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.68
Recommended Action: Update to version 1.8.68, or a newer patched version

Plugin: AI Contact Us Form

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Site Reviews

Vulnerability: Unauthenticated CSV Injection
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Efí Bank

Vulnerability: Missing Authorization
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.7.2
Recommended Action: Update to version 2.1.7.2, or a newer patched version

Plugin: WordPress Portfolio Plugin – A Plugin for Making Filterable Portfolio Grid, Portfolio Slider and more

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: GS Portfolio for Envato

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: DH – Anti AdBlocker

Vulnerability: Cross-Site Request Forgery
Patched Version: 37
Recommended Action: Update to version 37, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Unauthenticated Bypass Vulnerability
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Quick Restaurant Menu

Vulnerability: Insecure Direct Object Reference
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Hueman Addons

Vulnerability: Authenticated (Contributor+) Stored Cross Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Views for WooCommerce – Product Slider, Grid, Ticker, List & Masonry

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.

About the Author

Odell Duppins Jr

Well qualified professional with plenty of hands on experience with various technologies. Excellent analytical and troubleshooting skills with a keen ability of developing and/or simplifying processes by finding and developing new innovative solutions.