Watch Out Wednesday – March 15, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins so you can see which of your installed plugins carry a published issue and act on it. Each entry gives the plugin, the vulnerability, the version that fixes it (if any), and the recommended action. Where a vulnerability is marked Authenticated (Contributor+) or similar, the attacker needs an account with at least that role; Unauthenticated issues need no account, and Cross-Site Request Forgery entries rely on luring an already logged-in privileged user to an attacker-controlled page. Addressing these vulnerabilities promptly reduces the risk to your WordPress site and its data.

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Reflected Cross-Site Scripting via ‘ays_pb_tab’ Parameter
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: Site Reviews

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute
Patched Version: 6.6.0
Recommended Action: Update to version 6.6.0, or a newer patched version

Plugin: Exxp

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google XML Sitemap for Images

Vulnerability: Cross-Site Request Forgery via image_sitemap_generate
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘attach_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Admin side data storage for Contact Form 7

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘uucss_update_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard

Vulnerability: Directory Traversal
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘attach_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: 301 Redirects – Easy Redirect Manager

Vulnerability: Type not given in this digest; affected versions 2.72 and earlier
Patched Version: 2.73
Recommended Action: Update to version 2.73, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery via give_get_content_by_ajax_handler
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: LOGIN AND REGISTRATION ATTEMPTS LIMIT

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Rename Media On Upload

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘uucss_update_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting via render_dropdown
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: Chronoforms

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘clear_page_cache’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: HT Easy GA4 – Google Analytics WordPress Plugin

Vulnerability: Cross-Site Request Forgery via plugin_activation
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Clone

Vulnerability: Cross-Site Request Forgery via wp_ajax_tifm_save_decision
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: xili-tidy-tags

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.12.04
Recommended Action: Update to version 1.12.04, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Information Disclosure via updraft_ajaxrestore
Patched Version: 1.23.1
Recommended Action: Update to version 1.23.1, or a newer patched version

Plugin: Solidres – Hotel booking plugin for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Webmention

Vulnerability: Reflected Cross-Site Scripting via ‘replytocom’
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘clear_uucss_logs’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via Form Name
Patched Version: 6.8.9
Recommended Action: Update to version 6.8.9, or a newer patched version

Plugin: Customify – Intuitive Website Styling

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.10.5
Recommended Action: Update to version 2.10.5, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 3.2.13
Recommended Action: Update to version 3.2.13, or a newer patched version

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Cross-Site Request Forgery via init
Patched Version: 1.18.1
Recommended Action: Update to version 1.18.1, or a newer patched version

Plugin: Affiliate Super Assistent

Vulnerability: Cross-Site Request Forgery to Settings Update and Cache Clearing
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: cformsII

Vulnerability: Cross-Site Request Forgery leading to Settings Updates
Patched Version: 15.0.5
Recommended Action: Update to version 15.0.5, or a newer patched version

Plugin: Easy Event calendar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fluid Checkout for WooCommerce – Lite

Vulnerability: Cross-Site Request Forgery via dismiss_notice
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Unauthenticated CSV Injection
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: Reusable Blocks Extended

Vulnerability: Cross-Site Request Forgery via reblex_reusable_screen_block_pattern_registration
Patched Version: 0.9.1
Recommended Action: Update to version 0.9.1, or a newer patched version

Plugin: Tags Cloud Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Cross-Site Request Forgery via delete()
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: Weaver Xtreme Theme Support

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.2.7
Recommended Action: Update to version 6.2.7, or a newer patched version

Plugin: Yandex.News Feed by Teplitsa

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Basic Elements

Vulnerability: Cross-Site Request Forgery via wpbe_save_settings
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: Dynamics 365 Integration

Vulnerability: Cross-Site Request Forgery via wp_ajax_wpcrm_log
Patched Version: 1.3.13
Recommended Action: Update to version 1.3.13, or a newer patched version

Plugin: Side Menu Lite – add sticky fixed buttons

Vulnerability: Cross-Site Request Forgery to Item Deletion
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Clone

Vulnerability: Missing Authorization via wp_ajax_tifm_save_decision
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘ucss_connect’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery to Plugin De-Installation
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: PhonePe Payment Solutions

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: CF7 Invisible reCAPTCHA

Vulnerability: Cross-Site Request Forgery via vsz_cf7_invisible_recaptcha_page
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: CMS Press

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Daily Prayer Time

Vulnerability: Cross-Site Request Forgery
Patched Version: 2023.03.17
Recommended Action: Update to version 2023.03.17, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Authenticated (Admin+) Local File Inclusion via import_file_url
Patched Version: 5.4.3
Recommended Action: Update to version 5.4.3, or a newer patched version

Plugin: Modern Footnotes

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.16
Recommended Action: Update to version 1.4.16, or a newer patched version

Plugin: Daily Prayer Time

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2023.05.05
Recommended Action: Update to version 2023.05.05, or a newer patched version

Plugin: Dynamics 365 Integration

Vulnerability: Cross-Site Request Forgery via wp_ajax_wpcrm_log_verbosity
Patched Version: 1.3.13
Recommended Action: Update to version 1.3.13, or a newer patched version

Plugin: WordPress WP-Advanced-Search

Vulnerability: Cross-Site Request Forgery leading to Plugin Settings Updates
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version

Plugin: WordPress Email Marketing Plugin – WP Email Capture

Vulnerability: Missing Authorization to Email Capture List Download
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘clear_uucss_logs’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery via process_bulk_action
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Contributor+) Arbitrary Content Deletion
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: Kopa Framework

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mass Delete Unused Tags

Vulnerability: Cross-Site Request Forgery via plugin_mass_delete_unused_tags_init
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: External Links – nofollow, noopener & new window

Vulnerability: Cross-Site Request Forgery via action_admin_action_wpel_dismiss_notice
Patched Version: 2.58
Recommended Action: Update to version 2.58, or a newer patched version

Plugin: Data Tables Generator by Supsystic

Vulnerability: Missing Authorization
Patched Version: 1.10.26
Recommended Action: Update to version 1.10.26, or a newer patched version

Plugin: LeadSnap

Vulnerability: Unauthenticated PHP Object Injection via AJAX
Patched Version: 1.24
Recommended Action: Update to version 1.24, or a newer patched version

Plugin: Solidres – Hotel booking plugin for WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘clear_page_cache’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘ajax_deactivate’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: WooCommerce Weight Based Shipping

Vulnerability: Cross-Site Request Forgery leading to Plugin Settings Changes
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version

Plugin: WH Testimonials

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery via give_cache_flush
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Missing Authorization via save_popup_enabled_state
Patched Version: 1.18.0
Recommended Action: Update to version 1.18.0, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery via save
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via give_form_grid shortcode
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: Mass Delete Taxonomies

Vulnerability: Cross-Site Request Forgery via mp_plugin_mass_delete_tags_init
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Image Over Image For WPBakery Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Sensitive Data Exposure via debug log file
Patched Version: 1.18.0
Recommended Action: Update to version 1.18.0, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘queue_posts’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Klaviyo

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Print Invoice & Delivery Notes for WooCommerce

Vulnerability: Cross-Site Request Forgery via ts_reset_tracking_setting
Patched Version: 4.7.3
Recommended Action: Update to version 4.7.3, or a newer patched version

Plugin: Site Reviews

Vulnerability: Missing Authorization
Patched Version: 6.6.0
Recommended Action: Update to version 6.6.0, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘ajax_deactivate’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Site Reviews

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 6.6.0
Recommended Action: Update to version 6.6.0, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 6.10.5
Recommended Action: Update to version 6.10.5, or a newer patched version

Plugin: Stock Ticker

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 3.23.1
Recommended Action: Update to version 3.23.1, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘ucss_connect’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG files
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: Auto Prune Posts

Vulnerability: Cross-Site Request Forgery via admin_menu
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘queue_posts’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: WordPress Console

Vulnerability: Missing Authorization via reload.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: W4 Post List

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘w4pl[no_items_text]’
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
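The list above only helps if it is checked against what a site actually runs. The script below is an added example, not code from the original post or from any plugin vendor: it parses entries written in the digest's own "Plugin: / Vulnerability: / Patched Version:" layout, compares them with the output of `wp plugin list --fields=name,title,version --format=csv` (a real WP-CLI command; the rows used here are constructed), and flags any installed version below the patched one, treating "No patched version available" as affecting every installed version. Versions are compared numerically rather than as strings, because a string comparison would rank 3.9 above 3.11 and silently miss the WP Email Capture entry.

```python
"""Cross-check installed WordPress plugin versions against a
Watch Out Wednesday style digest. Added example, not part of the original post."""
from __future__ import annotations

import csv
import io
import re
from typing import NamedTuple, Optional

NO_PATCH = "No patched version available"

# Constructed sample: four entries copied from the digest, in its own layout.
DIGEST = """\
Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Reflected Cross-Site Scripting via ‘ays_pb_tab’ Parameter
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: Site Reviews

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute
Patched Version: 6.6.0
Recommended Action: Update to version 6.6.0, or a newer patched version

Plugin: Exxp

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. It may be best to uninstall the affected software.

Plugin: WordPress Email Marketing Plugin – WP Email Capture

Vulnerability: Missing Authorization to Email Capture List Download
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version
"""

# Constructed sample of `wp plugin list --fields=name,title,version --format=csv`.
# The column names are real WP-CLI fields; the rows are invented for this example.
WP_PLUGIN_LIST_CSV = """\
name,title,version
popup-box,Popup Box – Create Countdown, Coupon, Video, Contact Form Popups,3.4.5
site-reviews,Site Reviews,6.5.2
exxp,Exxp,1.0.3
wp-email-capture,WordPress Email Marketing Plugin – WP Email Capture,3.9
akismet,Akismet Anti-Spam,5.1
"""


class Advisory(NamedTuple):
    plugin: str
    vulnerability: str
    patched: Optional[str]  # None when the digest says no patch exists


class Exposure(NamedTuple):
    plugin: str
    installed: str
    patched: Optional[str]
    vulnerability: str


def parse_digest(text: str) -> list[Advisory]:
    """Turn the digest's 'Plugin: / Vulnerability: / Patched Version:' lines into advisories."""
    advisories: list[Advisory] = []
    plugin = vuln = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Plugin:"):
            plugin = line[len("Plugin:"):].strip()
        elif line.startswith("Vulnerability:"):
            vuln = line[len("Vulnerability:"):].strip()
        elif line.startswith("Patched Version:"):
            value = line[len("Patched Version:"):].strip()
            patched = None if value == NO_PATCH else value
            if plugin and vuln:
                advisories.append(Advisory(plugin, vuln, patched))
            vuln = None  # one advisory per 'Vulnerability:' line
    return advisories


def version_key(version: str) -> tuple[int, ...]:
    """Numeric comparison key: '3.11' sorts after '3.9', and '4.4' equals '4.4.0'.
    Pre-release suffixes such as '1.0-beta' are not distinguished from the release."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(installed: str, patched: Optional[str]) -> bool:
    """Below the patched version is vulnerable; with no patch, every version is."""
    if patched is None:
        return True
    return version_key(installed) < version_key(patched)


def find_exposures(digest_text: str, plugin_list_csv: str) -> list[Exposure]:
    """Match WP-CLI rows to digest entries by plugin title and report affected installs."""
    installed = {row["title"]: row["version"]
                 for row in csv.DictReader(io.StringIO(plugin_list_csv))}
    exposures: list[Exposure] = []
    for adv in parse_digest(digest_text):
        version = installed.get(adv.plugin)
        if version is not None and is_vulnerable(version, adv.patched):
            exposures.append(Exposure(adv.plugin, version, adv.patched, adv.vulnerability))
    return exposures


if __name__ == "__main__":
    for e in find_exposures(DIGEST, WP_PLUGIN_LIST_CSV):
        action = f"update to {e.patched}" if e.patched else "no patch: mitigate or remove"
        print(f"{e.plugin}: installed {e.installed}, {action} ({e.vulnerability})")
```

On a real site, replace the constructed CSV with the output of the WP-CLI command and paste the full digest into DIGEST. Matching is by plugin title, so a plugin whose title has been renamed since the digest was written will not be matched and should be checked by hand; a version equal to the patched one is reported as fixed, while anything lower, or any version of a plugin with no patch, is flagged.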

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
