Watch Out Wednesday – March 22, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Kanban Boards for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Request Forgery via admin_galleries
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.25
Recommended Action: Update to version 4.3.25, or a newer patched version

Plugin: Lead Generated

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.25
Recommended Action: Update to version 1.25, or a newer patched version

Plugin: Slide Anything – Responsive Content / HTML Slider and Carousel

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version

Plugin: Userlike – WordPress Live Chat plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Request Forgery via admin_slides
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Dynamics 365 Integration

Vulnerability: Missing Authorization via wp_ajax_wpcrm_log & wp_ajax_wpcrm_log_verbosity
Patched Version: 1.3.13
Recommended Action: Update to version 1.3.13, or a newer patched version

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery to Plugin Reset
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Vertical scroll recent post

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Store Locator WordPress

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via ‘category_name’, ‘description’, ‘description_2’ parameters
Patched Version: 1.4.10
Recommended Action: Update to version 1.4.10, or a newer patched version

Plugin: Tussendoor – Open RDW

Vulnerability: Reflected Cross-Site Scripting via open_data_rdw_kenteken
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Form, Prize, and Sharing Method Fields
Patched Version: 2.45.1
Recommended Action: Update to version 2.45.1, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version

Plugin: Force First and Last Name as Display Name

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.29.1
Recommended Action: Update to version 3.29.1, or a newer patched version

Plugin: Klaviyo

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.10
Recommended Action: Update to version 3.0.10, or a newer patched version

Plugin: Branded Social Images – Open Graph Images with logo and extra text layer

Vulnerability: Missing Authorization leading to Unauthenticated Plugin Settings Updates
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Privilege Escalation via updraft_central_ajax_handler
Patched Version: 1.23.3
Recommended Action: Update to one of the following versions, or a newer patched version: 1.23.3, 2.23.3

Plugin: VigilanTor

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.11
Recommended Action: Update to version 1.3.11, or a newer patched version

Plugin: Team Member – Multi Language Supported Team Plugin

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via new_style_name
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Reflected Cross-Site Scripting via ‘page’ and ‘tab’
Patched Version: 12.1.21
Recommended Action: Update to version 12.1.21, or a newer patched version

Plugin: Lazy Social Comments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Options
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Surbma | GDPR Proof Cookie Consent & Notice Bar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 17.6.0
Recommended Action: Update to version 17.6.0, or a newer patched version

Plugin: Calendar Event Multi View

Vulnerability: Missing Authentication leading to Authenticated (Subscriber+) Private Form Submission
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version

Plugin: WP Simple Events

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JS Job Manager

Vulnerability: Missing Authorization
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: PHP Object Injection
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: Stylish Cost Calculator

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 7.9.0
Recommended Action: Update to version 7.9.0, or a newer patched version

Plugin: Estatik Mortgage Calculator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Tiles

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Website Monetization by MageNet

Vulnerability: Cross-Site Request Forgery via admin_magenet_settings
Patched Version: 1.0.29.2
Recommended Action: Update to version 1.0.29.2, or a newer patched version

Plugin: Bulk Resize Media

Vulnerability: Cross-Site Request Forgery via bulk_resize_resize_image
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard

Vulnerability: Contact Form 7 Standard <= 5.0.6.3 and <= 2.11.0
Patched Version: 2.11.1
Recommended Action: Update to one of the following versions, or a newer patched version: 2.11.1, 5.0.6.4

Plugin: Slideshow Gallery LITE

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Import External Images

Vulnerability: Cross-Site Request Forgery via external_image_import_all_ajax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: InPost Gallery

Vulnerability: Reflected Cross-Site Scripting via ‘imgurl’
Patched Version: 2.1.4.2
Recommended Action: Update to version 2.1.4.2, or a newer patched version

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Reflected Cross-Site Scripting via ‘tax_name’
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Scheduled Announcements Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0
Recommended Action: Update to version 1.0, or a newer patched version

Plugin: Disqus Conditional Load

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 11.1.2
Recommended Action: Update to version 11.1.2, or a newer patched version

Plugin: WP Shortcode by MyThemeShop

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.17
Recommended Action: Update to version 1.4.17, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.7.9.4
Recommended Action: Update to version 2.7.9.4, or a newer patched version

Plugin: Hotel Booking Lite

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: SMTP2GO for WordPress – Email Made Easy

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: WP Popup Banners

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Settings
Patched Version: 2.45.1
Recommended Action: Update to version 2.45.1, or a newer patched version

Plugin: WSB Brands

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via $logo
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: PB SEO Friendly Images

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via form fields
Patched Version: 2.45.1
Recommended Action: Update to version 2.45.1, or a newer patched version

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Missing Authorization
Patched Version: 12.1.21
Recommended Action: Update to version 12.1.21, or a newer patched version

Plugin: HT Feed

Vulnerability: Cross-Site Request Forgery leading to Limited Plugin Activation
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Contact Form Email

Vulnerability: Missing Authorization to Feedback Submission
Patched Version: 1.3.32
Recommended Action: Update to version 1.3.32, or a newer patched version

Plugin: Content Filter – Censor All Offensive Content From Your Site

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Custom Options Plus

Vulnerability: Cross-Site Request Forgery via custom_options_plus_adm
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Custom Author Profiles

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Store Locator for WordPress with Google Maps – LotsOfLocales

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 3.98.8
Recommended Action: Update to version 3.98.8, or a newer patched version

Plugin: Contact Form 7 Redirect & Thank You Page

Vulnerability: Cross-Site Request Forgery via cf7rl_admin_table
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Enhanced Plugin Admin

Vulnerability: Cross-Site Request Forgery via epa_options_page
Patched Version: 1.17
Recommended Action: Update to version 1.17, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 1.8.15
Recommended Action: Update to version 1.8.15, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version

Plugin: WP Popup Banners

Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘value’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Amazon S3 Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin

Vulnerability: Cross-Site Request Forgery leading to Uninstall Form Submission
Patched Version: 3.7.8
Recommended Action: Update to version 3.7.8, or a newer patched version

Plugin: BigContact Contact Page

Vulnerability: Cross-Site Request Forgery leading to Plugin Settings Updates
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Weather Station

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.13
Recommended Action: Update to version 3.8.13, or a newer patched version

Plugin: Google XML Sitemap for Mobile

Vulnerability: Cross-Site Request Forgery via mobile_sitemap_generate
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Express Checkout (Accept PayPal Payments Easily)

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via pec_coupon[code]
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: WordPress Email Marketing Plugin – WP Email Capture

Vulnerability: Information Exposure via wp_email_capture_options_process
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version

Plugin: Custom Field Template

Vulnerability: Cross-Site Request Forgery via Plugin Options Update
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: wpml

Vulnerability: Cross-Site Scripting
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: GamiPress – Youtube integration

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Simple Mobile URL Redirect

Vulnerability: Cross-Site Request Forgery leading to Mobile Redirect Updates
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cyberus Key

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘uid’ in ‘cyberkey_settings’ Plugin Setting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Contact Form 7 – PayPal & Stripe Add-on

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version

Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘mep_get_option’ function
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version

Plugin: Branda – Branda – White Label & Branding, Custom Login Page Customizer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.9
Recommended Action: Update to version 3.4.9, or a newer patched version

Plugin: WordPress Online Booking and Scheduling Plugin – Bookly

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Name
Patched Version: 21.5.1
Recommended Action: Update to version 21.5.1, or a newer patched version

Plugin: ConvertBox Auto Embed WordPress plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.20
Recommended Action: Update to version 1.0.20, or a newer patched version

Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.11.5
Recommended Action: Update to version 6.11.5, or a newer patched version

Plugin: Contact Form Email

Vulnerability: Cross-Site Request Forgery to Feedback Submission
Patched Version: 1.3.32
Recommended Action: Update to version 1.3.32, or a newer patched version

Plugin: Events Made Easy

Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘search_name’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Basic Elements

Vulnerability: Missing Authorization to Plugin Settings Update via wpbe_save_settings
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: JetEngine

Vulnerability: Authenticated (Author+) Arbitrary File Upload to Remote Code Execution
Patched Version: 3.1.3.1
Recommended Action: Update to version 3.1.3.1, or a newer patched version

Plugin: Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN

Vulnerability: Unauthenticated Path Traversal
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Backup Bank: WordPress Backup Plugin

Vulnerability: Missing Authorization via post_user_feedback_backup_bank
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Time Sheets

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.29.3
Recommended Action: Update to version 1.29.3, or a newer patched version

Plugin: WordPress Simple Shopping Cart

Vulnerability: Information Disclosure
Patched Version: 4.6.4
Recommended Action: Update to version 4.6.4, or a newer patched version

Plugin: Be POPIA Compliant

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: WP Tiles

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Cyberus Key

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Return and Warranty Management System for WooCommerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TreePress – Easy Family Trees & Ancestor Profiles

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘post_title’ parameter
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Open Graphite

Vulnerability: Reflected Cross-Site Scripting via topic parameter
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Google XML Sitemap for Videos

Vulnerability: Cross-Site Request Forgery via video_sitemap_generate
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Table of Contents

Vulnerability: Missing Authorization via eztoc_reset_options_to_default
Patched Version: 2.0.46
Recommended Action: Update to version 2.0.46, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.