Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: WPMobile.App — Android and iOS Mobile Application
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 11.21
Recommended Action: Update to version 11.21, or a newer patched version
Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version
Plugin: Configurable Tag Cloud (CTC)
Vulnerability: Cross-Site Request Forgery via ctc_options_page()
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version
Plugin: CopySafe Web Protection
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.14
Recommended Action: Update to version 3.14, or a newer patched version
Plugin: WP FEvents Book
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Generate Images (AI) – Magic Post Thumbnail
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.1.11
Recommended Action: Update to version 4.1.11, or a newer patched version
Plugin: Advanced Local Pickup for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: SMTP Mailing Queue
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Missing Authorization via wp_ajax_stm_wpcfto_get_settings
Patched Version: 2.9.35
Recommended Action: Update to version 2.9.35, or a newer patched version
Plugin: Steveas WP Live Chat Shoutbox
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Happy Addons for Elementor
Vulnerability: Cross-Site Request Forgery via handle_optin_optout()
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version
Plugin: Comment Reply Notification
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sp*tify Play Button for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.08
Recommended Action: Update to version 2.08, or a newer patched version
Plugin: External Media
Vulnerability: Authenticated (Author+) File Upload to Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Trending/Popular Post Slider and Widget
Vulnerability: Cross-Site Request Forgery via wtpsw_post_view_count
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: Zippy
Vulnerability: Authenticated (Contributor+) Sensitive Information Disclosure
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Premmerce
Vulnerability: Cross-Site Request Forgery via runAction
Patched Version: 1.3.19
Recommended Action: Update to version 1.3.19, or a newer patched version
Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress
Vulnerability: Missing Authorization
Patched Version: 8.3.0
Recommended Action: Update to version 8.3.0, or a newer patched version
Plugin: Enhanced WP Contact Form
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Custom More Link Complete
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Random Text
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Direct checkout, Add to cart redirect, Quick purchase button, Buy now button, Quick View button for WooCommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.49
Recommended Action: Update to version 2.1.49, or a newer patched version
Plugin: Premmerce Redirect Manager
Vulnerability: Cross-Site Request Forgery via deleteRedirect()
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version
Plugin: Enhanced WP Contact Form
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: Conditional cart fee / Extra charge rule for WooCommerce extra fees
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.97
Recommended Action: Update to version 1.0.97, or a newer patched version
Plugin: HappyFiles Pro
Vulnerability: Missing Authorization to Arbitrary File Deletion
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version
Plugin: GMAce
Vulnerability: Cross-Site Request Forgery to Arbitrary File Modification (Creation/Overwrite/Deletion)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Welcome Bar
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Easy Quiz Maker
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: Product Enquiry for WooCommerce, WooCommerce product catalog
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.13
Recommended Action: Update to version 2.2.13, or a newer patched version
Plugin: WP Ultimate Review
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: Albo Pretorio On line
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version
Plugin: Welcome Bar
Vulnerability: Missing Authorization
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Responsive Vertical Icon Menu
Vulnerability: Reflected Cross-Site Scripting via ‘id’
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version
Plugin: No CAPTCHA reCAPTCHA for WooCommerce
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Plugin Settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Property Hive
Vulnerability: Reflected Cross-Site Scripting via ‘merge_ids’
Patched Version: 1.5.47
Recommended Action: Update to version 1.5.47, or a newer patched version
Plugin: Coupon Affiliates – Affiliate Plugin for WooCommerce
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.4.4
Recommended Action: Update to version 5.4.4, or a newer patched version
Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)
Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version
Plugin: WishSuite – Wishlist for WooCommerce
Vulnerability: Cross-Site Request Forgery via plugin_activation()
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Mega Main Menu
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: amr ical events lists
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SlimStat Analytics
Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 4.9.3.4
Recommended Action: Update to version 4.9.3.4, or a newer patched version
Plugin: Advanced Custom Fields (ACF)
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 5.12.5
Recommended Action: Update to one of the following versions, or a newer patched version: 5.12.5, 6.1.0
Plugin: Premmerce Redirect Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Missing Authorization on openai_settings_option_callback
Patched Version: 4.4.8
Recommended Action: Update to version 4.4.8, or a newer patched version
Plugin: WP Ultimate Review
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Ajax Search Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.26.2
Recommended Action: Update to version 4.26.2, or a newer patched version
Plugin: JustTables – WooCommerce Product Table
Vulnerability: Cross-Site Request Forgery via plugin_activation()
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Easy Forms for Mailchimp
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.8.8
Recommended Action: Update to version 6.8.8, or a newer patched version
Plugin: Really Simple Google Tag Manager (GTM)
Vulnerability: Cross-Site Request Forgery via plugin_activation
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: Weaver Show Posts
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Display Name
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Libsyn Publisher Hub
Vulnerability: Sensitive Information Exposure
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: ZYREX POPUP
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: Affiliates Manager
Vulnerability: Cross-Site Request Forgery via process_bulk_action()
Patched Version: 2.9.21
Recommended Action: Update to version 2.9.21, or a newer patched version
Plugin: HappyFiles Pro
Vulnerability: Missing Authorization
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version
Plugin: Steveas WP Live Chat Shoutbox
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Menu – WordPress Mega Menu Builder for Elementor
Vulnerability: Cross-Site Request Forgery via plugin_activation
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: HT Builder – WordPress Theme Builder for Elementor
Vulnerability: Cross-Site Request Forgery via plugin_activation
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Social Proof (Testimonial) Slider
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: PixFields
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Health Check & Troubleshooting
Vulnerability: Cross-Site Request Forgery via health_check_troubleshoot_get_captures
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Mobile Banner
Vulnerability: Cross-Site Request Forgery leading to Plugin Settings Changes
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Product page shipping calculator for WooCommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.21
Recommended Action: Update to version 1.3.21, or a newer patched version
Plugin: No CAPTCHA reCAPTCHA for WooCommerce
Vulnerability: Missing Authorization to Notification Dismissal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Order date, Order pickup, Order date time, Pickup Location, delivery date for WooCommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.20
Recommended Action: Update to version 3.0.20, or a newer patched version
Plugin: Ajax Search Lite – Live Search & Filter
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.11.1
Recommended Action: Update to version 4.11.1, or a newer patched version
Plugin: WP FEvents Book
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Booking Manipulation
Patched Version: 0.47
Recommended Action: Update to version 0.47, or a newer patched version
Plugin: Swatchly – WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches)
Vulnerability: Cross-Site Request Forgery via plugin_activation
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.