Watch Out Wednesday – June 14, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins so you can assess the risk to your site and act on it. Each entry gives the affected plugin, the vulnerability class together with the access level an attacker needs (unauthenticated, or authenticated at a given role and above), the first patched version, and the recommended action. Compare the list against the plugins installed on your site: entries that require no authentication, or only a Subscriber-level account on a site with open registration, deserve the fastest response.

Plugin: GD Mail Queue

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Mail logging – WP Mail Catcher

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Vulnerability: Authenticated (Shop Manager+) PHP Object Injection via create_dummy_vendor
Patched Version: 3.7.20
Recommended Action: Update to version 3.7.20, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Subscriber+) Information Disclosure via mf shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Cross-Site Request Forgery to Product Limit Update
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: CF7 Google Sheets Connector Pro

Vulnerability: Reflected Cross-Site Scripting via ‘code’
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Missing Authorization via REST API
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf_transaction_id’ shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.94
Recommended Action: Update to version 3.3.94, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf_last_name shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: WP PDF Generator

Vulnerability: Cross-Site Request Forgery to PDF Settings Update
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Securimage-WP

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Forms Google Sheet Connector Pro

Vulnerability: Reflected Cross-Site Scripting via ‘code’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All Bootstrap Blocks

Vulnerability: Cross-Site Request Forgery to Plugin Settings Reset
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: WooCommerce Stripe Payment Gateway

Vulnerability: Missing Authorization
Patched Version: 7.4.1
Recommended Action: Update to version 7.4.1, or a newer patched version

Plugin: WP Directory Kit

Vulnerability: Missing Authorization to Plugin Settings Change/Delete, Demo Import, Directory Kit Deletion via wdk_admin_action
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Ninja Forms Google Sheet Connector

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: ND Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version

Plugin: Download Monitor

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload via upload_file
Patched Version: 4.8.4
Recommended Action: Update to version 4.8.4, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: YaySMTP – WP SMTP Plugin with Full Email Log & 15+ SMTP Services

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Rental and Booking Manager for Bike, Car, Dress, Resort with WooCommerce Integration – WpRently | WordPress plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Protect WP Admin

Vulnerability: Unauthenticated Information Disclosure to Protection Bypass
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: WooCommerce Stripe Payment Gateway

Vulnerability: Unauthenticated Insecure Direct Object Reference to Sensitive Information Disclosure
Patched Version: 5.5.1 for the oldest affected branch; each later release branch has its own patched point release (listed below)
Recommended Action: Update to the patched release for your installed branch, or a newer patched version: 5.5.1, 5.6.3, 5.7.1, 5.8.2, 5.9.1, 6.0.1, 6.1.1, 6.2.1, 6.3.1, 6.4.4, 6.5.2, 6.6.1, 6.7.1, 6.8.1, 6.9.1, 7.0.3, 7.1.1, 7.2.1, 7.3.1, 7.4.1

Plugin: Login Configurator

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPForms Google Sheet Connector Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Cross-Site Request Forgery to Order Message Update
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category, and more

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Missing Authorization
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.1.24
Recommended Action: Update to version 3.1.24, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Subscriber+) Information Disclosure via mf_thankyou shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: FiboSearch – Ajax Search for WooCommerce

Vulnerability: Not described in this entry; the affected range is AJAX Search for WooCommerce <= 1.23.0
Patched Version: 1.24.0
Recommended Action: Update to version 1.24.0, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf_thankyou shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Recent Posts Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Subscriber+) Information Disclosure via mf_last_name shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Elementor Addons, Widgets and Enhancements – Stax

Vulnerability: Missing Authorization in toggle_widget
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: ND Shortcodes

Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Race Condition to Multiple Poll Voting
Patched Version: 1.24.1
Recommended Action: Update to version 1.24.1, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Cross-Site Request Forgery to Order Title Update
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf_first_name shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: WP-Members Membership Plugin

Vulnerability: Missing Authorization to Settings Update
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: Elementor Addons, Widgets and Enhancements – Stax

Vulnerability: Cross-Site Request Forgery via toggle_widget
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Cross-Site Request Forgery to Order Status Update
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘orderby’
Patched Version: 5.4.11
Recommended Action: Update to version 5.4.11, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Unauthenticated CSV Injection
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Cross-Site Request Forgery to Firebase Server Key Update
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: Lana Email Logger

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf_payment_status’ shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Cross-Site Request Forgery via edd_trigger_upgrades
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Church Admin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.30
Recommended Action: Update to version 3.7.30, or a newer patched version

Plugin: WP Mail Logging

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched Version: 1.11.2
Recommended Action: Update to version 1.11.2, or a newer patched version

Plugin: Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: WordPress Contact Forms by Cimatti

Vulnerability: Cross-Site Request Forgery via _accua_forms_form_edit_action
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
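Every recommended action above reduces to the same check: is the installed version at or past the patched one? The following Python script is an added example, not code from the original post or from any of the listed plugins. It compares the JSON that WP-CLI prints for `wp plugin list --fields=name,version --format=json` against patched versions transcribed from this list. The plugin slugs used as dictionary keys are assumed (the list gives only display names), and the plugin inventory it runs on is a constructed sample. It handles the two pitfalls this list exposes: versions must be compared numerically, not as strings (3.9.10 is newer than 3.9.7), and an advisory like the WooCommerce Stripe Payment Gateway entry ships one fix per release branch, so the right target is the fix on the installed branch rather than the highest version.

```python
import json
import re
from typing import Optional

# Patched versions transcribed from the entries above. Keys are the plugin
# slugs that `wp plugin list` prints; the slugs are assumed, since the page
# gives only display names. Several patched versions means one fix per
# release branch; an empty list means the page reports no patched version.
STRIPE_PATCHED = ["5.5.1", "5.6.3", "5.7.1", "5.8.2", "5.9.1", "6.0.1", "6.1.1",
                  "6.2.1", "6.3.1", "6.4.4", "6.5.2", "6.6.1", "6.7.1", "6.8.1",
                  "6.9.1", "7.0.3", "7.1.1", "7.2.1", "7.3.1", "7.4.1"]
ADVISORIES = {
    "gd-mail-queue": ["4.0"],
    "wp-mail-catcher": ["2.1.3"],
    "dokan-lite": ["3.7.20"],
    "metform": ["3.3.2"],          # highest of the MetForm fixes listed (3.3.1 and 3.3.2)
    "mstoreapi": ["3.9.7"],
    "tutor": ["2.2.1"],
    "download-monitor": ["4.8.4"],
    "wp-mail-logging": ["1.11.2"],
    "woocommerce-gateway-stripe": STRIPE_PATCHED,
    "securimage-wp": [],           # no patched version available
}


def parse_version(v: str) -> tuple:
    """Numeric tuple so that 3.9.10 sorts after 3.9.7 (string comparison gets this wrong).
    Pads to three components ("4.0" equals "4.0.0"); suffixes such as -beta are ignored."""
    parts = [int(x) for x in re.findall(r"\d+", v)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def patch_target(installed: str, patched_versions: list) -> Optional[str]:
    """Pick the patched release that applies to this install, or None if the advisory has no fix.
    A fix on the same major.minor branch wins; otherwise the smallest patched version above
    the installed one; otherwise the newest patched version (the install is already past it)."""
    if not patched_versions:
        return None
    inst = parse_version(installed)
    for p in patched_versions:
        if parse_version(p)[:2] == inst[:2]:
            return p
    newer = [p for p in patched_versions if parse_version(p) > inst]
    return min(newer, key=parse_version) if newer else max(patched_versions, key=parse_version)


def is_patched(installed: str, patched_versions: list) -> bool:
    target = patch_target(installed, patched_versions)
    return target is not None and parse_version(installed) >= parse_version(target)


def find_vulnerable(plugin_list_json: str, advisories: dict = ADVISORIES) -> list:
    """Return one finding per installed plugin that is below its patched version."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug, version = plugin["name"], plugin["version"]
        if slug not in advisories or is_patched(version, advisories[slug]):
            continue
        target = patch_target(version, advisories[slug])
        findings.append({
            "plugin": slug,
            "installed": version,
            "action": f"update to {target}" if target
                      else "no patched version available; mitigate or remove",
        })
    return findings


# Constructed sample of `wp plugin list --fields=name,version --format=json`;
# not output captured from a real site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "wp-mail-catcher", "version": "2.1.3"},             # exactly the patched version
    {"name": "mstoreapi", "version": "3.9.10"},                  # newer than 3.9.7, although "3.9.10" < "3.9.7" as strings
    {"name": "metform", "version": "3.3.1"},                     # has the XSS fixes, lacks the 3.3.2 information-disclosure fixes
    {"name": "woocommerce-gateway-stripe", "version": "6.4.3"},  # 6.4 branch: the target is 6.4.4, not 7.4.1
    {"name": "securimage-wp", "version": "3.5.4"},               # no fix exists at any version
    {"name": "akismet", "version": "5.1"},                       # not on this week's list
])

if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_WP_PLUGIN_LIST):
        print(f"{f['plugin']} {f['installed']}: {f['action']}")
```

To run it against a real site, replace the sample with the output of `wp plugin list --fields=name,version --format=json` and extend ADVISORIES with the remaining entries from the list. Note that the check only tells you a plugin is below the patched version; for the entries with no patched version available it always reports a finding, which is the intended behaviour, since the only remediations there are mitigation or removal.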

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
