Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: WordPress NextGen GalleryView
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Square
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version
Plugin: Export All URLs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version
Plugin: Sermon’e – Sermons Online
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Website Builder Pro
Vulnerability: Missing Authorization
Patched Version: 3.13.1
Recommended Action: Update to version 3.13.1, or a newer patched version
Plugin: Recent Posts Slider
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sermon'e – Sermons Online
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce PayPal Payments
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Product Vendors
Vulnerability: Authenticated (Shop manager+) SQL Injection
Patched Version: 2.1.79
Recommended Action: Update to version 2.1.79, or a newer patched version
Plugin: EventON
Vulnerability: Insecure Direct Object Reference to Unauthorized Post Access
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Complianz Premium – GDPR/CCPA Cookie Consent
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.8
Recommended Action: Update to version 6.4.8, or a newer patched version
Plugin: WooPayments: Integrated WooCommerce Payments
Vulnerability: Missing Authorization via redirect_pay_for_order_to_update_payment_method
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Unauthorized Account Access and Privilege Escalation
Patched Version: 4.10.8
Recommended Action: Update to version 4.10.8, or a newer patched version
Plugin: Form Builder | Create Responsive Contact Forms
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mailtree Log Mail
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: 胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件
Vulnerability: Missing Authorization
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: WooCommerce Bulk Stock Management
Vulnerability: Cross-Site Scripting
Patched Version: 2.2.34
Recommended Action: Update to version 2.2.34, or a newer patched version
Plugin: LWS Tools
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: All In One Redirection
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Smoothscroller
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Greeklish-permalink
Vulnerability: Missing Authorization via cyrtrans_ajax_old AJAX action
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Missing Authorization to Course Category Creation
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version
Plugin: Companion Sitemap Generator – HTML & XML
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version
Plugin: Gutenverse – Ultimate Block Addons and Page Builder for Site Editor
Vulnerability: Missing Authorization via ‘data/update’ API Endpoint
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version
Plugin: CHP Ads Block Detector
Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version
Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.13.53
Recommended Action: Update to version 7.13.53, or a newer patched version
Plugin: Seed Fonts
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: Enable SVG Uploads
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: breadcrumb simple
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Float menu – awesome floating side menu
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version
Plugin: Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent
Vulnerability: Authenticated (Administrator+) CSV Injection
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version
Plugin: WP Backup Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Core Web Vitals & PageSpeed Booster
Vulnerability: Open Redirect via _wp_http_referer
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version
Plugin: MojoPlug Slide Panel
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CHP Ads Block Detector
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version
Plugin: Who Hit The Page – Hit Counter
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Recipe Cards For Your Food Blog from Zip Recipes
Vulnerability: Cross-Site Request Forgery
Patched Version: 8.0.8
Recommended Action: Update to version 8.0.8, or a newer patched version
Plugin: Call Now Accessibility Button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: HTTP Headers
Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: 1.18.11
Recommended Action: Update to version 1.18.11, or a newer patched version
Plugin: WPBakery Page Builder for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.13.0
Recommended Action: Update to version 6.13.0, or a newer patched version
Plugin: Matterport Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Missing Authorization in check_score
Patched Version: 1.15.17
Recommended Action: Update to version 1.15.17, or a newer patched version
Plugin: Simple Iframe
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via block attributes
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Extra User Details
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.5.1
Recommended Action: Update to version 0.5.1, or a newer patched version
Plugin: Template Debugger
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PrePost SEO
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version
Plugin: Potent Donations for WooCommerce
Vulnerability: Cross-Site Request Forgery in hm_wcdon_admin_page
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version
Plugin: Stock Manager for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version
Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Vulnerability: Missing Authorization
Patched Version: 1.5.66
Recommended Action: Update to version 1.5.66, or a newer patched version
Plugin: Extra User Details
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.5.1
Recommended Action: Update to version 0.5.1, or a newer patched version
Plugin: WooCommerce Brands
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.50
Recommended Action: Update to version 1.6.50, or a newer patched version
Plugin: WP Sticky Social
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: WooCommerce Subscription
Vulnerability: Missing Authorization to Insecure Direct Object Reference
Patched Version: 5.1.3
Recommended Action: Update to version 5.1.3, or a newer patched version
Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.1.3
Recommended Action: Update to version 1.8.1.3, or a newer patched version
Plugin: LWS Cleaner
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Constant Contact Forms
Vulnerability: Missing Authorization via constant_contact_privacy_ajax_handler
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: WP Affiliate Links
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Flo Forms – Easy Drag & Drop Form Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.41
Recommended Action: Update to version 1.0.41, or a newer patched version
Plugin: Display Custom Fields – wpView
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CMS Commander – Manage Multiple Sites
Vulnerability: Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
Patched Version: 2.288
Recommended Action: Update to version 2.288, or a newer patched version
Plugin: Google Map Shortcode
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 1.5.67
Recommended Action: Update to version 1.5.67, or a newer patched version
Plugin: Booking Calendar | Appointment Booking | Bookit
Vulnerability: Authentication Bypass
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version
Plugin: TinyMCE Custom Styles
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: AN_GradeBook
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version
Plugin: EventON
Vulnerability: Missing Authorization to Event Access
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: WooPayments: Integrated WooCommerce Payments
Vulnerability: Authenticated (Shop manager+) SQL Injection via currency parameters
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version
Plugin: CHP Ads Block Detector
Vulnerability: Cross-Site Request Forgery via chp_abd_action
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version
Plugin: Galleria
Vulnerability: Cross-Site Request Forgery via showOptionsPage
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Recipe Cards For Your Food Blog from Zip Recipes
Vulnerability: Cross-Site Request Forgery
Patched Version: 8.0.8
Recommended Action: Update to version 8.0.8, or a newer patched version
Plugin: Image Protector
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Buy Me a Coffee – Button and Widget Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version
Plugin: Contact Form by WD – responsive drag & drop contact form builder tool
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.