Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. Addressing these vulnerabilities promptly helps protect the safety and integrity of your WordPress site and its data.
Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)
Vulnerability: Cross-Site Request Forgery in new_voucher_template.php
Patched Version: 4.3.6
Recommended Action: Update to version 4.3.6, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.24.4
Recommended Action: Update to version 1.24.4, or a newer patched version
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Plaintext Storage of Credentials
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version
Plugin: WP Dummy Content Generator
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Shortcode IMDB
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Back In Stock Notifier for WooCommerce | Manage Inventory and Waitlist Product for WooCommerce
Vulnerability: Missing Authorization via API
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Authors List
Vulnerability: Reflected Cross-Site Scripting via al_id
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: School Management System – WPSchoolPress
Vulnerability: Missing Authorization
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: WooCommerce Pre-Orders
Vulnerability: Cross-Site Request Forgery to Order Cancellation
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim
Vulnerability: Client Interface <= 3.9.1
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version
Plugin: WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YASR – Yet Another Star Rating Plugin for WordPress
Vulnerability: Missing Authorization to Vote Tampering
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version
Plugin: Classified Listing – Classified ads & Business Directory Plugin
Vulnerability: Cross-Site Request Forgery via rtcl_ajax_thumbnail_delete
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: BuddyPress Builder for Elementor – BuddyBuilder
Vulnerability: BuddyPress Builder for Elementor <= 1.7.3
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: Getnet Argentina para WooCommerce
Vulnerability: 0.0.4
Patched Version: 0.0.5
Recommended Action: Update to version 0.0.5, or a newer patched version
Plugin: Stripe Payment forms for WordPress – WP Full Pay
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.0.6
Recommended Action: Update to version 7.0.6, or a newer patched version
Plugin: WP Default Feature Image
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Missing Authorization
Patched Version: 4.2.3.1
Recommended Action: Update to version 4.2.3.1, or a newer patched version
Plugin: Social Share Boost
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: WP Reroute Email
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels
Vulnerability: Insecure Direct Object Reference
Patched Version: 2.7.16
Recommended Action: Update to version 2.7.16, or a newer patched version
Plugin: WooCommerce Warranty Requests
Vulnerability: Missing Authorization
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Grid Kit Premium
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Cross-Site Request Forgery via process_data
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: BadgeOS
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Title Overwrite
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: View All Post's Pages
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.1
Recommended Action: Update to version 0.9.1, or a newer patched version
Plugin: Buy Me a Coffee – Button and Widget Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version
Plugin: BadgeOS
Vulnerability: Missing Authorization in delete_badgeos_log_entries
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booking Package
Vulnerability: Authorization Bypass to Arbitrary Password Reset
Patched Version: 1.5.99
Recommended Action: Update to version 1.5.99, or a newer patched version
Plugin: RSVPMaker
Vulnerability: Authenticated (Administrator+) SQL Injection via ‘resend’
Patched Version: 10.5.5
Recommended Action: Update to version 10.5.5, or a newer patched version
Plugin: Livestream Notice
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: Visibility Logic for Elementor
Vulnerability: Missing Authorization via admin_post ‘toggle_option’
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version
Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version
Plugin: BadgeOS
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.13.54
Recommended Action: Update to version 7.13.54, or a newer patched version
Plugin: Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 0.3.2
Recommended Action: Update to version 0.3.2, or a newer patched version
Plugin: WPAdmin AWS CDN
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin
Vulnerability: Missing Authorization to Sensitive Data Exposure
Patched Version: 1.5.89
Recommended Action: Update to version 1.5.89, or a newer patched version
Plugin: Short URL
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: IP2Location Country Blocker
Vulnerability: Bypass via IP Spoofing
Patched Version: 2.29.2
Recommended Action: Update to version 2.29.2, or a newer patched version
Plugin: WP Mail Log
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Product Category Tree
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SMTP Mail
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Ship to Multiple Addresses
Vulnerability: Missing Authorization
Patched Version: 3.8.6
Recommended Action: Update to version 3.8.6, or a newer patched version
Plugin: Social Media Icons Widget
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.13
Recommended Action: Update to version 1.3.13, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Denial of Service via Large Form Submissions
Patched Version: 3.6.26
Recommended Action: Update to version 3.6.26, or a newer patched version
Plugin: Simple Light Weight Social Share (Tweet, Like, Share and Linkedin)
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: WooCommerce GoCardless Gateway
Vulnerability: Unauthenticated Insecure Direct Object Reference
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version
Plugin: WooCommerce Ship to Multiple Addresses
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.6
Recommended Action: Update to version 3.8.6, or a newer patched version
Plugin: Visibility Logic for Elementor
Vulnerability: Cross-Site Request Forgery via toggle_option
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version
Plugin: Image Social Feed Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popups supercharged: Stunning templates for email, SMS, discount popups, product recommendation etc.
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Buy Me a Coffee – Button and Widget Plugin
Vulnerability: Missing Authorization
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version
Plugin: Custom Registration Forms Builder for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: WooCommerce Pre-Orders
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: Terms descriptions
Vulnerability: Reflected Cross-Site Scripting via term_search
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version
Plugin: WDS Multisite Aggregate
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Bulk edit image alt tag, caption & description – WordPress Media Library Helper by Codexin
Vulnerability: Cross-Site Request Forgery via rate_the_plugin_action
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Premium Addons Pro for Elementor
Vulnerability: Missing Authorization
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version
Plugin: Twittee Text Tweet
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JetFormBuilder — Dynamic Blocks Form Builder
Vulnerability: Authenticated (Author+) Privilege Escalation
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: BadgeOS
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Premium Addons Pro for Elementor
Vulnerability: Sensitive Information Exposure
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version
Plugin: WP Dummy Content Generator
Vulnerability: Missing Authorization
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Secondary Title
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: oAuth Twitter Feed for Developers
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: HTTP Headers
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.19.0
Recommended Action: Update to version 1.19.0, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.