Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: PDQ CSV
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Five Star Restaurant Menu and Food Ordering
Vulnerability: Cross-Site Request Forgery via maybe_duplicate_item
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: WP Shopping Pages
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Vulnerability: Unauthenticated Reflected Cross-Site Scripting via Tag Filter Links
Patched Version: 2.0.13.1
Recommended Action: Update to version 2.0.13.1, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Question Title
Patched Version: 8.1.11
Recommended Action: Update to version 8.1.11, or a newer patched version
Plugin: kk Star Ratings – Rate Post & Collect User Feedbacks
Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: 5.4.4
Recommended Action: Update to version 5.4.4, or a newer patched version
Plugin: MultiParcels Shipping For WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.4
Recommended Action: Update to version 1.15.4, or a newer patched version
Plugin: WP Food Manager – Restaurant Menu & Online Food Ordering for WooCommerce – Food Delivery & Pickup – Table Reservation
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Checkout with Zelle on Woocommerce
Vulnerability: Missing Authorization
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version
Plugin: Chat Button & Custom ChatGPT-Powered Bot by GetButton.io
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.8.10
Recommended Action: Update to version 1.8.10, or a newer patched version
Plugin: Art Direction
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YARPP – Yet Another Related Posts Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.30.4
Recommended Action: Update to version 5.30.4, or a newer patched version
Plugin: WP Testimonials
Vulnerability: Cross-Site Request Forgery to Widget Deletion
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: YourMembership Single Sign On – YM SSO Login
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Export and Import Users and Customers
Vulnerability: Missing Authorization to Authenticated (Shop Manager) Arbitrary User Password Change
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Authenticated (Subscriber+) Arbitrary Option Update
Patched Version: 5.5.2
Recommended Action: Update to version 5.5.2, or a newer patched version
Plugin: YASR – Yet Another Star Rating Plugin for WordPress
Vulnerability: Reflected Cross-Site Scripting via fs_request_get
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Dovetail
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Data Retrieval
Patched Version: 1.5.89
Recommended Action: Update to version 1.5.89, or a newer patched version
Plugin: Spectra – WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery in import_wpforms
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version
Plugin: WP Donate
Vulnerability: Unauthenticated SQL Injection in donate-display.php
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.17
Recommended Action: Update to version 2.7.17, or a newer patched version
Plugin: ShopConstruct – Product Catalog, Shopping Cart and eCommerce solution for Store
Vulnerability: Reflected Cross-Site Scripting via multiple parameters
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Donate
Vulnerability: SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Media Library Assistant
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: User Activity Log
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: HTTP Headers
Vulnerability: Server-Side Request Forgery
Patched Version: 1.19.0
Recommended Action: Update to version 1.19.0, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Hardcoded Encryption Key
Patched Version: 5.5.1
Recommended Action: Update to version 5.5.1, or a newer patched version
Plugin: Integrate Google Drive
Vulnerability: Missing Authorization via REST API Endpoints
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Zippy
Vulnerability: Missing Authorization via adminInit
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Variation Swatches for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version
Plugin: Replace Word
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: what3words Address Field
Vulnerability: Authenticated (Administrator+) Sensitive Information Exposure in class-w3w-autosuggest-public.php
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version
Plugin: Easyship WooCommerce Shipping Rates
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 0.9.1
Recommended Action: Update to version 0.9.1, or a newer patched version
Plugin: Ninja Popups
Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Qubely – Advanced Gutenberg Blocks
Vulnerability: Insufficient Authorization
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Excessive Quiz Attempts
Patched Version: 8.1.11
Recommended Action: Update to version 8.1.11, or a newer patched version
Plugin: User Activity Log
Vulnerability: Unauthenticated SQL Injection via username
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: cartflows-pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.11.12
Recommended Action: Update to version 1.11.12, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Unauthenticated MailChimp API Key Disclosure
Patched Version: 1.3.71
Recommended Action: Update to version 1.3.71, or a newer patched version
Plugin: Coming Soon Chop Chop
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YourMembership Single Sign On – YM SSO Login
Vulnerability: Missing Authorization
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Contact Form to Any API
Vulnerability: Authenticated (Administrator+) SQL Injection via ‘form_id’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Spectra – WordPress Gutenberg Blocks
Vulnerability: Missing Authorization
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.119.1
Recommended Action: Update to version 1.0.119.1, or a newer patched version
Plugin: IURNY by INDIGITALL – WhatsApp Chat, Web Push Notifications (FREE)
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version
Plugin: Back In Stock Notifier for WooCommerce | Manage Inventory and Waitlist Product for WooCommerce
Vulnerability: Information Disclosure
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: MF Gig Calendar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via event_title and event_time
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version
Plugin: Bubble Menu – Sticky Navigation with Floating Button Menu Solution
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: MultiParcels Shipping For WooCommerce
Vulnerability: Authenticated (Subscriber+) SQL Injection via id
Patched Version: 1.14.15
Recommended Action: Update to version 1.14.15, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Missing Authorization to Arbitrary Group Option Modification and Privilege Escalation
Patched Version: 5.5.3
Recommended Action: Update to version 5.5.3, or a newer patched version
Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.0.65
Recommended Action: Update to version 1.0.65, or a newer patched version
Plugin: Variation Images Gallery for WooCommerce
Vulnerability: Reflected Cross-Site Scripting via style
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: Falang multilanguage for WordPress
Vulnerability: Cross-Site Request Forgery via add_language
Patched Version: 1.3.40
Recommended Action: Update to version 1.3.40, or a newer patched version
Plugin: Contact Form Generator : Creative form builder for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: Radio Forge Muses Player with Skins
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Spectra – WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery in template_importer
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Missing Authorization to User Import
Patched Version: 5.5.2
Recommended Action: Update to version 5.5.2, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Membership Plugin <= 4.0.16
Patched Version: 4.0.17
Recommended Action: Update to version 4.0.17, or a newer patched version
Plugin: MailArchiver
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version
Plugin: MultiParcels Shipping For WooCommerce
Vulnerability: Missing Authorization via get_history
Patched Version: 1.14.14
Recommended Action: Update to version 1.14.14, or a newer patched version
Plugin: WPBulky – WordPress Bulk Edit Post Types
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version
Plugin: Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Vulnerability: Open Redirect
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Custom Field For WP Job Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: WP Social AutoConnect
Vulnerability: Cross-Site Request Forgery via jfb_admin_page
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version
Plugin: Buy Me a Coffee – Button and Widget Plugin
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version
Plugin: DirectoryPress – Business Directory And Classified Ad Listing
Vulnerability: Missing Authorization
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version
Plugin: Slider a SlidersPack – Image Slider, Post Slider, ACF Gallery Slider
Vulnerability: Missing Authorization via wp_spaios_save_attachment_data
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.