Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Sitekit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘sitekit_iframe’ shortcode
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: PowerPress Podcasting plugin by Blubrry
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery via wp_ajax_powerpress_media_info
Patched Version: 11.0.7
Recommended Action: Update to version 11.0.7, or a newer patched version
Plugin: WP Users Media
Vulnerability: Cross-Site Request Forgery in wpusme_save_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP VK-付费内容插件(付费阅读/资料/工具软件资源管理)
Vulnerability: Cross-Site Request Forgery via AJAX actions
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Solid Central – Site Management, Backups, Security, and Reporting
Vulnerability: Cross-Site Request Forgery and Missing Authorization via ‘hide_authenticate_notice’
Patched Version: 2.1.14
Recommended Action: Update to version 2.1.14, or a newer patched version
Plugin: Pricing Deals for WooCommerce
Vulnerability: Missing Authorization via vtprd_ajax_clone_rule
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Site Reviews
Vulnerability: Missing Authorization
Patched Version: 6.10.3
Recommended Action: Update to version 6.10.3, or a newer patched version
Plugin: GuruWalk Affiliates
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version
Plugin: Social Media Share Buttons & Social Sharing Icons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version
Plugin: LuckyWP Scripts Control
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Olive One Click Demo Import
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload in olive_one_click_demo_import_save_file
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SlimStat Analytics
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.0.10
Recommended Action: Update to version 5.0.10, or a newer patched version
Plugin: URL Shortener by MyThemeShop
Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Share Boost
Vulnerability: Cross-Site Request Forgery via ‘syntatical_settings_content’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Translate WordPress with GTranslate
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via Multiple Parameters
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version
Plugin: ElementsKit Elementor addons
Vulnerability: Missing Authorization
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version
Plugin: Locatoraid Store Locator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.24
Recommended Action: Update to version 3.9.24, or a newer patched version
Plugin: Maintenance Switch
Vulnerability: Cross-Site Request Forgery via ‘admin_action_request’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sitekit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘sitekit_iframe’ shortcode
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version
Plugin: Order Tracking – WordPress Status Tracking Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version
Plugin: WP Users Media
Vulnerability: Missing Authorization via wpusme_save_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Leyka
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.30.3
Recommended Action: Update to version 3.30.3, or a newer patched version
Plugin: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Vulnerability: Authenticated (Author+) Arbitrary File Upload in handle_folders_file_upload
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.25.0
Recommended Action: Update to version 1.25.0, or a newer patched version
Plugin: Secure Admin IP
Vulnerability: Missing Authorization via ‘saveSettings’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Category Slider and Product Category Showcase for WooCommerce – WooCategory
Vulnerability: Missing Authorization via notice dismissal functionality
Patched Version: 1.4.16
Recommended Action: Update to version 1.4.16, or a newer patched version
Plugin: Localize Remote Images
Vulnerability: Cross-Site Request Forgery via admin menu
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DoLogin Security
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version
Plugin: WP Super Minify
Vulnerability: Cross-Site Request Forgery via ‘wpsmy_admin_options’
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Prevent files / folders access
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload in mo_media_restrict_page
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version
Plugin: Bridge Core
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: Import XML and RSS Feeds
Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: Snap Pixel
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FV Flowplayer Video Player
Vulnerability: Insufficient Input Validation to Unauthenticated Stored Cross-Site Scripting and Arbitrary Usermeta Update
Patched Version: 7.5.39.7212
Recommended Action: Update to version 7.5.39.7212, or a newer patched version
Plugin: Ditty – Responsive News Tickers, Sliders, and Lists
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version
Plugin: Happy Addons for Elementor Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version
Plugin: Ultimate Addons for Contact Form 7
Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: MakeStories (for Google Web Stories)
Vulnerability: Cross-Site Request Forgery via ‘ms_set_options’
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: Easy Coming Soon
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version
Plugin: Email Encoder – Protect Email Addresses and Phone Numbers
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: AffiliateWP
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Activation
Patched Version: 2.14.1
Recommended Action: Update to version 2.14.1, or a newer patched version
Plugin: Order Tracking – WordPress Status Tracking Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version
Plugin: Import XML and RSS Feeds
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: Premmerce User Roles
Vulnerability: Missing Authorization via role management functions
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version
Plugin: Search Analytics for WP
Vulnerability: Reflected Cross-Site Scripting via ‘render_stats_page’
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.