Watch Out Wednesday – May 10, 2023

Plugin: Zero Spam for WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.4.5
Recommended Action: Update to version 5.4.5, or a newer patched version

Plugin: WPO365 | Mail Integration for Office 365 / Outlook

Vulnerability: Reflected Cross-Site Scripting via error_description
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: WPPizza – A Restaurant Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.17.2
Recommended Action: Update to version 3.17.2, or a newer patched version

Plugin: Team Circle Image Slider With Lightbox

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.18
Recommended Action: Update to version 1.0.18, or a newer patched version

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via wpbe_update_page_field
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Community by PeepSo – Social Network, Membership, Registration, User Profiles

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UserAgent-Spy

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Appointments

Vulnerability: Cross-Site Request Forgery via multiple AJAX actions
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hide My WP Ghost – Security Plugin

Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: 5.0.20
Recommended Action: Update to version 5.0.20, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Reflected Cross-Site Scripting via page parameter
Patched Version: 4.9.4
Recommended Action: Update to version 4.9.4, or a newer patched version

Plugin: WP Job Portal – A Complete Job Board

Vulnerability: Missing Authorization to Settings Modification
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress

Vulnerability: Missing Authorization
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Restaurant Menu – Food Ordering System – Table Reservation

Vulnerability: Ordering
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: My WP Customize Admin/Frontend

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.21.1
Recommended Action: Update to version 1.21.1, or a newer patched version

Plugin: Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multi Rating

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OSM – OpenStreetMap

Vulnerability: OpenStreetMap <= 6.1
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DX Delete Attached Media

Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: TK Google Fonts GDPR Compliant

Vulnerability: Authorization Bypass
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: Multi Rating

Vulnerability: Cross-Site Request Forgery to Arbitrary Ratings Value Change
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Library Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.6.1
Recommended Action: Update to version 2.0.6.1, or a newer patched version

Plugin: Snow Monkey Forms

Vulnerability: Directory Traversal via ‘view’ REST endpoint
Patched Version: 5.0.7
Recommended Action: Update to version 5.0.7, or a newer patched version

Plugin: Manager for Icomoon

Vulnerability: Unauthenticated Arbitrary File Upload via ‘upload’
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Manager for Icomoon

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

Vulnerability: Cross-Site Request Forgery via shortpixel_ai_handle_page_action
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: WP Job Portal – A Complete Job Board

Vulnerability: Cross-Site Request Forgery to Settings Modification
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FV Flowplayer Video Player

Vulnerability: Reflected Cross-Site Scripting via id
Patched Version: 7.5.35.7212
Recommended Action: Update to version 7.5.35.7212, or a newer patched version

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional

Vulnerability: Cross-Site Request Forgery via wpbe_update_page_field
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Participants Database

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Participants Database

Vulnerability: Cross-Site Request Forgery via _process_general
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Library Viewer

Vulnerability: Open Redirect via ‘redirect_to’
Patched Version: 2.0.6.1
Recommended Action: Update to version 2.0.6.1, or a newer patched version

Plugin: Albo Pretorio On line

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.4
Recommended Action: Update to version 4.6.4, or a newer patched version

Plugin: Hostel

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Manage Bookings
Patched Version: 1.1.5.2
Recommended Action: Update to version 1.1.5.2, or a newer patched version

Plugin: TP Education

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcodes
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: Advanced Custom Fields Pro

Vulnerability: Reflected Cross-Site Scripting via ‘post_status’
Patched Version: 6.1.6
Recommended Action: Update to version 6.1.6, or a newer patched version

Plugin: Photo Gallery by Ays – Responsive Image Gallery

Vulnerability: Reflected Cross-Site Scripting via ays_gpg_settings_tab
Patched Version: 5.1.4
Recommended Action: Update to version 5.1.4, or a newer patched version

Plugin: QuBot – Chatbot Builder with Templates

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Contact Form 7 extension for Google Map fields

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: Albo Pretorio On line

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.4
Recommended Action: Update to version 4.6.4, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Reflected Cross-Site Scripting via ‘post_status’
Patched Version: 6.1.6
Recommended Action: Update to version 6.1.6, or a newer patched version

Plugin: Multi Rating

Vulnerability: Missing Authorization to Arbitrary Ratings Value Change
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pro Mime Types

Vulnerability: Manage file media types <= 1.0.7
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: MW WP Form

Vulnerability: Directory Traversal via _file_upload
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: CM Pop-Up banners for WordPress

Vulnerability: Authenticated (Subscriber+) SQL Injection via getStatistics
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version