Watch Out Wednesday – May 24, 2023

Plugin: WooDiscuz – WooCommerce Comments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Go Pricing – WordPress Responsive Pricing Tables

Vulnerability: WordPress Responsive Pricing Tables <= 3.3.19
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.19.2
Recommended Action: Update to version 4.19.2, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Missing Authorization to Admin Account and Ticket Creation
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Missing Authorization to Update License
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: Waiting: One-click countdowns

Vulnerability: Missing Authorization Checks leading to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Missing Authorization to Non-Arbitrary File Upload
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: woocommerce-follow-up-emails

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.50
Recommended Action: Update to version 4.9.50, or a newer patched version

Plugin: BP Social Connect

Vulnerability: Authentication Bypass
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Go Pricing – WordPress Responsive Pricing Tables

Vulnerability: WordPress Responsive Pricing Tables <= 3.3.19
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Activity Log Premium

Vulnerability: Cross-Site Request Forgery via ajax_switch_db
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: Easy Google Maps

Vulnerability: Cross-Site Request Forgery via AJAX action
Patched Version: 1.11.8
Recommended Action: Update to version 1.11.8, or a newer patched version

Plugin: Cookie Monster

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: woocommerce-follow-up-emails

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.9.50
Recommended Action: Update to version 4.9.50, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability:
Patched Version: 3.13.4
Recommended Action: Update to version 3.13.4, or a newer patched version

Plugin: WooCommerce Shipping & Tax

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Go Pricing – WordPress Responsive Pricing Tables

Vulnerability: WordPress Responsive Pricing Tables <= 3.3.19
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: MStore API

Vulnerability: Authentication Bypass
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: UpdraftPlus WordPress Backup Plugin

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage
Patched Version: 1.23.4
Recommended Action: Update to version 1.23.4, or a newer patched version

Plugin: WP htaccess Control

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.83
Recommended Action: Update to version 1.6.83, or a newer patched version

Plugin: WP Activity Log Premium

Vulnerability: Missing Authorization via ajax_switch_db
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: Performance Lab

Vulnerability: Cross-Site Request Forgery via dismiss-wp-pointer
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Customize WordPress Emails and Alerts – Better Notifications for WP

Vulnerability: Cross-Site Request Forgery via handle_actions
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Predictive Search for WooCommerce

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 5.8.1
Recommended Action: Update to version 5.8.1, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: woocommerce-follow-up-emails

Vulnerability: Authenticated Arbitrary File Upload in Template Editing
Patched Version: 4.9.50
Recommended Action: Update to version 4.9.50, or a newer patched version

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: Cross-Site Request Forgery via delete_expired_used_coupon_code
Patched Version: 5.14.2
Recommended Action: Update to version 5.14.2, or a newer patched version

Plugin: Stop Referrer Spam

Vulnerability: Cross-Site Request Forgery via processParameters
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Cross-Site Request Forgery via Multiple Functions
Patched Version: 1.1.3.2
Recommended Action: Update to version 1.1.3.2, or a newer patched version

Plugin: Scripts n Styles

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress File Upload

Vulnerability: Authenticated (Administrator+) Path Traversal
Patched Version: 4.19.2
Recommended Action: Update to version 4.19.2, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Cross-Site Request Forgery to Disable All Plugins
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: WishSuite – Wishlist for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Jazz Popups

Vulnerability: Reflected Cross-Site Scripting via ‘wpjazzpopup_switchonoff’
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Uncanny Automator – Automate everything with the #1 no-code Automation tool for WordPress

Vulnerability: Cross-Site Request Forgery via update_automator_connect
Patched Version: 4.15
Recommended Action: Update to version 4.15, or a newer patched version

Plugin: SEO Change Monitor – Track Website Changes

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MStore API

Vulnerability: Authentication Bypass
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version

Plugin: WeSecur Security – Antivirus, Malware Scanner and Protection for your WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress

Vulnerability: CAPTCHA Bypass
Patched Version: 1.9.118
Recommended Action: Update to version 1.9.118, or a newer patched version

Plugin: Predictive Search for WooCommerce

Vulnerability: Cross-Site Request Forgery via multiple AJAX actions
Patched Version: 5.8.1
Recommended Action: Update to version 5.8.1, or a newer patched version

Plugin: WP Activity Log

Vulnerability: Cross-Site Request Forgery via ajax_run_cleanup
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: Baidu Tongji generator

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Dashboard – Custom WordPress Dashboard

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: Cross-Site Request Forgery via ts_reset_tracking_setting
Patched Version: 5.14.2
Recommended Action: Update to version 5.14.2, or a newer patched version

Plugin: MStore API

Vulnerability: Authentication Bypass
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: WP Activity Log

Vulnerability: Missing Capabilities Check to User Enumeration
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: Smart App Banner

Vulnerability: Cross-Site Request Forgery via wsl_smart_app_banner_options
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Go Pricing – WordPress Responsive Pricing Tables

Vulnerability: WordPress Responsive Pricing Tables <= 3.3.19
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: nuajik

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.