Watch Out Wednesday – December 20, 2023

Plugin: E2Pdf – Export To Pdf Tool for WordPress

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.20.26
Recommended Action: Update to version 1.20.26, or a newer patched version

Plugin: Image horizontal reel scroll slideshow

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 13.4
Recommended Action: Update to version 13.4, or a newer patched version

Plugin: Simple Membership

Vulnerability: Reflected Cross-Site Scripting Vulnerability via environment_mode
Patched Version: 4.3.9
Recommended Action: Update to version 4.3.9, or a newer patched version

Plugin: MW WP Form

Vulnerability: Improper Limitation of File Name to Unauthenticated Arbitrary File Deletion
Patched Version: 5.0.4
Recommended Action: Update to version 5.0.4, or a newer patched version

Plugin: Clone

Vulnerability: Sensitive Information Exposure
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.0.1
Recommended Action: Update to version 7.0.1, or a newer patched version

Plugin: Slick Social Share Buttons

Vulnerability: Authenticated (Subscriber+) Arbitrary Option Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Real Estate

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: Post Grid Combo – 36+ Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 2.2.65
Recommended Action: Update to version 2.2.65, or a newer patched version

Plugin: AMP for WP – Accelerated Mobile Pages

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.0.92.1
Recommended Action: Update to version 1.0.92.1, or a newer patched version

Plugin: Enable Media Replace

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: GG Woo Feed for WooCommerce Shopping Feed on Google Facebook and Other Channels

Vulnerability: Missing Authorization to Unauthenticated Plugin Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jquery news ticker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: Featured Image from URL (FIFU)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via featured image alt text
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: SpeedyCache – Cache, Optimization, Performance

Vulnerability: Missing Authorization to Plugin Options Update
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version