Watch Out Wednesday – July 24, 2024

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Updates
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Timeline Event History

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce – Social Login

Vulnerability: Social Login <= 2.7.3
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version

Plugin: Mercado Pago payments for WooCommerce

Vulnerability: 7.6.1
Patched Version: 7.6.2
Recommended Action: Update to version 7.6.2, or a newer patched version

Plugin: Redux Framework

Vulnerability: 4.4.17
Patched Version: 4.4.18
Recommended Action: Update to version 4.4.18, or a newer patched version

Plugin: MaxiBlocks: 2200+ Patterns, 190 Pages, 14.2K Icons & 100 Styles

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Easy Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin

Vulnerability: Authenticated (Admin+) SMTP Password Exposure
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Insecure Direct Object Reference to Authenticated (GiveWP Worker+) Arbitrary Post Actions
Patched Version: 3.14.0
Recommended Action: Update to version 3.14.0, or a newer patched version

Plugin: Post and Page Builder by BoldGrid – Visual Drag and Drop Editor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via File Upload
Patched Version: 1.26.7
Recommended Action: Update to version 1.26.7, or a newer patched version

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version

Plugin: Duplica – Duplicate Posts, Pages, Custom Posts or Users

Vulnerability: Authenticated (Subscriber+) Missing Authorization to Users/Posts Duplicates Creation
Patched Version: 0.7
Recommended Action: Update to version 0.7, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.6.12
Recommended Action: Update to version 5.6.12, or a newer patched version

Plugin: SVG Support

Vulnerability: Authenticated (Author+) Cross-Site Scripting via SVG
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ElementsKit Elementor addons

Vulnerability: Unauthenticated Information Exposure via ekit_widgetarea_content Function
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Conditional Fields for Contact Form 7

Vulnerability: Cross-Site Request Forgery to Plugin Setting Reset
Patched Version: 2.4.14
Recommended Action: Update to version 2.4.14, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 2.4.45
Recommended Action: Update to version 2.4.45, or a newer patched version

Plugin: RegLevel

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Authenticated (Contributor+) SQL Injection via url Parameter
Patched Version: 12.3.20
Recommended Action: Update to version 12.3.20, or a newer patched version

Plugin: Addonify – Quick View For WooCommerce

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version

Plugin: YITH Essential Kit for WooCommerce #1

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install, Activation, and Deactivation
Patched Version: 2.35.0
Recommended Action: Update to version 2.35.0, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.6.6
Recommended Action: Update to version 5.6.6, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Authenticated (Subscriber+) SQL Injection via exclude Parameter
Patched Version: 7.5.47.7212
Recommended Action: Update to version 7.5.47.7212, or a newer patched version

Plugin: Meks Video Importer

Vulnerability: Missing Authorization to Authenticated (Subscriber+) API Keys Modification
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Getwid – Gutenberg Blocks

Vulnerability: Missing Authentication to MailChimp API key update
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: Getwid – Gutenberg Blocks

Vulnerability: Missing Authorization to Google API key update
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version