Watch Out Wednesday – July 31, 2024

Plugin: Add Admin CSS

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: IgnitionDeck Crowdfunding Platform

Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.1.20
Recommended Action: Update to version 5.1.20, or a newer patched version

Plugin: Tutor LMS – Migration Tool

Vulnerability: Missing Authorization in tutor_import_from_xml
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tutor LMS – Migration Tool

Vulnerability: Missing Authorization in tutor_lp_export_xml
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Flipbox Builder

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add Admin JavaScript

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Piotnet Addons For Elementor

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 2.4.30
Recommended Action: Update to version 2.4.30, or a newer patched version

Plugin: Ultimate WordPress Auction Plugin

Vulnerability: Missing Authorization to Unauthenticated Email Creation
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media.net Ads Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via PDF View Widget
Patched Version: 3.11.3
Recommended Action: Update to version 3.11.3, or a newer patched version

Plugin: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.1.20
Recommended Action: Update to version 5.1.20, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Title
Patched Version: 3.2.20
Recommended Action: Update to version 3.2.20, or a newer patched version

Plugin: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via Welcome Screen Fields
Patched Version: 5.1.20
Recommended Action: Update to version 5.1.20, or a newer patched version

Plugin: Admin Trim Interface

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Intelligence

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.2.6.9
Recommended Action: Update to version 4.2.6.9, or a newer patched version

Plugin: Campaign Monitor for WordPress

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 2.8.16
Recommended Action: Update to version 2.8.16, or a newer patched version

Plugin: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.1.20
Recommended Action: Update to version 5.1.20, or a newer patched version

Plugin: aThemes Starter Sites

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.0.54
Recommended Action: Update to version 1.0.54, or a newer patched version

Plugin: Admin Post Navigation

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Aramex Shipping WooCommerce

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Product Table Lite

Vulnerability: Missing Authorization to (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.8.6
Recommended Action: Update to version 3.8.6, or a newer patched version

Plugin: ParityPress – Parity Pricing with Discount Rules

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Master Currency WP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Currency Converter Form Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: One Click Close Comments

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.