Watch Out Wednesday – August 14, 2024

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Currency Settings
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Organization chart

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via title_input and node_description Parameters
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Linkify Text

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fuse Social Floating Sidebar

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via File Upload
Patched Version: 5.4.11
Recommended Action: Update to version 5.4.11, or a newer patched version

Plugin: Obfuscate Email

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Unauthenticated PHP Code Injection to Remote Code Execution
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: PDF Builder for WPForms

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 1.2.117
Recommended Action: Update to version 1.2.117, or a newer patched version

Plugin: Reveal Template

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Viral Signup – limited opt-in with viral refferal sharing

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: 1.1.7
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Viral Signup – limited opt-in with viral refferal sharing

Vulnerability: Unauthenticated SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated (Contributor+) SQL Injection via order Parameter
Patched Version: 4.2.6.9.4
Recommended Action: Update to version 4.2.6.9.4, or a newer patched version

Plugin: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via no_more_items_text Parameter
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version

Plugin: Slider by 10Web – Responsive Image Slider

Vulnerability: Authenticated (Contributor+) SQL Injection via id Parameter
Patched Version: 1.2.58
Recommended Action: Update to version 1.2.58, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: No Update Nag

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Paid Memberships Pro – Membership Maps Add On

Vulnerability: Membership Maps Add On < 0.7
Patched Version: 0.7
Recommended Action: Update to version 0.7, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Gallery and Countdown Widgets
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lightbox & Modal Popup WordPress Plugin – FooBox

Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes
Patched Version: 2.7.32
Recommended Action: Update to version 2.7.32, or a newer patched version

Plugin: Media Library Assistant

Vulnerability: Authenticated (Author+) Arbitrary File Upload via mla-inline-edit-upload-scripts AJAX Action
Patched Version: 3.19
Recommended Action: Update to version 3.19, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)

Vulnerability: Authenticated (Contributor+) Arbitrary File Read
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Christmasify!

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Content Deletion and Arbitrary Title Update
Patched Version: 4.10.39
Recommended Action: Update to version 4.10.39, or a newer patched version

Plugin: WP Bannerize Pro

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Falang multilanguage for WordPress

Vulnerability: Missing Authorization to Translation Update and Information Exposure
Patched Version: 1.3.53
Recommended Action: Update to version 1.3.53, or a newer patched version

Plugin: MainWP Child Reports

Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: My Custom CSS PHP & ADS

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Opal Membership

Vulnerability: Authenticated (Subscriber+) Information Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Agreement Text
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Opal Membership

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce – Social Login

Vulnerability: Social Login <= 2.7.5
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: affiliate-toolkit – WordPress Affiliate Plugin

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.