Watch Out Wednesday – August 28, 2024

Plugin: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload via acym_extractArchive Function
Patched Version: 9.8.0
Recommended Action: Update to version 9.8.0, or a newer patched version

Plugin: Mollie Payments for WooCommerce

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 7.8.0
Recommended Action: Update to version 7.8.0, or a newer patched version

Plugin: User Private Files – Upload and Share Files with Secure WordPress File Manager

Vulnerability: Insecure Direct Object Reference to Authenticated (Subscriber+) Private File Access
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 6.4
Recommended Action: Update to version 6.4, or a newer patched version

Plugin: Music Request Manager

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: String locator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version

Plugin: Image Optimizer, Resizer and CDN – Sirv

Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version

Plugin: blogintroduction-wordpress-plugin

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Music Request Manager

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Themify Builder

Vulnerability: Missing Authorization to Authenticated (Contributor+) Post Duplication
Patched Version: 7.6.2
Recommended Action: Update to version 7.6.2, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Authenticated (Administrator+) Arbitrary File Deletion
Patched Version: 3.7.4.1
Recommended Action: Update to version 3.7.4.1, or a newer patched version

Plugin: Visual Sound

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jeg Elementor Kit

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonials Widget Settings
Patched Version: 5.6.3
Recommended Action: Update to version 5.6.3, or a newer patched version

Plugin: Music Request Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Image Hotspot by DevVN

Vulnerability: Authenticated (Author+) PHP Object Injection
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: WooCommerce Google Feed Manager

Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Feed Actions
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version

Plugin: Favicon Generator (CLOSED)

Vulnerability: Cross-Site Request Forgery to Arbitrary File Deletion
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Oxygen Builder

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stylesheet Update
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version

Plugin: MM-Breaking News

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Piotnet Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 2.4.31
Recommended Action: Update to version 2.4.31, or a newer patched version

Plugin: Custom Permalinks

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Media Upload
Patched Version: 3.7.4.1
Recommended Action: Update to version 3.7.4.1, or a newer patched version

Plugin: Favicon Generator (CLOSED)

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Misiek Photo Album

Vulnerability: Cross-Site Request Forgery to Album Deletion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ImageRecycle pdf & image compression

Vulnerability: Cross-Site Request Forgery in Several AJAX Actions
Patched Version: 3.1.15
Recommended Action: Update to version 3.1.15, or a newer patched version

Plugin: Misiek Photo Album

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RT Easy Builder – Advanced addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Permalink Manager Lite

Vulnerability: Missing Authorization to Unauthenticated Sensitive Information Exposure
Patched Version: 2.4.4.1
Recommended Action: Update to version 2.4.4.1, or a newer patched version

Plugin: Ninja Tables – Easiest Data Table Builder

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 5.0.13
Recommended Action: Update to version 5.0.13, or a newer patched version

Plugin: MM-Breaking News

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Job Board

Vulnerability: Authenticated (Editor+) PHP Object Injection
Patched Version: 2.12.4
Recommended Action: Update to version 2.12.4, or a newer patched version

Plugin: Relevanssi Live Ajax Search

Vulnerability: Unauthenticated WP_Query Argument Injection
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 2.10.37
Recommended Action: Update to version 2.10.37, or a newer patched version

Plugin: Simple Headline Rotator

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quick Code

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Grid Widget
Patched Version: 1.4.4.4
Recommended Action: Update to version 1.4.4.4, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 3.7.4.1
Recommended Action: Update to version 3.7.4.1, or a newer patched version

Plugin: Misiek Paypal

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Settings Update
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Responsive Lightbox & Gallery

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via File Upload
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: ILC Thickbox

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gixaw Chat

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Missing Authorization in Several AJAX Actions
Patched Version: 3.1.15
Recommended Action: Update to version 3.1.15, or a newer patched version

Plugin: File Manager Pro

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 8.3.8
Recommended Action: Update to version 8.3.8, or a newer patched version

Plugin: WPML

Vulnerability: Authenticated (Contributor+) Remote Code Execution via Twig Server-Side Template Injection
Patched Version: 4.6.13
Recommended Action: Update to version 4.6.13, or a newer patched version

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Full Path Disclosure
Patched Version: 9.8.0
Recommended Action: Update to version 9.8.0, or a newer patched version

Plugin: WooCommerce Google Feed Manager

Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary File Deletion
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version