Watch Out Wednesday – September 11, 2024

Plugin: Ivory Search – WordPress Search Plugin

Vulnerability: Information Exposure via AJAX Search Form
Patched Version: 5.5.7
Recommended Action: Update to version 5.5.7, or a newer patched version

Plugin: Remember Me Controls

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: HelloAsso

Vulnerability: Missing Authorization to Authenticated (Contributor+) Limited Options Update
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version

Plugin: Big File Uploads – Increase Maximum File Upload Size

Vulnerability: Authenticated (Author+) Full Path Disclosure
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Cab fare calculator

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Newsletters

Vulnerability: Authenticated Privilege Escalation
Patched Version: 4.9.9.3
Recommended Action: Update to version 4.9.9.3, or a newer patched version

Plugin: Geo Controller

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Menu Creation/Deletion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booking for Appointments and Events Calendar – Amelia Premium

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Revision Manager TMC

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending
Patched Version: 2.8.20
Recommended Action: Update to version 2.8.20, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Unauthenticated Sensitive Information Exposure via Log Files
Patched Version: 6.5.0.1
Recommended Action: Update to version 6.5.0.1, or a newer patched version

Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 7.7.6
Recommended Action: Update to version 7.7.6, or a newer patched version

Plugin: Advanced Sermons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Ninja Forms – File Uploads

Vulnerability: Unauthenticated Stored Cross-Site Scripting via File Upload
Patched Version: 3.3.18
Recommended Action: Update to version 3.3.18, or a newer patched version

Plugin: Geo Controller

Vulnerability: Missing Authorization to Unauthenticated Shortcode Execution
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability:
Patched Version: 2.9.9.5.1
Recommended Action: Update to version 2.9.9.5.1, or a newer patched version

Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress

Vulnerability: 6.5.5
Patched Version: 6.5.6
Recommended Action: Update to version 6.5.6, or a newer patched version

Plugin: Dynamic Featured Image

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via dfiFeatured Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Customizer Export/Import

Vulnerability: Authenticated (Admin+) Arbitrary File Upload via Customization Settings Import
Patched Version: 0.9.7.1
Recommended Action: Update to version 0.9.7.1, or a newer patched version

Plugin: Preloader Plus – WordPress Loading Screen Plugin

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Recall – Registration, Profile, Commerce & More

Vulnerability: Insecure Direct Object Reference to Unauthenticated Arbitrary Password Update
Patched Version: 16.26.9
Recommended Action: Update to version 16.26.9, or a newer patched version

Plugin: RD Station

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.4.0
Recommended Action: Update to version 5.4.0, or a newer patched version

Plugin: Form Vibes – Database Manager for Forms

Vulnerability: Missing Authorization in Multiple Functions
Patched Version: 1.4.13
Recommended Action: Update to version 1.4.13, or a newer patched version

Plugin: WP AdCenter – Ad Manager & Adsense Ads

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ad_alignment Attribute
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: ForumWP – Forum & Discussion Board Plugin

Vulnerability: Insecure Direct Object Reference to Authenticated (Subscriber+) Privilege Escalation via Account Takeover
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Security, Antivirus, Firewall – S.A.F

Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Share This Image

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via STI Buttons Shortcode
Patched Version: 2.03
Recommended Action: Update to version 2.03, or a newer patched version

Plugin: Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: WPCOM Member

Vulnerability: Unauthenticated Privilege Escalation via User Meta
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Enter Addons – Ultimate Template Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Events Card Widget
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cost Calculator Builder PRO

Vulnerability: Unauthenticated Price Manipulation
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.