Watch Out Wednesday – September 18, 2024

Plugin: YITH Custom Login

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: WP Booking System – Booking Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.19.9
Recommended Action: Update to version 2.0.19.9, or a newer patched version

Plugin: Roles & Capabilities

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 2.8.12
Recommended Action: Update to version 2.8.12, or a newer patched version

Plugin: WordPress Affiliates Plugin — SliceWP Affiliates

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.21
Recommended Action: Update to version 1.1.21, or a newer patched version

Plugin: Classified Listing – Classified ads & Business Directory Plugin

Vulnerability: Missing Authorization
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Unauthorized User Registration
Patched Version: 4.15.4
Recommended Action: Update to version 4.15.4, or a newer patched version

Plugin: amCharts: Charts and Maps

Vulnerability: Reflected Cross-Site Scripting via Cross-Site Request Forgery
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Cron Jobs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Backuply – Backup, Restore, Migrate and Clone

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: WP Test Email

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery Widget
Patched Version: 6.0.4
Recommended Action: Update to version 6.0.4, or a newer patched version

Plugin: Email Obfuscate Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fusion Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via fusion_button Shortcode
Patched Version: 3.11.10
Recommended Action: Update to version 3.11.10, or a newer patched version

Plugin: Simple Spoiler

Vulnerability: 1.3
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Custom Post Limits

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stream

Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: PDF Thumbnail Generator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Waitlist Woocommerce ( Back in stock notifier )

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Unauthenticated SQL Injection via ‘c_fields’
Patched Version: 4.2.7.1
Recommended Action: Update to version 4.2.7.1, or a newer patched version

Plugin: WP Simple Booking Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: WPFactory Helper

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: WooCommerce Multiple Free Gift

Vulnerability: Insufficient Server-Side Validation to Arbitrary Gift Adding
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lucas String Replace

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Exit Notifier

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login with phone number

Vulnerability: Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation
Patched Version: 1.7.50
Recommended Action: Update to version 1.7.50, or a newer patched version

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.4.2.2
Recommended Action: Update to version 1.4.2.2, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Unauthenticated SQL Injection via ‘c_only_fields’
Patched Version: 4.2.7.1
Recommended Action: Update to version 4.2.7.1, or a newer patched version

Plugin: WP Editor

Vulnerability: Authenticated (Admin+) PHAR Deserialization
Patched Version: 1.2.9.1
Recommended Action: Update to version 1.2.9.1, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Authenticated (Subscriber+) Limited Arbitrary File Upload
Patched Version: 4.15.4
Recommended Action: Update to version 4.15.4, or a newer patched version