Watch Out Wednesday – October 9, 2024

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading and Icon Picker Widgets
Patched Version: 2.16.4
Recommended Action: Update to version 2.16.4, or a newer patched version

Plugin: Clio Grow

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Delivery Date for WooCommerce – Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 10.6.1
Recommended Action: Update to version 10.6.1, or a newer patched version

Plugin: Bridge Core

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Easy Demo Importer – A Modern One-Click Demo Import Solution

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: WP Cleanup and Basic Functions

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress

Vulnerability: Authenticated (Subscriber+) Limited JavaScript File Upload
Patched Version: 6.5.8
Recommended Action: Update to version 6.5.8, or a newer patched version

Plugin: Image Optimizer, Resizer and CDN – Sirv

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version

Plugin: CMSMasters Content Composer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: WooCommerce Multilingual & Multicurrency with WPML

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.8
Recommended Action: Update to version 5.3.8, or a newer patched version

Plugin: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Vulnerability: Authenticated (Form Manager+) Stored Cross-Site Scripting
Patched Version: 5.1.20
Recommended Action: Update to version 5.1.20, or a newer patched version

Plugin: Popularis Extra

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Limit Login Attempts (Spam Protection)

Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: 5.4
Recommended Action: Update to version 5.4, or a newer patched version
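The Limit Login Attempts entry above is a protection-mechanism bypass through IP spoofing. The usual root cause in this bug class is deriving the client address from a header any client can send, such as X-Forwarded-For, so that an attacker connecting directly can pick a fresh "IP" per request and never accumulate failures. The example below is added here and is not the plugin's code, nor a claim about the exact code path in its bug: it shows that weak pattern next to a hardened resolver that honours the header only when the TCP peer is in a constructed list of trusted proxies, plus a toy lockout counter to make the bypass visible.

```python
"""Client-IP resolution behind a reverse proxy: the spoofable pattern next to a
hardened one, with a toy lockout counter to show why it matters.
Added example; not code from Limit Login Attempts or any other plugin listed."""
import ipaddress

# Constructed: the only hosts allowed to set X-Forwarded-For for this site.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip_naive(environ):
    """Weak: honours X-Forwarded-For from anyone. A client that connects directly
    and sends the header gets to choose the IP that lockouts are keyed on."""
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if xff:
        return xff.split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def client_ip_hardened(environ, trusted=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, then walk
    the header from the right and return the first hop that is not itself a
    trusted proxy: that is the address the proxy chain actually saw connecting."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if not _is_trusted(peer, trusted):
        return str(peer)  # direct connection: the header is attacker-controlled
    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: stop trusting the header
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(peer)  # empty header or only trusted hops


class LoginLimiter:
    """Toy lockout keyed on whatever IP the resolver returns (constructed for the demo)."""

    def __init__(self, resolver, max_failures=5):
        self.resolver = resolver
        self.max_failures = max_failures
        self.failures = {}

    def is_locked(self, environ):
        return self.failures.get(self.resolver(environ), 0) >= self.max_failures

    def record_failure(self, environ):
        ip = self.resolver(environ)
        self.failures[ip] = self.failures.get(ip, 0) + 1


def spoofing_attempts_allowed(limiter, attempts=20):
    """Constructed attacker: one TCP peer, a fresh X-Forwarded-For per request.
    Returns how many failed logins the limiter let through."""
    allowed = 0
    for i in range(attempts):
        environ = {"REMOTE_ADDR": "198.51.100.7",
                   "HTTP_X_FORWARDED_FOR": f"203.0.113.{i + 1}"}
        if not limiter.is_locked(environ):
            allowed += 1
            limiter.record_failure(environ)
    return allowed


if __name__ == "__main__":
    print("naive resolver let through:", spoofing_attempts_allowed(LoginLimiter(client_ip_naive)))
    print("hardened resolver let through:", spoofing_attempts_allowed(LoginLimiter(client_ip_hardened)))
```

The check that matters when reviewing any lockout, rate-limit or allow-list plugin is where it gets the client IP from: if it reads X-Forwarded-For, CF-Connecting-IP, X-Real-IP or similar without first confirming REMOTE_ADDR is your proxy, the protection is keyed on attacker-chosen data. Walking the header from the right (rather than taking the left-most entry) is what keeps it sound when the attacker prepends their own values before a legitimate proxy appends the real one.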

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Team Member Widget
Patched Version: 1.3.987
Recommended Action: Update to version 1.3.987, or a newer patched version

Plugin: Survey Maker

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.9.6
Recommended Action: Update to version 4.9.6, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Private Gallery Title Disclosure
Patched Version: 3.2.22
Recommended Action: Update to version 3.2.22, or a newer patched version

Plugin: Social Web Suite – Social Media Auto Post, Social Media Auto Publish

Vulnerability: Directory Traversal to Arbitrary File Download
Patched Version: 4.1.12
Recommended Action: Update to version 4.1.12, or a newer patched version
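The Social Web Suite entry above is a directory traversal that ends in arbitrary file download, the class where a request parameter names a file and the handler joins it onto a base directory without proving the result stays inside. The example below is added here and is not the plugin's code; the download root and the request values are constructed. It shows the weak join next to a hardened one and the gotchas a reviewer checks for: absolute names that make join() discard the base, encoded dot segments, NUL bytes, and sibling directories that pass a naive string-prefix test.

```python
"""Keeping a user-supplied file name inside a download directory: the weak join
next to a hardened one. Added example; not Social Web Suite's code."""
import posixpath
from urllib.parse import unquote

# Constructed download root; the real plugin's layout is not known here.
DOWNLOAD_ROOT = "/var/www/html/wp-content/uploads/social-web-suite"


def naive_path(root, requested):
    """Weak: join() silently discards root when the request is absolute, and
    '..' segments are passed straight to the filesystem."""
    return posixpath.join(root, requested)


def safe_path(root, requested):
    """Decode exactly once, reject absolute names and NUL bytes, normalise, then
    prove the result is still under root. Raises ValueError otherwise.
    Assumes `requested` is the raw query value; if the framework already
    URL-decoded it, drop the unquote (decoding twice is its own traversal bug).
    With a real filesystem, apply os.path.realpath to both sides as well so a
    symlink inside root cannot point outside it."""
    name = unquote(requested)
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    if posixpath.isabs(name):
        raise ValueError("absolute paths are not accepted")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, name))
    # commonpath is the check that matters: a plain string-prefix test would
    # accept /uploads/social-web-suite-evil/x when root is /uploads/social-web-suite.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes download root: {requested!r}")
    return candidate


def is_allowed(root, requested):
    """True when safe_path accepts the request; handy for tests and logging."""
    try:
        safe_path(root, requested)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for req in ["2024/10/report.pdf", "../../../../../../etc/passwd", "/etc/passwd",
                "..%2F..%2Fwp-config.php", "../social-web-suite-evil/x.pdf"]:
        print(f"{req!r:40} naive={naive_path(DOWNLOAD_ROOT, req)!r} allowed={is_allowed(DOWNLOAD_ROOT, req)}")
```

When auditing a WordPress download endpoint for this class, also confirm the handler checks a capability and a nonce before touching the filesystem at all; the traversal only matters because the endpoint is reachable in the first place.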

Plugin: WP Blocks Hub

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Missing Authorization to Unauthenticated User and Term Metadata Insert, Update, and Delete
Patched Version: 1.0.229
Recommended Action: Update to version 1.0.229, or a newer patched version

Plugin: Auto Amazon Links – Amazon Associates Affiliate Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.4.3
Recommended Action: Update to version 5.4.3, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Request Forgery to Membership Status Change
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: Checkout Field Editor (Checkout Manager) for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via render_review_request_notice
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Aggregator Advanced Settings

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login Logout Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart Custom 404 Error Page

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.4.8
Recommended Action: Update to version 11.4.8, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: Re:WP

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
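Six entries in this roundup (Easy Demo Importer, WP Cleanup and Basic Functions, Image Optimizer Sirv, WP Blocks Hub, Aggregator Advanced Settings and Re:WP) share one root cause: the plugin lets Author+ users upload SVG, and SVG is XML that can carry script elements, event-handler attributes, javascript: hrefs and embedded HTML, all of which run when another user opens the file directly. For the three with no patch, the practical mitigations are to remove the upload_mimes grant (or the plugin), run uploads through a real SVG sanitiser, and serve existing SVGs with Content-Disposition: attachment or a restrictive Content-Security-Policy. The scanner below is added here and is not code from any of those plugins; it is a triage aid for finding what has already landed in wp-content/uploads, with constructed sample files, and an empty result means nothing matched, not that a file is safe.

```python
"""Triage scanner for SVG files that carry active content. Added example; not code
from any of the plugins listed above. Sample SVGs are constructed for the demo."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Elements that execute or embed foreign content when an SVG is opened directly.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# Attributes whose value is a URL, or an animation value that can become one
# (<set attributeName="href" to="javascript:..."> is the classic case).
URL_ATTRS = {"href", "from", "to", "values", "by"}
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def _local(qname):
    """'{http://www.w3.org/2000/svg}script' -> 'script'; plain names pass through."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(svg_bytes):
    """Return a list of human-readable findings. An empty list means nothing
    matched, not that the file is safe: this is triage, not sanitisation.
    xml.etree does not fetch external entities, but it still expands entity
    bombs; parse untrusted files with defusedxml in production."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and DANGEROUS_SCHEME.match(value):
                scheme = value.split(":", 1)[0].strip()
                findings.append(f"{name} with {scheme}: URL on <{tag}>")
    return findings


def scan_uploads(upload_root):
    """Walk a wp-content/uploads tree and map each flagged SVG path to its findings."""
    report = {}
    for path in Path(upload_root).rglob("*.svg"):
        findings = svg_findings(path.read_bytes())
        if findings:
            report[str(path)] = findings
    return report


# Constructed samples for the demo.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#0a0"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(2)</script>
  <a xlink:href="javascript:alert(3)"><text y="10">open</text></a>
  <set attributeName="href" to="javascript:alert(4)"/>
  <foreignObject width="10" height="10">
    <div xmlns="http://www.w3.org/1999/xhtml">html inside svg</div>
  </foreignObject>
</svg>"""

if __name__ == "__main__":
    for line in svg_findings(MALICIOUS_SVG):
        print(line)
    # e.g. scan_uploads("/var/www/html/wp-content/uploads") on a live site
```

Run scan_uploads against the uploads directory of any site that has had one of these plugins installed, regardless of whether it has since been updated: patching stops new uploads, it does not remove files already stored.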

Plugin: Themify Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.3
Recommended Action: Update to version 7.6.3, or a newer patched version

Plugin: Code Embed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 1.0.229
Recommended Action: Update to version 1.0.229, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Authenticated (Admin+) Limited Arbitrary Function Call
Patched Version: 6.3.6.1
Recommended Action: Update to one of the following versions, or a newer patched version: 6.3.6.1, 6.3.8

Plugin: BuddyPress Docs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Captcha Plugin by Captcha Bank

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Display Medium Posts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via display_medium_posts Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hash Form – Drag & Drop Form Builder

Vulnerability: Drag & Drop Form Builder <= 1.1.9
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Fish and Ships – Most flexible shipping table rate. A WooCommerce shipping rate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: ShiftController Employee Shift Scheduling

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.67
Recommended Action: Update to version 4.9.67, or a newer patched version

Plugin: Quantity Dynamic Pricing & Bulk Discounts for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version

Plugin: Memberful – Membership Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.73.8
Recommended Action: Update to version 1.73.8, or a newer patched version

Plugin: Easy Mega Menu Plugin for WordPress – ThemeHunk

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
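Every "Recommended Action" above reduces to the same check: compare the installed version of each listed plugin with the patched version and flag anything below it, or anything at all where the entry says n/a. The script below is added here and is not the roundup's or any plugin's code. It reads the standard WordPress plugin header (the Plugin Name and Version lines in the first 8 KiB of the main file) and compares versions numerically with zero padding, so 2.5 equals 2.5.0 and 6.3.6 sorts below 6.3.6.1. The PATCHED table is a subset transcribed from the entries above, keyed by the names as printed here, which normally match the Plugin Name header; extend it with the rest of the list. Where an entry names two patched versions (ACF), the rule applied here is my own reading of that entry: a version is patched if it equals a listed fix release or is at least the newest one, so a version between the two is flagged. Pre-release suffixes are ignored; WordPress itself uses PHP's version_compare, which orders them.

```python
"""Compare installed plugin versions with the patched versions in this roundup.
Added example, not the roundup's or any plugin's code. PATCHED is a subset
transcribed from the entries above; the sample plugin header is constructed."""
import re
from pathlib import Path

# Transcribed from the entries above. None = no known patch; a list keeps every
# patched version an entry names (ACF names two because two branches were fixed).
PATCHED = {
    "Limit Login Attempts (Spam Protection)": ["5.4"],
    "Advanced Custom Fields (ACF)": ["6.3.6.1", "6.3.8"],
    "Rank Math SEO – AI SEO Tools to Dominate SEO Rankings": ["1.0.229"],
    "Royal Elementor Addons and Templates": ["1.3.987"],
    "Social Web Suite – Social Media Auto Post, Social Media Auto Publish": ["4.1.12"],
    "Clio Grow": None,
    "WP Cleanup and Basic Functions": None,
    "Login Logout Shortcode": None,
}

# Same shape WordPress uses to read plugin headers: optional comment decoration,
# the field name, a colon, the value to end of line.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$",
                       re.IGNORECASE | re.MULTILINE)


def version_tuple(v):
    """'1.3.987' -> (1, 3, 987). Non-numeric suffixes such as -beta are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def compare(a, b):
    """-1, 0 or 1, with zero padding so '2.5' == '2.5.0' and '6.3.6' < '6.3.6.1'."""
    ta, tb = version_tuple(a), version_tuple(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_patched(installed, patched):
    """Patched if installed equals any listed fix release or is at least the
    newest one; anything between two fix releases (e.g. ACF 6.3.7) is flagged."""
    if not patched:
        return False
    if any(compare(installed, p) == 0 for p in patched):
        return True
    newest = patched[0]
    for p in patched[1:]:
        if compare(p, newest) > 0:
            newest = p
    return compare(installed, newest) >= 0


def audit(name, installed):
    """'unknown' (not in this roundup), 'no-patch', 'vulnerable' or 'patched'."""
    if name not in PATCHED:
        return "unknown"
    if PATCHED[name] is None:
        return "no-patch"
    return "patched" if is_patched(installed, PATCHED[name]) else "vulnerable"


def read_plugin_header(php_source):
    """Plugin Name and Version from a plugin's main file, first 8 KiB only, as WordPress does."""
    fields = {}
    for m in HEADER_RE.finditer(php_source[:8192]):
        fields.setdefault(m.group(1).title(), m.group(2))
    return fields


def audit_source(php_source):
    """(name, installed version, status) for one plugin main file's text."""
    h = read_plugin_header(php_source)
    name, version = h.get("Plugin Name", ""), h.get("Version", "0")
    return name, version, audit(name, version)


def audit_plugins_dir(plugins_dir):
    """Walk wp-content/plugins; the first PHP file in each folder with a Plugin Name header is the main file."""
    results = []
    for sub in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        for php in sorted(sub.glob("*.php")):
            src = php.read_text(errors="replace")
            if "Plugin Name" in read_plugin_header(src):
                results.append(audit_source(src))
                break
    return results


# Constructed sample header for the demo; not a real plugin file.
SAMPLE_PLUGIN_PHP = """<?php
/**
 * Plugin Name: Limit Login Attempts (Spam Protection)
 * Description: constructed sample, not the real plugin
 * Version: 5.3
 */
"""

if __name__ == "__main__":
    print(audit_source(SAMPLE_PLUGIN_PHP))
    # on a live site: for row in audit_plugins_dir("/var/www/html/wp-content/plugins"): print(row)
```

Treat "unknown" as "not covered by this list", not as safe, and treat "no-patch" the way the entries above do: review the details, mitigate, and consider removing the plugin.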