Watch Out Wednesday – October 23, 2024

Plugin: Miniorange OTP Verification with Firebase

Vulnerability: Authentication Bypass
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Photo Gallery Slideshow & Masonry Tiled Gallery

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Product Customizer Light

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Easy Post Types

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Suki Sites Import

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EventON Pro

Vulnerability: WordPress Virtual Event Calendar Plugin <= 4.6.8
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version

Plugin: Time Clock Pro

Vulnerability: Unauthenticated (Limited) Remote Code Execution
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Social Share With Floating Bar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fonto – Custom Web Fonts Manager

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Edit WooCommerce Templates

Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Photo Album Plus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.8.07.004
Recommended Action: Update to version 8.8.07.004, or a newer patched version

Plugin: Infinite-Scroll

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elemenda

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GetResponse Forms by Optin Cat

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Parallax Image

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via dd-parallax Shortcode
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: DPD Baltic Shipping

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SendPulse Free Web Push

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin

Vulnerability: Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover
Patched Version: 1.0.26
Recommended Action: Update to version 1.0.26, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Cross-Site Request Forgery to Draft Custom Form Creation
Patched Version: 1.36.0
Recommended Action: Update to version 1.36.0, or a newer patched version

Plugin: The Ultimate WordPress Toolkit – WP Extended

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.10
Recommended Action: Update to version 3.0.10, or a newer patched version

Plugin: Branding

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Cross-Site Request Forgery to Draft Quiz Creation
Patched Version: 1.36.0
Recommended Action: Update to version 1.36.0, or a newer patched version

Plugin: Parcel Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ElementInvader Addons for Elementor

Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Miniorange OTP Verification with Firebase

Vulnerability: Unauthenticated Arbitrary User Password Change
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Bulk images optimizer: Resize, optimize, convert to webp, rename …

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Debrandify · Remove or Replace WordPress Branding

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Flexmls® IDX Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.14.23
Recommended Action: Update to version 3.14.23, or a newer patched version

Plugin: WordPress Social Share Buttons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.20
Recommended Action: Update to version 1.20, or a newer patched version

Plugin: Click to Chat – WP Support All-in-One Floating Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpsaio_snapchat Shortcode
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: RSS Feed Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via rfw-youtube-videos Shortcode
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: SendGrid for WordPress

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Log Deletion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ReDi Restaurant Reservation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 24.1015
Recommended Action: Update to version 24.1015, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Subscriber+) Private Post Disclosure
Patched Version: 1.3.987
Recommended Action: Update to version 1.3.987, or a newer patched version

Plugin: WP Easy Post Types

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors

Vulnerability: Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version

Plugin: WP Easy Post Types

Vulnerability: Authenticated (Subscriber+) Missing Authorization via Multiple Functions
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: StreamWeasels Twitch Integration

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sw-twitch-embed Shortcode
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version

Plugin: Gantry 4 Framework

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MAS Companies For WP Job Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Add Widget After Content

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Calculated Fields Form

Vulnerability: HTML Injection
Patched Version: 5.2.46
Recommended Action: Update to version 5.2.46, or a newer patched version

Plugin: افزونه پیامک ووکامرس Persian WooCommerce SMS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.0.3
Recommended Action: Update to version 7.0.3, or a newer patched version

Plugin: Flat UI Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via flatbtn Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Arconix Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.13
Recommended Action: Update to version 2.1.13, or a newer patched version

Plugin: Miniorange OTP Verification with Firebase

Vulnerability: Privilege Escalation via Registration due to Administrator Default User Role Value
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Advanced Category and Custom Taxonomy Image

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ad_tax_image Shortcode
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Easy Menu Manager | WPZest

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.