Watch Out Wednesday – November 13, 2024

Plugin: Envo Extra

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version

Plugin: Algori PDF Viewer

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: SysBasics Customize My Account for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via tab Parameter
Patched Version: 2.7.30
Recommended Action: Update to version 2.7.30, or a newer patched version

Plugin: Code Embed

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Reflected Cross-Site Scripting via add_query_arg Parameter
Patched Version: 1.15.31
Recommended Action: Update to version 1.15.31, or a newer patched version

Plugin: WooCommerce Support Ticket System

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 17.8
Recommended Action: Update to version 17.8, or a newer patched version

Plugin: Debug Tool

Vulnerability: Missing Authorization to Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_link Shortcode
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: Countdown Timer block – Display the event's date into a timer.

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Lenxel Core for Lenxel(LNX) LMS

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Shortcode for Google Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Category Ajax Filter

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: CE21 Suite

Vulnerability: Authentication Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form 7 – PayPal & Stripe Add-on

Vulnerability: PayPal & Stripe Add-on <= 2.3.1
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: User Meta – User Profile Builder and User management plugin

Vulnerability: Insecure Direct Object Reference to Sensitive Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Photo Album Plus

Vulnerability: Unauthenticated Arbitrary Shortcode Execution via getshortcodedrenderedfenodelay
Patched Version: 8.9.01.001
Recommended Action: Update to version 8.9.01.001, or a newer patched version

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Authenticated (Administrator+) Time-Based SQL Injection
Patched Version: 5.4.7
Recommended Action: Update to version 5.4.7, or a newer patched version

Plugin: Debug Tool

Vulnerability: Unauthenticated Arbitrary File Creation
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy SVG Support

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: CE21 Suite

Vulnerability: JWT Token Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Membership

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.3.1
Recommended Action: Update to version 1.8.3.1, or a newer patched version

Plugin: WordPress User Extra Fields

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 16.6
Recommended Action: Update to version 16.6, or a newer patched version

Plugin: Elementor Header & Footer Builder

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.6.46
Recommended Action: Update to version 1.6.46, or a newer patched version

Plugin: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: SKT Addons for Elementor

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Attesa Extra

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Quform – WordPress Form Builder

Vulnerability: WordPress Form Builder <= 2.20.0
Patched Version: 2.21.0
Recommended Action: Update to version 2.21.0, or a newer patched version

Plugin: Leopard – WordPress Offload Media

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Content Slider Block

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: RegistrationMagic – User Registration Plugin with Custom Registration Forms

Vulnerability: Unauthenticated Privilege Escalation via Password Recovery
Patched Version: 6.0.2.7
Recommended Action: Update to version 6.0.2.7, or a newer patched version

Plugin: CE21 Suite

Vulnerability: Missing Authorization to Unauthenticated Plugin Settings Change
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.4.2.3
Recommended Action: Update to version 1.4.2.3, or a newer patched version

Plugin: WooCommerce Support Ticket System

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 17.8
Recommended Action: Update to version 17.8, or a newer patched version

Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 2.13.1
Recommended Action: Update to version 2.13.1, or a newer patched version

Plugin: Cowidgets – Elementor Addons

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Support Ticket System

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 17.8
Recommended Action: Update to version 17.8, or a newer patched version

Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)

Vulnerability: Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) <= 3.15.18
Patched Version: 3.15.19
Recommended Action: Update to version 3.15.19, or a newer patched version

Plugin: Cowidgets – Elementor Addons

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.