Watch Out Wednesday – November 20, 2024

Plugin: SimpleForm – Contact form made simple

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP AdCenter – Ad Manager & Adsense Ads

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpadcenter_ad Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Blogger 301 Redirect

Vulnerability: Unauthenticated SQL Injection via br
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elfsight Telegram Chat CC

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 4.1.17
Recommended Action: Update to version 4.1.17, or a newer patched version

Plugin: SimpleForm Contact Form Submissions

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popularis Extra

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Music Player for Elementor – Audio Player & Podcast Player

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Template Import
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login using WordPress Users ( WP as SAML IDP )

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.15.7
Recommended Action: Update to version 1.15.7, or a newer patched version

Plugin: WP Chat App

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Filebird Plugin Installation
Patched Version: 3.6.9
Recommended Action: Update to version 3.6.9, or a newer patched version

Plugin: PJW Mime Config

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Video Robot – The Ultimate Video Importer

Vulnerability: Authenticated (Subscriber+) Privilege Escalation via User Meta Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Yotpo: Product & Photo Reviews for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.10
Recommended Action: Update to version 1.7.10, or a newer patched version

Plugin: Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Author+) Sensitive Information Exposure to Privilege Escalation
Patched Version: 6.0.10
Recommended Action: Update to version 6.0.10, or a newer patched version

Plugin: PDF Generator Addon for Elementor Page Builder

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Form File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mapster WP Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Simple Pricing Table

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Activity Log

Vulnerability: Unauthenticated Stored Cross-Site Scripting via User_id Parameter
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version

Plugin: Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.0.8
Recommended Action: Update to version 6.0.8, or a newer patched version

Plugin: 404 Error Monitor

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update via updatePluginSettings Function
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google for WooCommerce

Vulnerability: Information Disclosure via Publicly Accessible PHP Info File
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: SVGPlus

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SVG Block

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.1.25
Recommended Action: Update to version 1.1.25, or a newer patched version

Plugin: Exclusive Divi – Divi Preloader, Modules for Divi & Extra Theme

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Really Simple Security Pro multisite

Vulnerability: 9.1.1.1
Patched Version: 9.1.2
Recommended Action: Update to version 9.1.2, or a newer patched version

Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sonaar_audioplayer Shortcode
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: Tutor LMS Elementor Addons

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 0.9.108
Recommended Action: Update to version 0.9.108, or a newer patched version

Plugin: WordPress GDPR

Vulnerability: Missing Authorization to Unauthenticated Arbitrary User Deletion
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Steel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via btn Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure
Patched Version: 6.0.10
Recommended Action: Update to version 6.0.10, or a newer patched version

Plugin: GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Unauthenticated Arbitrary Shortcode Execution via gamipress_get_user_earnings
Patched Version: 7.1.6
Recommended Action: Update to version 7.1.6, or a newer patched version

Plugin: BulkPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress GDPR

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: ConvertCalculator for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id and type Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EleForms – All In One Form Integration including DB for Elementor

Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Missing Authorization to Unauthenticated Limited Options Update
Patched Version: 4.9.8
Recommended Action: Update to version 4.9.8, or a newer patched version

Plugin: Hide My WP Ghost – Security & Firewall

Vulnerability: Reflected Cross-Site Scripting via URL
Patched Version: 5.3.02
Recommended Action: Update to version 5.3.02, or a newer patched version

Plugin: LearnPress Export Import – WordPress extension for LearnPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: Bounce Handler MailPoet 3

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: External Database Based Actions

Vulnerability: Authenticated (Subscriber+) Authentication Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chartify – WordPress Chart Plugin

Vulnerability: Unauthenticated Local File Inclusion via source
Patched Version: 2.9.6
Recommended Action: Update to version 2.9.6, or a newer patched version

Plugin: 404 Solution

Vulnerability: Missing Authentication to Sensitive Information Exposure
Patched Version: 2.35.18
Recommended Action: Update to version 2.35.18, or a newer patched version

Plugin: SVG Case Study

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PeproDev WooCommerce Receipt Uploader

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Local Avatars

Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Cache Clearing
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: Customer Reviews for WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Import Cancellation
Patched Version: 5.62.0
Recommended Action: Update to version 5.62.0, or a newer patched version

Plugin: WP Log Viewer

Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Uix Slideshow

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Subscription Popup

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via print_email_subscribe_form Shortcode
Patched Version: 1.2.23
Recommended Action: Update to version 1.2.23, or a newer patched version

Plugin: Drop Shadow Boxes

Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Backup and Staging by WP Time Capsule

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.22.22
Recommended Action: Update to version 1.22.22, or a newer patched version