Watch Out Wednesday – April 12, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Dynamics 365 Integration

Vulnerability: Missing Authorization via init
Patched Version: 1.3.14
Recommended Action: Update to version 1.3.14, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_preload_single_save_settings_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: SEOPress – On-site SEO

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 6.5.0.3
Recommended Action: Update to version 6.5.0.3, or a newer patched version

Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 2.10.1
Recommended Action: Update to version 2.10.1, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_clear_cache_of_allsites_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: tencentcloud-cos

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tiny carousel horizontal slider plus

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_start_cdn_integration_ajax_request_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Product Catalog Feed by PixelYourSite

Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_preload_single_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Restricted Site Access

Vulnerability: Sandbox Bypass
Patched Version: 7.4.0
Recommended Action: Update to version 7.4.0, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Missing Authorization in ‘wpfc_purgecache_varnish_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: PixTypes

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.15
Recommended Action: Update to version 1.4.15, or a newer patched version

Plugin: Transbank Webpay

Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Comments Ratings

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Limit Login Attempts

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Missing Authorization to Plugin Settings Reset
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.0
Recommended Action: Update to version 2.10.0, or a newer patched version

Plugin: Optin Forms – Simple List Building Plugin for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: IFrame Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: PHP Compatibility Checker

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: qTranslate X Cleanup and WPML Import

Vulnerability: Cross-Site Request Forgery via clean_ajx
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: PowerPress Podcasting plugin by Blubrry

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 10.0.2
Recommended Action: Update to version 10.0.2, or a newer patched version

Plugin: StagTools

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Cross-Site Request Forgery to Plugin Channel Reset
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_remove_cdn_integration_ajax_request_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Cross-Site Request Forgery to Plugin Settings Change
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘deleteCssAndJsCacheToolbar’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Missing Authorization to Plugin Cache Reset
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Missing Authorization in ‘wpfc_preload_single_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: WCFM Marketplace – Multivendor Marketplace for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Site Reviews

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.7.1
Recommended Action: Update to version 6.7.1, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Unauthenticated SQL Injection via parse_user_filters
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Front End Users

Vulnerability: Missing Authorization to Unauthenticated Registered User Deletion
Patched Version: 3.2.25
Recommended Action: Update to version 3.2.25, or a newer patched version

Plugin: Email Subscription Popup

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version

Plugin: Fancy Product Designer

Vulnerability: Insufficient Authorization on Multiple AJAX Actions
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: Product Catalog Simple

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Cryptocurrency All-in-One

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via url
Patched Version: 2.124
Recommended Action: Update to version 2.124, or a newer patched version

Plugin: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.6.0
Recommended Action: Update to version 6.6.0, or a newer patched version

Plugin: WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features)

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version

Plugin: Spreadshop Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Cancel order request / Return order / Repeat Order / Reorder for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: WCFM Marketplace – Multivendor Marketplace for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.4.12
Recommended Action: Update to version 3.4.12, or a newer patched version

Plugin: Download Manager Pro

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 6.3.0
Recommended Action: Update to version 6.3.0, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Unauthenticated Reflected Cross-Site Scripting via ‘code’
Patched Version: 1.0.76
Recommended Action: Update to version 1.0.76, or a newer patched version

Plugin: WP Data Access – App, Table, Form and Chart Builder plugin

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 5.3.8
Recommended Action: Update to version 5.3.8, or a newer patched version

Plugin: tencentcloud-cos

Vulnerability: Missing Authorization via AJAX actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: a3 Portfolio

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: Simple Job Board

Vulnerability: Cross-Site Request Forgery via sjb_save_settings_section
Patched Version: 2.10.4
Recommended Action: Update to version 2.10.4, or a newer patched version

Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

Vulnerability: Missing Authorization
Patched Version: 2.10.1
Recommended Action: Update to version 2.10.1, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_pause_cdn_integration_ajax_request_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Missing Authorization via send_test_email
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_toolbar_save_settings_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: MapPress Maps for WordPress

Vulnerability: Authenticated (Contributor+) SQL Injection via get_maps
Patched Version: 2.85.5
Recommended Action: Update to version 2.85.5, or a newer patched version

Plugin: Connections Business Directory

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 10.4.37
Recommended Action: Update to version 10.4.37, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Missing Authorization to Cache Deletion
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Easy Sign Up

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Fastest Cache

Vulnerability: Missing Authorization in ‘deleteCssAndJsCacheToolbar’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘deleteCacheToolbar’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Missing Authorization in ‘wpfc_clear_cache_of_allsites_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: qTranslate X Cleanup and WPML Import

Vulnerability: Missing Authorization via clean_ajx
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: ShiftController Employee Shift Scheduling

Vulnerability: Unauthenticated Stored Cross-Site Scripting via ‘hc-title’
Patched Version: 4.9.24
Recommended Action: Update to version 4.9.24, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Cross-Site Request Forgery to Plugin Language Translation Update
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds

Vulnerability: Cross-Site Request Forgery
Patched Version: 12.4.5
Recommended Action: Update to version 12.4.5, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_purgecache_varnish_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: ShiftController Employee Shift Scheduling

Vulnerability: Cross-Site Request Forgery via get
Patched Version: 4.9.24
Recommended Action: Update to version 4.9.24, or a newer patched version

Plugin: Superb Social Media Share Buttons and Follow Buttons for WordPress

Vulnerability: Missing Authorization via spbsmAjax
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Limit Login Attempts

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Blocksy Companion

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure via blocksy_posts shortcode
Patched Version: 1.8.82
Recommended Action: Update to version 1.8.82, or a newer patched version

Plugin: IMPress Listings

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Listing Fields
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better Search – Relevant search results for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Product Catalog Feed by PixelYourSite

Vulnerability: Reflected Cross-Site Scripting via ‘edit’
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: SimpleModal Contact Form (SMCF)

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible

Vulnerability: Missing Authorization
Patched Version: 6.6.1
Recommended Action: Update to version 6.6.1, or a newer patched version

Plugin: Maps Widget for Google Maps

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.25
Recommended Action: Update to version 4.25, or a newer patched version

Plugin: Hustle – Email Marketing, Lead Generation, Optins, Popups

Vulnerability: No subtitle
Patched Version: 7.6.6
Recommended Action: Update to version 7.6.6, or a newer patched version

Plugin: Fancy Product Designer

Vulnerability: Insufficient Authorization to Arbitrary Options Update via fpd_update_options
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: Superb Social Media Share Buttons and Follow Buttons for WordPress

Vulnerability: Cross-Site Request Forgery via spbsmAjax
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Front End Users

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.25
Recommended Action: Update to version 3.2.25, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Cross-Site Request Forgery to Plugin Language Translation Reset
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Ruby Help Desk

Vulnerability: Missing Authorization to Arbitrary Ticket Modification
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
