Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: AdRotate Banner Manager – The only ad manager you'll need
Vulnerability: Authenticated Stored Cross-Site Scripting via Group Names
Patched Version: 5.8.23
Recommended Action: Update to version 5.8.23, or a newer patched version
Plugin: Opensea
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: Easy Google Maps
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.32
Recommended Action: Update to version 1.9.32, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.11.6
Recommended Action: Update to version 2.11.6, or a newer patched version
Plugin: Responsive Tabs
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version
Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version
Plugin: English WordPress Admin
Vulnerability: Unauthenticated Open Redirect
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: Import WP – Export and Import CSV and XML files to WordPress
Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.2.7
Recommended Action: Update to version 6.2.7, or a newer patched version
Plugin: Nimble Page Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: Import and export users and customers
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.19.2.1
Recommended Action: Update to version 1.19.2.1, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Authenticated Arbitrary File Read
Patched Version: 0.9.71
Recommended Action: Update to version 0.9.71, or a newer patched version
Plugin: Yoo Slider – Image Slider & Video Slider
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Order Notification for WooCommerce – Get Audio Alert on new Orders
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: Pricing Table by Supsystic
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version
Plugin: AdRotate Banner Manager – The only ad manager you'll need
Vulnerability: Authenticated Stored Cross-Site Scripting via Advert Names
Patched Version: 5.8.23
Recommended Action: Update to version 5.8.23, or a newer patched version
Plugin: eRoom – Zoom Meetings & Webinars
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: DW Question Answer Pro
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Insert Special Characters
Vulnerability: Prototype Pollution
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: Master Elements
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Text Hover
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Plugin: Maintenance Mode by Supsystic
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: RSVP and Event Management
Vulnerability: Unauthenticated Sensitive Information Disclosure
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version
Plugin: ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin
Vulnerability: Authorization Bypass and Cross-Site Request Forgery
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version
Plugin: Ad Inserter – Ad Manager & AdSense Ads
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.12
Recommended Action: Update to version 2.7.12, or a newer patched version
Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Vulnerability: SQL Injection
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: SQL Injection
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Unify
Vulnerability: Cross-Site Scripting
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics
Vulnerability: Server Side Request Forgery
Patched Version: 8.8.15
Recommended Action: Update to version 8.8.15, or a newer patched version
Plugin: SearchIQ – The Search Solution
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version
Plugin: Content Egg
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version
Plugin: Security Optimizer – The All-In-One Protection Plugin
Vulnerability: Authentication Bypass via 2FA Setup
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin
Vulnerability: Subscriber+ Arbitrary Affiliate Links Creation
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version
Plugin: LayerSlider
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version
Plugin: WooCommerce
Vulnerability: Information Disclosure
Patched Version: 4.0.3
Recommended Action: Update to one of the following versions, or a newer patched version: 4.0.3, 4.1.3, 4.2.4, 4.3.5, 4.4.3, 4.5.4, 4.6.4, 4.7.3, 4.8.2, 4.9.4, 5.0.2, 5.1.2, 5.2.4, 5.3.2, 5.4.3, 5.5.3, 5.6.1, 5.7.0
Plugin: Plausible Analytics
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Easy Social Icons
Vulnerability: Admin+ Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Menubar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8
Recommended Action: Update to version 5.8, or a newer patched version
Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)
Vulnerability: Cross-Site Scripting
Patched Version: 3.1.40
Recommended Action: Update to version 3.1.40, or a newer patched version
Plugin: Visual Form Builder
Vulnerability: Admin+ Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: eRoom – Zoom Meetings & Webinars
Vulnerability: Unauthorized Setting Update
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Security Optimizer – The All-In-One Protection Plugin
Vulnerability: Authorization Weakness to Authentication Bypass
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress
Vulnerability: Subscriber+ Blind SQL Injection
Patched Version: 6.1.6
Recommended Action: Update to version 6.1.6, or a newer patched version
Plugin: Anti-Malware Security and Brute-Force Firewall
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.20.96
Recommended Action: Update to version 4.20.96, or a newer patched version
Plugin: Visual Form Builder
Vulnerability: Cross-Site Request Forgery to Data Modification
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Open Redirect and Reflected Cross-Site Scripting
Patched Version: 4.4.11
Recommended Action: Update to version 4.4.11, or a newer patched version
Plugin: Good & Bad comments
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UpdraftPlus: WP Backup & Migration Plugin
Vulnerability: No subtitle
Patched Version: 1.22.9
Recommended Action: Update to version 1.22.9, or a newer patched version
Plugin: DW Question Answer Pro
Vulnerability: Missing Authorization Checks
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Themify Post Type Builder (PTB) Search Addon
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Easy Social Icons
Vulnerability: Authenticated (Admin+) Cross-Site Scripting and Missing Authorization Checks
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Easy Social Icons
Vulnerability: Admin+ Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version
Plugin: Page Restriction WordPress (WP) – Protect WP Pages/Post
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: eRoom – Zoom Meetings & Webinars
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Cross-Site Scripting
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Thank Me Later
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Security & Membership
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social comments by WpDevArt
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: One Click Demo Import
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.