Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Rife Elementor Extensions & Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Content Copy Protection & Prevent Image Save
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form Check Tester
Vulnerability: Authenticated (Subscriber+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Super Cache
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version
Plugin: Business Directory Plugin – Easy Listing Directories for WordPress
Vulnerability: Authenticated PHP4 Upload
Patched Version: 5.11.1
Recommended Action: Update to version 5.11.1, or a newer patched version
Plugin: WP Smart Import : Import any XML File to WordPress
Vulnerability: Server-Side Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: JetWidgets For Elementor
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2021.9
Recommended Action: Update to version 2021.9, or a newer patched version
Plugin: Business Directory Plugin – Easy Listing Directories for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.11.1
Recommended Action: Update to version 5.11.1, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: No subtitle
Patched Version: 4.2.8
Recommended Action: Update to version 4.2.8, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version
Plugin: Business Directory Plugin – Easy Listing Directories for WordPress
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 5.11
Recommended Action: Update to version 5.11, or a newer patched version
Plugin: Workscout Core
Vulnerability: Job Board WordPress Theme <= 2.0.31
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Business Directory Plugin – Easy Listing Directories for WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.11.2
Recommended Action: Update to version 5.11.2, or a newer patched version
Plugin: Podcast Importer SecondLine
Vulnerability: Server-Side Request Forgery
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: Larsens Calender
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementsKit Elementor addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: DethemeKit For Elementor
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.5.5.5
Recommended Action: Update to version 1.5.5.5, or a newer patched version
Plugin: Event Banner
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Addon Elements
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.11.2
Recommended Action: Update to version 1.11.2, or a newer patched version
Plugin: Video Downloader for TikTok
Vulnerability: Server-Side Request Forgery
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: classyfrieds
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CM Download Manager – Document and File Management
Vulnerability: Cross-Site Scripting
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version
Plugin: All-in-One Addons for Elementor – WidgetKit
Vulnerability: WidgetKit <= 2.3.9
Patched Version: 2.3.10
Recommended Action: Update to version 2.3.10, or a newer patched version
Plugin: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: Ultimate Addons for Elementor
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.30.0
Recommended Action: Update to version 1.30.0, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: No subtitle
Patched Version: 6.8
Recommended Action: Update to version 6.8, or a newer patched version
Plugin: College publisher Import
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Absolute Addons for Elementor Page Builder <= 1.5.5
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: WP-DownloadManager
Vulnerability: Server-Side Request Forgery
Patched Version: 1.68.5
Recommended Action: Update to version 1.68.5, or a newer patched version
Plugin: WP Page Builder
Vulnerability: Multiple Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Business Directory Plugin – Easy Listing Directories for WordPress
Vulnerability: Cross-Site Request Forgery to Arbitrary Payment History Update
Patched Version: 5.11.2
Recommended Action: Update to version 5.11.2, or a newer patched version
Plugin: CM Download Manager – Document and File Management
Vulnerability: Directory Traversal to Arbitrary File Deletion and Denial of Service
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version
Plugin: Image Hover Effects – Elementor Addon
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.3.12
Recommended Action: Update to version 3.3.12, or a newer patched version
Plugin: Media File Renamer: Rename for better SEO (AI-Powered)
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Cross-Site Scripting
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: OpenID Connect Generic Client
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version
Plugin: WP Page Builder
Vulnerability: Insecure Default to Unauthorized Page Editing
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Imagements
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Import XML and RSS Feeds
Vulnerability: Server-Side Request Forgery
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: Business Directory Plugin – Easy Listing Directories for WordPress
Vulnerability: Cross-Site Request Forgery to Arbitrary Listing Export
Patched Version: 5.11.2
Recommended Action: Update to version 5.11.2, or a newer patched version
Plugin: User Notes
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Video Downloader for TikTok
Vulnerability: Directory Traversal
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Media File Organizer
Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.