Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Optima Express + MarketBoost IDX Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version
Plugin: Membership Database
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: f(x) TOC
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Missing Authorization via get
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
Plugin: Newsletters
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version
Plugin: Themify Portfolio Post
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: YARPP – Yet Another Related Posts Plugin
Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: 5.30.5
Recommended Action: Update to version 5.30.5, or a newer patched version
Plugin: LearnPress Export Import – WordPress extension for LearnPress
Vulnerability: Export/Import Courses <= 4.0.2
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: External Videos
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booqable Rental Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.4.16
Recommended Action: Update to version 2.4.16, or a newer patched version
Plugin: Simple PopUp
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: Button Builder – Buttons X
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version
Plugin: PowerPress Podcasting plugin by Blubrry
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 10.0.2
Recommended Action: Update to version 10.0.2, or a newer patched version
Plugin: Watu Quiz
Vulnerability: Reflected Cross-Site Scripting via ‘question’
Patched Version: 3.3.9.3
Recommended Action: Update to version 3.3.9.3, or a newer patched version
Plugin: Enable/Disable Auto Login when Register
Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Zendesk Support for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version
Plugin: Church Admin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version
Plugin: WP Offload SES Lite
Vulnerability: Interpretation Conflict
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version
Plugin: WPML
Vulnerability: Reflected Cross-Site Scripting via wp_lang
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Missing Authorization on ‘load_hcaptcha_preview’ AJAX function
Patched Version: 1.23.3
Recommended Action: Update to version 1.23.3, or a newer patched version
Plugin: Database Collation Fix
Vulnerability: Cross-Site Request Forgery via admin_page
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Featured Post Creative
Vulnerability: Cross-Site Request Forgery via wpfp_update_featured_post
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: WP Inventory Manager
Vulnerability: Reflected Cross-Site Scripting via ‘message’
Patched Version: 2.1.0.12
Recommended Action: Update to version 2.1.0.12, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Unauthenticated PHP Object Injection via Cookies
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version
Plugin: tagDiv Composer
Vulnerability: Reflected Cross-Site Scripting via ‘td_video_url’
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: WP Reroute Email
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version
Plugin: Stamped.io Product Reviews & UGC for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: AdFoxly – Ad Manager, AdSense Ads & Ads.txt
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Custom Author URL
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: Clock In Portal- Staff & Attendance Management
Vulnerability: Cross-Site Request Forgery To Staff Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PrettyLinks – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin
Vulnerability: Cross-Site Request Forgery via route
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Plugin: Paytm Payment Donation
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Smart WooCommerce Search
Vulnerability: Missing Authorization
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: WP Roles at Registration
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clock In Portal- Staff & Attendance Management
Vulnerability: Cross-Site Request Forgery to Holidays Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cloud Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Captcha Them All
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: WP Docs
Vulnerability: Cross-Site Request Forgery to folder management
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version
Plugin: Featured Post Creative
Vulnerability: Missing Authorization via wpfp_update_featured_post
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Article Directory Redux
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Login Box
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stock Exporter for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Coupon Affiliates – Affiliate Plugin for WooCommerce
Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: 5.4.6
Recommended Action: Update to version 5.4.6, or a newer patched version
Plugin: Pretty Url
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Missing Authorization on ‘load_recaptcha_preview’ AJAX function
Patched Version: 1.23.3
Recommended Action: Update to version 1.23.3, or a newer patched version
Plugin: Vimeotheque: Vimeo WordPress Plugin
Vulnerability: Reflected Cross-Site Scripting via ‘view’ and ‘page’
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: Ultimate Noindex Nofollow Tool II
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: BBSpoiler
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stamped.io Product Reviews & UGC for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: BadgeOS
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Order Numbers for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: Product Slider For WooCommerce Lite
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Meta Keys
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Motor Racing League
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wp-D3
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Easy Duplicate Product
Vulnerability: Reflected Cross-Site Scripting via wedp_duplicated
Patched Version: 0.3.0.1
Recommended Action: Update to version 0.3.0.1, or a newer patched version
Plugin: Video List Manager
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pickup | Delivery | Dine-in date time
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Affiliate Links: WordPress Plugin for Link Cloaking and Link Management
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version
Plugin: Visual CSS Style Editor
Vulnerability: Reflected Cross-Site Scripting liveLink
Patched Version: 7.5.9
Recommended Action: Update to version 7.5.9, or a newer patched version
Plugin: Sloth Logo Customizer
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
Vulnerability: Cross-Site Request Forgery and PHAR Deserialization
Patched Version: 5.4.0
Recommended Action: Update to version 5.4.0, or a newer patched version
Plugin: Thumbnail carousel slider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version
Plugin: WP Reroute Email
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 8.4
Recommended Action: Update to version 8.4, or a newer patched version
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Missing Authorization via template_count
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
Plugin: WP-FormAssembly
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: Mega Addons For WPBakery Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version
Plugin: Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version
Plugin: Semalt Blocker
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.41
Recommended Action: Update to version 2.2.41, or a newer patched version
Plugin: YourChannel: Everything you want in a YouTube plugin.
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: YML for Yandex Market
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.10.8
Recommended Action: Update to version 3.10.8, or a newer patched version
Plugin: WP Popups – WordPress Popup builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.5.1
Recommended Action: Update to version 2.1.5.1, or a newer patched version
Plugin: User registration & user profile – UserPlus
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Missing Authorization via templates
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
Plugin: Kaya QR Code Generator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via url parameter
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: CMP – Coming Soon & Maintenance Plugin by NiteoThemes
Vulnerability: Maintenance Mode Bypass
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version
Plugin: Enable Accessibility
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: Ultimate Carousel For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ZM Ajax Login & Register
Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Unauthenticated SQL Injection
Patched Version: 8.1.5
Recommended Action: Update to version 8.1.5, or a newer patched version
Plugin: ShiftController Employee Shift Scheduling
Vulnerability: Reflected Cross-Site Scripting via Query String
Patched Version: 4.9.26
Recommended Action: Update to version 4.9.26, or a newer patched version
Plugin: Avirato hotels online booking engine
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Post Type List Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fantastic Content Protector Free
Vulnerability: Missing Authorization via update_setting_fantastic_content_protector
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: hiWeb Migration Simple
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
Vulnerability: Authenticated (Contributor+) SQL Injection via cntctfrmtdb_department
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: Easy Appointments
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.11.1
Recommended Action: Update to version 3.11.1, or a newer patched version
Plugin: Landing Page Builder – Free Landing Page Templates
Vulnerability: Local File Inclusion via ‘lpp_template_select’
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Unauthenticated Stored Cross-Site Scripting in Admin Dashboard
Patched Version: 4.4.9
Recommended Action: Update to version 4.4.9, or a newer patched version
Plugin: OoohBoi Steroids for Elementor
Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Image Upload
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: Clock In Portal- Staff & Attendance Management
Vulnerability: Cross-Site Request Forgery To Designation Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Video Grid
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.22
Recommended Action: Update to version 1.22, or a newer patched version
Plugin: Ultimate Carousel For WPBakery Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cyr to Lat enhanced
Vulnerability: Authenticated SQL Injection
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version
Plugin: CoSchedule
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version
Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More
Vulnerability: Unauthenticated CSV Injection
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version
Plugin: Clock In Portal- Staff & Attendance Management
Vulnerability: Cross-Site Request Forgery to Designation Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Missing Authorization on ‘hubspot_support_request’ AJAX function
Patched Version: 1.23.3
Recommended Action: Update to version 1.23.3, or a newer patched version
Plugin: Panorama – WordPress Project Management Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Cross-Site Request Forgery via save
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via openai_settings_option_callback
Patched Version: 4.4.9
Recommended Action: Update to version 4.4.9, or a newer patched version
Plugin: Freshdesk (official)
Vulnerability: Open Redirect
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: Clock In Portal- Staff & Attendance Management
Vulnerability: Cross-Site Request Forgery to Staff Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Locatoraid Store Locator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.9.15
Recommended Action: Update to version 3.9.15, or a newer patched version
Plugin: Blazeo
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Clock In Portal- Staff & Attendance Management
Vulnerability: Cross-Site Request Forgery To Holiday Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shortcodes by Angie Makes
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP EasyPay – Create Your Payment Forms to Pay with Square – Square for WordPress Plugin: Integrate Square with WordPress to Collect Payments
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version
Plugin: Responsive Filterable Portfolio
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.20
Recommended Action: Update to version 1.0.20, or a newer patched version
Plugin: Stream
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version
Plugin: Electric Studio Client Login
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Japanized For WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version
Plugin: Neshan Maps
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AFFILIATE Solution
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FAQ / Accordion / Docs / KB – Helpie WordPress FAQ Accordion plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version
Plugin: Post Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kaya QR Code Generator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via qrCode attribute
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Missing Authorization via save
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.