Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. Check the list against the plugins installed on your site: an entry applies to you only if that plugin is installed (active or not) and its version is below the patched version. Updating, or removing a plugin that has no fix, closes the gap and protects your site and its data.
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: Sensitive Information Disclosure
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: WPQA – Builder forms Addon For WordPress
Vulnerability: Not specified in this listing; affects versions below 5.2
Patched Version: 5.2
Recommended Action: Update to version 5.2, or a newer patched version
Plugin: Gwyn’s Imagemap Selector
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Call Now Button – The #1 Click to Call Button for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: 3xSocializer
Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization
Vulnerability: Subscriber+ Arbitrary Settings Update
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: WP LESS to CSS
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Tokens Wallet
Vulnerability: Not specified in this listing; affects versions 1.9.5 and earlier
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version
Plugin: Turn off all comments
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Contact form 7 DB
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version
Plugin: WPCargo Track & Trace
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 6.9.5
Recommended Action: Update to version 6.9.5, or a newer patched version
Plugin: Tracked Tweets
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RSVPMaker
Vulnerability: Unauthenticated SQL Injection
Patched Version: 9.2.6
Recommended Action: Update to version 9.2.6, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: ScrollReveal.js Effects
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cab fare calculator
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Arbitrary File Upload
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version
Plugin: Easy Call With Twilio
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Admin Word Count Column
Vulnerability: Unauthenticated Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPCargo Track & Trace
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.9.5
Recommended Action: Update to version 6.9.5, or a newer patched version
Plugin: Social Live Chat Helpdesk – MyAlice
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Melhor Envio
Vulnerability: Cross-Site Request Forgery and Authenticated Settings Change
Patched Version: 2.11.20
Recommended Action: Update to version 2.11.20, or a newer patched version
Plugin: Gmedia Photo Gallery
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.20.0
Recommended Action: Update to version 1.20.0, or a newer patched version
Plugin: Vertical scroll recent post
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 14.0
Recommended Action: Update to version 14.0, or a newer patched version
Plugin: Pricing Table Plugin
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: Donate Extra
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Subtitle
Vulnerability: Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Plugin: Donorbox – Free Recurring Donation Plugin and Fundraising Platform
Vulnerability: Cross-Site Scripting
Patched Version: 7.1.7
Recommended Action: Update to version 7.1.7, or a newer patched version
Plugin: Slider by 10Web – Responsive Image Slider
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.2.52
Recommended Action: Update to version 1.2.52, or a newer patched version
Plugin: Social Stickers
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP YouTube Live
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Easy Smooth Scroll Links
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rara One Click Demo Import
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: Night Mode
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: WPC Smart Wishlist for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version
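A practical way to act on a list like this is to compare it against the plugin inventory of each site you manage rather than reading entries one by one. The script below is an added example, not code from this post or from any of the plugins named in it. It assumes the inventory comes from WP-CLI (`wp plugin list --format=json`, which reports `name`, `status`, `version` and `update_version`), that advisories are keyed by plugin slug (the slugs used here are assumptions; the post lists display names only), and it embeds a constructed inventory so it runs offline. Versions are compared numerically, not as strings, so that 1.2.52 is correctly treated as newer than 1.2.6.

```python
"""Triage installed WordPress plugins against a weekly advisory list.

Added example (not from the original post). Assumptions:
  * the inventory is the JSON printed by `wp plugin list --format=json`;
  * plugin slugs in ADVISORIES are illustrative, as are the sample entries;
  * patched=None means the advisory lists no fixed version.
"""
import json
import re

# Subset of this week's entries, keyed by an assumed plugin slug.
ADVISORIES = {
    "rsvpmaker": {"issue": "Unauthenticated SQL Injection", "patched": "9.2.6"},
    "vikbooking": {"issue": "Arbitrary File Upload", "patched": "1.5.9"},
    "cab-fare-calculator": {"issue": "Unauthenticated Local File Inclusion", "patched": "1.0.4"},
    "admin-word-count-column": {"issue": "Unauthenticated Arbitrary File Read", "patched": None},
    "metform": {"issue": "Sensitive Information Disclosure", "patched": "2.1.4"},
}

# Constructed sample of `wp plugin list --format=json` output.
SAMPLE_INVENTORY = json.dumps([
    {"name": "rsvpmaker", "status": "active", "update": "available", "version": "9.2.5", "update_version": "9.2.6"},
    {"name": "vikbooking", "status": "active", "update": "none", "version": "1.5.9", "update_version": ""},
    {"name": "cab-fare-calculator", "status": "inactive", "update": "none", "version": "1.0.3", "update_version": ""},
    {"name": "admin-word-count-column", "status": "active", "update": "none", "version": "2.2", "update_version": ""},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3", "update_version": ""},
])


def version_key(v):
    """Split '9.2.6' or '1.2.52' into a list of ints; a non-numeric piece sorts below 0."""
    parts = []
    for piece in re.split(r"[.\-]", v.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else -1)
    return parts


def version_lt(a, b):
    """True if version a is strictly older than b. Pads with zeros so 1.0 == 1.0.0."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [0] * (n - len(ka))
    kb += [0] * (n - len(kb))
    return ka < kb


def triage(inventory_json, advisories=ADVISORIES):
    """Return one finding per installed plugin that matches an advisory and is below the patched version.

    Inactive plugins are included: their files stay on disk, and vulnerabilities in
    directly requested PHP files remain reachable whether or not the plugin is active.
    """
    findings = []
    for plugin in json.loads(inventory_json):
        adv = advisories.get(plugin["name"])
        if adv is None:
            continue
        patched = adv["patched"]
        if patched is not None and not version_lt(plugin["version"], patched):
            continue  # already at or above the fixed version
        findings.append({
            "plugin": plugin["name"],
            "installed": plugin["version"],
            "issue": adv["issue"],
            "active": plugin["status"] == "active",
            "action": f"update to {patched}" if patched else "no patch available: remove or mitigate",
        })
    # Work order: active plugins first, and unauthenticated issues before authenticated ones.
    findings.sort(key=lambda f: (not f["active"], "Unauthenticated" not in f["issue"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        state = "active" if f["active"] else "inactive"
        print(f"{f['plugin']} {f['installed']} ({state}): {f['issue']} -> {f['action']}")
```

To run it against a real site, replace `SAMPLE_INVENTORY` with the output of `wp plugin list --format=json` and extend `ADVISORIES` with the rest of the week's entries. The ordering is deliberate: an active plugin with an unauthenticated injection or file-read issue is reachable by anyone on the internet and goes to the top of the queue, while Admin+ stored XSS in an inactive plugin can wait for the next maintenance window.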
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.