Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: MWB Point of Sale (POS) for WooCommerce- Generate Barcodes, Process your Bills, Synchronize, Your Online-Offline Orders
Vulnerability: Missing Authorization
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Clean Login
Vulnerability: Cross-Site Scripting
Patched Version: 1.12.6.4
Recommended Action: Update to version 1.12.6.4, or a newer patched version
Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2021.18
Recommended Action: Update to version 2021.18, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.56
Recommended Action: Update to version 0.9.56, or a newer patched version
Plugin: Form Builder | Create Responsive Contact Forms
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.9.8.4
Recommended Action: Update to version 1.9.8.4, or a newer patched version
Plugin: Site Reviews
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 5.13.1
Recommended Action: Update to version 5.13.1, or a newer patched version
Plugin: Form Builder | Create Responsive Contact Forms
Vulnerability: Cross-Site Scripting
Patched Version: 1.9.8.5
Recommended Action: Update to version 1.9.8.5, or a newer patched version
Plugin: Keyword Meta
Vulnerability: Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: Highlight Sitewide Notice, Text, Button Menu
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.9.3
Recommended Action: Update to version 0.9.3, or a newer patched version
Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Vulnerability: SQL Injection
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: WP Customize Login
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Two Factor Authentication (2FA , MFA, OTP SMS and Email)
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: WP Fusion Lite – Marketing Automation and CRM Integration for WordPress
Vulnerability: No subtitle
Patched Version: 3.37.30
Recommended Action: Update to version 3.37.30, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Missing Capabilities Check to Information Disclosure
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version
Plugin: Cookie Notice & Consent Banner for GDPR & CCPA Compliance
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version
Plugin: Pods – Custom Content Types and Fields
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 2.7.29
Recommended Action: Update to version 2.7.29, or a newer patched version
Plugin: AddToAny Share Buttons
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.7.46
Recommended Action: Update to version 1.7.46, or a newer patched version
Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: WP Fusion Lite – Marketing Automation and CRM Integration for WordPress
Vulnerability: No subtitle
Patched Version: 3.37.30
Recommended Action: Update to version 3.37.30, or a newer patched version
Plugin: Book appointment online
Vulnerability: Cross-Site Scripting
Patched Version: 1.39
Recommended Action: Update to version 1.39, or a newer patched version
Plugin: AddToAny Share Buttons
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.7.48
Recommended Action: Update to version 1.7.48, or a newer patched version
Plugin: WP Simple Booking Calendar
Vulnerability: Authenticated SQL Injection
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: WPFront Notification Bar
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: SQL Injection
Patched Version: 7.1.14
Recommended Action: Update to version 7.1.14, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Cross-Site Scripting
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version
Plugin: ReFlex Gallery » WordPress Photo Gallery
Vulnerability: Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Download Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.13
Recommended Action: Update to version 3.2.13, or a newer patched version
Plugin: User Rights Access Manager
Vulnerability: Access Restriction Bypass
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
Vulnerability: Authenticated SQL Injection
Patched Version: 6.60
Recommended Action: Update to version 6.60, or a newer patched version
Plugin: WP Mapa Politico España
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version
Plugin: SpeakOut! Email Petitions
Vulnerability: Cross-Site Scripting
Patched Version: 2.13.3
Recommended Action: Update to version 2.13.3, or a newer patched version
Plugin: Custom Post View Generator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Daily Prayer Time
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2021.08.10
Recommended Action: Update to version 2021.08.10, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Missing Capabilities Check to Information Disclosure
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version
Plugin: Affiliate Program Suite — SliceWP Affiliates
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.46
Recommended Action: Update to version 1.0.46, or a newer patched version
Plugin: Picture Gallery – Frontend Image Uploads, AJAX Photo List
Vulnerability: Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Google Authenticator – WordPress 2FA, OTP SMS and Email
Vulnerability: Cross-Site Scripting
Patched Version: 5.4.40
Recommended Action: Update to version 5.4.40, or a newer patched version
Plugin: Availability Calendar
Vulnerability: SQL Injection
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: AMP extensions
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
