Understanding Vulnerabilities in WordPress Plugins
Every week we highlight known vulnerabilities in WordPress plugins so that you can assess your exposure and act on it. For each entry below, check whether the plugin is installed on your site, compare the installed version against the patched version, and update; where no patch exists, mitigate according to your risk tolerance or remove the plugin. Keeping on top of these entries protects the integrity of your WordPress site and its data.
Plugin: Avada (Fusion) Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version
Plugin: wSecure Lite
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stock Ticker
Vulnerability: Reflected Cross-Site Scripting in ajax_stockticker_load
Patched Version: 3.23.4
Recommended Action: Update to version 3.23.4, or a newer patched version
Plugin: Realia
Vulnerability: Cross-Site Request Forgery to User Email Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Pipes
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: Analytics for Woo – Putler Accurate Analytics and Reports for your WooCommerce Store
Vulnerability: Missing Authorization via ‘putler_connector_sync_complete’
Patched Version: 2.13.0
Recommended Action: Update to version 2.13.0, or a newer patched version
Plugin: 123.chat – 1:1 Live Video Chat Tool Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: YITH WooCommerce Waitlist
Vulnerability: Cross-Site Request Forgery via ‘save_mail_status’
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: BigBlueButton
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup by Supsystic
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.20
Recommended Action: Update to version 1.10.20, or a newer patched version
Plugin: Theme Demo Import
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MailChimp Forms by MailMunch
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version
Plugin: Jupiter X Core
Vulnerability: Not stated in this listing; the entry gives only a version number, 3.3.0 (presumably the last affected release, given that 3.3.5 is the patched version)
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version
Plugin: WP LINE Notify
Vulnerability: Reflected Cross-Site Scripting via ‘uid’
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: WP Remote Users Sync
Vulnerability: Authenticated (Subscriber+) Server Side Request Forgery
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version
Plugin: WP Remote Users Sync
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Log View
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version
Plugin: ImageRecycle pdf & image compression
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.12
Recommended Action: Update to version 3.1.12, or a newer patched version
Plugin: WP 404 Auto Redirect to Similar Post
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Avada (Fusion) Builder
Vulnerability: Missing Authorization
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version
Plugin: Easy!Appointments
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion via ‘disconnect’
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: Analytics for Woo – Putler Accurate Analytics and Reports for your WooCommerce Store
Vulnerability: Missing Authorization via ‘send_resync_request’
Patched Version: 2.13.0
Recommended Action: Update to version 2.13.0, or a newer patched version
Plugin: Products Quick View for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: User Submitted Posts – Enable Users to Submit Posts from the Front End
Vulnerability: Unauthenticated Stored Cross-Site Scripting via ‘user-submitted-content’
Patched Version: 20230811
Recommended Action: Update to version 20230811, or a newer patched version
Plugin: Stock Ticker
Vulnerability: Reflected Cross-Site Scripting in ajax_stockticker_symbol_search_test
Patched Version: 3.23.3
Recommended Action: Update to version 3.23.3, or a newer patched version
Plugin: Easy Cookie Law
Vulnerability: Cross-Site Request Forgery via ‘ecl_options’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Store Locator WordPress
Vulnerability: Reflected Cross-Site Scripting via ‘asl-nounce’
Patched Version: 1.4.13
Recommended Action: Update to version 1.4.13, or a newer patched version
Plugin: PDF Builder for WooCommerce. Create invoices,packing slips and more
Vulnerability: Authenticated (Subscriber+) SQL Injection via Export
Patched Version: 1.2.90
Recommended Action: Update to version 1.2.90, or a newer patched version
Plugin: Accordion and Accordion Slider
Vulnerability: Missing Authorization via ‘wp_aas_get_attachment_edit_form’ and ‘wp_aas_save_attachment_data’
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Orders Tracking for WooCommerce
Vulnerability: Authenticated (Administrator+) Directory Traversal via ‘file_url’
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: ImageRecycle pdf & image compression
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Delete via admin_post_remove and remove_private_data
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version
Plugin: Rate My Post – Star Rating Plugin by FeedbackWP
Vulnerability: Not stated in this listing; the entry gives only the affected range, WP Rating System <= 3.4.1
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: WebLibrarian
Vulnerability: Reflected Cross-Site Scripting via multiple parameters
Patched Version: 3.5.8.2
Recommended Action: Update to version 3.5.8.2, or a newer patched version
Plugin: User Activity Log
Vulnerability: IP Address Spoofing
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version
Plugin: Advanced Custom Fields Pro
Vulnerability: Not stated in this listing; the entry gives only a version number, 6.1.7 (presumably the last affected release, given that 6.1.8 is the patched version)
Patched Version: 6.1.8
Recommended Action: Update to version 6.1.8, or a newer patched version
Plugin: Avada (Fusion) Builder
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version
Plugin: Premium Packages – Sell Digital Products Securely
Vulnerability: Not stated in this listing; the entry gives only the affected range, Sell Digital Products Securely <= 5.7.4
Patched Version: 5.7.5
Recommended Action: Update to version 5.7.5, or a newer patched version
Plugin: Make Paths Relative
Vulnerability: Cross-Site Request Forgery via ‘admin/class-make-paths-relative-admin.php’
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Portfolio and Projects
Vulnerability: Cross-Site Request Forgery via ‘wpos_anylc_admin_init_process’
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Media from FTP
Vulnerability: Authenticated (Author+) Improper Privilege Management
Patched Version: 11.17
Recommended Action: Update to version 11.17, or a newer patched version
Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.16
Recommended Action: Update to version 3.2.16, or a newer patched version
Plugin: WP Like Button
Vulnerability: Cross-Site Request Forgery via ‘saveData’
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Highcompress Image Compressor
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version
Plugin: Post Grid and Gutenberg Blocks – ComboBlocks
Vulnerability: Missing Authorization to Sensitive Information Exposure via REST API
Patched Version: 2.2.51
Recommended Action: Update to version 2.2.51, or a newer patched version
Plugin: WP Categories Widget
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Canto
Vulnerability: Unauthenticated Remote File Inclusion
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: Product Attachment for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Donations Made Easy – Smart Donations
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: InfiniteWP Client
Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 1.12.1
Recommended Action: Update to version 1.12.1, or a newer patched version
Plugin: Futurio Extra
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Avada (Fusion) Builder
Vulnerability: Reflected Cross-Site Scripting via User Register Element
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version
Plugin: ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Missing Authorization
Patched Version: 5.9.3
Recommended Action: Update to version 5.9.3, or a newer patched version
Plugin: Kangu para WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.10
Recommended Action: Update to version 2.2.10, or a newer patched version
Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.4
Recommended Action: Update to version 3.9.4, or a newer patched version
Plugin: Justified Gallery
Vulnerability: Missing Authorization via ‘dismiss_how_to_use_notice’ and ‘dismiss_notice’
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: WxSync-标准云微信公众号文章免费采集-任意公众号自动采集付费购买
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Printful Integration for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: PixTypes
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced File Manager
Vulnerability: Authenticated (Administrator+) Arbitrary File and Folder Access
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version
Plugin: Email Template Designer – WP HTML Mail
Vulnerability: Cross-Site Request Forgery via ‘send_test’
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Plugin: flowpaper
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Responsive WordPress Slider – Avartan Slider Lite
Vulnerability: Reflected Cross-Site Scripting via ‘asview-nouce’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PDF Builder for WooCommerce. Create invoices,packing slips and more
Vulnerability: Cross-Site Request Forgery via Save
Patched Version: 1.2.91
Recommended Action: Update to version 1.2.91, or a newer patched version
Plugin: SendPress Newsletters
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: demon image annotation
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.4
Recommended Action: Update to version 5.4, or a newer patched version
Plugin: Absolute Privacy
Vulnerability: Cross-Site Request Forgery to User Email/Password Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Password Reset with Code for WordPress REST API
Vulnerability: Weak Password Recovery Mechanism
Patched Version: 0.0.16
Recommended Action: Update to version 0.0.16, or a newer patched version
Plugin: Post Timeline
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version
Plugin: Futurio Extra
Vulnerability: Cross-Site Request Forgery via ‘futurio_extra_reset_mod’
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: SB Child List
Vulnerability: Cross-Site Request Forgery via ‘sb_cl_update_settings’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: woocommerce-one-page-checkout
Vulnerability: Authenticated (Contributor+) Local File Inclusion via `woocommerce_one_page_checkout`
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
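The recommended actions above all reduce to one check per plugin: is it installed, and is the installed version older than the patched version (or is there no patch at all)? The script below automates that check. It is an added example and not part of the original post or of any plugin's own code. It assumes the advisory entries are copied into an ADVISORIES list (a handful from this post are included) and that the installed-plugin inventory is the JSON printed by `wp plugin list --fields=name,title,status,version --format=json`; a small constructed inventory is embedded so it runs offline. Matching is done on the plugin title, which is an assumption: the advisory names and the titles WP-CLI reports do not always agree, so a real run may need a name-to-slug mapping.

```python
"""Compare installed WordPress plugins against advisory entries.

Added example, not from the original post. Advisory entries below are copied
from this week's list (plugin title, vulnerability, patched version or None).
"""
import json
import re
from typing import Optional

ADVISORIES = [
    ("Avada (Fusion) Builder", "Authenticated (Subscriber+) SQL Injection", "3.11.2"),
    ("Stock Ticker", "Reflected Cross-Site Scripting in ajax_stockticker_load", "3.23.4"),
    ("Stock Ticker", "Reflected Cross-Site Scripting in ajax_stockticker_symbol_search_test", "3.23.3"),
    ("wSecure Lite", "Authenticated (Administrator+) Stored Cross-Site Scripting via settings", None),
    ("WP Remote Users Sync", "Authenticated (Subscriber+) Server Side Request Forgery", "1.2.13"),
    ("WP Remote Users Sync", "Missing Authorization to Authenticated (Subscriber+) Log View", "1.2.12"),
]

# Constructed sample of `wp plugin list --fields=name,title,status,version --format=json`
# output. Not real site data; the versions were chosen to exercise each branch below.
SAMPLE_INVENTORY = json.dumps([
    {"name": "fusion-builder", "title": "Avada (Fusion) Builder", "status": "active", "version": "3.11.1"},
    {"name": "stock-ticker", "title": "Stock Ticker", "status": "active", "version": "3.23.4"},
    {"name": "wsecure", "title": "wSecure Lite", "status": "inactive", "version": "2.5"},
    {"name": "wp-remote-users-sync", "title": "WP Remote Users Sync", "status": "active", "version": "1.2.12"},
    {"name": "akismet", "title": "Akismet Anti-Spam", "status": "active", "version": "5.3"},
])


def version_tuple(v: str) -> tuple:
    """Turn '3.11.2' into (3, 11, 2). Numeric components only; parsing stops at the
    first non-numeric component (e.g. 'beta1'), which is adequate for release builds."""
    nums = []
    for part in re.split(r"[.\-+_]", v.strip()):
        if part.isdigit():
            nums.append(int(part))
        else:
            break
    return tuple(nums)


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than version b. Shorter tuples are zero-padded so
    that '1.2' compares equal to '1.2.0' and older than '1.2.1'."""
    ta, tb = version_tuple(a), version_tuple(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def check_inventory(inventory_json: str, advisories=ADVISORIES) -> list:
    """Return one finding per (installed plugin, advisory) pair that still applies.

    Inactive plugins are reported too: their code stays on disk until the plugin
    is deleted, so deactivation alone is not treated as remediation here.
    """
    installed = {p["title"].casefold(): p for p in json.loads(inventory_json)}
    findings = []
    for title, vuln, patched in advisories:
        plugin = installed.get(title.casefold())
        if plugin is None:
            continue
        action: Optional[str] = None
        if patched is None:
            action = "no patch available: review the details, mitigate, or replace the plugin"
        elif version_lt(plugin["version"], patched):
            action = f"update to {patched} or newer"
        if action is not None:
            findings.append({
                "plugin": title,
                "installed": plugin["version"],
                "status": plugin["status"],
                "vulnerability": vuln,
                "action": action,
            })
    return findings


if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        print(f"[{f['status']}] {f['plugin']} {f['installed']}: {f['vulnerability']} -> {f['action']}")
```

Run against a live site by piping the WP-CLI output in (`wp plugin list --fields=name,title,status,version --format=json > plugins.json`) and passing its contents to `check_inventory`. Two design points: a plugin is compared against every advisory that names it, because the same plugin can carry several entries with different patched versions (Stock Ticker and WP Remote Users Sync above), and an entry with no patched version is always reported so that it cannot be silently closed by an update.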
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.