Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Booster for WooCommerce
Vulnerability: Authenticated (Shop Manager+) Missing Authorization to Arbitrary Options Update
Patched Version: 7.1.0
Recommended Action: Update to version 7.1.0, or a newer patched version
Plugin: WC Shop Sync – Square Payment Gateway for WooCommerce, Inventory Sync Between Square and WooCommerce, Ultimate WooCommerce Square Plugin
Vulnerability: Missing Authorization
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version
Plugin: wpShopGermany – Protected Shops
Vulnerability: Protected Shops <= 2.0
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Banner Management For WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version
Plugin: User Email Verification for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Discussion Board – WordPress Forum Plugin
Vulnerability: Authenticated (Subscriber+) Content Injection
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version
Plugin: wp tell a friend popup form
Vulnerability: Cross-Site Request Forgery via ‘TellAFriend_admin’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shop as a Customer for WooCommerce
Vulnerability: Authenticated (Shop Manager+) Privilege Escalation
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Meks Audio Player
Vulnerability: Cross-Site Request Forgery via meks_remove_notification
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: Optimize Database after Deleting Revisions
Vulnerability: Cross-Site Request Forgery via ‘odb_start_manually’
Patched Version: 5.2
Recommended Action: Update to version 5.2, or a newer patched version
Plugin: Simple Wp Sitemap
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HTTP Auth
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version
Plugin: InstaWP Connect – 1-click WP Staging & Migration
Vulnerability: Missing Authorization to Unauthenticated Post/Taxonomy/User Add/Change/Delete, Customizer Setting Change, Plugin Installation/Activation/Deactivation via events_receiver
Patched Version: 0.0.9.19
Recommended Action: Update to version 0.0.9.19, or a newer patched version
Plugin: Stripe Payment Plugin for WooCommerce
Vulnerability: Authentication Bypass
Patched Version: 3.7.8
Recommended Action: Update to version 3.7.8, or a newer patched version
Plugin: MultiParcels Shipping For WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.15.2
Recommended Action: Update to version 1.15.2, or a newer patched version
Plugin: Optimize Database after Deleting Revisions
Vulnerability: Cross-Site Request Forgery via ‘odb_csv_download’
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version
Plugin: Media from FTP
Vulnerability: Improper Privilege Management
Patched Version: 11.16
Recommended Action: Update to version 11.16, or a newer patched version
Plugin: Schema Pro
Vulnerability: Authenticated (Contributor+) Missing Authorization
Patched Version: 2.7.9
Recommended Action: Update to version 2.7.9, or a newer patched version
Plugin: ACF Photo Gallery Field
Vulnerability: Authenticated (Subscriber+) Arbitrary Usermeta Update
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: Shop as a Customer for WooCommerce
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: Church Admin
Vulnerability: Server-Side Request Forgery via church_admin_import_csv
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version
Plugin: Simple Blog Card
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.31
Recommended Action: Update to version 1.31, or a newer patched version
Plugin: TI WooCommerce Wishlist
Vulnerability: Unauthenticated Blind SQL Injection via REST API
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: MultiParcels Shipping For WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.4
Recommended Action: Update to version 1.15.4, or a newer patched version
Plugin: WordPress Job Board and Recruitment Plugin – JobWP
Vulnerability: Arbitrary File Upload via ‘jobwp_upload_resume’
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: All In One Login — WordPress Login Security Plugin to Protect and Customize WP Admin
Vulnerability: Protection Mechanism Failure to Login Page Disclosure
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Assistant – Every Day Productivity Apps
Vulnerability: Authenticated (Editor+) Server Side Request Forgery
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: Web Accessibility By accessiBe
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.16
Recommended Action: Update to version 1.16, or a newer patched version
Plugin: Blog2Social: Social Media Auto Post & Scheduler
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version
Plugin: SSL Mixed Content Fix
Vulnerability: Cross-Site Request Forgery on handle_installation function
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: AGP Font Awesome Collection
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Slider Carousel – Image Slider
Vulnerability: Missing Authorization
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Saphali Woocommerce Lite
Vulnerability: Cross-Site Request Forgery via ‘woocommerce_saphali_page_s_l’
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version
Plugin: SSL Mixed Content Fix
Vulnerability: Missing Authorization on handle_installation function
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.20
Recommended Action: Update to version 4.6.20, or a newer patched version
Plugin: cartflows-pro
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.11.13
Recommended Action: Update to version 1.11.13, or a newer patched version
Plugin: Short URL
Vulnerability: Missing Authorization via multiple AJAX functions
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version
Plugin: Update Theme and Plugins from Zip File
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Meks Smart Social Widget
Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: wp tell a friend popup form
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fraud Prevention For WooCommerce and EDD
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger, Live Chat Support Chat Button – Bit Assist
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.