Watch Out Wednesday – August 25, 2021

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Live Scores for SportsPress

Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Visual Link Preview

Vulnerability: Unauthorised AJAX Calls
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: WordPress Slider Block Gutenslider

Vulnerability: Cross-Site Scripting
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: WP Domain Redirect

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RESPONSIVE 3D SLIDER

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.

Vulnerability: Subscriber+ Arbitrary File/Folder Deletion
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Post Views Counter

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: BuddyPress

Vulnerability: SQL Injection
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: WordPress Page Contact

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: MicroCopy

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Sorter

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Display Users

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Live Scores for SportsPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Product Feed on WooCommerce for Google, Awin, Shareasale, Bing, and More

Vulnerability: Authenticated SQL Injection via product_id Parameter
Patched Version: 3.3.1.0
Recommended Action: Update to version 3.3.1.0, or a newer patched version

Plugin: Recipe Card Blocks for Gutenberg & Elementor – Best WordPress Recipe Plugin

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: Timetable and Event Schedule by MotoPress

Vulnerability: Unauthorised Event TimeSlot Deletion
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Simple Schools Staff Directory

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: BuddyPress

Vulnerability: Information Disclosure via REST API
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: Jock On Air Now

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: Contact List – Online Staff Directory and Address Book

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.42
Recommended Action: Update to version 2.9.42, or a newer patched version

Plugin: 博客社交分享组件

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TextMe SMS

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.10.2
Recommended Action: Update to version 5.10.2, or a newer patched version

Plugin: 博客社交分享组件

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Jock On Air Now

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.6.3
Recommended Action: Update to version 5.6.3, or a newer patched version

Plugin: Fonts Plugin | Use Google Fonts, Adobe Fonts or Upload Fonts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via blockType arguments
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: GSEOR – WordPress SEO Plugin

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jock On Air Now

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: Timetable and Event Schedule by MotoPress

Vulnerability: Unauthorised Event TimeSlot Update
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Timetable and Event Schedule by MotoPress

Vulnerability: Author+ Stored Cross-Site Scripting
Patched Version: 2.3.19
Recommended Action: Update to version 2.3.19, or a newer patched version

Plugin: Timetable and Event Schedule by MotoPress

Vulnerability: Arbitrary User’s Hashed Password/Email/Username Disclosure
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.

Vulnerability: Unauthenticated Path Traversal in REST API
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Comment Link Remove and Other Comment Tools

Vulnerability: Arbitrary Comment Deletion via Cross-Site Request Forgery
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: Coupon Affiliates – Affiliate Plugin for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.11.0.2
Recommended Action: Update to version 4.11.0.2, or a newer patched version

Plugin: Limit Login Attempts

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.0.50
Recommended Action: Update to version 4.0.50, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version

Plugin: ThinkTwit

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: WP Video Lightbox

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Podlove Podcast Publisher

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.5.6
Recommended Action: Update to version 3.5.6, or a newer patched version

Plugin: SMTP Mail

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: SMTP Mail

Vulnerability: SQL Injection
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Print My Blog – Print, PDF, & eBook Converter WordPress Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: WP-Board

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Recipe Card Blocks for Gutenberg & Elementor – Best WordPress Recipe Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: WP iCommerce – the first interactive ecommerce for wordpress

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
