Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Autoptimize
Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version
Plugin: NAB Transact
Vulnerability: Payment System Bypass
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons
Vulnerability: Missing Authorization
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: WP Customer Reviews
Vulnerability: Multiple Stored Cross-Site Scripting
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms
Vulnerability: Unauthenticated Arbitrary Post Deletion
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms
Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: WP Floating Menu – One page navigator, sticky menu for WordPress
Vulnerability: Cross-Site Scripting via id Parameter
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
Vulnerability: Authenticated Information Disclosure
Patched Version: 6.6.2
Recommended Action: Update to version 6.6.2, or a newer patched version
Plugin: Click to top
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: RSVPMaker
Vulnerability: Unauthenticated SQL Injection via ‘event_count’
Patched Version: 7.8.2
Recommended Action: Update to version 7.8.2, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
