Watch Out Wednesday – August 28, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Leopard – WordPress Offload Media

Vulnerability: Affects WordPress Offload Media versions <= 2.0.36
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Super Testimonials

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: WP Testimonial Widget

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Missing Authorization
Patched Version: 6.9.4
Recommended Action: Update to version 6.9.4, or a newer patched version

Plugin: Search & Replace

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload via acym_extractArchive Function
Patched Version: 9.8.0
Recommended Action: Update to version 9.8.0, or a newer patched version

Plugin: Mollie Payments for WooCommerce

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 7.8.0
Recommended Action: Update to version 7.8.0, or a newer patched version

Plugin: WP Crowdfunding

Vulnerability: Missing Authorization to Authenticated (Subscriber+) to Enable/Disable Addons
Patched Version: 2.1.11
Recommended Action: Update to version 2.1.11, or a newer patched version

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Cross-Site Request Forgery to Opt-out
Patched Version: 5.4.0
Recommended Action: Update to version 5.4.0, or a newer patched version

Plugin: User Private Files – File Upload & Download Manager with Secure File Sharing

Vulnerability: Insecure Direct Object Reference to Authenticated (Subscriber+) Private File Access
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 6.4
Recommended Action: Update to version 6.4, or a newer patched version

Plugin: Arkhe Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.23.0
Recommended Action: Update to version 2.23.0, or a newer patched version

Plugin: Music Request Manager

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Enhanced Search Box

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Just Custom Fields

Vulnerability: Missing Authorization via AJAX actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Void Elementor Post Grid Addon for Elementor Page builder

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: String locator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version

Plugin: Responsive Blocks – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version

Plugin: FormFacade – WordPress plugin for Google Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Compute Links

Vulnerability: Unauthenticated Remote File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Optimizer, Resizer and CDN – Sirv

Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version

Plugin: infolinks Ad Wrap

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Telegram Widget and Join Link

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.28
Recommended Action: Update to version 2.1.28, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 4.0.10
Recommended Action: Update to version 4.0.10, or a newer patched version

Plugin: CM Pop-Up Banners for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: WP Armour Extended

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.32
Recommended Action: Update to version 1.32, or a newer patched version

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.26
Recommended Action: Update to version 3.1.26, or a newer patched version

Plugin: Logo Manager For Enamad

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.7.3
Recommended Action: Update to version 0.7.3, or a newer patched version

Plugin: Propovoice: All-in-One Client Management System

Vulnerability: Unauthenticated Insecure Direct Object Reference
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: blogintroduction-wordpress-plugin

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Music Request Manager

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.16.8
Recommended Action: Update to version 1.16.8, or a newer patched version

Plugin: Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: KBucket: Your Curated Content in WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: DSGVO All in one for WP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

Plugin: Web and WooCommerce Addons for WPBakery Builder

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woo Inquiry

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Brickscore

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hide My Site

Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Themify Builder

Vulnerability: Missing Authorization to Authenticated (Contributor+) Post Duplication
Patched Version: 7.6.2
Recommended Action: Update to version 7.6.2, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: NinjaTeam Header Footer Custom Code

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Visual Sound (old)

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Carousel Slider

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.2.14
Recommended Action: Update to version 2.2.14, or a newer patched version

Plugin: Store Locator Plus® for WordPress

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Propovoice Pro

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LiquidPoll – Polls, Surveys, NPS and Feedback Reviews

Vulnerability: Unauthenticated Stored Cross-Site Scripting via form_data Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Authenticated (Administrator+) Arbitrary File Deletion
Patched Version: 3.7.4.1
Recommended Action: Update to version 3.7.4.1, or a newer patched version

Plugin: Gallery Plugin for WordPress – Envira Photo Gallery

Vulnerability: Missing Authorization
Patched Version: 1.8.15
Recommended Action: Update to version 1.8.15, or a newer patched version

Plugin: Generate Images (AI) – Magic Post Thumbnail

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.10
Recommended Action: Update to version 5.2.10, or a newer patched version

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: Visual Sound

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: NinjaTeam Header Footer Custom Code

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via CSS Styles
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Bit Form Pro

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPMobile.App — Android and iOS Mobile Application

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.49
Recommended Action: Update to version 11.49, or a newer patched version

Plugin: Jeg Elementor Kit

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonials Widget Settings
Patched Version: 5.6.3
Recommended Action: Update to version 5.6.3, or a newer patched version

Plugin: WP Travel Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Jupiter X Core

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 4.6.6
Recommended Action: Update to version 4.6.6, or a newer patched version

Plugin: Music Request Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: WHMpress – WHMCS WordPress Integration Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HTML5 Video Player – mp4 Video Player Plugin and Block

Vulnerability: Authenticated (Subscriber+) Information Exposure
Patched Version: 2.5.32
Recommended Action: Update to version 2.5.32, or a newer patched version

Plugin: Backup and Restore WordPress – Backup Plugin

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Hotspot by DevVN

Vulnerability: Authenticated (Author+) PHP Object Injection
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: WordSurvey

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via sounding_title Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accordion Image Menu

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Newsletters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.9
Recommended Action: Update to version 4.9.9, or a newer patched version

Plugin: WP Armour Extended

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.32
Recommended Action: Update to version 1.32, or a newer patched version

Plugin: Visual CSS Style Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version

Plugin: Memberpress

Vulnerability: Missing Authorization
Patched Version: 1.11.35
Recommended Action: Update to version 1.11.35, or a newer patched version

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: WP Timetics – AI-powered Appointment Booking Calendar and Online Scheduling Plugin

Vulnerability: Authorization Bypass
Patched Version: 1.0.24
Recommended Action: Update to version 1.0.24, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.3.4
Recommended Action: Update to version 2.8.3.4, or a newer patched version

Plugin: WooCommerce Google Feed Manager

Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Feed Actions
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version

Plugin: AZIndex

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TI WooCommerce Wishlist

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version

Plugin: Bit Form Pro

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Lightbox & Gallery

Vulnerability: Missing Authorization
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: Favicon Generator (CLOSED)

Vulnerability: Cross-Site Request Forgery to Arbitrary File Deletion
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Authentication Bypass to Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login As Users

Vulnerability: Authentication Bypass
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Donation Block For PayPal

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Modal Window – create popup modal window

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.0.4
Recommended Action: Update to version 6.0.4, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Missing Authorization
Patched Version: 5.6.3
Recommended Action: Update to version 5.6.3, or a newer patched version

Plugin: Oxygen Builder

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stylesheet Update
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version

Plugin: Bit Form Pro

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.1.3
Recommended Action: Update to version 9.1.3, or a newer patched version

Plugin: Responsive Tabs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.11
Recommended Action: Update to version 4.0.11, or a newer patched version

Plugin: WHMpress – WHMCS WordPress Integration Plugin

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Content Copy Protection & No Right Click (PRO)

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 15.3
Recommended Action: Update to version 15.3, or a newer patched version

Plugin: White Label CMS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: Zynith SEO

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Option Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Icegram Collect – Easy Form, Lead Collection and Subscription plugin

Vulnerability: Missing Authorization
Patched Version: 1.3.15
Recommended Action: Update to version 1.3.15, or a newer patched version

Plugin: weMail – Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.14.6
Recommended Action: Update to version 1.14.6, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: Droip

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HTML5 Video Player – mp4 Video Player Plugin and Block

Vulnerability: Missing Authorization
Patched Version: 2.5.31
Recommended Action: Update to version 2.5.31, or a newer patched version

Plugin: Photo Engine (Media Organizer & Lightroom)

Vulnerability: Missing Authorization
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version

Plugin: MM-Breaking News

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: YARPP – Yet Another Related Posts Plugin

Vulnerability: Missing Authorization
Patched Version: 5.30.11
Recommended Action: Update to version 5.30.11, or a newer patched version

Plugin: SKT Blocks – Gutenberg based Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Collapsing Archives

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: Greenshift Query and Meta Addon

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: Backup and Restore WordPress – Backup Plugin

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Review Ratings

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.12.17
Recommended Action: Update to version 1.12.17, or a newer patched version

Plugin: All Bootstrap Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.20
Recommended Action: Update to version 1.3.20, or a newer patched version

Plugin: Piotnet Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 2.4.31
Recommended Action: Update to version 2.4.31, or a newer patched version

Plugin: Custom Permalinks

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Media Upload
Patched Version: 3.7.4.1
Recommended Action: Update to version 3.7.4.1, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 3.3.101
Recommended Action: Update to version 3.3.101, or a newer patched version

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Missing Authorization
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: Zynith SEO

Vulnerability: Missing Authorization to Unauthenticated Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpForo Forum

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: Favicon Generator (CLOSED)

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Live Composer – Free WordPress Website Builder

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.5.48
Recommended Action: Update to version 1.5.48, or a newer patched version

Plugin: Misiek Photo Album

Vulnerability: Cross-Site Request Forgery to Album Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ImageRecycle pdf & image compression

Vulnerability: Cross-Site Request Forgery in Several AJAX Actions
Patched Version: 3.1.15
Recommended Action: Update to version 3.1.15, or a newer patched version

Plugin: Droip

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Misiek Photo Album

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Arbitrary File Read
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version

Plugin: RT Easy Builder – Advanced addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mega Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Lister Lite for eBay

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Permalink Manager Lite

Vulnerability: Missing Authorization to Unauthenticated Sensitive Information Exposure
Patched Version: 2.4.4.1
Recommended Action: Update to version 2.4.4.1, or a newer patched version

Plugin: WBW Product Table Pro

Vulnerability: Unauthenticated Arbitrary SQL Execution
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version

Plugin: Invite Anyone

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: WP Testimonial Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Animated Number Counters

Vulnerability: Authenticated (Editor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Tables – Easy Data Table Builder

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 5.0.13
Recommended Action: Update to version 5.0.13, or a newer patched version

Plugin: KBucket: Your Curated Content in WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: App Builder – Create Native Android & iOS Apps On The Flight

Vulnerability: Unauthenticated Limited SQL Injection via app-builder-search
Patched Version: 4.3.4
Recommended Action: Update to version 4.3.4, or a newer patched version

Plugin: GHActivity

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JobSearch WP Job Board

Vulnerability: Missing Authorization
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: Classic Addons – WPBakery Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MM-Breaking News

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Salon Booking System

Vulnerability: Unauthenticated Open Redirect
Patched Version: 10.9
Recommended Action: Update to version 10.9, or a newer patched version

Plugin: Simple Job Board

Vulnerability: Authenticated (Editor+) PHP Object Injection
Patched Version: 2.12.4
Recommended Action: Update to version 2.12.4, or a newer patched version

Plugin: Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages

Vulnerability: Authenticated (Editor+) Local File Inclusion
Patched Version: 1.5.2.1
Recommended Action: Update to version 1.5.2.1, or a newer patched version

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Authenticated (Contributor+) SQL Injection via url Parameter
Patched Version: 12.3.20
Recommended Action: Update to version 12.3.20, or a newer patched version

Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 1.6.7.43
Recommended Action: Update to version 1.6.7.43, or a newer patched version

Plugin: azurecurve Toggle Show/Hide

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Relevanssi Live Ajax Search

Vulnerability: Unauthenticated WP_Query Argument Injection
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: LatePoint Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 2.10.37
Recommended Action: Update to version 2.10.37, or a newer patched version

Plugin: Simple Headline Rotator

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quick Code

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Masteriyo LMS – eLearning and Online Course Builder for WordPress

Vulnerability: LMS <= 1.11.4
Patched Version: 1.11.5
Recommended Action: Update to version 1.11.5, or a newer patched version

Plugin: Pocket Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Video

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Engine

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Grid Widget
Patched Version: 1.4.4.4
Recommended Action: Update to version 1.4.4.4, or a newer patched version

Plugin: Maintenance & Coming Soon Redirect Animation

Vulnerability: IP Spoofing to Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LWS Affiliation

Vulnerability: Missing Authorization
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 3.7.4.1
Recommended Action: Update to version 3.7.4.1, or a newer patched version

Plugin: Misiek Paypal

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Vikinghammer Tweet

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gutenverse – Ultimate Block Addons and Page Builder for Site Editor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Mediavine Control Panel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.10.5
Recommended Action: Update to version 2.10.5, or a newer patched version

Plugin: AZIndex

Vulnerability: Cross-Site Request Forgery to Index Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Flamix: Bitrix24 and Contact Form 7 integrations

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Posts reminder

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Employee, Leave and Recruitment Management System – Crew HRM

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Settings Update
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Responsive Lightbox & Gallery

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via File Upload
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: ILC Thickbox

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Name Directory

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.29.1
Recommended Action: Update to version 1.29.1, or a newer patched version

Plugin: Gixaw Chat

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce Addon Greenshift

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version

Plugin: Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Easy Property Listings

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version

Plugin: Bit Form Pro

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Address Encoder

Vulnerability: Cross-Site Request Forgery via eae_clear_caches()
Patched Version: 1.0.24
Recommended Action: Update to version 1.0.24, or a newer patched version

Plugin: Child Theme Creator by Orbisius

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Missing Authorization in Several AJAX Actions
Patched Version: 3.1.15
Recommended Action: Update to version 3.1.15, or a newer patched version

Plugin: File Manager Pro

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 8.3.8
Recommended Action: Update to version 8.3.8, or a newer patched version

Plugin: Special Feed Items

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Unauthenticated Information Exposure
Patched Version: 23.1.3
Recommended Action: Update to version 23.1.3, or a newer patched version

Plugin: Newspack

Vulnerability: Missing Authorization
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version

Plugin: Team Showcase

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.22.24
Recommended Action: Update to version 1.22.24, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: Adicon Server

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPML

Vulnerability: Authenticated (Contributor+) Remote Code Execution via Twig Server-Side Template Injection
Patched Version: 4.6.13
Recommended Action: Update to version 4.6.13, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Missing Authorization
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: E2Pdf – Export Pdf Tool for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.25.11
Recommended Action: Update to version 1.25.11, or a newer patched version

Plugin: Backup and Restore WordPress – Backup Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Meta Field Block

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.14
Recommended Action: Update to version 1.2.14, or a newer patched version

Plugin: WP Content Copy Protection & No Right Click (PRO)

Vulnerability: Open Redirect
Patched Version: 15.3
Recommended Action: Update to version 15.3, or a newer patched version

Plugin: SendGrid for WordPress

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Full Path Disclosure
Patched Version: 9.8.0
Recommended Action: Update to version 9.8.0, or a newer patched version

Plugin: WooCommerce Google Feed Manager

Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary File Deletion
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
