Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: WP Dialog
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bold Page Builder
Vulnerability: PHP Object Injection
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version
Plugin: SMS Alert Order Notifications – WooCommerce
Vulnerability: Cross-Site Scripting
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version
Plugin: StoryChief
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.31
Recommended Action: Update to version 1.0.31, or a newer patched version
Plugin: Alojapro Booking Engine
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version
Plugin: Download Manager
Vulnerability: Authenticated File Upload
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Subscriber+ Arbitrary File Upload
Patched Version: 4.24
Recommended Action: Update to version 4.24, or a newer patched version
Plugin: StoryChief
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.0.31
Recommended Action: Update to version 1.0.31, or a newer patched version
Plugin: ZhuiGe Official Website Mini Program
Vulnerability: SQL Injection
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Sitewide Notice WP
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Email Encoder – Protect Email Addresses and Phone Numbers
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Download Manager
Vulnerability: Cross-Site Scripting
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version
Plugin: Availability Calendar
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Youtube Feeder
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Business Hours Indicator
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version
Plugin: 有赏 You Shang
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Splash Header
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.20.8
Recommended Action: Update to version 1.20.8, or a newer patched version
Plugin: VDZ Google Analytics or Google Tag Manager / GTM
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: youForms for WordPress – Creating Forms for CopeCart
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: ShareThis Dashboard for Google Analytics
Vulnerability: Reflected Cross-Site Scripting via ga_action parameter
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version
Plugin: WP Learn Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: VDZ Google Analytics or Google Tag Manager / GTM
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version
Plugin: Nifty Newsletters (Formerly Sola Newsletters)
Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.