Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Premium Courses & eLearning with Paid Memberships Pro for LearnDash, LifterLMS, Sensei LMS & TutorLMS
Vulnerability: Courses for Membership Add On <= 1.2.3
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting in Language Settings
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version
Plugin: Simple Ticker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.06
Recommended Action: Update to version 3.06, or a newer patched version
Plugin: Upload Media By URL
Vulnerability: Cross-Site Request Forgery via ‘umbu_download’
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version
Plugin: JCH Optimize
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Modification
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version
Plugin: Photo Gallery by Ays – Responsive Image Gallery
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.7
Recommended Action: Update to version 5.2.7, or a newer patched version
Plugin: All Users Messenger
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Message Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Blog Card
Vulnerability: Sensitive Information Exposure
Patched Version: 1.32
Recommended Action: Update to version 1.32, or a newer patched version
Plugin: User Activity Tracking and Log
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version
Plugin: Premium Courses & eLearning with Paid Memberships Pro for LearnDash, LifterLMS, Sensei LMS & TutorLMS
Vulnerability: Courses for Membership Add On <= 1.2.4
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX
Vulnerability: Gutenberg Post Grid Blocks <= 3.0.5
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version
Plugin: Import Export Suite for CSV and XML Datafeed
Vulnerability: Arbitrary Usermeta Update to Authenticated (Author+) Privilege Escalation
Patched Version: 7.9.9
Recommended Action: Update to version 7.9.9, or a newer patched version
Plugin: Import Export Suite for CSV and XML Datafeed
Vulnerability: Sensitive Information Exposure via Directory Listing
Patched Version: 7.9.9
Recommended Action: Update to version 7.9.9, or a newer patched version
Plugin: Woo Custom Emails
Vulnerability: Reflected Cross-Site Scripting via wcemails_edit
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JetElements
Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 2.6.11
Recommended Action: Update to version 2.6.11, or a newer patched version
Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Vulnerability: Missing Authorization to Initial Page Creation
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version
Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Vulnerability: Cross-Site Request Forgery
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version
Plugin: POEditor
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.9.8
Recommended Action: Update to version 0.9.8, or a newer patched version
Plugin: User Access Manager
Vulnerability: IP Spoofing
Patched Version: 2.2.18
Recommended Action: Update to version 2.2.18, or a newer patched version
Plugin: GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD
Vulnerability: Cross-Site Request Forgery to License Modification
Patched Version: 4.12.5
Recommended Action: Update to version 4.12.5, or a newer patched version
Plugin: Order Delivery Date for WooCommerce
Vulnerability: Reflected Cross-Site Scripting via ‘orddd_lite_custom_startdate’ and ‘orddd_lite_custom_enddate’
Patched Version: 3.20.1
Recommended Action: Update to version 3.20.1, or a newer patched version
Plugin: FULL – Cliente
Vulnerability: Customer <= 2.2.3
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Sign-up Sheets
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version
Plugin: Subscribers Text Counter
Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: FULL – Cliente
Vulnerability: Customer <= 2.2.3
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Duplicate Post
Vulnerability: Cross-Site Request Forgery via ‘cdp_action_handling’ AJAX action
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: Biometric Login For WooCommerce
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Premium Courses & eLearning with Paid Memberships Pro for LearnDash, LifterLMS, Sensei LMS & TutorLMS
Vulnerability: Courses for Membership Add On <= 1.2.3
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Import Export Suite for CSV and XML Datafeed
Vulnerability: Authenticated (Author+) PHP File Creation to Remote Code Execution
Patched Version: 7.9.9
Recommended Action: Update to version 7.9.9, or a newer patched version
Plugin: User Activity Log
Vulnerability: Unauthenticated Data Export to Sensitive Information Disclosure
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version
Plugin: FormCraft – Form Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Leyka
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.30.3
Recommended Action: Update to version 3.30.3, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Authenticated (Administrator+) Stored HTML Injection
Patched Version: 3.6.26
Recommended Action: Update to version 3.6.26, or a newer patched version
Plugin: Booking Package
Vulnerability: Reflected Cross-Site Scripting via ‘mode’
Patched Version: 1.6.02
Recommended Action: Update to version 1.6.02, or a newer patched version
Plugin: Real Estate Manager – Property Listing and Agent Management
Vulnerability: Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Import Export Suite for CSV and XML Datafeed
Vulnerability: Authenticated (Author+) Remote Code Execution
Patched Version: 7.9.9
Recommended Action: Update to version 7.9.9, or a newer patched version
Plugin: Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version
Plugin: Simple Share Follow Button
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version
Plugin: Themesflat Addons For Elementor
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Advanced Custom Fields (ACF)
Vulnerability: 6.1.7
Patched Version: 6.1.8
Recommended Action: Update to version 6.1.8, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
