Watch Out Wednesday – December 1, 2021

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: MOLIE – Instructure Canvas Linking tool

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hide My WP – Amazing Security Plugin for WordPress!

Vulnerability: SQL Injection
Patched Version: 6.2.4
Recommended Action: Update to version 6.2.4, or a newer patched version

Plugin: Smart Floating / Sticky Buttons – Call, Sharing, Chat Widgets & More – Buttonizer

Vulnerability: Not specified in the source (affects Smart Floating Action Button <= 2.5.4)
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version

Plugin: Rich Reviews by Starfish

Vulnerability: SQL Injection
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.21
Recommended Action: Update to version 4.3.21, or a newer patched version

Plugin: Hide My WP – Amazing Security Plugin for WordPress!

Vulnerability: Authorization Bypass
Patched Version: 6.2.4
Recommended Action: Update to version 6.2.4, or a newer patched version

Plugin: Stetic

Vulnerability: Not specified in the source
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Asgaros Forum

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.15.14
Recommended Action: Update to version 1.15.14, or a newer patched version

Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 4.19.3
Recommended Action: Update to version 4.19.3, or a newer patched version

Plugin: Responsive Contact Form Builder & Lead Generation Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: CorreosExpress – Shipping Management – Tags

Vulnerability: Sensitive Data Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Dependency Confusion
Patched Version: 5.8
Recommended Action: Update to version 5.8, or a newer patched version

Plugin: The WP Remote WordPress Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.65
Recommended Action: Update to version 4.65, or a newer patched version

Plugin: WP Mail Logging

Vulnerability: Unauthenticated Arbitrary Settings Change
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Reflected Cross-Site Scripting via qc_res
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Scripting
Patched Version: 3.2.22
Recommended Action: Update to version 3.2.22, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Authorization Bypass
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: Typebot | Create advanced chat experiences without coding

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Browser and Operating System Finder

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Video Conferencing with Zoom

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.16
Recommended Action: Update to version 3.8.16, or a newer patched version

Plugin: Contact Form With Captcha

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.7
Recommended Action: Update to version 6.0.7, or a newer patched version

Plugin: MOLIE – Instructure Canvas Linking tool

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
