Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. Each entry below names the affected plugin, the vulnerability class, the patched version (if one exists), and the recommended action; addressing these vulnerabilities promptly helps protect the integrity of your WordPress site and its data.
Plugin: Visual Email Designer for WooCommerce
Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: Panda Pods Repeater Field
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: WP-Lister Lite for Amazon
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.15
Recommended Action: Update to version 2.9.15, or a newer patched version
Plugin: WP 2FA – Two-factor authentication for WordPress
Vulnerability: Missing Authorization
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Universal Star Rating
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Custom Field Template
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: Web Invoice – Invoicing and billing for WordPress
Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product List / Grid View for Woocommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Cerber Security, Anti-spam & Malware Scan
Vulnerability: User Enumeration Bypass via REST API
Patched Version: 9.3.3
Recommended Action: Update to version 9.3.3, or a newer patched version
Plugin: WP Social Sharing
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP RSS By Publishers
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: OWM Weather
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.12
Recommended Action: Update to version 5.6.12, or a newer patched version
Plugin: Launchpad – Coming Soon & Maintenance Mode Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: multimedial images
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Conditional Shipping for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: Quote-O-Matic
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GC Testimonials
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Vulnerability: Unauthenticated Insecure Direct Object Reference
Patched Version: 1.0.31
Recommended Action: Update to version 1.0.31, or a newer patched version
Plugin: Cryptocurrency Widgets Pack
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: wpForo Forum
Vulnerability: Authenticated (Subscriber+) HTML Injection
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Wholesale Market for WooCommerce
Vulnerability: Authenticated (Administrator+) Arbitrary Log File Download
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: LetsRecover – WooCommerce Abandoned Cart Notifications
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Moosend Website Connector
Vulnerability: Missing Authorization
Patched Version: 1.0.190
Recommended Action: Update to version 1.0.190, or a newer patched version
Plugin: LetsRecover – WooCommerce Abandoned Cart Notifications
Vulnerability: Unauthenticated SQL Injection via AJAX action
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: WP User – Custom Registration Forms, Login and User Profile
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery
Vulnerability: Missing Authorization
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version
Plugin: SlimStat Analytics
Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version
Plugin: Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version
Plugin: iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version
Plugin: Afterpay Gateway for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version
Plugin: demon image annotation
Vulnerability: Improper Input Restriction Validation
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version
Plugin: Wholesale Market
Vulnerability: Information Disclosure via Unauthenticated Arbitrary File Download
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: WP AutoComplete Search
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sales Report for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 3.5.7.7
Recommended Action: Update to version 3.5.7.7, or a newer patched version
Plugin: WP Calendar
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Social Comments
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Change
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version
Plugin: ContentStudio
Vulnerability: Missing Authorization
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: Team Members
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 5.2.1
Recommended Action: Update to version 5.2.1, or a newer patched version
Plugin: White Label CMS
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Image Optimizer, Resizer and CDN – Sirv
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.8.1
Recommended Action: Update to version 6.8.1, or a newer patched version
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Information Disclosure
Patched Version: 5.1.3
Recommended Action: Update to version 5.1.3, or a newer patched version
Plugin: LWS Affiliation
Vulnerability: Missing Authorization Checks
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: WP Custom Admin Interface
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 7.29
Recommended Action: Update to version 7.29, or a newer patched version
Plugin: Qe SEO Handyman
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Reviews Import Export for WooCommerce
Vulnerability: CSV Injection
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version
Plugin: Woocommerce Vietnam Checkout
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
Vulnerability: Not specified in the source entry (the entry gives only the version number 9.8.4 in this field)
Patched Version: 9.8.5
Recommended Action: Update to version 9.8.5, or a newer patched version
Plugin: Clearpay Gateway for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version
Plugin: Login with Cognito
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version
Plugin: Joy Of Text Lite – SMS messaging for WordPress.
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.3.11
Recommended Action: Update to version 1.3.11, or a newer patched version