Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: AMP for WP – Accelerated Mobile Pages
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.77.32
Recommended Action: Update to version 1.0.77.32, or a newer patched version
Plugin: True Ranker
Vulnerability: Directory Traversal/Arbitrary File Read
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Vulnerability: 4.1.5.2 Authorization Bypass
Patched Version: 4.1.5.3
Recommended Action: Update to version 4.1.5.3, or a newer patched version
Plugin: Maps Plugin using Google Maps for WordPress – WP Google Map
Vulnerability: Subscriber+ Arbitrary Post Deletion and Plugin Settings Update
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Parsian Bank Gateway for Woocommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Image Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: H5P CSS Editor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: myghpay WooCommerce Payment Gateway
Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Magic Post Voice
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Maps Plugin using Google Maps for WordPress – WP Google Map
Vulnerability: Missing Authorization
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Lets-Box
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.3
Recommended Action: Update to version 1.15.3, or a newer patched version
Plugin: Accept Donations with PayPal & Stripe
Vulnerability: Arbitrary Post Deletion via Cross-Site Request Forgery
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Fathom Analytics for WP
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: duoFAQ – Responsive, Flat, Simple FAQ
Vulnerability: Responsive, Flat, Simple FAQ <= 1.4.8
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Plus Addons for Elementor Page Builder
Vulnerability: Sensitive Data Disclosure
Patched Version: 5.0.7
Recommended Action: Update to version 5.0.7, or a newer patched version
Plugin: Real WYSIWYG
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Vulnerability: 4.1.5.2
Patched Version: 4.1.5.3
Recommended Action: Update to version 4.1.5.3, or a newer patched version
Plugin: Out-of-the-Box
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.20.3
Recommended Action: Update to version 1.20.3, or a newer patched version
Plugin: link-list-manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PublishPress Capabilities – User Role Editor, Access Permissions, Admin Menus
Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: .htaccess Redirect
Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce EnvioPack
Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: tarteaucitron.js – Cookies legislation & GDPR
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: The Plus Addons for Elementor Page Builder
Vulnerability: Pro <= 5.0.6
Patched Version: 5.0.7
Recommended Action: Update to version 5.0.7, or a newer patched version
Plugin: WP Booking System – Booking Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.15
Recommended Action: Update to version 2.0.15, or a newer patched version
Plugin: FOX – Currency Switcher Professional for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.7.3
Recommended Action: Update to version 1.3.7.3, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Authentication Bypass
Patched Version: 5.0.1.8
Recommended Action: Update to version 5.0.1.8, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
