Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: E2Pdf – Export Pdf Tool for WordPress
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.20.26
Recommended Action: Update to version 1.20.26, or a newer patched version
Plugin: Menu Image, Icons made easy
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version
Plugin: Ultimate Dashboard – Custom WordPress Dashboard
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.7.12
Recommended Action: Update to version 3.7.12, or a newer patched version
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Improper Input Validation to Arbitrary Email Sending to Admin
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: Insert or Embed Articulate Content into WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.3000000023
Recommended Action: Update to version 4.3000000023, or a newer patched version
Plugin: Email Subscription Popup
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.20
Recommended Action: Update to version 1.2.20, or a newer patched version
Plugin: WooCommerce Menu Extension
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Membership
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.9
Recommended Action: Update to version 4.3.9, or a newer patched version
Plugin: Accredible Certificates & Open Badges
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Crowdfunding
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: Image horizontal reel scroll slideshow
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 13.4
Recommended Action: Update to version 13.4, or a newer patched version
Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress
Vulnerability: Missing Authorization to Plugin Version Downgrade
Patched Version: 8.3.15
Recommended Action: Update to version 8.3.15, or a newer patched version
Plugin: Simple Membership
Vulnerability: Reflected Cross-Site Scripting via environment_mode
Patched Version: 4.3.9
Recommended Action: Update to version 4.3.9, or a newer patched version
Plugin: WP Go Maps (formerly WP Google Maps)
Vulnerability: Unauthenticated Stored Cross-Site Scripting via REST API
Patched Version: 9.0.28
Recommended Action: Update to version 9.0.28, or a newer patched version
Plugin: MW WP Form
Vulnerability: Improper Limitation of File Name to Unauthenticated Arbitrary File Deletion
Patched Version: 5.0.4
Recommended Action: Update to version 5.0.4, or a newer patched version
Plugin: Clone
Vulnerability: Sensitive Information Exposure
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version
Plugin: Gutenberg Block Editor Toolkit – EditorsKit
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.40.4
Recommended Action: Update to version 1.40.4, or a newer patched version
Plugin: Currency Converter Widget – Exchange Rates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.0.1
Recommended Action: Update to version 7.0.1, or a newer patched version
Plugin: Colibri Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.0.241
Recommended Action: Update to version 1.0.241, or a newer patched version
Plugin: Debug Log Manager
Vulnerability: Directory Listing to Sensitive Information Disclosure
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: Seos Contact Form
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Essential Real Estate
Vulnerability: Missing Authorization to Denial of Service
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version
Plugin: Slick Social Share Buttons
Vulnerability: Authenticated (Subscriber+) Arbitrary Option Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 8.x
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: BackWPup – WordPress Backup & Restore Plugin
Vulnerability: Sensitive Information Exposure
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version
Plugin: Essential Real Estate
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version
Plugin: Event Monster – Event Management, Tickets Booking, Upcoming Event
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Essential Real Estate
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version
Plugin: Translate WordPress – Google Language Translator
Vulnerability: Missing Authorization via admin notifications
Patched Version: 6.0.20
Recommended Action: Update to version 6.0.20, or a newer patched version
Plugin: iframe Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Multi Step Form
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.17
Recommended Action: Update to version 1.7.17, or a newer patched version
Plugin: WP Dashboard Notes
Vulnerability: Insecure Direct Object References to Authenticated Private Note Deletion
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version
Plugin: Post Grid and Gutenberg Blocks – ComboBlocks
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 2.2.65
Recommended Action: Update to version 2.2.65, or a newer patched version
Plugin: CSS & JavaScript Toolbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 11.9
Recommended Action: Update to version 11.9, or a newer patched version
Plugin: AMP for WP – Accelerated Mobile Pages
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via shortcode
Patched Version: 1.0.92.1
Recommended Action: Update to version 1.0.92.1, or a newer patched version
Plugin: Enable Media Replace
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version
Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More
Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Simple Counter
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GG Woo Feed for WooCommerce Shopping Feed on Google and Other Channels
Vulnerability: Missing Authorization to Unauthenticated Plugin Settings Update
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Jquery news ticker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: Featured Image from URL (FIFU)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via featured image alt text
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: Advanced Category Template
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SpeedyCache – Cache, Optimization, Performance
Vulnerability: Missing Authorization to Plugin Options Update
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: WP Edit Username
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: Loan Repayment Calculator and Application Form
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.