Watch Out Wednesday – December 6, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: WP Photo Album Plus

Vulnerability: IP Spoofing
Patched Version: 8.6.01.005
Recommended Action: Update to version 8.6.01.005, or a newer patched version

Plugin: KP Fastest Tawk.to Chat

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fix My Feed RSS Repair

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version

Plugin: Backup Migration

Vulnerability: Unauthenticated Arbitrary Backup Download to Sensitive Information Exposure
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Product Catalog Feed by PixelYourSite

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Structured Content (JSON-LD) #wpsc

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Guest Author

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: LiveChat – WP live chat plugin for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5.16
Recommended Action: Update to version 4.5.16, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Missing Authorization
Patched Version: 5.2.3.1
Recommended Action: Update to version 5.2.3.1, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: WooPayments: Integrated WooCommerce Payments

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.5.0
Recommended Action: Update to version 6.5.0, or a newer patched version

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Cross-Site Request Forgery via delete_profiles_data
Patched Version: 1.4.1.5
Recommended Action: Update to version 1.4.1.5, or a newer patched version

Plugin: GDPR Cookie Consent by Supsystic

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Reflected Cross-Site Scripting via code
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.16.2
Recommended Action: Update to version 5.16.2, or a newer patched version

Plugin: MSync

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.1.6
Recommended Action: Update to version 5.1.6, or a newer patched version

Plugin: Hubbub Lite – Fast, Reliable Social Sharing Buttons

Vulnerability: Missing Authorization via multiple admin_init actions
Patched Version: 1.30.1
Recommended Action: Update to version 1.30.1, or a newer patched version

Plugin: Enhanced Text Widget

Vulnerability: Missing Authorization via etw_hide_admin_notification_callback
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: CSV Importer

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.3.9
Recommended Action: Update to version 0.3.9, or a newer patched version

Plugin: Code Embed

Vulnerability: Authenticated (Contributor+) Denial of Service
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: PowerPack Pro for Elementor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.24
Recommended Action: Update to version 2.9.24, or a newer patched version

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Integrate Google Drive

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Cross-Site Request Forgery via pagelayer_load_plugin
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: Gift Up Gift Cards for WordPress and WooCommerce

Vulnerability: Cross-Site Request Forgery via consume_post
Patched Version: 2.22
Recommended Action: Update to version 2.22, or a newer patched version

Plugin: SureTriggers: All-in-One WordPress Automation

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.24
Recommended Action: Update to version 1.0.24, or a newer patched version

Plugin: Responsive Lightbox & Gallery

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via name
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Database for CF7

Vulnerability: Missing Authorization via wpcf7db_delete AJAX action
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Social Share Buttons & Analytics Plugin – GetSocial.io

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: Seraphinite Accelerator

Vulnerability: Reflected Cross-Site Scripting via rt
Patched Version: 2.20.29
Recommended Action: Update to version 2.20.29, or a newer patched version

Plugin: WP Photo Album Plus

Vulnerability: Cross-Site Scripting
Patched Version: 8.6.01.005
Recommended Action: Update to version 8.6.01.005, or a newer patched version

Plugin: Genesis Simple Love

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Dashboard – Custom WordPress Dashboard

Vulnerability: Login Page Disclosure on Multi-site
Patched Version: 3.7.11
Recommended Action: Update to version 3.7.11, or a newer patched version

Plugin: Flexible Woocommerce Checkout Field Editor

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Block for Font Awesome

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Contact Form 7

Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: 5.8.4
Recommended Action: Update to version 5.8.4, or a newer patched version

Plugin: Quotes for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Email Subscription Popup

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.19
Recommended Action: Update to version 1.2.19, or a newer patched version

Plugin: Download Manager

Vulnerability: Unauthenticated Password Leak
Patched Version: 3.2.83
Recommended Action: Update to version 3.2.83, or a newer patched version

Plugin: Ads by datafeedr.com

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Database Cleaner

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Symbiostock – Sell Photos Online For Free!

Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Video PopUp

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Quiz Maker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4.9.5
Recommended Action: Update to version 6.4.9.5, or a newer patched version

Plugin: Quotes for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Automatic Youtube Video Posts Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event post

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version

Plugin: List all posts by Authors, nested Categories and Titles

Vulnerability: Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: Track Geolocation Of Users Using Contact Form 7

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: WP Photo Album Plus

Vulnerability: Insecure Direct Object Reference
Patched Version: 8.6.01.005
Recommended Action: Update to version 8.6.01.005, or a newer patched version

Plugin: BrainCert Virtual Classroom

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Get Use APIs – JSON Content Importer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: HDW Player Plugin (Video Player & Video Gallery)

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Guest Author

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: BestWebSoft's Like & Share – Posts, Pages and Widget Social Extension plugin for WordPress

Vulnerability: Unauthenticated Password Protected Post Disclosure
Patched Version: 2.74
Recommended Action: Update to version 2.74, or a newer patched version

Plugin: Smart External Link Click Monitor [Link Log]

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Debug Log Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Forms by CaptainForm – Form Builder for WordPress

Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Client Dash

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Booking System – Booking Calendar

Vulnerability: Missing Authorization
Patched Version: 2.0.19.3
Recommended Action: Update to version 2.0.19.3, or a newer patched version

Plugin: Elementor Timeline Widget

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Importify – Dropshipping WooCommerce Plugin for Aliexpress, Amazon, Etsy, Alibaba, Walmart & More

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: WP Pocket URLs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: AppMySite – Create an app with the Best Mobile App Builder

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 3.11.1
Recommended Action: Update to version 3.11.1, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: Hotel Booking Lite

Vulnerability: Insufficient Path Validation to Unauthenticated Arbitrary File Deletion and Download
Patched Version: 4.8.5
Recommended Action: Update to version 4.8.5, or a newer patched version

Plugin: BCorp Shortcodes

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slider Revolution

Vulnerability: Authenticated (Author+) PHP Object Injection
Patched Version: 6.6.19
Recommended Action: Update to version 6.6.19, or a newer patched version

Plugin: Quiz Maker

Vulnerability: Missing Authorization to Email Disclosure
Patched Version: 6.4.9.5
Recommended Action: Update to version 6.4.9.5, or a newer patched version

Plugin: Site Offline Or Coming Soon Or Maintenance Mode

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: Sign In Scheduling Online Appointment Booking System

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Coming soon and Maintenance mode

Vulnerability: IP Address Spoofing via get_real_ip
Patched Version: 3.7.4
Recommended Action: Update to version 3.7.4, or a newer patched version

Plugin: Webflow Pages

Vulnerability: Missing Authorization
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: WPsoonOnlinePage

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship

Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 2.2.28
Recommended Action: Update to version 2.2.28, or a newer patched version

Plugin: SpeedyCache – Cache, Optimization, Performance

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: SpeedyCache – Cache, Optimization, Performance

Vulnerability: Missing Authorization via speedycache_create_test_cache
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Parallax Slider Block

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Piotnet Forms

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.0.29
Recommended Action: Update to version 1.0.29, or a newer patched version

Plugin: Sayfa Sayac

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MW WP Form

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 5.0.2
Recommended Action: Update to version 5.0.2, or a newer patched version

Plugin: Duplicator Pro

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 4.5.14.2
Recommended Action: Update to version 4.5.14.2, or a newer patched version

Plugin: Astra Pro Addon

Vulnerability: Authenticated (Contributor+) Remote Code Execution via Metabox
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version

Plugin: Bulk Edit Post Titles

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: which template file

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Calculated Fields Form

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.41
Recommended Action: Update to version 1.2.41, or a newer patched version

Plugin: Dashboard Widgets Suite

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Smart External Link Click Monitor [Link Log]

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: rtMedia for WordPress, BuddyPress and bbPress

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 4.6.16
Recommended Action: Update to version 4.6.16, or a newer patched version

Plugin: WooDiscuz – WooCommerce Comments

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sayfa Sayac

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Structured Content (JSON-LD) #wpsc

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: DOOFINDER Search and Discovery for WP & WooCommerce

Vulnerability: Reflected Cross-Site Scripting via tab
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: Post Duplicator

Vulnerability: Missing Authorization via mtphr_duplicate_post
Patched Version: 2.32
Recommended Action: Update to version 2.32, or a newer patched version

Plugin: 1 click disable all

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: rtMedia for WordPress, BuddyPress and bbPress

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 4.6.16
Recommended Action: Update to version 4.6.16, or a newer patched version

Plugin: Nested Pages

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.54
Recommended Action: Update to version 2.0.54, or a newer patched version

Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin

Vulnerability: Missing Authorization
Patched Version: 3.3.53
Recommended Action: Update to version 3.3.53, or a newer patched version

Plugin: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.1.42
Recommended Action: Update to version 3.1.42, or a newer patched version

Plugin: Product Enquiry for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.9.6
Recommended Action: Update to version 4.9.6, or a newer patched version

Plugin: Innovs HR – Complete Human Resource Management System for Your Business

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CSprite

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CF7 Google Sheets Connector

Vulnerability: Unauthenticated Sensitive Information Exposure via Debug Log
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Missing Authorization
Patched Version: 6.1.11
Recommended Action: Update to version 6.1.11, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
