Watch Out Wednesday – February 15, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Content Deletion
Patched Version: 7.6.1
Recommended Action: Update to version 7.6.1, or a newer patched version

Plugin: Under Construction

Vulnerability: Cross-Site Request Forgery via admin_action_ucp_dismiss_notice
Patched Version: 3.97
Recommended Action: Update to version 3.97, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version

Plugin: Twitch Player

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: WordPress Robots.txt optimizer (+ XML Sitemap) – Boost SEO, Traffic & Rankings

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: Link Juice Keeper

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Interactive Image Map Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: RSVPMaker

Vulnerability: Authenticated (Admin+) SQL Injection via ‘delete’ parameter
Patched Version: 9.9.4
Recommended Action: Update to version 9.9.4, or a newer patched version

Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.2.8
Recommended Action: Update to version 8.2.8, or a newer patched version

Plugin: Podlove Podcast Publisher

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.5.7.1
Recommended Action: Update to version 2.5.7.1, or a newer patched version

Plugin: Cart All In One For WooCommerce

Vulnerability: Cross-Site Request Forgery to Cart Changes
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version

Plugin: Schema – All In One Schema Rich Snippets

Vulnerability: All In One Schema Rich Snippets <= 1.6.5
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Fancy Comments WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version

Plugin: All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Announce from the Dashboard

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Shoppable Images

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Resume Builder

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: Ocean Extra

Vulnerability: Authenticated (Subscriber+) Arbitrary Post Access
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Shoppable Images

Vulnerability: Missing Authorization
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce

Vulnerability: Cross-Site Request Forgery to Order Information Disclosure
Patched Version: 1.0.22
Recommended Action: Update to version 1.0.22, or a newer patched version

Plugin: RSVPMaker

Vulnerability: Authenticated (Admin+) SQL Injection via $email value
Patched Version: 9.9.4
Recommended Action: Update to version 9.9.4, or a newer patched version

Plugin: WatchTowerHQ

Vulnerability: Type Juggling to Authentication Bypass in check_ota
Patched Version: 3.6.17
Recommended Action: Update to version 3.6.17, or a newer patched version

Plugin: ImageMagick Engine

Vulnerability: Cross-Site Request Forgery to PHAR Deserialization
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Missing Authorization to User Points Updates
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: Under Construction

Vulnerability: Cross-Site Request Forgery via admin_action_install_weglot
Patched Version: 3.97
Recommended Action: Update to version 3.97, or a newer patched version

Plugin: Void Contact Form 7 Widget For Elementor Page Builder

Vulnerability: Cross-Site Request Forgery in void_cf7_opt_in_user_data_track
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Ocean Extra

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Subscriber+) Arbitrary File Read via Shortcode
Patched Version: 5.12.7
Recommended Action: Update to version 5.12.7, or a newer patched version

Plugin: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress

Vulnerability: Cross-Site Request Forgery via bulk_delete
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: Advanced Recent Posts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UpQode Google Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Plugin for Google Reviews

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce

Vulnerability: Missing Authorization to Order Information Disclosure
Patched Version: 1.0.22
Recommended Action: Update to version 1.0.22, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 5.12.7
Recommended Action: Update to version 5.12.7, or a newer patched version

Plugin: Portfolio – WordPress Portfolio Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8.11
Recommended Action: Update to version 2.8.11, or a newer patched version

Plugin: Download Attachments

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Locatoraid Store Locator

Vulnerability: Cross-Site Request Forgery in grab
Patched Version: 3.9.12
Recommended Action: Update to version 3.9.12, or a newer patched version

Plugin: Scriptless Social Sharing

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Options
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Quick Event Manager

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 9.6.5
Recommended Action: Update to version 9.6.5, or a newer patched version

Plugin: Multi Rating

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version

Plugin: Quick Paypal Payments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.7.26
Recommended Action: Update to version 5.7.26, or a newer patched version

Plugin: WooCommerce Checkout Field Manager

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 18.0
Recommended Action: Update to version 18.0, or a newer patched version

Plugin: 微信机器人高级版

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Request Forgery leading to Post Thumbnail Change
Patched Version: 3.29
Recommended Action: Update to version 3.29, or a newer patched version

Plugin: Google Analytics Opt-Out

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: Quick Paypal Payments

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.7.26
Recommended Action: Update to version 5.7.26, or a newer patched version

Plugin: Quick Paypal Payments

Vulnerability: Missing Authorization
Patched Version: 5.7.26
Recommended Action: Update to version 5.7.26, or a newer patched version

Plugin: WP Prayer

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Product GTIN (EAN, UPC, ISBN) for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tickera – WordPress Event Ticketing

Vulnerability: Cross-Site Request Forgery to Ticket Post Status Change
Patched Version: 3.5.1.1
Recommended Action: Update to version 3.5.1.1, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Sensitive Information Disclosure via Shortcode
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version

Plugin: WPGlobus Translate Options

Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager

Vulnerability: Missing Authorization to Sensitive Key Disclosure/Update
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Cost Calculator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Request Forgery to Arbitrary Media Deletion
Patched Version: 8.0.9
Recommended Action: Update to version 8.0.9, or a newer patched version

Plugin: WPaudio MP3 Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: i2 Pros & Cons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.12.7
Recommended Action: Update to version 5.12.7, or a newer patched version

Plugin: Conditional Payments for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: DupeOff

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Insecure Password Reset Mechanism
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version

Plugin: Simple Yearly Archive

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Replyable – Subscribe to Comments and Reply by Email

Vulnerability: Authenticated (Subscriber+) PHP Object Injection via prompt_dismiss_notice
Patched Version: 2.2.10
Recommended Action: Update to version 2.2.10, or a newer patched version

Plugin: WordPress Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Cross-Site Request Forgery to User Earnings Deletion
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
