Watch Out Wednesday – February 21, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: PB oEmbed HTML5 Audio – with Cache Support

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Error Log Viewer by BestWebSoft

Vulnerability: Sensitive Information Exposure
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Simple Job Board

Vulnerability: Missing Authorization to Unauthenticated Information Disclosure
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.19
Recommended Action: Update to version 4.10.19, or a newer patched version

Plugin: YARPP – Yet Another Related Posts Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 5.30.10
Recommended Action: Update to version 5.30.10, or a newer patched version

Plugin: Sydney Toolbox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version

Plugin: DOOFINDER Search and Discovery for WP & WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: System Dashboard

Vulnerability: Missing Authorization to Information Disclosure (sd_php_info)
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: Broken Link Checker

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Social Sharing Plugin – Sassy Social Share

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.57
Recommended Action: Update to version 3.3.57, or a newer patched version

Plugin: Wbcom Designs – BuddyPress Activity Social Share

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: postMash – custom post order

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP To Do

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Cwicly

Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 1.4.0.3
Recommended Action: Update to version 1.4.0.3, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.4.3
Recommended Action: Update to version 2.7.4.3, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Student+) HTML Injection via Q&A
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Core: WordPress

Vulnerability: Unauthorized Password Reset via Interception
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version

Plugin: Sitepact's Contact Form 7 Extension For Klaviyo

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Widget
Patched Version: 2.7.4.3
Recommended Action: Update to version 2.7.4.3, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.6.0
Recommended Action: Update to version 5.2.6.0, or a newer patched version

Plugin: InstaWP Connect – 1-click WP Staging & Migration

Vulnerability: Authenticated (Subscriber+) Remote Code Execution
Patched Version: 0.1.0.9
Recommended Action: Update to version 0.1.0.9, or a newer patched version

Plugin: MyWaze

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Peach Payments Gateway

Vulnerability: Missing Authorization via peach_core_version_rollback()
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Heureka

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Event Export
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Link Library

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 7.6.1
Recommended Action: Update to version 7.6.1, or a newer patched version

Plugin: Elementor Addons by Livemesh

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via animated_text_class
Patched Version: 8.3.1
Recommended Action: Update to version 8.3.1, or a newer patched version

Plugin: Backup Bolt

Vulnerability: Sensitive Information Exposure
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Coming Soon Maintenance Mode

Vulnerability: Information Exposure
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: WPify Woo Czech

Vulnerability: Missing Authorization
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: Tabs Shortcode and Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.15.0
Recommended Action: Update to version 4.15.0, or a newer patched version

Plugin: Advanced Social Feeds Widget & Shortcode

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Change Table Prefix

Vulnerability: Cross-Site Request Forgery via change_prefix_form
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Google Calendar Widget Link
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version

Plugin: Enhanced Text Widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: SysBasics Easy Checkout Field Editor, Fees & Discounts

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.5.13
Recommended Action: Update to version 3.5.13, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.15.0
Recommended Action: Update to version 4.15.0, or a newer patched version

Plugin: Seriously Simple Podcasting

Vulnerability: Unauthenticated Email Disclosure
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: moveto

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ocean Extra

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Parallax Image

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Enjoy Social Feed plugin for WordPress website

Vulnerability: Missing Authorization to Database Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.2.5
Recommended Action: Update to version 3.4.2.5, or a newer patched version

Plugin: PeproDev Ultimate Invoice

Vulnerability: Unauthenticated Sensitive Information Exposure via init_plugin
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version

Plugin: Widgets Controller

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via onClick Events
Patched Version: 4.10.19
Recommended Action: Update to version 4.10.19, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version

Plugin: TinyMCE and TinyMCE Advanced Professsional Formats and Styles

Vulnerability: Cross-Site Request Forgery via bb_taps_backend_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Activity Log

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version

Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Buttons Widget
Patched Version: 2.7.16
Recommended Action: Update to version 2.7.16, or a newer patched version

Plugin: WP Maintenance

Vulnerability: Information Exposure
Patched Version: 6.1.7
Recommended Action: Update to version 6.1.7, or a newer patched version

Plugin: Account Manager for WooCommerce

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Editor

Vulnerability: Sensitive Information Exposure via log file
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Ultimate Reviews

Vulnerability: Unauthenticated Stored Cross-Site Scripting via reviews
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via [edit-profile-text-box] shortcode
Patched Version: 4.15.0
Recommended Action: Update to version 4.15.0, or a newer patched version

Plugin: Fancy Product Designer

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: moveto

Vulnerability: Missing Authorization to Unauthenticated Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages

Vulnerability: Unauthenticated Information Exposure
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms

Vulnerability: Missing Authorization to Arbitrary Plugin Deactivation
Patched Version: 2.3.42
Recommended Action: Update to version 2.3.42, or a newer patched version

Plugin: CatalogX – Product Catalog Mode For WooCommerce

Vulnerability: Cross-Site Request Forgery via REST API
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version

Plugin: Featured Image from URL (FIFU)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via fifu_input_url
Patched Version: 4.6.3
Recommended Action: Update to version 4.6.3, or a newer patched version

Plugin: Schema & Structured Data for WP & AMP

Vulnerability: Authenticated (Custom) Stored Cross-Site Scripting
Patched Version: 1.27
Recommended Action: Update to version 1.27, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 21.3.1
Recommended Action: Update to version 21.3.1, or a newer patched version

Plugin: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Bookmarks
Patched Version: 1.15.4
Recommended Action: Update to version 1.15.4, or a newer patched version

Plugin: Plugin Groups

Vulnerability: Missing Authorization to Unauthenticated Denial of Service
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Simple Website Banner

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.0.0
Recommended Action: Update to version 1.8.0.0, or a newer patched version

Plugin: TNC PDF viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version

Plugin: 404 Solution

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.35.8
Recommended Action: Update to version 2.35.8, or a newer patched version

Plugin: Simple Share Buttons Adder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via CSS Settings
Patched Version: 8.4.12
Recommended Action: Update to version 8.4.12, or a newer patched version

Plugin: File Manager Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.3.5
Recommended Action: Update to version 8.3.5, or a newer patched version

Plugin: FormFacade – WordPress plugin for Google Forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.4.3
Recommended Action: Update to version 2.7.4.3, or a newer patched version

Plugin: My Private Site

Vulnerability: Improper Access Control to Sensitive Information Exposure via REST API
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Database Reset

Vulnerability: Cross-Site Request Forgery to WP Reset Plugin Installation
Patched Version: 3.23
Recommended Action: Update to version 3.23, or a newer patched version

Plugin: Custom Order Statuses for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category, and more

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: Schema & Structured Data for WP & AMP

Vulnerability: Missing Authorization to reCaptcha Key Modification
Patched Version: 1.27
Recommended Action: Update to version 1.27, or a newer patched version

Plugin: Community by PeepSo – Download from PeepSo.com

Vulnerability: Unauthenticated Sensitive Information Disclosure via Log file
Patched Version: 6.2.7.1
Recommended Action: Update to version 6.2.7.1, or a newer patched version

Plugin: Maspik – Advanced Spam Protection

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 0.10.7
Recommended Action: Update to version 0.10.7, or a newer patched version

Plugin: Oliver POS – A WooCommerce Point of Sale (POS)

Vulnerability: Missing Authorization
Patched Version: 2.4.2.1
Recommended Action: Update to version 2.4.2.1, or a newer patched version

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.4
Recommended Action: Update to version 6.4, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Sensitive Information Exposure via user uploads
Patched Version: 22.8
Recommended Action: Update to version 22.8, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Authenticated (Contributor+) Information Disclosure via Shortcode
Patched Version: 2.12.9
Recommended Action: Update to version 2.12.9, or a newer patched version

Plugin: WordPress User Registration Forms by Formidable Forms

Vulnerability: Authenticated (Contributor+) Arbitrary User Password Reset To Account Takeover
Patched Version: 2.12
Recommended Action: Update to version 2.12, or a newer patched version

Plugin: Page scroll to id

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Enjoy Social Feed plugin for WordPress website

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Microsoft Clarity

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.9.4
Recommended Action: Update to version 0.9.4, or a newer patched version

Plugin: Scalable Vector Graphics (SVG)

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: moveto

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cost of Goods: Product Cost & Profit Calculator for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: No subtitle
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Attendee List Retrieval
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 8.5.6
Recommended Action: Update to version 8.5.6, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: WP Media folder

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Change
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: Sensitive Information Exposure via logfile
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Defender Security – Malware Scanner, Login Security & Firewall

Vulnerability: IP Address Spoofing
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Reflected (DOM-Based) Cross-Site Scripting
Patched Version: 2.7.4.3
Recommended Action: Update to version 2.7.4.3, or a newer patched version

Plugin: WooCommerce Google Sheet Connector

Vulnerability: Missing Authorization
Patched Version: 1.3.12
Recommended Action: Update to version 1.3.12, or a newer patched version

Plugin: Innovs HR – Complete Human Resource Management System for Your Business

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Missing Authorization
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Paytium: Mollie payment forms & donations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: Custom Field Template

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via $search_label
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: moveto

Vulnerability: Unauthenticated Directory Traversal to Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms

Vulnerability: Missing Authorization
Patched Version: 2.3.42
Recommended Action: Update to version 2.3.42, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via su_tooltip Shortcode
Patched Version: 7.0.3
Recommended Action: Update to version 7.0.3, or a newer patched version

Plugin: Piraeus Bank WooCommerce Payment Gateway

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Action Network

Vulnerability: Reflected Cross-Site Scripting via ‘search’
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: WP Setup Wizard

Vulnerability: Authenticated (Subscriber+) Full Database Download
Patched Version: 1.0.8.2
Recommended Action: Update to version 1.0.8.2, or a newer patched version

Plugin: WP Media folder

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Missing Authorization
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
