Understanding Vulnerabilities in WordPress Plugins
Every week we highlight known vulnerabilities in WordPress plugins so you can check your own installs against the list and act on them. Each entry gives the plugin, the vulnerability class, the version that fixes it, and the recommended action. Role prefixes such as Contributor+ or Admin+ name the lowest role that can trigger the issue. Where no patched version exists, treat the plugin as unmaintained: mitigate the issue or remove the plugin. Addressing these findings promptly reduces the risk to your WordPress site and its data.
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery in admin_widgets_welcome function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Advanced Dynamic Pricing for WooCommerce
Vulnerability: Cross-Site Request Forgery via migrateCommonToProductOnly function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: Campaign URL Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Create Link
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘redirectionPageContent’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Advanced Dynamic Pricing for WooCommerce
Vulnerability: Missing Authorization in ajaxCalculatePrice function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: Calendar Event Multi View
Vulnerability: Insufficient Authorization
Patched Version: 1.4.15
Recommended Action: Update to version 1.4.15, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘addRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Top 10 – WordPress Popular posts by WebberZone
Vulnerability: Missing Authorization on tptn_ajax_clearcache
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: Google Maps v3 Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
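The "Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode" entries that recur throughout this list share one root cause: a shortcode handler that concatenates its attributes into HTML without escaping. The following is an added example, not code from Google Maps v3 Shortcode or any other plugin listed here. The shortcode name ex_map, its attributes and the constructed post body are hypothetical; the WordPress functions used (shortcode_atts, esc_attr, esc_html, add_shortcode) are real.

```php
<?php
// Added example, not code from any plugin listed on this page. The shortcode
// name "ex_map" and its attributes are hypothetical; the two handlers show
// the defect class and its fix.

// --- Vulnerable pattern -------------------------------------------------
// Shortcode attributes are taken from post content. A Contributor can save a
// post containing [ex_map ...] but lacks the unfiltered_html capability, so
// kses strips raw <script> tags from the post body at save time. It does not
// touch a stray double quote inside a shortcode attribute, and the shortcode
// output is generated at render time, after kses, so the handler must escape
// for itself. Here neither attribute is escaped.
function ex_map_shortcode_vuln( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'css_class' => '' ),
        $atts,
        'ex_map'
    );
    return '<div class="ex-map ' . $atts['css_class'] . '">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// --- Hardened pattern ---------------------------------------------------
// Escape at output, per context: esc_attr() inside an HTML attribute,
// esc_html() in a text node (esc_url() for href/src values). Escaping only
// at save time is not enough because the attribute is stored once and
// re-rendered on every request, for every viewer.
function ex_map_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'css_class' => '' ),
        $atts,
        'ex_map'
    );
    return '<div class="ex-map ' . esc_attr( $atts['css_class'] ) . '">'
         . '<h3>' . esc_html( $atts['title'] ) . '</h3></div>';
}
add_shortcode( 'ex_map', 'ex_map_shortcode' );

// Constructed attack input a Contributor could type into a post body.
// WordPress accepts single-quoted shortcode attribute values, which may
// contain double quotes, so css_class becomes:   x" onmouseover="alert(1)
// The vulnerable handler emits <div class="ex-map x" onmouseover="alert(1)">,
// which fires for anyone who views or previews the post, including the
// Administrator reviewing it. The hardened handler emits the quote as
// &quot; and the payload stays inside the class attribute as inert text.
$ex_constructed_post_body = "[ex_map title='Office' css_class='x\" onmouseover=\"alert(1)']";
```

The role matters because Contributors can submit posts for review but cannot publish them, so the payload is typically triggered when an Editor or Administrator opens the pending post. Fixing this class of bug is a matter of escaping every attribute at the point of output; adding a capability check to the shortcode does not help, since shortcodes legitimately run for every reader.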
Plugin: Social Login WP
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PayGreen – Ancienne version
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Redirection
Vulnerability: Missing Authorization in ‘deleteRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: WP BaiDu Submit
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Custom Settings
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Portfolio Slideshow
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Accept Stripe Donation and Payments – AidWP
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version
Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP
Vulnerability: Unspecified; the advisory title gives only the affected range (<= 5.5.15)
Patched Version: 5.5.16
Recommended Action: Update to version 5.5.16, or a newer patched version
Plugin: Advanced Dynamic Pricing for WooCommerce
Vulnerability: Cross-Site Request Forgery via handleSubmitAction function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: Read More Excerpt Link
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: WP OAuth Server (OAuth Authentication)
Vulnerability: Authenticated (Subscriber+) Arbitrary Client Deletion (wo_ajax_remove_client)
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version
Plugin: Redirection
Vulnerability: Cross-Site Request Forgery via ‘SaveSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: wp2syslog
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery in multiple functions in admin/controller.php
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Vulnerability: PHAR Deserialization
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version
Plugin: Saan World Clock
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Jobs for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.11
Recommended Action: Update to version 2.5.11, or a newer patched version
Plugin: Contextual Related Posts
Vulnerability: Missing Authorization in crp_ajax_clearcache
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: Easy Google Analytics for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery in saveconfig function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: WP OAuth Server (OAuth Authentication)
Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion (wo_ajax_remove_client)
Patched Version: 4.2.5
Recommended Action: Update to version 4.2.5, or a newer patched version
Plugin: Sitemap Index
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Video Background
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: Exquisite PayPal Donation
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery in savetmplfile function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘SaveSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Zeno Font Resizer
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: Archivist – Custom Archive Templates
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: Advanced Dynamic Pricing for WooCommerce
Vulnerability: Cross-Site Request Forgery via migrateProductOnlyToCommon function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: Fontiran
Vulnerability: Missing Authorization via fi_add_rule and fi_delete_webfont_php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 4.5.5
Recommended Action: Update to version 4.5.5, or a newer patched version
Plugin: Educare – Students & Result Management System
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: Redirection
Vulnerability: Cross-Site Request Forgery via ‘bulkDelete’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates
Vulnerability: Cross-Site Request Forgery in add_to_favorite
Patched Version: 3.2.21
Recommended Action: Update to version 3.2.21, or a newer patched version
Plugin: React Webcam
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Dynamic Pricing for WooCommerce
Vulnerability: Missing Authorization in migrateProductOnlyToCommon function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: Advanced Database Cleaner
Vulnerability: Cross-Site Request Forgery via aDBc_save_settings_callback
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Top 10 – WordPress Popular posts by WebberZone
Vulnerability: Cross-Site Request Forgery via tptn_ajax_clearcache
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
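Several AJAX actions above appear twice, once as Missing Authorization and once as Cross-Site Request Forgery: Top 10's tptn_ajax_clearcache, Contextual Related Posts' crp_ajax_clearcache, and Advanced Dynamic Pricing's migrate functions. That is not double counting. A capability check and a nonce check defend against different attackers, and a handler that lacks both has two findings. The following is an added example, not code from any of those plugins; the ex_ prefix, the option name and the action names are hypothetical, while the WordPress functions (current_user_can, check_ajax_referer, wp_create_nonce, wp_send_json_*) are real.

```php
<?php
// Added example, not code from any plugin listed on this page. It shows the
// two defects that recur throughout this list on a single admin-ajax handler:
// a missing capability check (Missing Authorization) and a missing nonce
// check (Cross-Site Request Forgery). The "ex_" prefix, the option name
// "ex_cache" and the action names are hypothetical.

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_{action} hooks fire for ANY logged-in user, Subscribers included,
// and this handler trusts the request without checking who sent it or
// whether the user's browser was tricked into sending it.
add_action( 'wp_ajax_ex_clear_cache_vuln', 'ex_clear_cache_vuln' );
function ex_clear_cache_vuln() {
    delete_option( 'ex_cache' );          // privileged action
    wp_send_json_success( 'cache cleared' );
}

// --- Hardened pattern ---------------------------------------------------
// 1. Nonce check: the request must carry a token minted for this action and
//    this user session, so a cross-site form post cannot forge it. This
//    closes the CSRF finding but says nothing about the user's role.
// 2. Capability check: only users allowed to manage options reach the
//    action. This closes the Missing Authorization finding but does not
//    stop an Administrator's browser from being driven by another site.
// Fixing one leaves the other open, which is why the same function can be
// listed twice above.
add_action( 'wp_ajax_ex_clear_cache', 'ex_clear_cache' );
function ex_clear_cache() {
    // Dies with a 403 response if the '_ajax_nonce' field is missing or stale.
    check_ajax_referer( 'ex_clear_cache_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    delete_option( 'ex_cache' );
    wp_send_json_success( 'cache cleared' );
}

// The admin page that triggers the action must mint the matching nonce and
// send it with the request. Note that wp_ajax_nopriv_{action} hooks exist
// for unauthenticated callers; a privileged action must never be registered
// on one of those.
add_action( 'admin_enqueue_scripts', 'ex_enqueue_admin_script' );
function ex_enqueue_admin_script() {
    wp_enqueue_script( 'ex-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'ex-admin', 'exAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'ex_clear_cache_nonce' ),
    ) );
}
```

When auditing a plugin for these two classes, search for every add_action( 'wp_ajax_ ... ) and admin_post_ hook and confirm that the callback reaches both a nonce check and a current_user_can() check before it reads or writes anything. A nonce alone is the most common half-fix: it stops CSRF but still lets any Subscriber call the action directly with their own valid nonce.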
Plugin: Redirection
Vulnerability: Cross-Site Request Forgery via ‘statusBulkEdit’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Stock market charts from finviz
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: JS Job Manager
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via title
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: 10Web Map Builder for Google Maps
Vulnerability: Unauthenticated SQL Injection via Multiple Parameters
Patched Version: 1.0.73
Recommended Action: Update to version 1.0.73, or a newer patched version
Plugin: Olevmedia Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Unauthenticated Arbitrary Media Deletion
Patched Version: 8.0.9
Recommended Action: Update to version 8.0.9, or a newer patched version
Plugin: Multiple Page Generator Plugin – MPG
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.10
Recommended Action: Update to version 3.3.10, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery in exec_multitask_widgets function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Protected Posts Logout Button
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘instantEditRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Clio Grow Form
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: vSlider Multi Image Slider for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: Sticky Ad Bar Plugin
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cron Setup and Monitor – Get URL Cron
Vulnerability: Missing Authorization via geturlcron_action_handle
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version
Plugin: Easy Panorama
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Eyes Only: User Access Shortcode
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Theme Tweaker
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Video Gallery – YouTube Gallery and Vimeo Gallery
Vulnerability: Missing Authorization
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery in listenTosFieldSavingTask function
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Redirection
Vulnerability: Cross-Site Request Forgery via ‘addRedirectRule’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Circles Gallery
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Admin Settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Visualizer: Tables and Charts Manager for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version
Plugin: Video Gallery – YouTube Gallery and Vimeo Gallery
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: Podlove Subscribe button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: Simple PDF Viewer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via googlepdf Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Redirection
Vulnerability: Cross-Site Request Forgery via ‘saveRedirectSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Quick Contact Form
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 8.0.4
Recommended Action: Update to version 8.0.4, or a newer patched version
Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.50
Recommended Action: Update to version 2.1.50, or a newer patched version
Plugin: WordPress Email Marketing Plugin – WP Email Capture
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.10
Recommended Action: Update to version 3.10, or a newer patched version
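The patched version directly above, 3.10, is a reminder that plugin versions are not decimal numbers: an installed 3.9 is older than 3.10, but a plain string comparison says the opposite. The following is an added example, not part of this page's source or of any plugin, showing how to triage an installed-plugin inventory against a list of patched versions with PHP's version_compare(). The inventory is constructed to resemble the output of `wp plugin list --format=json --fields=name,version`; the slugs are hypothetical, since this page names plugins by title rather than by wordpress.org slug, and the patched versions are copied from entries above.

```php
<?php
// Added example, not from this page's source or from any plugin. Triages a
// constructed installed-plugin inventory against patched versions taken from
// the list above. Slugs are hypothetical.

// Constructed to look like `wp plugin list --format=json --fields=name,version`.
$ex_installed = json_decode( '[
  {"name": "wp-email-capture",  "version": "3.9"},
  {"name": "archivist",         "version": "1.7.5"},
  {"name": "social-login-wp",   "version": "1.0"}
]', true );

// Patched versions from the entries above; null stands for
// "No patched version available".
$ex_advisories = array(
    'wp-email-capture' => '3.10',
    'archivist'        => '1.7.5',
    'social-login-wp'  => null,
);

/**
 * Returns one action string per installed plugin that appears in the
 * advisory list: "update to X", "ok", or "no patch: mitigate or remove".
 */
function ex_triage( array $installed, array $advisories ): array {
    $out = array();
    foreach ( $installed as $plugin ) {
        $slug = $plugin['name'];
        if ( ! array_key_exists( $slug, $advisories ) ) {
            continue;                                  // not in this week's list
        }
        $patched = $advisories[ $slug ];
        if ( $patched === null ) {
            $out[ $slug ] = 'no patch: mitigate or remove';
        } elseif ( version_compare( $plugin['version'], $patched, '<' ) ) {
            // version_compare() splits on dots and compares each component
            // numerically, so 3.9 < 3.10. strcmp() would compare the
            // characters '9' and '1' and report 3.9 as newer than 3.10.
            $out[ $slug ] = "update to {$patched}";
        } else {
            $out[ $slug ] = 'ok';
        }
    }
    return $out;
}

print_r( ex_triage( $ex_installed, $ex_advisories ) );
```

One caveat when feeding this real data: version_compare() treats a missing component as older, so it reports "6.0.3" as lower than "6.0.3.0" (a patched version that appears above for Community by PeepSo). Pad or trim trailing ".0" components to the same length before comparing if your inventory and the advisory use different conventions.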
Plugin: Archivist – Custom Archive Templates
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: Feed Changer & Remover
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.3
Recommended Action: Update to version 0.3, or a newer patched version
Plugin: WP Table Builder – WordPress Table Plugin
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: Click to Call or Chat Buttons
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Cron Setup and Monitor – Get URL Cron
Vulnerability: Cross-Site Request Forgery via geturlcron_action_handle
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version
Plugin: Shipyaari Shipping Management
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Post Rating
Vulnerability: Missing Authorization to Vote Manipulation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: real.Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version
Plugin: Inline Tweet Sharer – Twitter Sharing Plugin
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer
Vulnerability: Missing Authorization in Settings Import to Stored Cross-Site Scripting
Patched Version: 2.13.45
Recommended Action: Update to version 2.13.45, or a newer patched version
Plugin: FireCask Like & Share Button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: OAuth Single Sign On – SSO (OAuth Client)
Vulnerability: Unspecified; the advisory has no title for this entry
Patched Version: 6.24.2
Recommended Action: Update to version 6.24.2, or a newer patched version
Plugin: Get Use APIs – JSON Content Importer
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version
Plugin: Publish to Schedule
Vulnerability: Cross-Site Request Forgery leading to Plugin Option Changes
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: Tapfiliate
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.13
Recommended Action: Update to version 3.0.13, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘loadRedirectSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘liveSearch’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: WP资源下载管理
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Podlove Subscribe button
Vulnerability: Cross-Site Request Forgery via process_form function
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: Bing Site Verification plugin using Meta Tag
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Admin Settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery in widgets_watch_data function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Campaign URL Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘loadSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Vulnerability: Cross-Site Request Forgery in rttpg_spare_me
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version
Plugin: Quick Paypal Payments
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 5.7.26
Recommended Action: Update to version 5.7.26, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘addRedirectRule’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery in exec_admin_widget function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Protected Posts Logout Button
Vulnerability: Missing Authorization on pplb_options_save
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: Japanized For WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version
Plugin: WP Open Social
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Client Portal – Private user pages and login
Vulnerability: Cross-Site Request Forgery via cp_create_private_pages_for_all_users
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: Protected Posts Logout Button
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Contextual Related Posts
Vulnerability: Cross-Site Request Forgery in crpClearCache
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.6.0
Recommended Action: Update to version 7.6.0, or a newer patched version
Plugin: Companion Sitemap Generator – HTML & XML
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version
Plugin: WP Custom Fields Search
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.35
Recommended Action: Update to version 1.2.35, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery in savetranslation function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘logFilter’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery in savetranslationstay function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Wallet for WooCommerce
Vulnerability: Cross-Site Request Forgery via admin_options
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: WordPress Books Gallery
Vulnerability: Cross-Site Request Forgery leading to Plugin Settings Changes
Patched Version: 4.4.9
Recommended Action: Update to version 4.4.9, or a newer patched version
Plugin: Redirection
Vulnerability: Cross-Site Request Forgery via ‘deleteRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Responsive Clients Logo Gallery Plugin for WordPress – Smart Logo Showcase Lite
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Redirection
Vulnerability: Cross-Site Request Forgery via ‘cronLogDeleteOption’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Sponsors Carousel
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting in show
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Service Area Postcode Checker
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Redirection
Vulnerability: Missing Authorization in ‘logPageContent’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Advanced Dynamic Pricing for WooCommerce
Vulnerability: Missing Authorization in migrateCommonToProductOnly function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘selectAll’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Strong Testimonials
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery in save_admin_widgets function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘bulkDelete’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.5.5
Recommended Action: Update to version 4.5.5, or a newer patched version
Plugin: WP Coder – Code Snippets + HTML, CSS, JS and PHP Injection
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.0.3.0
Recommended Action: Update to version 6.0.3.0, or a newer patched version
Plugin: Nooz
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Podlove Subscribe button
Vulnerability: Cross-Site Request Forgery via save function
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: Media Library Assistant
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.06
Recommended Action: Update to version 3.06, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘statusBulkEdit’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Minify HTML
Vulnerability: Cross-Site Request Forgery in minify_html_menu_options
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: Ditty – Responsive News Tickers, Sliders, and Lists
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0.33
Recommended Action: Update to version 3.0.33, or a newer patched version
Plugin: Gutenberg Blocks by WordPress Download Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: vSlider Multi Image Slider for WordPress
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CSS JS Manager, Async JavaScript, Defer Render Blocking CSS supports WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.49.1
Recommended Action: Update to version 2.4.49.1, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘saveRedirectSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Ultimate WP Query Search Filter
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Upload File Type Settings Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Dynamic Pricing for WooCommerce
Vulnerability: Missing Authorization in ajaxCalculateSeveralProducts function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: WP Dynamic Keywords Injector
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.16
Recommended Action: Update to version 2.3.16, or a newer patched version
Plugin: Meta Slider and Carousel with Lightbox
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Wp-Insert
Vulnerability: No subtitle
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: WordPress Старт
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version
Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)
Vulnerability: Cross-Site Request Forgery
Patched Version: 7.5.15
Recommended Action: Update to version 7.5.15, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Cross-Site Request Forgery leading to Form Metadata Deletion
Patched Version: 5.1.9.3
Recommended Action: Update to version 5.1.9.3, or a newer patched version
Plugin: Redirection
Vulnerability: Cross-Site Request Forgery via ‘instantEditRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.