Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. Patching or removing the affected plugins promptly reduces the risk to your WordPress site and its data; note that a vulnerable plugin that is installed but deactivated can still expose its files, so check inactive plugins too.
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Unauthenticated Blind SQL Injection via current_page_type
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version
Plugin: WPCargo Track & Trace
Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 6.9.0
Recommended Action: Update to version 6.9.0, or a newer patched version
Plugin: Login with phone number
Vulnerability: Unauthenticated Remote Plugin Deletion
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: WooCommerce
Vulnerability: Incorrect Authorization Checks on REST API Endpoints
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version
Plugin: Simple Quotation
Vulnerability: SQL injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UpdraftPlus: WP Backup & Migration Plugin
Vulnerability: Sensitive Information Disclosure
Patched Version: 1.22.3
Recommended Action: Update to version 1.22.3, or a newer patched version
Plugin: Flexi – Guest Submit
Vulnerability: Type not stated in the advisory (affects versions below 4.20)
Patched Version: 4.20
Recommended Action: Update to version 4.20, or a newer patched version
Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version
Plugin: ARI Fancy Lightbox – Popup for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: Cookie Information | Free GDPR Consent Solution
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: WordPress Multisite Content Copier/Updater Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Unauthenticated SQL Injection
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version
Plugin: Advanced Contact form 7 DB
Vulnerability: Authenticated Arbitrary File Deletion
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version
Plugin: Contact Form Submissions
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version
Plugin: Simple Tracking
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Zero Spam for WordPress
Vulnerability: Admin+ SQL Injection
Patched Version: 5.2.11
Recommended Action: Update to version 5.2.11, or a newer patched version
Plugin: WooCommerce
Vulnerability: Path Traversal via Tax Importer
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version
Plugin: Contact Form 7 Connector
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.14
Recommended Action: Update to version 1.1.14, or a newer patched version
Plugin: Sync QCloud COS
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting via IP
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version
Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version
Plugin: Kunze Law
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: WP Voting Contest Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.0.9
Recommended Action: Update to version 5.0.9, or a newer patched version
Plugin: Hide Admin Bar Based on User Roles
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Unauthenticated Blind SQL Injection via IP
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version
Plugin: CommonsBooking
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version
Plugin: Easy Embed for HubSpot Forms, CTAs, Links, Files & add HubSpot to WP Search Results
Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Header Footer Code Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.17
Recommended Action: Update to version 1.1.17, or a newer patched version
Plugin: Better WordPress Google XML Sitemaps (support Sitemap Index, Multi-site and Google News)
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Home Page Menu
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: WP Content Copy Protection
Vulnerability: Cross-Site Request Forgery to Setting Update
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting via browser
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version
Plugin: BulletProof Security
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 5.8
Recommended Action: Update to version 5.8, or a newer patched version
Plugin: ARI Stream Quiz – WordPress Quizzes Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.27
Recommended Action: Update to version 1.2.27, or a newer patched version
Plugin: GDMylist
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Quotation
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Vulnerability: Type not stated in the advisory (affects versions 3.6.1 and earlier)
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version
Plugin: List Petfinder Pets
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting via platform
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version
Plugin: Seo 301 Meta
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin
Vulnerability: SQL Injection
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version
Plugin: Patreon WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version
Plugin: Team Circle Image Slider With Lightbox
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version
Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 20220216
Recommended Action: Update to version 20220216, or a newer patched version
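The table above boils down to one check per plugin: is the installed version older than the patched version, or is there no patched version at all? The script below is an added example (not part of this post or of any of the plugins listed) that runs that check over the JSON produced by `wp plugin list --format=json`. The sample JSON is constructed, and the plugin slugs in the advisory table are assumed for illustration; the patched versions are the ones quoted in the table. It compares versions numerically rather than as strings, so `1.3.7` is correctly treated as older than `1.3.10`, and it does not skip deactivated plugins.

```python
"""Compare installed WordPress plugin versions against a patched-version table.

Added example; not code from the original post. Slugs are assumed.
Usage on a real site:  wp plugin list --format=json | python3 check_plugins.py
"""
import json
import re
import sys

# Patched versions quoted from this week's table. None = no patch available.
# The slugs (dictionary keys) are assumptions for illustration.
ADVISORIES = {
    "wp-statistics":   ("WP Statistics", "13.1.6"),
    "woocommerce":     ("WooCommerce", "6.2.1"),
    "updraftplus":     ("UpdraftPlus", "1.22.3"),
    "simple-ajax-chat": ("Simple Ajax Chat", "20220216"),
    "hide-admin-bar-based-on-user-roles": ("Hide Admin Bar Based on User Roles", "3.1.0"),
    "simple-quotation": ("Simple Quotation", None),
    "kingcomposer":    ("KingComposer", None),
}

# Constructed sample of `wp plugin list --format=json` output (not real site data).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "wp-statistics",    "status": "active",   "update": "available", "version": "13.1.5"},
    {"name": "woocommerce",      "status": "active",   "update": "none",      "version": "6.2.1"},
    {"name": "updraftplus",      "status": "inactive", "update": "available", "version": "1.22.2"},
    {"name": "simple-ajax-chat", "status": "active",   "update": "none",      "version": "20220110"},
    {"name": "simple-quotation", "status": "active",   "update": "none",      "version": "1.5"},
    {"name": "akismet",          "status": "active",   "update": "none",      "version": "4.2.2"},
])


def parse_version(version):
    """Split a plugin version into numeric components plus a pre-release flag.

    Components are compared as integers, so '1.3.10' > '1.3.7'. A non-numeric
    component such as 'beta' or 'rc1' marks the version as pre-release, which
    sorts before the release with the same numeric components.
    """
    numbers, prerelease = [], False
    for part in re.split(r"[.\-_+]", version.strip()):
        if part.isdigit():
            numbers.append(int(part))
        elif part:
            prerelease = True
            break
    return numbers, prerelease


def version_lt(installed, patched):
    """True if `installed` is strictly older than `patched` ('1.7' == '1.7.0')."""
    a_nums, a_pre = parse_version(installed)
    b_nums, b_pre = parse_version(patched)
    width = max(len(a_nums), len(b_nums))
    a_nums += [0] * (width - len(a_nums))
    b_nums += [0] * (width - len(b_nums))
    if a_nums != b_nums:
        return a_nums < b_nums
    return a_pre and not b_pre


def assess(plugin_list_json, advisories=ADVISORIES):
    """Return one finding per installed plugin that is unpatched or unpatchable.

    Deactivated plugins are deliberately not skipped: their files remain on
    disk and may still be reachable.
    """
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug, version = plugin["name"], plugin["version"]
        if slug not in advisories:
            continue
        display_name, patched = advisories[slug]
        if patched is None:
            action = "no patch available: mitigate or remove the plugin"
        elif version_lt(version, patched):
            action = f"update to {patched} or newer"
        else:
            continue  # already at or beyond the patched version
        findings.append({"slug": slug, "name": display_name, "installed": version,
                         "status": plugin["status"], "action": action})
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    for f in assess(data):
        print(f"{f['name']} {f['installed']} ({f['status']}): {f['action']}")
```

Because the check is driven by the advisory table rather than by the `update` field reported by WordPress, it still flags a plugin whose author has shipped no fix (the "No patched version available" rows), which an ordinary "updates available" view would never show.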
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.