Watch Out Wednesday – February 3, 2021

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Authentication Bypass
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.74
Recommended Action: Update to version 3.74, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated WordPress Options Changes via AJAX
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Arbitrary Account Creation
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: YITH WooCommerce Gift Cards Premium

Vulnerability: Arbitrary File Upload
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Arbitrary Account Changes
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Arbitrary Roles and Capabilities Creation/Deletion
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Super Forms – Drag & Drop Form Builder

Vulnerability: Arbitrary File Upload
Patched Version: 4.9.800
Recommended Action: Update to version 4.9.800, or a newer patched version

Plugin: Ivory Search – WordPress Search Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.11
Recommended Action: Update to version 4.5.11, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Arbitrary Post/Page Deletion
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: wpDataTables (Premium)

Vulnerability: SQL Injection
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: WP Editor

Vulnerability: Authenticated (Admin+) SQL injection
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Unauthenticated Events Export
Patched Version: 5.16.5
Recommended Action: Update to version 5.16.5, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.16.5
Recommended Action: Update to version 5.16.5, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated SQL Injection
Patched Version: 5.16.6
Recommended Action: Update to version 5.16.6, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated Arbitrary File Upload leading to Remote Code Execution
Patched Version: 5.16.5
Recommended Action: Update to version 5.16.5, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Missing Authorization
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: No subtitle
Patched Version: 3.72
Recommended Action: Update to version 3.72, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.09.05
Recommended Action: Update to version 4.09.05, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Options Changes via wp_route
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
