Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins so you can stay informed about potential risks and take appropriate action to protect your website. Addressing these vulnerabilities promptly helps you keep your WordPress site and its data safe and intact.
Plugin: WooCommerce Point of Sale
Vulnerability: Insecure Direct Object Reference to Privilege Escalation via Arbitrary User Email Change
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Car Rental WordPress Plugin | WooCommerce Booking
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.15.4
Recommended Action: Update to version 2.15.4, or a newer patched version

Plugin: MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Missing Authorization
Patched Version: 2.0.25
Recommended Action: Update to version 2.0.25, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Authenticated (Administrator+) Arbitrary File Deletion
Patched Version: 3.7.4.1
Recommended Action: Update to version 3.7.4.1, or a newer patched version

Plugin: Avada (Fusion) Builder
Vulnerability: Authenticated (Contributor+) Protected Post Disclosure
Patched Version: 3.11.13
Recommended Action: Update to version 3.11.13, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 3.8.23
Recommended Action: Update to version 3.8.23, or a newer patched version

Plugin: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: WP Data Access – App, Table, Form and Chart Builder plugin
Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.5.23
Recommended Action: Update to version 5.5.23, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Travel Engine – Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Form Submission Disclosure
Patched Version: 2.17.4
Recommended Action: Update to version 2.17.4, or a newer patched version