Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Core: WordPress
Vulnerability: SQL Injection via WP_Meta_Query
Patched Version: 4.1.34
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.34, 4.2.31, 4.3.27, 4.4.26, 4.5.25, 4.6.22, 4.7.22, 4.8.18, 4.9.19, 5.0.15, 5.1.12, 5.2.14, 5.3.11, 5.4.9, 5.5.8, 5.6.7, 5.7.5, 5.8.3

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: IP2Location Country Blocker
Vulnerability: Ban Bypass
Patched Version: 2.26.5
Recommended Action: Update to version 2.26.5, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Adaptive Images for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.6.69
Recommended Action: Update to version 0.6.69, or a newer patched version

Plugin: Ultimate Reviews
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.0.16
Recommended Action: Update to version 3.0.16, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Rearrange Woocommerce Products
Vulnerability: Subscriber+ SQL Injection
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages
Vulnerability: WPLegalPages <= 2.7.0
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: SEUR Oficial
Vulnerability: Authenticated Arbitrary File Download
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System
Vulnerability: Unauthenticated Arbitrary Ticket Deletion
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Block for Apple Maps
Vulnerability: Uncontrolled Resource Consumption
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Translate WordPress with GTranslate
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.7
Recommended Action: Update to version 2.9.7, or a newer patched version

Plugin: Responsive Contact Form Builder & Lead Generation Plugin
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Ivory Search – WordPress Search Plugin
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched Version: 5.4.1
Recommended Action: Update to version 5.4.1, or a newer patched version

Plugin: IP2Location Country Blocker
Vulnerability: Subscriber+ Arbitrary Country Ban
Patched Version: 2.26.5
Recommended Action: Update to version 2.26.5, or a newer patched version

Plugin: Mortgage Calculators WP
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.53
Recommended Action: Update to version 1.53, or a newer patched version

Core: WordPress
Vulnerability: Super Admin Multi-Site Installation Object Injection
Patched Version: 3.7.37
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.37, 3.8.37, 3.9.35, 4.0.34, 4.1.34, 4.2.31, 4.3.27, 4.4.26, 4.5.25, 4.6.22, 4.7.22, 4.8.18, 4.9.19, 5.0.15, 5.1.12, 5.2.14, 5.3.11, 5.4.9, 5.5.8, 5.6.7, 5.7.5, 5.8.3

Plugin: IP2Location Country Blocker
Vulnerability: Arbitrary Country Ban via Cross-Site Request Forgery
Patched Version: 2.26.6
Recommended Action: Update to version 2.26.6, or a newer patched version

Plugin: CLUEVO LMS, E-Learning Platform
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Core: WordPress
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.7.37
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.37, 3.8.37, 3.9.35, 4.0.34, 4.1.34, 4.2.31, 4.3.27, 4.4.26, 4.5.25, 4.6.22, 4.7.22, 4.8.18, 4.9.19, 5.0.15, 5.1.12, 5.2.14, 5.3.11, 5.4.9, 5.5.8, 5.6.7, 5.7.5, 5.8.3

Plugin: Powerkit – Supercharge your WordPress Site
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: RVM – Responsive Vector Maps
Vulnerability: Responsive Vector Maps <= 6.4.1
Patched Version: 6.4.2
Recommended Action: Update to version 6.4.2, or a newer patched version

Plugin: WP-DownloadManager
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.68.7
Recommended Action: Update to version 1.68.7, or a newer patched version

Plugin: Ultimate Product Catalog
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0.26
Recommended Action: Update to version 5.0.26, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.