Watch Out Wednesday – January 17, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins so you can assess the risk to your site and act on it. For each entry, "Patched Version" is the first release that contains the fix, and the recommended action is to run that version or newer; "No patched version available" means no fix had been released when this post was written, so the affected plugin should be mitigated or removed. A deactivated plugin still leaves its code on the server, so it needs the same update or removal as an active one. Addressing these issues promptly reduces the risk to your WordPress site and its data.

Plugin: Asgaros Forum

Vulnerability: Unauthenticated PHP Object Injection in prepare_unread_status
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: Display custom fields in the frontend – Post and User Profile Fields

Vulnerability: Insecure Direct Object Reference to Authenticated (Contributor+) Post Meta Disclosure
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: cformsII

Vulnerability: Unauthenticated stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional

Vulnerability: Unauthenticated Stored Cross-Site Scripting via profile_title
Patched Version: 1.0.8.1
Recommended Action: Update to version 1.0.8.1, or a newer patched version

Plugin: Order Export & Order Import for WooCommerce

Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload via upload_import_file
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: Quiz Maker

Vulnerability: Denial of Service
Patched Version: 6.5.0.6
Recommended Action: Update to version 6.5.0.6, or a newer patched version

Plugin: EventON

Vulnerability: Not specified in this digest; affects WordPress Virtual Event Calendar Plugin <= 4.5.8 (Pro) & <= 2.2.7 (Free)
Patched Version: 2.2.8 (Free; the fixed Pro version is not given)
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: Hubbub Lite – Fast, Reliable Social Sharing Buttons

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.32.0
Recommended Action: Update to version 1.32.0, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Missing Authorization to Plugin Settings Change via wppb_two_factor_authentication_settings_update
Patched Version: 3.10.9
Recommended Action: Update to version 3.10.9, or a newer patched version

Plugin: Voting Record

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BA Plus – Before & After Image Slider FREE

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Smart Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Display custom fields in the frontend – Post and User Profile Fields

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via vg_display_data
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Post views Stats

Vulnerability: Reflected Cross-Site Scripting via from and to
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Custom Dashboard Widgets

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via cdw_DashboardWidgets
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Customer Area

Vulnerability: Insecure Direct Object Reference to Address Modification
Patched Version: 8.2.1
Recommended Action: Update to version 8.2.1, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Missing Authorization via fire_cron REST endpoint
Patched Version: 1.24.7
Recommended Action: Update to version 1.24.7, or a newer patched version

Plugin: WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.4.0
Recommended Action: Update to version 8.4.0, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Insufficient Authorization
Patched Version: 4.9.9
Recommended Action: Update to version 4.9.9, or a newer patched version

Plugin: WP Testimonials

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: salesking

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.6.30
Recommended Action: Update to version 1.6.30, or a newer patched version

Plugin: Woocommerce Vietnam Checkout

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui

Vulnerability: Information Exposure via ma_debug
Patched Version: 4.7.5
Recommended Action: Update to version 4.7.5, or a newer patched version

Plugin: Profile Builder Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version

Plugin: InstaWP Connect – 1-click WP Staging & Migration

Vulnerability: Cross-Site Request Forgery via create_file_db_manager
Patched Version: 0.1.0.9
Recommended Action: Update to version 0.1.0.9, or a newer patched version

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.0.7
Recommended Action: Update to version 8.0.7, or a newer patched version

Plugin: Schema & Structured Data for WP & AMP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version

Plugin: EventON

Vulnerability: Not specified in this digest; affects WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.7 (Free)
Patched Version: 2.2.8 (Free; the fixed Pro version is not given)
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: salesking

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.6.30
Recommended Action: Update to version 1.6.30, or a newer patched version

Plugin: SimpleMap Store Locator

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FastDup – Fastest WordPress Migration & Duplicator

Vulnerability: Sensitive Information Exposure via Directory Listing
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Information Exposure in Debug Logs
Patched Version: 2.12.7
Recommended Action: Update to version 2.12.7, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.23
Recommended Action: Update to version 4.0.23, or a newer patched version

Plugin: Portfolio for Elementor & Image Gallery | PowerFolio

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: Shortcodes Finder

Vulnerability: Reflected Cross-Site Scripting via nonce
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Delhivery Logistics Courier

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Woo Search

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.97
Recommended Action: Update to version 2.97, or a newer patched version

Plugin: Frontpage Manager

Vulnerability: Cross-Site Request Forgery via admin_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Spell Check

Vulnerability: Cross-Site Request Forgery
Patched Version: 9.18
Recommended Action: Update to version 9.18, or a newer patched version

Plugin: Better Anchor Links

Vulnerability: Cross-Site Request Forgery via admin/options.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Profile Builder Pro

Vulnerability: Authenticated (Subscriber+) Time-Based One-Time Password Sensitive Information Exposure
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version

Plugin: Contact Form 7 – Dynamic Text Extension

Vulnerability: Insecure Direct Object Reference
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: WordPress Manutenção

Vulnerability: IP Spoofing to Maintenance Mode Bypass
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Constant Contact Forms by MailMunch

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Plugin for Google Reviews

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: PDF Invoices & Packing Slips for WooCommerce

Vulnerability: Authenticated (Shop Manager+) SQL Injection
Patched Version: 3.7.7
Recommended Action: Update to version 3.7.7, or a newer patched version

Plugin: EventON

Vulnerability: Not specified in this digest; affects WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.7 (Free)
Patched Version: 2.2.8 (Free; the fixed Pro version is not given)
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: Contact Form 7 Connector

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: WPS Hide Login

Vulnerability: Hidden Login Page Location Disclosure
Patched Version: 1.9.12
Recommended Action: Update to version 1.9.12, or a newer patched version

Plugin: CrawlWP SEO – Instant Search Engine Indexing & SEO Performance Monitor

Vulnerability: Cross-Site Request Forgery via reset_form
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: salesking

Vulnerability: Missing Authorization to Settings Change
Patched Version: 1.6.30
Recommended Action: Update to version 1.6.30, or a newer patched version

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.5.2
Recommended Action: Update to version 6.5.2, or a newer patched version

Plugin: WP Register Profile With Shortcode

Vulnerability: Cross-Site Request Forgery to User Password Reset
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: WP Customer Area

Vulnerability: Insecure Direct Object Reference to Account Address Disclosure
Patched Version: 8.2.1
Recommended Action: Update to version 8.2.1, or a newer patched version

Plugin: Product Import Export for WooCommerce – Import Export Product CSV Suite

Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload via upload_import_file
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: Ultimate Maps by Supsystic

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.16
Recommended Action: Update to version 1.2.16, or a newer patched version

Plugin: EventON

Vulnerability: Not specified in this digest; affects WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.7 (Free)
Patched Version: 2.2.8 (Free; the fixed Pro version is not given)
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: WPZOOM Shortcodes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: HD Quiz

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.8.12
Recommended Action: Update to version 1.8.12, or a newer patched version

Plugin: Export Products, Order & Customers for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Image Tag Manager

Vulnerability: Reflected Cross-Site Scripting via default_class
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Display custom fields in the frontend – Post and User Profile Fields

Vulnerability: Authenticated (Contributor+) Code Injection
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Burst Statistics – Privacy-Friendly Analytics for WordPress

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Stock Locations for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Authorization Bypass via type connect-app API
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: EventON

Vulnerability: Not specified in this digest; affects WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.7 (Free)
Patched Version: 2.2.8 (Free; the fixed Pro version is not given)
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Elementor Widget
Patched Version: 2.10.28
Recommended Action: Update to version 2.10.28, or a newer patched version

Plugin: Product Enquiry for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: Profile Builder Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version

Plugin: Voting Record

Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: peepso-photos

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 6.3.1.0
Recommended Action: Update to version 6.3.1.0, or a newer patched version

Plugin: The Events Calendar

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 6.2.9
Recommended Action: Update to version 6.2.9, or a newer patched version

Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches

Vulnerability: Unauthenticated Stored Cross-Site Scripting via getColumnContent_Page
Patched Version: 18.5.8
Recommended Action: Update to version 18.5.8, or a newer patched version
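To turn a digest like the one above into an actionable list, compare each installed plugin's version against the entry's patched version and flag anything below it or anything whose entry has no patch. The script below is an added example for this post, not code from the original page or from any of the plugins listed. DIGEST is a constructed excerpt in the post's own "Plugin / Vulnerability / Patched Version / Recommended Action" layout, and INVENTORY is a constructed list in the shape of `wp plugin list --fields=title,status,version --format=json` output; matching on the plugin's display title, rather than its slug, is an assumption made so the script runs offline.

```python
"""Triage an installed-plugin inventory against a Watch Out Wednesday digest.

Added example for this post; not code from the original page. DIGEST is a
constructed excerpt in the post's own layout, and INVENTORY is a constructed
list in the shape of `wp plugin list --fields=title,status,version
--format=json` output. Matching on the display title is an assumption made
here so the script runs offline; a real run would map slugs to digest names.
"""
import re
from dataclasses import dataclass
from typing import Optional

DIGEST = """\
Plugin: Asgaros Forum

Vulnerability: Unauthenticated PHP Object Injection in prepare_unread_status
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: cformsII

Vulnerability: Unauthenticated stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. It may be best to uninstall the affected software and find a replacement.

Plugin: Schema & Structured Data for WP & AMP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version
"""

# Constructed inventory. The inactive plugin is included on purpose: its files
# stay on the server when deactivated, so it still needs updating or deleting.
INVENTORY = [
    {"title": "Asgaros Forum", "status": "active", "version": "2.7.2"},
    {"title": "cformsII", "status": "inactive", "version": "15.0.5"},
    {"title": "Schema & Structured Data for WP & AMP", "status": "active", "version": "1.26.0"},
    {"title": "WooCommerce", "status": "active", "version": "8.4.0"},
]


@dataclass(frozen=True)
class Advisory:
    plugin: str
    vulnerability: str
    patched: Optional[str]  # None when the digest says no patch is available


ENTRY_RE = re.compile(
    r"^Plugin:[ \t]*(?P<plugin>.+?)[ \t]*$\s+"
    r"^Vulnerability:[ \t]*(?P<vuln>.+?)[ \t]*$\s+"
    r"^Patched Version:[ \t]*(?P<patched>.+?)[ \t]*$",
    re.MULTILINE,
)


def parse_digest(text: str) -> list[Advisory]:
    """Extract one Advisory per entry; 'No patched version available' -> None."""
    advisories = []
    for m in ENTRY_RE.finditer(text):
        patched = m.group("patched")
        if patched.lower().startswith("no patched version"):
            patched = None
        advisories.append(Advisory(m.group("plugin"), m.group("vuln"), patched))
    return advisories


def version_lt(installed: str, patched: str) -> bool:
    """True when installed < patched, comparing numeric dotted components.

    Shorter versions are zero-padded so 1.26 == 1.26.0, which is what the
    digest's 'update to X or newer' rule needs. This is a simplification of
    PHP's version_compare(): pre-release suffixes such as 'beta' are ignored.
    """
    a = [int(x) for x in re.findall(r"\d+", installed)]
    b = [int(x) for x in re.findall(r"\d+", patched)]
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a < b


def triage(inventory, advisories) -> list[dict]:
    """One finding per installed plugin/advisory pair that still needs action."""
    by_plugin: dict[str, list[Advisory]] = {}
    for adv in advisories:
        by_plugin.setdefault(adv.plugin, []).append(adv)

    findings = []
    for plugin in inventory:
        for adv in by_plugin.get(plugin["title"], []):
            if adv.patched is None:
                action = "no patch available: mitigate or remove the plugin"
            elif version_lt(plugin["version"], adv.patched):
                action = f"update to {adv.patched} or newer"
            else:
                continue  # already at or above the patched release
            findings.append({
                "plugin": plugin["title"],
                "status": plugin["status"],
                "installed": plugin["version"],
                "vulnerability": adv.vulnerability,
                "action": action,
            })
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, parse_digest(DIGEST)):
        print(f"{f['plugin']} {f['installed']} ({f['status']}): "
              f"{f['vulnerability']} -> {f['action']}")
```

On the constructed inventory this reports Asgaros Forum 2.7.2 (update to 2.8.0 or newer) and the inactive cformsII (no patch available), and stays silent on the Schema plugin because 1.26.0 is treated as equal to the patched 1.26. Zero-padding is the detail that matters here: a plain string comparison would wrongly flag 1.26.0 as older than 1.26, and a lexical one would rank 6.5.0.6 above 6.5.1.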

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
