Watch Out Wednesday – January 4, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Collapse-O-Matic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Booster Plus for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version

Plugin: Accordion Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OneClick Chat to Order

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.4.2
Recommended Action: Update to version 1.0.4.2, or a newer patched version

Plugin: Passster – Password Protect Pages and Content

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.5.5.8
Recommended Action: Update to version 3.5.5.8, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.25
Recommended Action: Update to version 3.3.25, or a newer patched version

Plugin: ShiftNav – Responsive Mobile Menu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Members Import

Vulnerability: Self Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CPT Bootstrap Carousel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version

Plugin: Mailjet Email Marketing

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 5.3.1
Recommended Action: Update to version 5.3.1, or a newer patched version

Plugin: Portfolio for Elementor & Image Gallery | PowerFolio

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Word Balloon

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.19.3
Recommended Action: Update to version 4.19.3, or a newer patched version

Plugin: PDF Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: WordPress Bitcoin Payments – Blockonomics

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: Structured Content (JSON-LD) #wpsc

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Icon Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: MediaElement.js – HTML5 Video & Audio Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPZOOM Portfolio Lite – Filterable Portfolio Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Video Conferencing with Zoom

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.0.10
Recommended Action: Update to version 4.0.10, or a newer patched version

Plugin: Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.8
Recommended Action: Update to version 3.3.8, or a newer patched version

Plugin: Knowledge Base

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Passster – Password Protect Pages and Content

Vulnerability: Missing Authentication leading to Sensitive Information Disclosure (Private Post Leakage)
Patched Version: 3.5.5.9
Recommended Action: Update to version 3.5.5.9, or a newer patched version

Plugin: Image SEO – AI-Driven Image SEO Optimizer

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Bold Timeline Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Survey Maker

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Missing Authorization & Cross-Site Request Forgery
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: WP Popups – WordPress Popup builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.4.8
Recommended Action: Update to version 2.1.4.8, or a newer patched version

Plugin: 10Web Map Builder for Google Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.72
Recommended Action: Update to version 1.0.72, or a newer patched version

Plugin: Joli Table Of Contents

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: User Verification – Email Verification, Email OTP, Block Spam Email, Passwordless login

Vulnerability: Privilege Escalation
Patched Version: 1.0.94
Recommended Action: Update to version 1.0.94, or a newer patched version

Plugin: Product Carousel, Product Slider, Product Grid Gallery, and Product Table for WooCommerce – WooProduct Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Print-O-Matic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: Analyticator

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 6.5.6
Recommended Action: Update to version 6.5.6, or a newer patched version

Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.22
Recommended Action: Update to version 2.2.22, or a newer patched version

Plugin: PixCodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: Auto Publish for Google My Business

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: BruteBank – WP Security & Firewall

Vulnerability: WP Security & Firewall <= 1.8
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Genesis Columns Advanced

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Simple Sitemap – Create a Responsive HTML Sitemap

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: Top 10 – WordPress Popular posts by WebberZone

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Blocks
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
