Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Document Embedder – Document Embedder Plugin
Vulnerability: Sensitive Data Exposure
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.3.24
Recommended Action: Update to version 4.3.24, or a newer patched version
Plugin: Document Embedder – Document Embedder Plugin
Vulnerability: Subscriber+ Arbitrary Private/Draft Post Title Disclosure
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version
Plugin: Visual CSS Style Editor
Vulnerability: Reflected Cross-Site Scripting via wyp_page_type parameter
Patched Version: 7.5.4
Recommended Action: Update to version 7.5.4, or a newer patched version
Plugin: Link Library
Vulnerability: Missing Authorization Checks
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version
Plugin: Orange Form
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Link Library
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.2.9
Recommended Action: Update to version 7.2.9, or a newer patched version
Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Arbitrary Post Deletion via Cross-Site Request Forgery
Patched Version: 4.3.25
Recommended Action: Update to version 4.3.25, or a newer patched version
Plugin: Include Me
Vulnerability: Local File Inclusion leading to Authenticated Remote Code Execution
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: PHP Everywhere
Vulnerability: Remote Code Execution by Contributor+ users via gutenberg block
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Learning Courses
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version
Plugin: PHP Everywhere
Vulnerability: Authenticated (Contributor+) Remote Code Execution via Metabox
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Asset CleanUp: Page Speed Booster
Vulnerability: Reflected Cross-Site Scripting via AJAX Action
Patched Version: 1.3.8.5
Recommended Action: Update to version 1.3.8.5, or a newer patched version
Plugin: Futurio Extra
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Amazon Affiliate
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.17.1
Recommended Action: Update to version 3.17.1, or a newer patched version
Plugin: Advanced Cron Manager – debug & control
Vulnerability: Subscriber+ Arbitrary Events/Schedules Creation/Deletion
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: SupportCandy – Helpdesk & Customer Support Ticket System
Vulnerability: Cross-Site Request Forgery to Arbitrary Ticket Deletion
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
Plugin: SVG Support
Vulnerability: No subtitle
Patched Version: 2.3.20
Recommended Action: Update to version 2.3.20, or a newer patched version
Plugin: SupportCandy – Helpdesk & Customer Support Ticket System
Vulnerability: Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
Plugin: WP Photo Album Plus
Vulnerability: Stored Cross-Site Scripting
Patched Version: 8.1.00
Recommended Action: Update to version 8.1.00, or a newer patched version
Plugin: TrustMate.io – WooCommerce integration
Vulnerability: Authenticated (Subscriber+) Arbitrary Settings Update
Patched Version: 1.8.12
Recommended Action: Update to version 1.8.12, or a newer patched version
Plugin: CF7 Skins for Contact Form 7
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Error Log Viewer by BestWebSoft
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: TrustMate.io – WooCommerce integration
Vulnerability: Authenticated (Subscriber+) Arbitrary Blog Option Update
Patched Version: 1.8.12
Recommended Action: Update to version 1.8.12, or a newer patched version
Plugin: Link Library
Vulnerability: Cross-Site Request Forgery to Library Settings Reset
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version
Plugin: PHP Everywhere
Vulnerability: Remote Code Execution by Subscriber+ users via shortcode
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Subscriber+ SQL Injection
Patched Version: 2.18.10
Recommended Action: Update to version 2.18.10, or a newer patched version
Plugin: Asset CleanUp: Page Speed Booster
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.8.5
Recommended Action: Update to version 1.3.8.5, or a newer patched version
Plugin: AGCA – Custom Dashboard & Login Page
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version