Watch Out Wednesday – July 10, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week we highlight recently disclosed vulnerabilities in WordPress plugins so you can check whether your sites are affected and act before they are exploited. Each entry gives the plugin name, the vulnerability class and, where the advisory title states it, the lowest role an attacker needs (Unauthenticated, Subscriber+, Contributor+, Admin+), followed by the patched version and the recommended action. "No patched version available" reflects the state at the time of publication; prioritize the unauthenticated and low-privilege entries, and treat any plugin without a fix as a candidate for removal.
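Turning the list into a check. The script below is an added example for this post, not code from the original page or from any of the plugins listed: it compares a site's installed plugins, in the JSON shape that `wp plugin list --fields=name,title,version,status --format=json` emits (a constructed sample is embedded inline), against a handful of advisories transcribed from the entries further down, and reports what needs updating or removing. The inventory data and the title-based matching are assumptions for the example. Versions are compared numerically per component rather than as strings, which matters for releases such as 1.3.2.9 and 8.4 versus 8.4.1.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    plugin: str            # plugin title exactly as it appears in the post
    vulnerability: str
    patched: str | None    # None = "No patched version available"


# A few entries transcribed from this post (the full list would go here).
ADVISORIES = [
    Advisory("Elementor Addons by Livemesh",
             "Authenticated (Contributor+) Limited Local File Inclusion via Widgets", "8.4.1"),
    Advisory("Elementor Addons by Livemesh",
             "Authenticated (Contributor+) Stored Cross-Site Scripting via Marquee Text Widget, "
             "Testimonials Widget, and Testimonial Slider Widgets", "8.4.2"),
    Advisory("Elementor Addons by Livemesh",
             "Authenticated (Contributor+) Stored Cross-Site Scripting via Various Widgets", "8.4"),
    Advisory("Chained Quiz", "Missing Authorization", "1.3.2.9"),
    Advisory("Openpos – WooCommerce Point Of Sale(POS)", "Unauthenticated SQL Injection", "7.0.1"),
    Advisory("WP User Switch", "Authenticated (Subscriber+) Privilege Escalation", None),
]

# Constructed sample inventory in the shape of
#   wp plugin list --fields=name,title,version,status --format=json
# (invented data for the example, not from a real site).
SAMPLE_INVENTORY_JSON = """[
  {"name": "addons-for-elementor", "title": "Elementor Addons by Livemesh", "version": "8.4", "status": "active"},
  {"name": "chained-quiz", "title": "Chained Quiz", "version": "1.3.2.10", "status": "active"},
  {"name": "woocommerce-openpos", "title": "Openpos – WooCommerce Point Of Sale(POS)", "version": "7.0.1", "status": "inactive"},
  {"name": "wp-user-switch", "title": "WP User Switch", "version": "1.0", "status": "active"}
]"""


def version_tuple(v: str) -> tuple[int, ...]:
    """Turn a dotted version into a tuple of ints for numeric comparison.

    Each component keeps only its leading digits ("2beta" -> 2); a component
    with no digits ends the tuple. Never compare versions as strings:
    "1.3.2.10" < "1.3.2.9" is true for strings and false for releases.
    """
    parts = []
    for component in v.strip().split("."):
        m = re.match(r"\d+", component)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(installed: str, patched: str) -> bool:
    """True if `installed` is older than `patched`. Missing trailing components
    count as 0, so "8.4" == "8.4.0" and "8.4" < "8.4.1". (PHP's
    version_compare() ranks "8.4" below "8.4.0"; for an is-it-patched check
    that corner case does not change the answer.)"""
    a, b = version_tuple(installed), version_tuple(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory_json: str, advisories=ADVISORIES) -> list[dict]:
    """One finding per (installed plugin, advisory) pair that still applies.

    Matching is by plugin title because that is all the post gives; slugs
    would be more robust. Inactive plugins are still reported: their files
    stay on disk, and the post's advice to remove unpatched plugins applies
    to them as well.
    """
    by_title: dict[str, list[Advisory]] = {}
    for adv in advisories:
        by_title.setdefault(adv.plugin, []).append(adv)

    findings = []
    for plugin in json.loads(inventory_json):
        for adv in by_title.get(plugin["title"], []):
            if adv.patched is None:
                action = "remove-or-mitigate"          # no fix exists at any version
            elif version_lt(plugin["version"], adv.patched):
                action = f"update to {adv.patched}"
            else:
                continue                               # already at/above the patched release
            findings.append({
                "plugin": plugin["title"],
                "slug": plugin["name"],
                "installed": plugin["version"],
                "status": plugin["status"],
                "vulnerability": adv.vulnerability,
                "action": action,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY_JSON):
        print(f"{f['slug']} {f['installed']} ({f['status']}): {f['action']} -- {f['vulnerability']}")
```

On a real site, write the output of `wp plugin list --fields=name,title,version,status --format=json` to a file and pass its contents to `triage()`. For the sample inventory the script reports two updates for the Livemesh addons (8.4 is older than 8.4.1 and 8.4.2 but already covers the 8.4 advisory), nothing for Chained Quiz 1.3.2.10 (newer than 1.3.2.9 despite sorting lower as a string), nothing for Openpos at exactly 7.0.1, and a remove-or-mitigate finding for WP User Switch. The patched versions in this post are as of its publication date, so confirm against the plugin's changelog before closing a finding.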

Plugin: Tabs For WPBakery Page Builder (formerly Visual Composer)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Call / Contact Button

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version

Plugin: Send email only on Reply to My Comment

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TOCHAT.BE

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Jetpack Boost – Website Speed, Performance and Critical CSS

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: Default Thumbnail Plus

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Missing Authorization
Patched Version: 3.1.22
Recommended Action: Update to version 3.1.22, or a newer patched version

Plugin: Inline Related Posts

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: Cliengo – Chatbot

Vulnerability: Unspecified in this listing (affects Chatbot <= 3.0.2)
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Easy Pixels

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ocean Extra

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Elementor Addons by Livemesh

Vulnerability: Authenticated (Contributor+) Limited Local File Inclusion via Widgets
Patched Version: 8.4.1
Recommended Action: Update to version 8.4.1, or a newer patched version

Plugin: Modern Events Calendar

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 7.12.0
Recommended Action: Update to version 7.12.0, or a newer patched version

Plugin: Login by Auth0

Vulnerability: Reflected Cross-Site Scripting via wle
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: Timeline Module for Beaver Builder

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Social Media Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: WP Cookie Law Info

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BlogLentor – Blog Designer Pack for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Schema App Structured Data

Vulnerability: Missing Authorization
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Boostify Header Footer Builder for Elementor

Vulnerability: Missing Authorization to Page/Post Creation
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Snippet Shortcodes

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: EventON

Vulnerability: Missing Authorization to Unauthenticated Stored Cross-Site Scripting and Plugin Settings Updates
Patched Version: 2.2.16
Recommended Action: Update to version 2.2.16, or a newer patched version

Plugin: Meks Easy Ads Widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Just Custom Fields

Vulnerability: Missing Authorization via AJAX actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Theme Demo Import

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Plugin Notes Plus

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Ultimate Classified Listings

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Happy WooCommerce FAQs & AI FAQ Generator (Formerly XPlainer)

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Cliengo – Chatbot

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Create by Mediavine

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version

Plugin: WP2Speed Faster – Optimize PageSpeed Insights Score 90-100

Vulnerability: Improper Authorization due to use of Hardcoded Credentials
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Openpos – WooCommerce Point Of Sale(POS)

Vulnerability: Unauthenticated SQL Injection
Patched Version: 7.0.1
Recommended Action: Update to version 7.0.1, or a newer patched version

Plugin: WPFavicon

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HelloAsso

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: ShopBuilder – Elementor WooCommerce Builder Addons

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.1.13
Recommended Action: Update to version 2.1.13, or a newer patched version

Plugin: Paid Memberships Pro – Member Directory Add On

Vulnerability: Unspecified in this listing (affects Member Directory Add On < 1.2.6)
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: WP Affiliate Platform

Vulnerability: Cross-Site Request Forgery to Affiliate Deletion
Patched Version: 6.5.2
Recommended Action: Update to version 6.5.2, or a newer patched version

Plugin: Schema App Structured Data

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Sitepact's Contact Form 7 Extension For Klaviyo

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: Advanced File Manager Shortcodes

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: FormDeck: Simple Form Builder with WhatsApp Floating Forms

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.12.2
Recommended Action: Update to version 2.12.2, or a newer patched version

Plugin: Comment Reply Email

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Product Designer

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Attachment Deletion
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version

Plugin: IMGspider – 图片采集抓取插件 (image collection and scraping plugin)

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload via ‘upload_img_file’
Patched Version: 2.3.11
Recommended Action: Update to version 2.3.11, or a newer patched version

Plugin: Save as PDF Plugin by Pdfcrowd

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Square Thumbnails

Vulnerability: Missing Authorization
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Keap Official Opt-in Forms

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version

Plugin: Squelch Tabs and Accordions Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via tab Shortcode
Patched Version: 0.4.9
Recommended Action: Update to version 0.4.9, or a newer patched version

Plugin: OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer)

Vulnerability: Use of Polyfill.io
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WpStickyBar – Sticky Bar, Sticky Header

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP To Do

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Addons for Elementor

Vulnerability: Regular Expressions Denial of Service
Patched Version: 4.10.36
Recommended Action: Update to version 4.10.36, or a newer patched version

Plugin: SCSS Happy Compiler – Compile SCSS to CSS & Automatic Enqueue

Vulnerability: Unspecified in this listing (affects Compile SCSS to CSS automatically <= 1.3.10)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Ajax Contact Form

Vulnerability: Cross-Site Request Forgery to Arbitrary Email Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: پلاگین پرداخت دلخواه (Persian: Pay-What-You-Want Payment Plugin)

Vulnerability: Cross-Site Request Forgery to Form Setting Reset
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version

Plugin: WP ULike – All-in-One Engagement Toolkit

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.1
Recommended Action: Update to version 4.7.1, or a newer patched version

Plugin: WP2Speed Faster – Optimize PageSpeed Insights Score 90-100

Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leaky Paywall

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.21.3
Recommended Action: Update to version 4.21.3, or a newer patched version

Plugin: OSM Map Widget for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Extensions for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via EE Events and EE Flipbox Widget
Patched Version: 2.0.33
Recommended Action: Update to version 2.0.33, or a newer patched version

Plugin: Testimonials Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media Hygiene: Remove or Delete Unused Images and More!

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Generate PDF using Contact Form 7

Vulnerability: Cross-Site Request Forgery to Arbitrary File Deletion
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version

Plugin: WP Ajax Contact Form

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ConeBlog – Elementor Blog Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: Pricing Table

Vulnerability: Cross-Site Request Forgery via ajax()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PZ Frontend Manager

Vulnerability: Cross-Site Request Forgery to Profile Picture Update
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Template Kit – Export

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.22
Recommended Action: Update to version 1.0.22, or a newer patched version

Plugin: Comment Images Reloaded

Vulnerability: Authenticated (Subscriber+) Arbitrary Media Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP User Switch

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Generate PDF using Contact Form 7

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: Elementor Addons by Livemesh

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Marquee Text Widget, Testimonials Widget, and Testimonial Slider Widgets
Patched Version: 8.4.2
Recommended Action: Update to version 8.4.2, or a newer patched version

Plugin: Houzez Theme – Functionality

Vulnerability: Unspecified in this listing (affects Functionality <= 3.2.2)
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version

Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: WPBITS Addons For Elementor Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: IMGspider – 图片采集抓取插件 (image collection and scraping plugin)

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload via ‘upload’
Patched Version: 2.3.11
Recommended Action: Update to version 2.3.11, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: Chained Quiz

Vulnerability: Missing Authorization
Patched Version: 1.3.2.9
Recommended Action: Update to version 1.3.2.9, or a newer patched version

Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 2.13.4
Recommended Action: Update to version 2.13.4, or a newer patched version

Plugin: Ultimate WordPress Auction Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version

Plugin: Swift Performance Lite

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.6.21
Recommended Action: Update to version 2.3.6.21, or a newer patched version

Plugin: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.3.14
Recommended Action: Update to version 1.3.14, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: IP Address Spoofing to Antispam Bypass
Patched Version: 1.5.113
Recommended Action: Update to version 1.5.113, or a newer patched version

Plugin: Webico Slider Flatsome Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wbc_image Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Track Geolocation Of Users Using Contact Form 7

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: SportsPress – Sports Club & League Manager

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.7.22
Recommended Action: Update to version 2.7.22, or a newer patched version

Plugin: Donation Block For PayPal

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: WP Directory Kit

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Elementor Addons by Livemesh

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Various Widgets
Patched Version: 8.4
Recommended Action: Update to version 8.4, or a newer patched version

Plugin: Responsive Tabs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.11
Recommended Action: Update to version 4.0.11, or a newer patched version

Plugin: Email Encoder – Protect Email Addresses and Phone Numbers

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Essential Real Estate

Vulnerability: Insecure Direct Object Reference to Arbitrary Attachment Deletion
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version

Plugin: Attachment File Icons (AF Icons)

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnDash LMS – Reports

Vulnerability: Unspecified in this listing (affects Reports Free <= 1.8.2.1)
Patched Version: 1.8.2.2
Recommended Action: Update to version 1.8.2.2, or a newer patched version

Plugin: Happy WooCommerce FAQs & AI FAQ Generator (Formerly XPlainer)

Vulnerability: Unspecified in this listing (affects WooCommerce Product FAQ <= 1.6.3)
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: WP Accessibility Helper (WAH)

Vulnerability: Missing Authorization
Patched Version: 0.6.3
Recommended Action: Update to version 0.6.3, or a newer patched version

Plugin: OSM – OpenStreetMap

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.0.4
Recommended Action: Update to version 6.0.4, or a newer patched version

Plugin: Featured Image from URL (FIFU)

Vulnerability: Missing Authorization
Patched Version: 4.8.3
Recommended Action: Update to version 4.8.3, or a newer patched version

Plugin: Social Sharing Plugin – Kiwi

Vulnerability: Information Disclosure
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: One Click Order Re-Order

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: Word Balloon

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.22.0
Recommended Action: Update to version 4.22.0, or a newer patched version

Plugin: Advanced File Manager Shortcodes

Vulnerability: Authenticated (Contributor+) Directory Traversal
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.3.99
Recommended Action: Update to version 3.3.99, or a newer patched version

Plugin: BlossomThemes Email Newsletter

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Link To Bible

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.10
Recommended Action: Update to version 2.5.10, or a newer patched version

Plugin: CopySafe Web Protection

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.15
Recommended Action: Update to version 3.15, or a newer patched version

Plugin: Panda Video

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Ultimate Classified Listings

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Panda Video

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Slideshow SE

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.2.28
Recommended Action: Update to version 2.2.28, or a newer patched version

Plugin: Elementor Addons by Livemesh

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Grid
Patched Version: 8.4
Recommended Action: Update to version 8.4, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Contributor+) Time-Based SQL Injection
Patched Version: 1.5.113
Recommended Action: Update to version 1.5.113, or a newer patched version

Plugin: Advanced Classifieds & Directory Pro

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Get Better Reviews for WooCommerce

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Just Custom Fields

Vulnerability: Cross-Site Request Forgery via AJAX actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Business Card

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: bbPress Notify (No-Spam)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.18.4
Recommended Action: Update to version 2.18.4, or a newer patched version

Plugin: I Recommend This

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.35
Recommended Action: Update to version 4.10.35, or a newer patched version

Plugin: Houzez CRM

Vulnerability: Authenticated (Seller+) SQL Injection
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Blog, Posts and Category Filter for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post and Category Filter Widget
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Simple Post Notes

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: Simple Alert Boxes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Alert Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP

Vulnerability: Authenticated (Contributor+) Arbitrary File Inclusion via Shortcode
Patched Version: 1.3.14
Recommended Action: Update to version 1.3.14, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Authenticated (Subscriber+) Privilege Escalation via User Meta Update
Patched Version: 3.3.99
Recommended Action: Update to version 3.3.99, or a newer patched version

Plugin: Church Admin

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version

Plugin: FileBird Document Library

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

Vulnerability: Missing Authorization via save_block_css
Patched Version: 7.7.5
Recommended Action: Update to version 7.7.5, or a newer patched version

Plugin: Cliengo – Chatbot

Vulnerability: Unspecified in this listing; affects versions <= 3.0.2
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Theme Demo Import

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tagembed: Embed Twitter Feed, Google Reviews, YouTube Videos, TikTok, RSS Feed & More Social Media Feeds

Vulnerability: Missing Authorization
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: Pricing Table

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WpStickyBar – Sticky Bar, Sticky Header

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Photo Gallery Final Tiles Grid

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Gutenberg Forms – WordPress Form Builder Plugin

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Social Share

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Apollo13 Framework Extensions

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version

Plugin: WooCommerce – Social Login

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: CZ Loan Management

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Unspecified in this listing; affects versions <= 3.8.3.4
Patched Version: 3.8.3.5
Recommended Action: Update to version 3.8.3.5, or a newer patched version

Plugin: Product Table by WBW

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Missing Authorization to Unauthorized Donation
Patched Version: 1.8.1.8
Recommended Action: Update to version 1.8.1.8, or a newer patched version

Plugin: Easy Social Like Box – Popup – Sidebar Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: Seraphinite Accelerator Pro

Vulnerability: Cross-Site Request Forgery to Arbitrary File Deletion
Patched Version: 2.21.13.1
Recommended Action: Update to version 2.21.13.1, or a newer patched version

Plugin: User Activity Log Pro

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: IQ Testimonials

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

Vulnerability: Missing Authorization via AJAX
Patched Version: 7.7.5
Recommended Action: Update to version 7.7.5, or a newer patched version

Plugin: Nested Pages

Vulnerability: Cross-Site Request Forgery to Local File Inclusion
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: JetThemeCore for Elementor

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 3.8.5
Recommended Action: Update to version 3.8.5, or a newer patched version

Plugin: Happy WooCommerce FAQs & AI FAQ Generator (Formerly XPlainer)

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Essential Real Estate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: WPUpper Share Buttons

Vulnerability: Missing Authorization
Patched Version: 3.50
Recommended Action: Update to version 3.50, or a newer patched version

Plugin: Openpos – WooCommerce Point Of Sale(POS)

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 7.0.1
Recommended Action: Update to version 7.0.1, or a newer patched version

Plugin: OSM – OpenStreetMap

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 6.0.4
Recommended Action: Update to version 6.0.4, or a newer patched version

Plugin: Simple Job Board

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.12.2
Recommended Action: Update to version 2.12.2, or a newer patched version

Plugin: WordPress Notification Bar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Blocks – Gutenberg Blocks for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.28
Recommended Action: Update to version 2.1.28, or a newer patched version

Plugin: Advanced AJAX Page Loader

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.6.1
Recommended Action: Update to version 8.6.1, or a newer patched version

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: ElementsReady Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: oik

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via bw_button Shortcode
Patched Version: 4.12.0
Recommended Action: Update to version 4.12.0, or a newer patched version

Plugin: ScrollTo Bottom

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Missing Authorization via ajax_license_check()
Patched Version: 1.8.1.8
Recommended Action: Update to version 1.8.1.8, or a newer patched version

Plugin: WS Contact Form

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Gum Elementor Addon

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘email’
Patched Version: 1.5.113
Recommended Action: Update to version 1.5.113, or a newer patched version

Plugin: The Events Calendar

Vulnerability: Cross-Site Request Forgery via action_restore_events
Patched Version: 6.5.1.5
Recommended Action: Update to version 6.5.1.5, or a newer patched version

Plugin: Floating Social Media Links

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ScrollTo Top

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MakeCommerce for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: CC & BCC for Woocommerce Order Emails

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Web Directory Free

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: PayPlus Payment Gateway

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 7.0.8
Recommended Action: Update to version 7.0.8, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Missing Authorization to Unauthenticated Media Upload
Patched Version: 3.11.8
Recommended Action: Update to version 3.11.8, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Missing Authorization via generate_ai_content
Patched Version: 2.13.8
Recommended Action: Update to version 2.13.8, or a newer patched version

Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

Vulnerability: Missing Authorization via REST API
Patched Version: 7.7.5
Recommended Action: Update to version 7.7.5, or a newer patched version

Plugin: Internal Link Juicer: SEO Auto Linker for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.24.4
Recommended Action: Update to version 2.24.4, or a newer patched version

Plugin: Genesis Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Sharing Block Attributes
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Login Logo Editor

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Custom Code (LESS/CSS/JS) – Live editing

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘username’
Patched Version: 1.5.113
Recommended Action: Update to version 1.5.113, or a newer patched version

Plugin: LA-Studio Element Kit for Elementor

Vulnerability: Authenticated (Contributor+) Local File Inclusion via ‘progress_type’
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Send email only on Reply to My Comment

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Openpos – WooCommerce Point Of Sale(POS)

Vulnerability: Missing Authorization to Information Exposure
Patched Version: 7.0.2
Recommended Action: Update to version 7.0.2, or a newer patched version

Plugin: SEO SIMPLE PACK

Vulnerability: Information Exposure
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 9.0.2
Recommended Action: Update to version 9.0.2, or a newer patched version

Plugin: WP Lightbox 2

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 3.0.6.7
Recommended Action: Update to version 3.0.6.7, or a newer patched version
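
Working through a list this long by hand is error-prone, particularly because version strings such as 1.5.99 and 1.5.113, or 3.5 and 3.50, sort differently as text than as versions. The script below is an added example, not part of the original post or of any plugin's code: it compares a plugin inventory against a table transcribed from a handful of the entries above and reports which plugins sit below the patched version and which have no fix available. The inventory is a constructed sample shaped like `wp plugin list --fields=title,version --format=json` output (matching on the plugin title is an assumption; a real check should key on the plugin slug), and the numeric, component-wise comparison agrees with PHP's version_compare(), which WordPress itself uses, for plain dotted version numbers.

```python
"""Check an installed-plugin inventory against this week's advisory list.

Added example, not part of the original post. ADVISORIES is transcribed from
a few of the entries above (None means the post lists "No patched version
available"). INSTALLED_JSON is a constructed sample shaped like
`wp plugin list --fields=title,version --format=json` output; the installed
versions in it are made up for illustration.
"""
import json
import re
from typing import Dict, List, Optional

# Plugin title -> patched version (None = no patched version available).
ADVISORIES: Dict[str, Optional[str]] = {
    "Unlimited Elements For Elementor (Free Widgets, Addons, Templates)": "1.5.113",
    "WPUpper Share Buttons": "3.50",
    "Product Table by WBW": "2.0.2",
    "Gutenberg Forms – WordPress Form Builder Plugin": None,
    "CZ Loan Management": None,
    "Ninja Forms – The Contact Form Builder That Grows With You": "3.8.5",
}

# Constructed sample inventory (not real site data).
INSTALLED_JSON = """[
  {"title": "Unlimited Elements For Elementor (Free Widgets, Addons, Templates)", "version": "1.5.99"},
  {"title": "WPUpper Share Buttons", "version": "3.5"},
  {"title": "Product Table by WBW", "version": "2.0.2"},
  {"title": "Gutenberg Forms – WordPress Form Builder Plugin", "version": "2.2.9"},
  {"title": "Ninja Forms – The Contact Form Builder That Grows With You", "version": "3.8.10"}
]"""


def version_key(version: str) -> List[int]:
    """Numeric components only, so 1.5.99 < 1.5.113 and 3.5 < 3.50.
    Non-numeric suffixes (e.g. '-beta') are ignored."""
    return [int(part) for part in re.findall(r"\d+", version)]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing dotted versions component by component.
    The shorter version is padded with zeros, so 2.0 == 2.0.0."""
    key_a, key_b = version_key(a), version_key(b)
    width = max(len(key_a), len(key_b))
    key_a += [0] * (width - len(key_a))
    key_b += [0] * (width - len(key_b))
    return (key_a > key_b) - (key_a < key_b)


def assess(installed: List[dict], advisories: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each installed plugin named in the advisories to a verdict:
    'update' (below the patched version), 'ok' (at or above it), or
    'no-fix' (the post lists no patched version)."""
    verdicts: Dict[str, str] = {}
    for plugin in installed:
        title = plugin["title"]
        if title not in advisories:
            continue  # not in this week's list
        patched = advisories[title]
        if patched is None:
            verdicts[title] = "no-fix"
        elif compare_versions(plugin["version"], patched) < 0:
            verdicts[title] = "update"
        else:
            verdicts[title] = "ok"
    return verdicts


def report(installed_json: str = INSTALLED_JSON) -> Dict[str, str]:
    """Parse the inventory JSON, print one line per affected plugin and return the verdicts."""
    verdicts = assess(json.loads(installed_json), ADVISORIES)
    for title, verdict in sorted(verdicts.items()):
        print(f"{verdict:7s} {title}")
    return verdicts


if __name__ == "__main__":
    report()
```

To run it against a real site, capture the inventory with `wp plugin list --fields=title,version --format=json` and pass the file contents to report(). An "update" verdict maps to the "Update to version …" actions above; a "no-fix" verdict maps to the entries that recommend reviewing the details and, where the risk is not acceptable, deactivating or removing the plugin.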

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
