Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Event Timeline – Vertical Timeline
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shortcode for Current Date
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: Simple Membership
Vulnerability: Membership Privilege Escalation
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version
Plugin: Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: WSM Downloader
Vulnerability: Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.21.3
Recommended Action: Update to version 2.21.3, or a newer patched version
Plugin: Download Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.49
Recommended Action: Update to version 3.2.49, or a newer patched version
Plugin: Copyright Proof
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YaySMTP – WP SMTP Plugin with Full Email Log & 15+ SMTP Services
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.21.3
Recommended Action: Update to version 2.21.3, or a newer patched version
Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries
Vulnerability: Unauthenticated PHAR Deserialization
Patched Version: 2.9.8.6
Recommended Action: Update to version 2.9.8.6, or a newer patched version
Plugin: Royal Custom CSS for Page and Post
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Private Files – File Upload & Download Manager with Secure File Sharing
Vulnerability: Subscriber+ Arbitrary File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Dynamic Font Replacement DFR4WP EN
Vulnerability: Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Payment Button for PayPal
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.3.8
Recommended Action: Update to version 1.2.3.8, or a newer patched version
Plugin: Keep Backup Daily
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart
Vulnerability: Cross-Site Request Forgery to Settings/Options Update
Patched Version: 6.10.24
Recommended Action: Update to version 6.10.24, or a newer patched version
Plugin: WP Visitor Statistics (Real Time Traffic)
Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.8
Recommended Action: Update to version 5.8, or a newer patched version
Plugin: Flexi Quote Rotator
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Web and WooCommerce Addons for WPBakery Builder
Vulnerability: Missing Authorization Checks
Patched Version: 1.4.4.2
Recommended Action: Update to version 1.4.4.2, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.9.14
Recommended Action: Update to version 2.9.14, or a newer patched version
Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 2.9.8.6
Recommended Action: Update to version 2.9.8.6, or a newer patched version
Plugin: MakeStories (for Google Web Stories)
Vulnerability: Cross-Site Scripting
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version
Plugin: Simple SEO
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.92
Recommended Action: Update to version 1.7.92, or a newer patched version
Plugin: Easy Username Updater
Vulnerability: Cross-Site Request Forgery to Username Change
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: WordPress project source code download
Vulnerability: Unauthenticated Backup Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.14
Recommended Action: Update to version 1.6.14, or a newer patched version
Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: Slide Anything – Responsive Content / HTML Slider and Carousel
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.47
Recommended Action: Update to version 2.3.47, or a newer patched version
Plugin: Microsoft Advertising Universal Event Tracking (UET)
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site
Vulnerability: SQL Injection
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart
Vulnerability: Insufficient Access Control on Multiple AJAX Actions
Patched Version: 6.10.23
Recommended Action: Update to version 6.10.23, or a newer patched version
Plugin: YaySMTP – WP SMTP Plugin with Full Email Log & 15+ SMTP Services
Vulnerability: Sensitive Information Disclosure
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Social Share Buttons by Supsystic
Vulnerability: SQL Injection
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
Plugin: Progressive License
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Flexi Quote Rotator
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WSM Downloader
Vulnerability: Domain Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YOP Poll
Vulnerability: IP Spoofing via X-Forwarded-For header
Patched Version: 6.4.3
Recommended Action: Update to version 6.4.3, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.