Watch Out Wednesday – July 20, 2022

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Insert Special Characters

Vulnerability: Improper Input Validation
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Google Maps Anywhere

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Crowdsignal Dashboard – Polls, Surveys & more

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Melapress File Monitor

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Transposh WordPress Translation

Vulnerability: Unauthorized Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit

Vulnerability: Missing Authorization
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Web en Mantenimiento

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form DB – Elementor

Vulnerability: Elementor <= 1.7
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Auto More Tag

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Post Manager

Vulnerability: PHP Object Injection
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: Homepage Product Organizer for WooCommerce

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comments Extra Fields For Post,Pages and CPT

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: Broken Link Checker

Vulnerability: Authenticated (Admin+) PHAR Deserialization
Patched Version: 1.11.17
Recommended Action: Update to version 1.11.17, or a newer patched version

Plugin: WP-UserOnline

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.88.0
Recommended Action: Update to version 2.88.0, or a newer patched version

Plugin: MultiSafepay plugin for WooCommerce

Vulnerability: Arbitrary File Read
Patched Version: 4.16.0
Recommended Action: Update to version 4.16.0, or a newer patched version

Plugin: WP OAuth2 Server

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: mTouch Quiz

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: WPDating

Vulnerability: SQL Injection
Patched Version: 7.4.1
Recommended Action: Update to version 7.4.1, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Administrator+ Stored Cross-Site Scripting
Patched Version: 3.3.17
Recommended Action: Update to version 3.3.17, or a newer patched version

Plugin: Thinkific Uploader

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP DS Blog Map

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 7.2.3
Recommended Action: Update to version 7.2.3, or a newer patched version

Plugin: Name Directory

Vulnerability: Unauthorized Settings Update
Patched Version: 1.25.5
Recommended Action: Update to version 1.25.5, or a newer patched version

Plugin: YaySMTP – WP SMTP Plugin with Full Email Log & 15+ SMTP Services

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: YaySMTP – WP SMTP Plugin with Full Email Log & 15+ SMTP Services

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Transposh WordPress Translation

Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Chat – Click To Chat App Button

Vulnerability: Administrator+ Stored Cross-Site Scripting
Patched Version: 6.0.5
Recommended Action: Update to version 6.0.5, or a newer patched version

Plugin: DW Promobar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better Tag Cloud

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Student Results

Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Publisher Media Kit

Vulnerability: Regular Expression Denial of Service
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Rough Chart

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Student Results

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Custom Fields (ACF)

Vulnerability: File Upload
Patched Version: 5.12.3
Recommended Action: Update to version 5.12.3, or a newer patched version

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: SQL Injection
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: E Unlocked – Student Result

Vulnerability: Student Result <= 1.0.4
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Retro Winamp Block

Vulnerability: Denial of Service
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Username Enumeration
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Autoptimize

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Critical CSS Settings
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
