Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins so that you can assess your exposure and act on it. For each entry below, compare the version installed on your site with the patched version listed: if yours is older, update; if no patch exists, weigh the risk of keeping the plugin against removing it. Addressing these vulnerabilities promptly reduces the risk to your WordPress site and its data.
Plugin: Social Tape
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Feeds for YouTube (YouTube video, channel, and gallery plugin)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.11.8
Recommended Action: Update to version 1.11.8, or a newer patched version
Plugin: WordPress Photo Gallery – Image Gallery
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: My Site Audit
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: HM Multiple Roles
Vulnerability: Privilege Escalation via Arbitrary Role Change
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: SQL Injection
Patched Version: 3.2.6.8
Recommended Action: Update to version 3.2.6.8, or a newer patched version
Plugin: Wonder PDF Embed
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: File Upload Path Traversal
Patched Version: 1.5.75
Recommended Action: Update to version 1.5.75, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.13.60
Recommended Action: Update to version 1.13.60, or a newer patched version
Plugin: YouTube Embed
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version
Plugin: Mimetic Books
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Translate WordPress – Google Language Translator
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 6.0.10
Recommended Action: Update to version 6.0.10, or a newer patched version
Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Vulnerability: Admin Access via Password Reset
Patched Version: 3.4.9
Recommended Action: Update to version 3.4.9, or a newer patched version
Plugin: తెలుగు బైబిల్ వచనములు (Telugu Bible Verses)
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: KN Fix Your Title
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Not specified in this listing
Patched Version: 7.8.8
Recommended Action: Update to version 7.8.8, or a newer patched version
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version
Plugin: VDZ VERIFICATION (Custom Meta Tags)
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: RestroPress – Online Food Ordering System
Vulnerability: Cross-Site Request Forgery to Cart Manipulation
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Stored Cross-Site Scripting via Uploaded SVG
Patched Version: 1.5.75
Recommended Action: Update to version 1.5.75, or a newer patched version
Plugin: Webcam Microphone Screen Recorder HTML5
Vulnerability: Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: VikRentCar Car Rental Management System
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version
Plugin: Giveaway
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Stored Cross-Site Scripting via Uploaded SVG
Patched Version: 1.5.79
Recommended Action: Update to version 1.5.79, or a newer patched version. The same issue is listed above with patched version 1.5.75; updating to 1.5.79 or newer satisfies both entries.
Plugin: Custom Login Redirect
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Verse-O-Matic
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wonder Video Embed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: PhoneTrack Meu Site Manager
Vulnerability: Cross-Site Scripting
Patched Version: 0.1.1
Recommended Action: Update to version 0.1.1, or a newer patched version
Plugin: Shantz WordPress QOTD
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.14.12
Recommended Action: Update to version 1.14.12, or a newer patched version
Plugin: Light Messages
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP SEO TDK
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RestroPress – Online Food Ordering System
Vulnerability: Missing Authorization
Patched Version: 2.8.3.1
Recommended Action: Update to version 2.8.3.1, or a newer patched version
Plugin: Current Book
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
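Working through a list like this by hand is error-prone, particularly for version strings such as 1.5.8 versus 1.5.75, where a plain string comparison gives the wrong answer. The script below is an added example, not code from the original post or from any of the plugin vendors listed. It takes the plugin inventory that WP-CLI prints with `wp plugin list --fields=title,version --format=json` (the sample output embedded here is constructed, and its installed versions are made up) and reports which installed plugins are below the patched version, or have no patch at all. The advisory table is keyed by the display title exactly as it appears in the entries above; matching on the `title` field is an assumption made for the example.

```python
"""Triage installed WordPress plugins against an advisory list.

Added example, not part of the original post. Assumes a plugin inventory
exported with `wp plugin list --fields=title,version --format=json`; the
sample below is constructed and its installed versions are made up.
"""
import json
import re

# Advisory entries copied from the digest above: display title ->
# (vulnerability, patched version). None means no fix has been released.
# Where a plugin appears twice, the higher patched version is recorded.
ADVISORIES = {
    "Social Tape": ("Cross-Site Request Forgery to Stored Cross-Site Scripting", None),
    "Elementor Addon Elements": ("Cross-Site Request Forgery", "1.11.8"),
    "LearnPress – WordPress LMS Plugin": ("SQL Injection", "3.2.6.8"),
    "Photo Gallery by 10Web – Mobile-Friendly Image Gallery":
        ("Stored Cross-Site Scripting via Uploaded SVG", "1.5.79"),
    "HM Multiple Roles": ("Privilege Escalation via Arbitrary Role Change", "1.3"),
}

# Constructed stand-in for WP-CLI output; the versions are invented.
SAMPLE_INVENTORY = json.dumps([
    {"title": "Social Tape", "version": "1.0"},
    {"title": "Elementor Addon Elements", "version": "1.11.8"},
    {"title": "LearnPress – WordPress LMS Plugin", "version": "3.2.6.7"},
    {"title": "Photo Gallery by 10Web – Mobile-Friendly Image Gallery", "version": "1.5.8"},
    {"title": "HM Multiple Roles", "version": "1.3.0"},
    {"title": "Akismet Anti-Spam", "version": "5.1"},
])


def parse_version(version: str) -> tuple:
    """Turn '1.5.75' into (1, 5, 75) so components compare numerically.

    A string compare would rank '1.5.8' above '1.5.75'; tuples of ints do not.
    Only the leading dotted-numeric part is used, so a suffix such as '-beta'
    is ignored, and trailing zeros are dropped so 1.3.0 equals 1.3.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(installed: str, patched) -> bool:
    """An entry with no patched version is affected at every installed version;
    otherwise anything older than the patched version is affected."""
    if patched is None:
        return True
    return parse_version(installed) < parse_version(patched)


def triage(inventory_json: str, advisories=ADVISORIES) -> list:
    """Return one finding per installed plugin that the advisory list affects."""
    findings = []
    for plugin in json.loads(inventory_json):
        entry = advisories.get(plugin["title"])
        if entry is None:
            continue  # not in this week's list
        vuln, patched = entry
        if not is_vulnerable(plugin["version"], patched):
            continue  # already at or beyond the patched version
        findings.append({
            "plugin": plugin["title"],
            "installed": plugin["version"],
            "vulnerability": vuln,
            "action": (f"update to {patched} or newer" if patched
                       else "no patch: mitigate or uninstall"),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['plugin']} {f['installed']}: {f['vulnerability']}; {f['action']}")
```

Two caveats for real use. Matching on the display title is brittle because vendors rename plugins; matching on the plugin slug (the `name` field in WP-CLI output) is more reliable once you know the slugs. And a version at or above the patched version is treated as safe, which is what "or a newer patched version" means, but it is still worth confirming that a later release did not reintroduce the issue, as the two Photo Gallery entries above suggest can happen.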
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.