Watch Out Wednesday – July 26, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Remove Duplicate Posts

Vulnerability: Missing Authorization to Post Deletion
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: WP-FlyBox

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Clone Menu

Vulnerability: Missing Authorization to Menu Clone
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Donations Made Easy – Smart Donations

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Subscribe to Category

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elastic Email Sender

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: WordPress Language

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Quick Post Duplicator

Vulnerability: Missing Authorization
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Disabler

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Reflected Cross-Site Scripting via ‘data’
Patched Version: 3.6.26
Recommended Action: Update to version 3.6.26, or a newer patched version

Plugin: Quasar form free – Contact Form Builder for WordPress

Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘id’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gestion-Pymes

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.29
Recommended Action: Update to version 3.1.29, or a newer patched version

Plugin: tagDiv Composer

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.12
Recommended Action: Update to version 1.3.12, or a newer patched version

Plugin: wpShopGermany IT-RECHT KANZLEI

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: WP Brutal AI

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.06
Recommended Action: Update to version 2.06, or a newer patched version

Plugin: Simple Author Box

Vulnerability: Authenticated (Contributor+) Insecure Direct Object Reference to Arbitrary User Sensitive Information Exposure
Patched Version: 2.52
Recommended Action: Update to version 2.52, or a newer patched version

Plugin: WordPress Database Administrator

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPML String Translation

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘context’
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: Post Connector

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version

Plugin: Mobile Address Bar Changer

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Oxygen

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: Media Library Categories

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Convert Pro

Vulnerability: Missing Authorization
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: CodeBard's Patron Button and Widgets for Patreon

Vulnerability: Reflected Cross-Site Scripting via ‘site_account’
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: TS Webfonts for さくらのレンタルサーバ

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Client Portal : SuiteDash Direct Login

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: Custom Field For WP Job Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Post List With Featured Image

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Art Decoration Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booster Elementor Addons

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Missing Authorization to Contributor+ Form Submission Export
Patched Version: 3.6.26
Recommended Action: Update to version 3.6.26, or a newer patched version

Plugin: Perelink Pro

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Content Spoofing
Patched Version: 2.9.9.3.5
Recommended Action: Update to version 2.9.9.3.5, or a newer patched version

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1.29
Recommended Action: Update to version 3.1.29, or a newer patched version

Plugin: Custom Field Template

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: WP-EMail

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.69.1
Recommended Action: Update to version 2.69.1, or a newer patched version

Plugin: Integration for WooCommerce and QuickBooks

Vulnerability: Open Redirect via setup_plugin
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Schema Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: TS Webfonts for さくらのレンタルサーバ

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: QR code MeCard/vCard generator

Vulnerability: Missing Authorization via wqm_make_url_permanent
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Post Affiliate Pro

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.25.0
Recommended Action: Update to version 1.25.0, or a newer patched version

Plugin: GTmetrix for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.4.8
Recommended Action: Update to version 0.4.8, or a newer patched version

Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Exifography

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Onepage Builder – Easiest Landing Page Builder For WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Audio Player with Playlist Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: LWS Affiliation

Vulnerability: Unauthenticated Remote/Local File Inclusion
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Taboola

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 20.2
Recommended Action: Update to version 20.2, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: DOM-Based iFrame Injection
Patched Version: 3.5.5
Recommended Action: Update to version 3.5.5, or a newer patched version

Plugin: Simple Googlebot Visit

Vulnerability: Missing Authorization to Settings Update
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: User Activity Log

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Instant CSS

Vulnerability: Missing Authorization via AJAX Actions
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Video Conferencing with Zoom

Vulnerability: Sensitive Information Exposure
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version

Plugin: Post to Google My Business (Google Business Profile)

Vulnerability: Cross-Site Request Forgery to Dismiss Notification
Patched Version: 3.1.15
Recommended Action: Update to version 3.1.15, or a newer patched version

Plugin: The Events Calendar

Vulnerability: Missing Authorization
Patched Version: 6.1.3
Recommended Action: Update to version 6.1.3, or a newer patched version

Plugin: MultiParcels Shipping For WooCommerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.15.6
Recommended Action: Update to version 1.15.6, or a newer patched version

Plugin: Smarty for WordPress

Vulnerability: Cross-Site Request Forgery via displaySmartyManagementPage
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: WP Emoji One

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WpStream – Live Streaming, Video on Demand, Pay Per View

Vulnerability: Cross-Site Request Forgery via wpstream_update_local_event_settings
Patched Version: 4.5.5
Recommended Action: Update to version 4.5.5, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Missing Authorization to Form Submission Export
Patched Version: 3.6.26
Recommended Action: Update to version 3.6.26, or a newer patched version

Plugin: Photo Engine (Media Organizer & Lightroom)

Vulnerability: Authenticated (Author+) Insecure Direct Object Reference in ajax_generate_auth_token
Patched Version: 6.2.6
Recommended Action: Update to version 6.2.6, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Unauthenticated MailChimp API Key Disclosure
Patched Version: 5.8.2
Recommended Action: Update to version 5.8.2, or a newer patched version

Plugin: Google Map Shortcode

Vulnerability: Cross-Site Request Forgery to Plugin Setting Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WRC Pricing Tables – Responsive CSS3 Pricing Tables

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: WP-CopyProtect [Protect your blog posts]

Vulnerability: Cross-Site Request Forgery via CopyProtect_options_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jupiter X Core

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: 4.6.9
Recommended Action: Update to version 4.6.9, or a newer patched version

Plugin: Local Development

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin

Vulnerability: Open Redirect via setup_plugin
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
