Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins so that you can check whether your site runs an affected version and act on it. Each entry gives the plugin's display name as shown in the plugin directory, the vulnerability class, the first patched version (if any), and the recommended action. When triaging the list, prioritize by who can trigger the flaw: entries marked Unauthenticated, Subscriber+ or Contributor+ are reachable by anyone who can visit the site or register an account, while Administrator+ entries require an account that already controls the site and mainly matter on multisite installs or where the unfiltered_html capability has been removed from administrators. Where no patched version is available, deactivating the plugin is not always enough, because a flaw in a directly requested PHP file remains reachable while the files stay on disk; delete the plugin directory and replace the plugin.
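Before working down the list, it helps to match it mechanically against what is installed. The script below is an added example and is not code from this page or from any plugin it names: it parses entries written in the roundup's own "Plugin / Vulnerability / Patched Version" layout and reports installed plugins that sit below the patched version, or that have no patch at all. It assumes installed-plugin records in the shape of `wp plugin list --fields=name,title,version --format=json` (the three records here are constructed sample data), matches on display title because the roundup lists titles rather than slugs, and requires the mbstring extension.

```php
<?php
declare(strict_types=1);

// Added example, not code from the roundup or from any listed plugin.
// Assumptions: $installed mirrors `wp plugin list --fields=name,title,version
// --format=json`; titles match after case-folding and stripping punctuation;
// mbstring is available for mb_strtolower().

/** Parse roundup text into records: plugin title, vulnerability, patched version (null = no patch). */
function parse_roundup(string $text): array
{
    $entries = [];
    $current = null;
    foreach (preg_split('/\R/u', $text) as $line) {
        $line = trim($line);
        if (preg_match('/^Plugin:\s*(.+)$/u', $line, $m)) {
            if ($current !== null) {
                $entries[] = $current;
            }
            $current = ['plugin' => $m[1], 'vulnerability' => '', 'patched' => null];
        } elseif ($current !== null && preg_match('/^Vulnerability:\s*(.+)$/u', $line, $m)) {
            $current['vulnerability'] = $m[1];
        } elseif ($current !== null && preg_match('/^Patched Version:\s*(.+)$/u', $line, $m)) {
            // "No patched version available" stays null: every installed version counts as affected.
            $current['patched'] = preg_match('/^\d/', $m[1]) ? $m[1] : null;
        }
    }
    if ($current !== null) {
        $entries[] = $current;
    }
    return $entries;
}

/** Normalise a plugin title for matching: case-folded, letters and digits only. */
function normalise_title(string $title): string
{
    return preg_replace('/[^\p{L}\p{N}]+/u', '', mb_strtolower($title));
}

/**
 * One finding per (installed plugin, advisory) pair where the installed version is
 * below the patched version or no patch exists. version_compare() is the comparison
 * WordPress itself uses for updates, so "2.06" equals "2.6" and "1.3.12" is newer than "1.3.2".
 */
function find_affected(array $installed, array $advisories): array
{
    $findings = [];
    foreach ($installed as $plugin) {
        $key = normalise_title($plugin['title']);
        foreach ($advisories as $adv) {
            if (normalise_title($adv['plugin']) !== $key) {
                continue;
            }
            $noPatch = $adv['patched'] === null;
            if ($noPatch || version_compare($plugin['version'], $adv['patched'], '<')) {
                $findings[] = [
                    'plugin'        => $plugin['name'],
                    'installed'     => $plugin['version'],
                    'vulnerability' => $adv['vulnerability'],
                    'action'        => $noPatch ? 'no patch: mitigate or remove' : 'update to ' . $adv['patched'],
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample input: three entries copied from this roundup.
$roundup = <<<'TXT'
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Reflected Cross-Site Scripting via ‘data’
Patched Version: 3.6.26
Plugin: WP-FlyBox
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Plugin: User Activity Log
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.6.5
TXT;

// Constructed sample, shaped like `wp plugin list --fields=name,title,version --format=json`.
$installed = [
    ['name' => 'ninja-forms',       'title' => 'Ninja Forms – The Contact Form Builder That Grows With You', 'version' => '3.6.25'],
    ['name' => 'wp-flybox',         'title' => 'WP-FlyBox',         'version' => '1.0'],
    ['name' => 'user-activity-log', 'title' => 'User Activity Log', 'version' => '1.6.5'],
];

foreach (find_affected($installed, parse_roundup($roundup)) as $f) {
    printf("%-18s %-8s %-45s %s\n", $f['plugin'], $f['installed'], $f['vulnerability'], $f['action']);
}
```

Run with `php check.php`. With the constructed data, ninja-forms (3.6.25 is below 3.6.26) and wp-flybox (no patch exists) are reported; user-activity-log is already at the patched version and is not. To use it for real, paste the week's entries into the text block and replace `$installed` with the decoded output of `wp plugin list`. Matching on titles is the weak point of this approach: a renamed plugin or a title that differs between the roundup and the plugin header will be missed, so treat a clean run as a prompt to review the list by hand, not as proof of safety.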
Plugin: Remove Duplicate Posts
Vulnerability: Missing Authorization to Post Deletion
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: WP-FlyBox
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Clone Menu
Vulnerability: Missing Authorization to Menu Clone
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Donations Made Easy – Smart Donations
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Subscribe to Category
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elastic Email Sender
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: WordPress Language
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Quick Post Duplicator
Vulnerability: Missing Authorization
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Disabler
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Reflected Cross-Site Scripting via ‘data’
Patched Version: 3.6.26
Recommended Action: Update to version 3.6.26, or a newer patched version
Plugin: Quasar form free – Contact Form Builder for WordPress
Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘id’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gestion-Pymes
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Addons for Contact Form 7
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.29
Recommended Action: Update to version 3.1.29, or a newer patched version
Plugin: tagDiv Composer
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.12
Recommended Action: Update to version 1.3.12, or a newer patched version
Plugin: wpShopGermany IT-RECHT KANZLEI
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: WP Brutal AI
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.06
Recommended Action: Update to version 2.06, or a newer patched version
Plugin: Simple Author Box
Vulnerability: Authenticated (Contributor+) Insecure Direct Object Reference to Arbitrary User Sensitive Information Exposure
Patched Version: 2.52
Recommended Action: Update to version 2.52, or a newer patched version
Plugin: WordPress Database Administrator
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPML String Translation
Vulnerability: Authenticated (Administrator+) SQL Injection via ‘context’
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version
Plugin: Post Connector
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version
Plugin: Mobile Address Bar Changer
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Oxygen
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Media Library Categories
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Convert Pro
Vulnerability: Missing Authorization
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: CodeBard's Patron Button and Widgets for Patreon
Vulnerability: Reflected Cross-Site Scripting via ‘site_account’
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: TS Webfonts for さくらのレンタルサーバ
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: Client Portal : SuiteDash Direct Login
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: Custom Field For WP Job Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Post List With Featured Image
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Art Decoration Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booster Elementor Addons
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Missing Authorization to Contributor+ Form Submission Export
Patched Version: 3.6.26
Recommended Action: Update to version 3.6.26, or a newer patched version
Plugin: Perelink Pro
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
Vulnerability: Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version
Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin
Vulnerability: Content Spoofing
Patched Version: 2.9.9.3.5
Recommended Action: Update to version 2.9.9.3.5, or a newer patched version
Plugin: Ultimate Addons for Contact Form 7
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.29
Recommended Action: Update to version 3.1.29, or a newer patched version
Plugin: Custom Field Template
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: WP-EMail
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.69.1
Recommended Action: Update to version 2.69.1, or a newer patched version
Plugin: Integration for WooCommerce and QuickBooks
Vulnerability: Open Redirect via setup_plugin
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Schema Pro
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version
Plugin: TS Webfonts for さくらのレンタルサーバ
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version
Plugin: QR code MeCard/vCard generator
Vulnerability: Missing Authorization via wqm_make_url_permanent
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Post Affiliate Pro
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.25.0
Recommended Action: Update to version 1.25.0, or a newer patched version
Plugin: GTmetrix for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.4.8
Recommended Action: Update to version 0.4.8, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Exifography
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Onepage Builder – Easiest Landing Page Builder For WordPress
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Audio Player with Playlist Ultimate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: LWS Affiliation
Vulnerability: Unauthenticated Remote/Local File Inclusion
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Taboola
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 20.2
Recommended Action: Update to version 20.2, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: DOM-Based iFrame Injection
Patched Version: 3.5.5
Recommended Action: Update to version 3.5.5, or a newer patched version
Plugin: Simple Googlebot Visit
Vulnerability: Missing Authorization to Settings Update
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: User Activity Log
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: Instant CSS
Vulnerability: Missing Authorization via AJAX Actions
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Video Conferencing with Zoom
Vulnerability: Sensitive Information Exposure
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version
Plugin: Post to Google My Business (Google Business Profile)
Vulnerability: Cross-Site Request Forgery to Dismiss Notification
Patched Version: 3.1.15
Recommended Action: Update to version 3.1.15, or a newer patched version
Plugin: The Events Calendar
Vulnerability: Missing Authorization
Patched Version: 6.1.3
Recommended Action: Update to version 6.1.3, or a newer patched version
Plugin: MultiParcels Shipping For WooCommerce
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.15.6
Recommended Action: Update to version 1.15.6, or a newer patched version
Plugin: Smarty for WordPress
Vulnerability: Cross-Site Request Forgery via displaySmartyManagementPage
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version
Plugin: WP Emoji One
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WpStream – Live Streaming, Video on Demand, Pay Per View
Vulnerability: Cross-Site Request Forgery via wpstream_update_local_event_settings
Patched Version: 4.5.5
Recommended Action: Update to version 4.5.5, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Missing Authorization to Form Submission Export
Patched Version: 3.6.26
Recommended Action: Update to version 3.6.26, or a newer patched version
Plugin: Photo Engine (Media Organizer & Lightroom)
Vulnerability: Authenticated (Author+) Insecure Direct Object Reference in ajax_generate_auth_token
Patched Version: 6.2.6
Recommended Action: Update to version 6.2.6, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Unauthenticated MailChimp API Key Disclosure
Patched Version: 5.8.2
Recommended Action: Update to version 5.8.2, or a newer patched version
Plugin: Google Map Shortcode
Vulnerability: Cross-Site Request Forgery to Plugin Setting Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WRC Pricing Tables – Responsive CSS3 Pricing Tables
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version
Plugin: WP-CopyProtect [Protect your blog posts]
Vulnerability: Cross-Site Request Forgery via CopyProtect_options_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Jupiter X Core
Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: 4.6.9
Recommended Action: Update to version 4.6.9, or a newer patched version
Plugin: Local Development
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin
Vulnerability: Open Redirect via setup_plugin
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
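A large share of this week's entries are "Missing Authorization" and "Cross-Site Request Forgery to Settings Update", including several reached through AJAX actions. Both classes almost always come from the same shape of code: a state-changing handler that checks neither who is calling nor whether the request was intentionally sent. The snippet below is an added illustration, not code from any plugin listed above; the plugin name, the `xyz_` prefix, the action name and the option keys are hypothetical. It shows the handler as it is typically found, then the hardened form with the three checks a reviewer looks for.

```php
<?php
/*
Plugin Name: XYZ Settings Handler (added illustration, hypothetical plugin)
*/
// Added example for this roundup, not code from any plugin it lists.
// Drop into wp-content/plugins/ to load; all WordPress functions used are core APIs.

// BEFORE: the pattern behind most "Missing Authorization" and "CSRF to Settings
// Update" entries. wp_ajax_ exposes it to every logged-in user, wp_ajax_nopriv_ to
// anonymous visitors, and nothing checks capability or nonce. A subscriber can call
// it directly (missing authorization); a crafted page can make an administrator's
// browser submit it (CSRF).
add_action('wp_ajax_xyz_save_settings_vuln', 'xyz_save_settings_vulnerable');
add_action('wp_ajax_nopriv_xyz_save_settings_vuln', 'xyz_save_settings_vulnerable');
function xyz_save_settings_vulnerable(): void
{
    update_option('xyz_options', $_POST['options'] ?? []); // unauthorised and unvalidated
    wp_send_json_success();
}

// AFTER: no nopriv registration, because anonymous users never change settings.
add_action('wp_ajax_xyz_save_settings', 'xyz_save_settings_hardened');
function xyz_save_settings_hardened(): void
{
    // 1. Authorization: the question is "may this user change plugin settings?",
    //    not "is this user logged in?". manage_options is the usual capability.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 2. CSRF: the request must carry a nonce minted for this action and this user.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer('xyz_save_settings', '_wpnonce');

    // 3. Input validation: accept only the keys you expect, each with typed sanitisation,
    //    rather than storing whatever array the client sent.
    $raw   = isset($_POST['options']) && is_array($_POST['options']) ? wp_unslash($_POST['options']) : [];
    $clean = [
        'enabled'  => !empty($raw['enabled']),
        'endpoint' => esc_url_raw($raw['endpoint'] ?? ''),
        'label'    => sanitize_text_field($raw['label'] ?? ''),
    ];
    update_option('xyz_options', $clean);
    wp_send_json_success($clean);
}

// The settings form must emit the nonce the handler verifies. The JavaScript that
// posts the form sends it as the _wpnonce field alongside action=xyz_save_settings.
function xyz_render_settings_form(): void
{
    echo '<form id="xyz-settings">';
    wp_nonce_field('xyz_save_settings', '_wpnonce');
    echo '<input type="checkbox" name="options[enabled]" value="1">';
    echo '<input type="url" name="options[endpoint]">';
    echo '<input type="text" name="options[label]">';
    echo '<button type="submit">Save</button></form>';
}
```

The order of checks is deliberate: the capability check fails closed for the wrong user before any nonce is examined, and the nonce check stops a forged request from a legitimate administrator before any input is touched. Settings pages built on `register_setting()` and `options.php` get the nonce check for free, but still need a `sanitize_callback`, which is the same validation step as number 3 above. When you review a plugin flagged above with no patch available, searching its source for `wp_ajax_nopriv_`, `admin_post_nopriv_`, and `update_option` calls that are not preceded by `current_user_can()` and a nonce check is the fastest way to judge how exposed you are.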
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.