Watch Out Wednesday – July 28, 2021

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Broken Link Manager

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HD Quiz

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: Easy Testimonial Manager

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.6.51
Recommended Action: Update to version 1.6.51, or a newer patched version

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: No subtitle
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version

Plugin: Timeline Calendar

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Post

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin Custom Login

Vulnerability: No subtitle
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: Contact Form 7 Captcha

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.0.9
Recommended Action: Update to version 0.0.9, or a newer patched version

Plugin: Email Subscriber

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Shipment Tracking for WooCommerce

Vulnerability: Authenticated WordPress Options Change
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: Comment Highlighter

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version

Plugin: Post Index

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slider Hero with Video Background, Animation

Vulnerability: SQL Injection
Patched Version: 8.2.7
Recommended Action: Update to version 8.2.7, or a newer patched version

Plugin: SEO Backlinks

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Blue Admin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Social Media Share Buttons – Social Sharing for Everyone

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: SendGrid

Vulnerability: Authorization Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AceIDE

Vulnerability: Authenticated (Admin+) Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Authenticated Insecure Direct Object References (IDOR)
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.4.13
Recommended Action: Update to version 5.4.13, or a newer patched version

Plugin: Side Menu Lite – add sticky fixed buttons

Vulnerability: Not specified (affects versions < 2.2.6)
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Cashtomer

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Edit Comments

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Membership SwiftCloud.io

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Translate WordPress – Google Language Translator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.10
Recommended Action: Update to version 6.0.10, or a newer patched version

Plugin: Project Status

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: M-vSlider

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPFront Scroll Top

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Favicon by RealFaviconGenerator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.21
Recommended Action: Update to version 1.3.21, or a newer patched version

Plugin: Qyrr – simply and modern QR-Code creation

Vulnerability: Cross-Site Scripting
Patched Version: 0.8
Recommended Action: Update to version 0.8, or a newer patched version

Plugin: Paytm – Donation Plugin

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.10.4
Recommended Action: Update to version 2.10.4, or a newer patched version

Plugin: Maintenance

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.03
Recommended Action: Update to version 4.03, or a newer patched version

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Authenticated Local File Inclusion
Patched Version: 1.3.7.1
Recommended Action: Update to version 1.3.7.1, or a newer patched version

Plugin: Embed Youtube Video

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Translate WordPress with GTranslate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.65
Recommended Action: Update to version 2.8.65, or a newer patched version

Plugin: Edit Comments

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Grid Gallery – Photo Image Grid Gallery

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Diary & Availability Calendar

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NewsPlugin

Vulnerability: No subtitle
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.6.51
Recommended Action: Update to version 1.6.51, or a newer patched version

Plugin: Simple Events Calendar

Vulnerability: Authenticated SQL Injection
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.