Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Broken Link Manager
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HD Quiz
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version
Plugin: Easy Testimonial Manager
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.6.51
Recommended Action: Update to version 1.6.51, or a newer patched version
Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Vulnerability: No subtitle
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version
Plugin: Timeline Calendar
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Post
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Admin Custom Login
Vulnerability: No subtitle
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version
Plugin: Contact Form 7 Captcha
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.0.9
Recommended Action: Update to version 0.0.9, or a newer patched version
Plugin: Email Subscriber
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Shipment Tracking for WooCommerce
Vulnerability: Authenticated WordPress Options Change
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version
Plugin: Comment Highlighter
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version
Plugin: Post Index
Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Slider Hero with Video Background, Animation
Vulnerability: SQL Injection
Patched Version: 8.2.7
Recommended Action: Update to version 8.2.7, or a newer patched version
Plugin: SEO Backlinks
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Blue Admin
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Social Media Share Buttons – Social Sharing for Everyone
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version
Plugin: SendGrid
Vulnerability: Authorization Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AceIDE
Vulnerability: Authenticated (Admin+) Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Directory Listings WordPress plugin – uListing
Vulnerability: Authenticated Insecure Direct Object References (IDOR)
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: Directory Listings WordPress plugin – uListing
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.4.13
Recommended Action: Update to version 5.4.13, or a newer patched version
Plugin: Side Menu Lite – add sticky fixed buttons
Vulnerability: add sticky fixed buttons < 2.2.6
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version
Plugin: Cashtomer
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Edit Comments
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Membership SwiftCloud.io
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Translate WordPress – Google Language Translator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.10
Recommended Action: Update to version 6.0.10, or a newer patched version
Plugin: Project Status
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: M-vSlider
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPFront Scroll Top
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: Favicon by RealFaviconGenerator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.21
Recommended Action: Update to version 1.3.21, or a newer patched version
Plugin: Qyrr – simply and modern QR-Code creation
Vulnerability: Cross-Site Scripting
Patched Version: 0.8
Recommended Action: Update to version 0.8, or a newer patched version
Plugin: Paytm – Donation Plugin
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.10.4
Recommended Action: Update to version 2.10.4, or a newer patched version
Plugin: Maintenance
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.03
Recommended Action: Update to version 4.03, or a newer patched version
Plugin: FOX – Currency Switcher Professional for WooCommerce
Vulnerability: Authenticated Local File Inclusion
Patched Version: 1.3.7.1
Recommended Action: Update to version 1.3.7.1, or a newer patched version
Plugin: Embed Youtube Video
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Translate WordPress with GTranslate
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.65
Recommended Action: Update to version 2.8.65, or a newer patched version
Plugin: Edit Comments
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Grid Gallery – Photo Image Grid Gallery
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Diary & Availability Calendar
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NewsPlugin
Vulnerability: No subtitle
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.6.51
Recommended Action: Update to version 1.6.51, or a newer patched version
Plugin: Simple Events Calendar
Vulnerability: Authenticated SQL Injection
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.