Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. Use this list to check which of the plugins you run are affected, and patch or remove them promptly: once a fix is public, the flaw it addresses is usually public too, and unpatched installs are what automated scanners look for.
Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)
Vulnerability: Authentication Bypass
Patched Version: 7.6.5
Recommended Action: Update to version 7.6.5, or a newer patched version
Plugin: WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder
Vulnerability: Privilege Escalation
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: Auto Location for WP Job Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: Trustprofile and reviews for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.25
Recommended Action: Update to version 3.25, or a newer patched version
Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: wpForo Forum
Vulnerability: Reflected Cross-Site Scripting via ‘wpforo_debug’
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 4.68
Recommended Action: Update to version 4.68, or a newer patched version
Plugin: WPGraphQL
Vulnerability: Authenticated (Editor+) Server-Side Request Forgery
Patched Version: 1.14.6
Recommended Action: Update to version 1.14.6, or a newer patched version
Plugin: Form Builder | Create Responsive Contact Forms
Vulnerability: Unauthenticated CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Privilege Escalation via Arbitrary User Meta Updates
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version
Plugin: WP-Cirrus
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sublanguage
Vulnerability: Missing Authorization
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version
Plugin: WP Social AutoConnect
Vulnerability: Cross-Site Request Forgery via jfb_admin_page
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version
Plugin: All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Masteriyo LMS – eLearning and Online Course Builder for WordPress
Vulnerability: Unspecified in this listing (affected versions <= 1.6.7)
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version
Plugin: Header Footer Code Manager
Vulnerability: Cross-Site Request Forgery via process_bulk_action
Patched Version: 1.1.35
Recommended Action: Update to version 1.1.35, or a newer patched version
Plugin: Easy Accordion FAQ and Knowledge Base Software for WordPress
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version
Plugin: Side Cart Woocommerce | Woocommerce Cart
Vulnerability: Unspecified in this listing
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change
Patched Version: 4.68
Recommended Action: Update to version 4.68, or a newer patched version
Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests
Vulnerability: Missing Authorization via AJAX actions
Patched Version: 2.46.1
Recommended Action: Update to version 2.46.1, or a newer patched version
Plugin: Enhanced Text Widget
Vulnerability: Missing Authorization
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version
Plugin: Post to CSV by BestWebSoft
Vulnerability: Authenticated (Author+) CSV Injection
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: WPFactory Helper
Vulnerability: Reflected Cross-Site Scripting via item_slug
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Reservation.Studio widget
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version
Plugin: Baidu Tongji generator
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Short URL
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: WP Content Copy Protection & No Right Click
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.5.6
Recommended Action: Update to version 3.5.6, or a newer patched version
Plugin: Request a Quote
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.11
Recommended Action: Update to version 2.3.11, or a newer patched version
Plugin: Zippy
Vulnerability: Authenticated (Author+) PHP Object Injection via unzipPosts
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version
Plugin: My Content Management
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: WebwinkelKeur: Webshop keurmerk & reviews for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.25
Recommended Action: Update to version 3.25, or a newer patched version
Plugin: Mobile Call Now & Map Buttons
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Short URL
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 3.0.2.1
Recommended Action: Update to version 3.0.2.1, or a newer patched version
Plugin: LiquidPoll – Polls, Surveys, NPS and Feedback Reviews
Vulnerability: Missing Authorization via activate_addon
Patched Version: 3.3.69
Recommended Action: Update to version 3.3.69, or a newer patched version
Plugin: WCP OpenWeather
Vulnerability: Reflected Cross-Site Scripting via ‘tab’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP RSS Images
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image Regenerate & Select Crop
Vulnerability: Missing Authorization on multiple AJAX actions
Patched Version: 7.2.0
Recommended Action: Update to version 7.2.0, or a newer patched version
Plugin: Simple Site Verify
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: Menubar
Vulnerability: Cross-Site Request Forgery in wpm-admin.php
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version
Plugin: Image Regenerate & Select Crop
Vulnerability: Missing Authorization
Patched Version: 7.2.0
Recommended Action: Update to version 7.2.0, or a newer patched version
Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Authenticated (Subscriber+) LDAP Injection
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: Kingkong Board
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cryptocurrency Widgets – Price Ticker & Coins List
Vulnerability: Missing Authorization
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: Web3 – Crypto wallet Login & NFT token gating
Vulnerability: Authentication Bypass
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.68
Recommended Action: Update to version 4.68, or a newer patched version
Plugin: Image Regenerate & Select Crop
Vulnerability: Cross-Site Request Forgery on multiple AJAX actions
Patched Version: 7.2.0
Recommended Action: Update to version 7.2.0, or a newer patched version
Plugin: Animated Number Counters
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Missing Authorization
Patched Version: 4.2.3.1
Recommended Action: Update to version 4.2.3.1, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Missing Authorization to Information Exposure
Patched Version: 4.2.3.1
Recommended Action: Update to version 4.2.3.1, or a newer patched version
Plugin: Layer Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SrbTransLatin – Serbian Latinisation
Vulnerability: Stored/Reflected Cross-Site Scripting via Third Party Library
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
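Checking a site against a list like this by eye is error-prone, especially for four-component versions such as 4.2.3.1 where a naive string comparison gets the answer wrong. The script below is an added example, not code from this post or from any of the plugins listed; it takes an inventory in the shape that `wp plugin list --format=json` produces and reports every installed plugin that is still below its patched version, or that has no patch at all. The plugin slugs and the inventory are constructed for illustration and are assumptions; confirm a plugin's real slug from its directory name under wp-content/plugins/ before relying on the mapping.

```python
"""Triage an installed-plugin inventory against the patched versions in an advisory list."""
import re
from itertools import zip_longest

# Constructed sample of the advisory list above: plugin slug -> patched version,
# or None when no patch is available. The slugs are assumptions for illustration.
ADVISORIES = {
    "wpforo": "2.1.9",
    "learnpress": "4.2.3.1",
    "sp-client-document-manager": "4.68",
    "ultimate-member": "2.6.7",
    "user-registration": "3.0.2.1",
    "wp-cirrus": None,
}

# Constructed inventory in the shape `wp plugin list --format=json` emits
# (only the fields used here are shown).
INSTALLED = [
    {"name": "wpforo", "status": "active", "version": "2.1.8"},
    {"name": "learnpress", "status": "active", "version": "4.2.3"},
    {"name": "sp-client-document-manager", "status": "inactive", "version": "4.68"},
    {"name": "ultimate-member", "status": "active", "version": "2.7.0"},
    {"name": "user-registration", "status": "active", "version": "3.0.2"},
    {"name": "wp-cirrus", "status": "active", "version": "0.6.0"},
]


def version_tuple(version):
    """Split a dotted version into integer components: '4.2.3.1' -> (4, 2, 3, 1).
    Only the leading digits of each component are used, so a suffix such as
    '-beta' is ignored (a pre-release compares equal to its base version;
    treat such installs as unpatched if in doubt)."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_older(installed, patched):
    """True when `installed` is strictly lower than `patched`. The shorter tuple is
    padded with zeros so that 4.2.3 < 4.2.3.1 and 4.68 == 4.68.0, which a plain
    string comparison would get wrong."""
    for have, want in zip_longest(version_tuple(installed), version_tuple(patched), fillvalue=0):
        if have != want:
            return have < want
    return False


def triage(installed, advisories):
    """Return (slug, installed_version, patched_version, action) for every installed
    plugin that appears in the advisory list and is not yet on a patched version."""
    findings = []
    for plugin in installed:
        slug = plugin["name"]
        if slug not in advisories:
            continue
        patched = advisories[slug]
        if patched is None:
            findings.append((slug, plugin["version"], None, "no patch available: mitigate or remove"))
        elif is_older(plugin["version"], patched):
            # Deactivated plugins stay on disk, and their PHP files can still be
            # requested directly, so "inactive" is not a reason to skip the update.
            action = "update" if plugin["status"] == "active" else "update or delete (inactive, but still on disk)"
            findings.append((slug, plugin["version"], patched, action))
    return findings


if __name__ == "__main__":
    for slug, have, want, action in triage(INSTALLED, ADVISORIES):
        print(f"{slug}: installed {have}, patched {want or 'n/a'} -> {action}")
```

To run this against a real site, replace INSTALLED with the parsed output of `wp plugin list --format=json` and keep ADVISORIES in step with the weekly list; the version comparison is the part worth keeping, since it mirrors the numeric, component-wise ordering WordPress itself uses rather than a lexical one.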
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.