Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Woocommerce Tabs Plugin, Add Custom Product Tabs
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Title Field Validation
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Global Multisite Search
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Express Shop
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: YITH Request a Quote for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version
Plugin: Food Store – Online Food Delivery & Pickup
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: WP Upload Restriction
Vulnerability: Missing Authorization Checks
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Adapta RGPD
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.0.7.2
Recommended Action: Update to version 3.0.7.2, or a newer patched version
Plugin: Woo MerchantX
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CRM: Contact Management Simplified – UkuuPeople
Vulnerability: Cross-Site Request Forgery to Favorite Addition/Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forms
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.12.3
Recommended Action: Update to version 1.12.3, or a newer patched version
Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version
Plugin: BNG Gateway For WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NMI Gateway For WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Locations
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: Abandoned Cart Recovery for WooCommerce
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.0.4.1
Recommended Action: Update to version 1.0.4.1, or a newer patched version
Plugin: WPCS – WordPress Currency Switcher Professional
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Haxcan
Vulnerability: Authenticated (Admin+) Path Traversal to Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TNIT Filter Gallery Plugin
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 0.0.7
Recommended Action: Update to version 0.0.7, or a newer patched version
Plugin: Email Template Designer – WP HTML Mail
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: WooCommerce Extra Cost
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Generate Images (AI) – Magic Post Thumbnail
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version
Plugin: PWA for WP & AMP
Vulnerability: Arbitrary File Upload
Patched Version: 1.7.33
Recommended Action: Update to version 1.7.33, or a newer patched version
Plugin: Amministrazione Trasparente
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 7.1.1
Recommended Action: Update to version 7.1.1, or a newer patched version
Plugin: Calendar Event Multi View
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.01
Recommended Action: Update to version 1.4.01, or a newer patched version
Plugin: Leaflet Map
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: Marmoset Viewer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version
Plugin: Category slider for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Request For Quote
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: WooCommerce Custom Registration Form
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Speed Booster Pack ⚡ PageSpeed Optimization Suite
Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version
Plugin: KONTXT Improves WordPress Search
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin
Vulnerability: Authorization Bypass
Patched Version: 1.2.35.2
Recommended Action: Update to version 1.2.35.2, or a newer patched version
Plugin: WP EasyPay – Create Your Payment Forms to Pay with Square – Square for WordPress Plugin: Integrate Square with WordPress to Collect Payments
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version
Plugin: Community Events
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version
Plugin: WooCommerce Blocks
Vulnerability: Authenticated Blind SQL Injection
Patched Version: 2.5.16
Recommended Action: Update to one of the following versions, or a newer patched version: 2.5.16, 2.6.2, 2.7.2, 2.8.1, 2.9.1, 3.0.1, 3.1.1, 3.2.1, 3.3.1, 3.4.1, 3.5.1, 3.6.1, 3.7.2, 3.8.1, 3.9.1, 4.0.1, 4.1.1, 4.2.1, 4.3.1, 4.4.3, 4.5.3, 4.6.1, 4.7.1, 4.8.1, 4.9.2, 5.0.1, 5.1.1, 5.2.1, 5.3.2, 5.4.1, 5.5.1
Plugin: Instantio – WooCommerce Quick Checkout | Direct Checkout, Floating Cart, Side Cart & Popup Cart
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: PWA for WP & AMP
Vulnerability: Missing Authorization
Patched Version: 1.7.33
Recommended Action: Update to version 1.7.33, or a newer patched version
Plugin: Popular Brand Icons – Simple Icons
Vulnerability: Simple Icons <= 2.7.7
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version
Plugin: Leaflet Map
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.4.9.1
Recommended Action: Update to version 5.4.9.1, or a newer patched version
Plugin: MZ Mindbody API
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: BuddyPress Customer.io Analytics Integration
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Strong Testimonials
Vulnerability: Authorization Bypass
Patched Version: 2.51.3
Recommended Action: Update to version 2.51.3, or a newer patched version
Plugin: WP Prayer
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Journey Analytics
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version
Plugin: Fontsampler
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 0.4.13
Recommended Action: Update to version 0.4.13, or a newer patched version
Plugin: KONTXT Content Advisor
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Maps Plugin using Google Maps for WordPress – WP Google Map
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: MZ MBO Access
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: intimate Payments Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Slider Hero with Video Background, Animation
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 8.2.1
Recommended Action: Update to version 8.2.1, or a newer patched version
Plugin: WordPress Popular Posts
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.3.4
Recommended Action: Update to version 5.3.4, or a newer patched version
Plugin: SEO
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Travel Light
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Vuukle Comments, Reactions, Share Bar, Revenue
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.