Watch Out Wednesday – July 7, 2021

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Woocommerce Tabs Plugin, Add Custom Product Tabs

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Title Field Validation

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Global Multisite Search

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Express Shop

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: YITH Request a Quote for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Food Store – Online Food Delivery & Pickup

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: WP Upload Restriction

Vulnerability: Missing Authorization Checks
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Adapta RGPD

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.0.7.2
Recommended Action: Update to version 3.0.7.2, or a newer patched version

Plugin: Woo MerchantX

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CRM: Contact Management Simplified – UkuuPeople

Vulnerability: Cross-Site Request Forgery to Favorite Addition/Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forms

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.12.3
Recommended Action: Update to version 1.12.3, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: BNG Gateway For WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NMI Gateway For WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Locations

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Abandoned Cart Recovery for WooCommerce

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.0.4.1
Recommended Action: Update to version 1.0.4.1, or a newer patched version

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Cross-site request forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Haxcan

Vulnerability: Authenticated (Admin+) Path Traversal to Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TNIT Filter Gallery Plugin

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 0.0.7
Recommended Action: Update to version 0.0.7, or a newer patched version

Plugin: Email Template Designer – WP HTML Mail

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: WooCommerce Extra Cost

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Generate Images (AI) – Magic Post Thumbnail

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version

Plugin: PWA for WP & AMP

Vulnerability: Arbitrary File Upload
Patched Version: 1.7.33
Recommended Action: Update to version 1.7.33, or a newer patched version

Plugin: Amministrazione Trasparente

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 7.1.1
Recommended Action: Update to version 7.1.1, or a newer patched version

Plugin: Calendar Event Multi View

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.01
Recommended Action: Update to version 1.4.01, or a newer patched version

Plugin: Leaflet Map

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Marmoset Viewer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Category slider for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Request For Quote

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: WooCommerce Custom Registration Form

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Speed Booster Pack ⚡ PageSpeed Optimization Suite

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: KONTXT Improves WordPress Search

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin

Vulnerability: Authorization Bypass
Patched Version: 1.2.35.2
Recommended Action: Update to version 1.2.35.2, or a newer patched version

Plugin: WP EasyPay – Create Your Payment Forms to Pay with Square – Square for WordPress Plugin: Integrate Square with WordPress to Collect Payments

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Community Events

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: WooCommerce Blocks

Vulnerability: Authenticated Blind SQL Injection
Patched Version: 2.5.16
Recommended Action: Update to one of the following versions, or a newer patched version: 2.5.16, 2.6.2, 2.7.2, 2.8.1, 2.9.1, 3.0.1, 3.1.1, 3.2.1, 3.3.1, 3.4.1, 3.5.1, 3.6.1, 3.7.2, 3.8.1, 3.9.1, 4.0.1, 4.1.1, 4.2.1, 4.3.1, 4.4.3, 4.5.3, 4.6.1, 4.7.1, 4.8.1, 4.9.2, 5.0.1, 5.1.1, 5.2.1, 5.3.2, 5.4.1, 5.5.1

Plugin: Instantio – WooCommerce Quick Checkout | Direct Checkout, Floating Cart, Side Cart & Popup Cart

Vulnerability: Cross Site Request Forgery
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: PWA for WP & AMP

Vulnerability: Missing Authorization
Patched Version: 1.7.33
Recommended Action: Update to version 1.7.33, or a newer patched version

Plugin: Popular Brand Icons – Simple Icons

Vulnerability: Simple Icons <= 2.7.7
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: WP Upload Restriction

Vulnerability: Missing Authorization Checks
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Leaflet Map

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.4.9.1
Recommended Action: Update to version 5.4.9.1, or a newer patched version

Plugin: MZ Mindbody API

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: BuddyPress Customer.io Analytics Integration

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Strong Testimonials

Vulnerability: Authorization Bypass
Patched Version: 2.51.3
Recommended Action: Update to version 2.51.3, or a newer patched version

Plugin: WP Prayer

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Journey Analytics

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version

Plugin: Fontsampler

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 0.4.13
Recommended Action: Update to version 0.4.13, or a newer patched version

Plugin: KONTXT Content Advisor

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Maps Plugin using Google Maps for WordPress – WP Google Map

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: MZ MBO Access

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: intimate Payments Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slider Hero with Video Background, Animation

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 8.2.1
Recommended Action: Update to version 8.2.1, or a newer patched version

Plugin: WordPress Popular Posts

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.3.4
Recommended Action: Update to version 5.3.4, or a newer patched version

Plugin: SEO

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Travel Light

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Vuukle Comments, Reactions, Share Bar, Revenue

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.

About the Author

Recent Posts

WordPress