Watch Out Wednesday – June 1, 2022

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Cross-Linker

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: underConstruction

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.21
Recommended Action: Update to version 1.21, or a newer patched version

Plugin: Image Slider by NextCode – Photo & Video Slider

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.25.6
Recommended Action: Update to version 1.25.6, or a newer patched version

Plugin: Display Data on your site! Create Dynamic Content Templates from any form of data. Works with ACF, Pods, BuddyPress/ BuddyBoss

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Admin Management Xtended

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: My Private Site

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Amazon Einzeltitellinks

Vulnerability: Cross-Site Request Forgery to Arbitrary Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPMK Ajax Finder

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Slider by NextCode – Photo & Video Slider

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GTM4WP – A Google Tag Manager (GTM) plugin for WordPress

Vulnerability: Stored Cross-Site Scripting via Content Element ID
Patched Version: 1.15.2
Recommended Action: Update to version 1.15.2, or a newer patched version

Plugin: Elements For Elementor

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: WordPress to Freshsales Integration

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.2.3
Recommended Action: Update to version 1.3.2.3, or a newer patched version

Plugin: PDF24 Article To PDF

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Video Conferencing with Zoom

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: WPlite

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Plausible Analytics

Vulnerability: Missing Authorization
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Automatic Domain Changer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Easy PayPal Events

Vulnerability: Reflected Cross-Site Scripting via Page
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: OTP Login Woocommerce (Login with OTP)

Vulnerability: Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Accept Donations with PayPal & Stripe

Vulnerability: Reflected Cross-Site Scripting via Page
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: XML Sitemap Generator for Google

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: Germanized for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version

Plugin: Weberino Timed Quiz

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multi-page Toolkit

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Trade Runner

Vulnerability: Cross-Site Scripting
Patched Version: 3.10
Recommended Action: Update to version 3.10, or a newer patched version

Plugin: Subscriptions & Memberships for PayPal

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Easy PayPal Shopping Cart

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: Events Made Easy

Vulnerability: SQL Injection
Patched Version: 2.2.81
Recommended Action: Update to version 2.2.81, or a newer patched version

Plugin: Restaurant Reservations

Vulnerability: SQL Injection
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Rotating Posts

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mobile browser color select

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ping List Pro

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Sentry

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PDF24 Articles To PDF

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Direct Checkout for WooCommerce – Skip Cart with Buy Buttons

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Mail Subscribe List

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 8.x

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.18
Recommended Action: Update to version 2.1.18, or a newer patched version

Plugin: Running Line

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Post Styling

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Print, PDF, Email by PrintFriendly

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 5.2.3
Recommended Action: Update to version 5.2.3, or a newer patched version

Plugin: WPSID Shortcode

Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-EMail

Vulnerability: Spam Protection Bypass
Patched Version: 2.69.0
Recommended Action: Update to version 2.69.0, or a newer patched version

Plugin: WP-EMail

Vulnerability: Cross-Site Request Forgery to Log Deletion
Patched Version: 2.69.0
Recommended Action: Update to version 2.69.0, or a newer patched version

Plugin: Private Messages For WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wbcom Designs – BuddyPress Group Reviews

Vulnerability: Cross-Site Scripting
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Exports and Reports

Vulnerability: CSV Injection
Patched Version: 0.9.2
Recommended Action: Update to version 0.9.2, or a newer patched version

Plugin: WP Post Statistics (Visitors & Visits Counter)

Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Inline Google Maps

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Envato Sales By Item

Vulnerability: Unauthenticated SQL Injection via AJAX call
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booster for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.9
Recommended Action: Update to version 5.5.9, or a newer patched version

Plugin: Smartkit

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.4.6
Recommended Action: Update to version 7.4.6, or a newer patched version

Plugin: Cookie Params

Vulnerability: Reflected Cross-Site Scripting and Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tiny Contact Form

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Private Messages For WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visualizer: Tables and Charts Manager for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.7
Recommended Action: Update to version 3.7.7, or a newer patched version

Plugin: PPC Tracker WordPress Plugin

Vulnerability: Stored Cross-Site Scripting via IP
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dropdown and scrollable Text

Vulnerability: Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: New User Approve

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: CaPa Protect

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ClimateClick: Climate Action for all

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.9.22
Recommended Action: Update to version 1.0.9.22, or a newer patched version

Plugin: Export All URLs

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: More Featured Images

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Codup Read Only Admin

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.1.8
Recommended Action: Update to version 1.1.1.8, or a newer patched version

Plugin: Social Share Buttons by Supsystic

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: OpenBook Book Data

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Slider by NextCode – Photo & Video Slider

Vulnerability: Cross-Site Request Forgery to Slide Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.3.9.6
Recommended Action: Update to version 2.3.9.6, or a newer patched version

Plugin: Mail Subscribe List

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: No External Links

Vulnerability: Cross-Site Scripting
Patched Version: 4.8.0
Recommended Action: Update to version 4.8.0, or a newer patched version

Plugin: underConstruction

Vulnerability: Cross-Site Request Forgery to Construction Mode Disabled
Patched Version: 1.20
Recommended Action: Update to version 1.20, or a newer patched version

Plugin: BuddyPress & BuddyBoss Member Profile Forms

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.22
Recommended Action: Update to version 1.4.22, or a newer patched version

Plugin: Zengo Custom Thumbnail Image Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better Find and Replace

Vulnerability: Admin+ SQL Injection
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: MailPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Coming Soon & Maintenance Mode by Colorlib

Vulnerability: Administrator+ Cross-Site Scripting
Patched Version: 1.0.99
Recommended Action: Update to version 1.0.99, or a newer patched version

Plugin: Clean-Contact

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Seamless Donations is Sunset

Vulnerability: Cross-Site Request Forgery to Settings Change
Patched Version: 5.1.8
Recommended Action: Update to version 5.1.8, or a newer patched version

Plugin: Hotel Booking

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: VS Contact Form

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.6
Recommended Action: Update to version 11.6, or a newer patched version

Plugin: PressForward

Vulnerability: Cross-Site Scripting
Patched Version: 5.2.9
Recommended Action: Update to version 5.2.9, or a newer patched version

Plugin: Pricing Tables WordPress Plugin – Easy Pricing Tables

Vulnerability: Author+ Stored Cross-Site Scripting
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: WP Zillow Review Slider

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Custom Colors for Real Estate Manager

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
