Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking
Vulnerability: Arbitrary File Upload
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version
Plugin: Checkout Field Manager (Checkout Manager) for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.7
Recommended Action: Update to version 5.5.7, or a newer patched version
Plugin: WP Contact Slider – Slide Out Contact Form for WordPress to display Contact Form 7, Gravity Forms, WP Forms, Ninja Forms, plain text/HTML & other shortcodes
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via import
Patched Version: 3.6.11
Recommended Action: Update to version 3.6.11, or a newer patched version
Plugin: Gallery – Image and Video Gallery with Thumbnails
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Easy Testimonials
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version
Plugin: Table Rate Shipping Method for WooCommerce by Flexible Shipping
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.11.9
Recommended Action: Update to version 4.11.9, or a newer patched version
Plugin: Age Gate
Vulnerability: Cross-Site Scripting via Data Import
Patched Version: 2.17.1
Recommended Action: Update to version 2.17.1, or a newer patched version
Plugin: Social Share Buttons by Supsystic
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
Plugin: Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Gallery Bank – WordPress Photo Gallery Plugin
Vulnerability: Stored Cross-Site Scripting via Media Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: API KEY for Google Maps
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Qubely – Advanced Gutenberg Blocks
Vulnerability: Incorrect Authorization
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Gallery Bank – WordPress Photo Gallery Plugin
Vulnerability: Stored Cross-Site Scripting via Gallery Description
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Yampi Checkout
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Social Share Buttons by Supsystic
Vulnerability: Missing Authorization
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: Gravity PDF
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.6.6
Recommended Action: Update to version 4.1.6.6, or a newer patched version
Plugin: Copify
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Cross-Site Scripting via field label
Patched Version: 3.6.10
Recommended Action: Update to version 3.6.10, or a newer patched version
Plugin: Real Cookie Banner: GDPR & ePrivacy Cookie Consent
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.18.2
Recommended Action: Update to version 2.18.2, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Unauthenticated DOM-based Reflected Cross-Site Scripting
Patched Version: 3.5.6
Recommended Action: Update to version 3.5.6, or a newer patched version
Plugin: ToolBar to Share
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
