Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: WP Reset – Most Advanced WordPress Reset Tool
Vulnerability: Authenticated Stored Cross-Site Scripting via extra_data Parameter
Patched Version: 1.90
Recommended Action: Update to version 1.90, or a newer patched version
Plugin: Admin Columns
Vulnerability: No subtitle
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version
Plugin: Event Calendar WD version
Vulnerability: Cross-Site Scripting
Patched Version: 1.1.45
Recommended Action: Update to version 1.1.45, or a newer patched version
Plugin: All 404 Redirect to Homepage
Vulnerability: Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.0.35
Recommended Action: Update to version 2.0.35, or a newer patched version
Plugin: NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall
Vulnerability: Authenticated PHAR Deserialization
Patched Version: 4.3.4
Recommended Action: Update to version 4.3.4, or a newer patched version
Plugin: Jetpack – WP Security, Backup, Speed, & Growth
Vulnerability: Information Disclosure
Patched Version: 2.0.8
Recommended Action: Update to one of the following versions, or a newer patched version: 2.0.8, 2.1.6, 2.2.9, 2.3.9, 2.4.6, 2.5.4, 2.6.5, 2.7.4, 2.8.4, 2.9.5, 3.0.5, 3.1.4, 3.2.4, 3.3.5, 3.4.5, 3.5.5, 3.6.3, 3.7.4, 3.8.4, 3.9.8, 4.0.5, 4.1.2, 4.2.3, 4.3.3, 4.4.3, 4.5.1, 4.6.1, 4.7.2, 4.8.3, 4.9.1, 5.0.1, 5.1.2, 5.2.3, 5.3.2, 5.4.2, 5.5.3, 5.6.3, 5.7.3, 5.8.2, 5.9.2, 6.0.2, 6.1.3, 6.2.3, 6.3.5, 6.4.4, 6.5.2, 6.6.3, 6.7.2, 6.8.3, 6.9.2, 7.0.3, 7.1.3, 7.2.3, 7.3.3, 7.4.3, 7.5.5, 7.6.2, 7.7.4, 7.8.2, 7.9.2, 8.0.1, 8.1.2, 8.2.4, 8.3.1, 8.4.3, 8.5.1, 8.6.2, 8.7.2, 8.8.3, 8.9.2, 9.0.3, 9.1.1, 9.2.2, 9.3.3, 9.4.2, 9.5.3, 9.6.2, 9.7.1
Plugin: Fancy Product Designer
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 4.6.9
Recommended Action: Update to version 4.6.9, or a newer patched version
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Insecure Direct Object Reference
Patched Version: 3.7.4
Recommended Action: Update to version 3.7.4, or a newer patched version
Plugin: Simple 301 Redirects By BetterLinks – Easy Redirect Manager for WP, 404 Error Log & More
Vulnerability: 2.0.3
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Gallery from files
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MC4WP: Mailchimp for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.8.5
Recommended Action: Update to version 4.8.5, or a newer patched version
Plugin: Stock in & out
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple 301 Redirects By BetterLinks – Easy Redirect Manager for WP, 404 Error Log & More
Vulnerability: 2.0.3
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: The Plus Addons for Elementor Page Builder
Vulnerability: Open Redirect
Patched Version: 4.1.10
Recommended Action: Update to version 4.1.10, or a newer patched version
Plugin: Side Menu – add fixed side buttons
Vulnerability: SQL Injection
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version
Plugin: Xllentech English Islamic Calendar
Vulnerability: SQL Injection
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version
Plugin: WordPress Bitcoin Payments – Blockonomics
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version
Plugin: Simple 301 Redirects By BetterLinks – Easy Redirect Manager for WP, 404 Error Log & More
Vulnerability: 2.0.3
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Visitors
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple 301 Redirects By BetterLinks – Easy Redirect Manager for WP, 404 Error Log & More
Vulnerability: 2.0.3
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: The Plus Addons for Elementor Page Builder
Vulnerability: Open Redirect
Patched Version: 4.1.11
Recommended Action: Update to version 4.1.11, or a newer patched version
Plugin: The Plus Addons for Elementor Page Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.12
Recommended Action: Update to version 4.1.12, or a newer patched version
Plugin: Gallery from files
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Yes/No Chart
Vulnerability: Authenticated SQL Injection
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version
Plugin: MC4WP: Mailchimp for WordPress
Vulnerability: Open Redirect
Patched Version: 4.8.5
Recommended Action: Update to version 4.8.5, or a newer patched version
Plugin: WP Config File Editor
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple 301 Redirects By BetterLinks – Easy Redirect Manager for WP, 404 Error Log & More
Vulnerability: 2.0.3
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Sendit WP Newsletter
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.