Understanding Vulnerabilities in WordPress Plugins
Every week we highlight newly disclosed vulnerabilities in WordPress plugins so you can check whether an affected plugin is installed on your site and update or remove it. Each entry lists the plugin, the vulnerability class, the first patched version (where one exists) and the recommended action. Applying these updates promptly removes known, publicly documented attack paths against your site and its data.
Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Vulnerability: SQL Injection
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: RSVPMaker
Vulnerability: Server-Side Request Forgery
Patched Version: 8.7.4
Recommended Action: Update to version 8.7.4, or a newer patched version
Plugin: Portfolio Responsive Gallery
Vulnerability: Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: Any Hostname
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quiz Maker
Vulnerability: SQL Injection
Patched Version: 6.2.0.9
Recommended Action: Update to version 6.2.0.9, or a newer patched version
Plugin: User Profile Picture
Vulnerability: Authenticated Insecure Direct Object Reference
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: WP Offload SES Lite
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version
Plugin: Awesome Weather Widget
Vulnerability: Reflected Cross-Site Scripting via id Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event Calendar WD
Vulnerability: Cross-Site Scripting
Patched Version: 1.1.46
Recommended Action: Update to version 1.1.46, or a newer patched version
Plugin: Popup Like box – Page Plugin
Vulnerability: SQL Injection
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version
Plugin: Portfolio Responsive Gallery
Vulnerability: Blind SQL Injection
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: Post Grid and Gutenberg Blocks – ComboBlocks
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Cross-Site Scripting
Patched Version: 2.5.10
Recommended Action: Update to version 2.5.10, or a newer patched version
Plugin: ZoomSounds – WordPress Wave Audio Player with Playlist
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 6.05
Recommended Action: Update to version 6.05, or a newer patched version
Plugin: Photo Gallery by Ays – Responsive Image Gallery
Vulnerability: Unspecified (affects versions <= 4.4.3)
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version
Plugin: WordPress Popular Posts
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 5.3.3
Recommended Action: Update to version 5.3.3, or a newer patched version
Plugin: Photo Gallery by Ays – Responsive Image Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Unspecified (affects version 3.1.3)
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version
Plugin: Side Menu Lite – add sticky fixed buttons
Vulnerability: SQL Injection
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Bookshelf
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Yada Wiki
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Plugin: Edwiser Bridge – WordPress Moodle LMS Integration
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version
Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Vulnerability: Cross-Site Scripting
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: YouTube Embed, Playlist and Popup by WpDevArt
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version
Plugin: Event Geek
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Steam Group Viewer
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image Slider by Ays – Responsive Slider and Carousel
Vulnerability: SQL Injection
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: Popup Like box – Page Plugin
Vulnerability: Cross-Site Scripting
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version
Plugin: W3 Total Cache
Vulnerability: Reflected Cross-Site Scripting via extension
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: Image Slider by Ays – Responsive Slider and Carousel
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: Survey Maker
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: Secure Copy Content Protection and Content Locking
Vulnerability: SQL Injection
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version
Plugin: FAQ Builder AYS
Vulnerability: Blind SQL Injection
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: Handsome Testimonials & Reviews
Vulnerability: Authenticated SQL Injection
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: Migrate Users
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Vulnerability: Authenticated SQL Injection
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: WP Image Zoom
Vulnerability: Local File Inclusion
Patched Version: 1.47.1
Recommended Action: Update to version 1.47.1, or a newer patched version
Plugin: Survey Maker
Vulnerability: Authenticated SQL Injection
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: event-espresso-core
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.10.7.p
Recommended Action: Update to version 4.10.7.p, or a newer patched version
Plugin: W3 Total Cache
Vulnerability: Reflected Cross-Site Scripting via extension
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: DrawBlog
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
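As an added example (this is not code from the original post or from any of the plugin vendors): a small Python checker that takes the JSON output of WP-CLI's `wp plugin list` and reports every installed plugin whose version is older than the patched version in the table above, or which the table marks as having no patch at all. The plugin slugs in `ADVISORIES` are assumptions (the post gives display names, not slugs; confirm each against the plugin's wordpress.org URL), and the sample plugin list is constructed for the demo.

```python
"""Flag installed WordPress plugins that fall below an advisory's patched version.

Added example, not part of the original post. ADVISORIES is a partial
transcription of the list above, keyed by plugin slug as `wp plugin list`
reports it; the slugs are ASSUMED and should be checked against each
plugin's wordpress.org URL. The JSON sample is constructed for the demo.
"""
import json
import re
import sys

# ASSUMED slug -> first patched version, or None when the post says no patch
# exists (every installed version is then treated as affected).
ADVISORIES = {
    "poll-maker": "3.2.1",
    "rsvpmaker": "8.7.4",
    "wordpress-popular-posts": "5.3.3",
    "wp-image-zoom": "1.47.1",
    "event-espresso-core": "4.10.7.p",
    "w3-total-cache": "2.1.5",   # the post lists 2.1.4 and 2.1.5; use the later fix
    "any-hostname": None,
    "migrate-users": None,
}

# Constructed sample of `wp plugin list --format=json --fields=name,status,version`.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "poll-maker", "status": "active", "version": "3.2.0"},
    {"name": "rsvpmaker", "status": "active", "version": "8.7.4"},
    {"name": "w3-total-cache", "status": "active", "version": "2.1.4"},
    {"name": "any-hostname", "status": "inactive", "version": "1.0.6"},
    {"name": "event-espresso-core", "status": "active", "version": "4.10.7.p"},
    {"name": "akismet", "status": "active", "version": "4.1.9"},
])


def parse_version(version: str) -> tuple:
    """Reduce a version string to its numeric components.

    Non-numeric suffixes such as the ".p" in "4.10.7.p" are dropped, so the
    comparison is purely numeric and "6.05" sorts equal to "6.5".
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_lt(installed: str, patched: str) -> bool:
    """True when `installed` is strictly older than `patched` (right-padded with zeros)."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_vulnerable(installed: list, advisories: dict) -> list:
    """Return (slug, status, installed_version, action) for each affected plugin.

    Inactive plugins are reported too: their files remain on disk, and a PHP
    file requested directly is not gated on the plugin being activated.
    """
    findings = []
    for plugin in installed:
        slug = plugin["name"]
        if slug not in advisories:
            continue
        patched = advisories[slug]
        if patched is None:
            findings.append((slug, plugin["status"], plugin["version"],
                             "no patched version; mitigate or remove"))
        elif version_lt(plugin["version"], patched):
            findings.append((slug, plugin["status"], plugin["version"],
                             f"update to {patched} or newer"))
    return findings


def run_demo() -> list:
    """Run the check over the constructed sample output."""
    return find_vulnerable(json.loads(SAMPLE_WP_PLUGIN_LIST), ADVISORIES)


if __name__ == "__main__":
    # Real usage: wp plugin list --format=json --fields=name,status,version | python3 check.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    for slug, status, version, action in find_vulnerable(json.loads(raw), ADVISORIES):
        print(f"{slug} ({status}, {version}): {action}")
```

Pipe the real output in with `wp plugin list --format=json --fields=name,status,version | python3 check.py`. The comparison is purely numeric, so treat a "not affected" result for plugins with unusual version schemes (`4.10.7.p`, `6.05`) as something to confirm by hand against the plugin's changelog. For the entries marked Admin+ (stored XSS that only an administrator can plant), the exposure is limited to accounts that already hold full privileges, which is worth weighing when deciding how urgently an unpatched plugin must be replaced.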
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.