Watch Out Wednesday – June 9, 2021

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Recently

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 8.1.12
Recommended Action: Update to version 8.1.12, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Scripting
Patched Version: 7.1.19
Recommended Action: Update to version 7.1.19, or a newer patched version

Plugin: wordpress-form-manager

Vulnerability: Authenticated Remote Command Execution
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Smart Slider 3

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.5.0.9
Recommended Action: Update to version 3.5.0.9, or a newer patched version

Plugin: Social Sharing Plugin – Kiwi

Vulnerability: 2.1.2
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Location Manager

Vulnerability: SQL Injection
Patched Version: 2.1.0.10
Recommended Action: Update to version 2.1.0.10, or a newer patched version

Plugin: Multiple Roles

Vulnerability: No subtitle
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Qtranslate Slug

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Prayer

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: WP Hardening (discontinued)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Stripe Payment Plugin for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: wpDiscuz 7.0
Patched Version: 7.0.5
Recommended Action: Update to version 7.0.5, or a newer patched version

Plugin: Payment forms, Buy now buttons, and Invoicing System | GetPaid

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Custom css-js-php

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more

Vulnerability: Object Injection
Patched Version: 5.1.8
Recommended Action: Update to version 5.1.8, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.1.18
Recommended Action: Update to version 7.1.18, or a newer patched version

Plugin: Comments Like Dislike

Vulnerability: Add Like/Dislike Bypass
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Recently

Vulnerability: Arbitrary File Upload to Remote Code Execution
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Stock in & out

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.