Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Smart Slider 3
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.1.14
Recommended Action: Update to version 3.5.1.14, or a newer patched version
Plugin: Maspik – Advanced Spam Protection
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.7.9
Recommended Action: Update to version 0.7.9, or a newer patched version
Plugin: WP Time Slots Booking Form
Vulnerability: Cross-Site Request Forgery to Feedback Submission
Patched Version: 1.1.77
Recommended Action: Update to version 1.1.77, or a newer patched version
Plugin: Read More Excerpt Link
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Ultimate Form Builder <= 8.3.2
Patched Version: 8.3.3
Recommended Action: Update to version 8.3.3, or a newer patched version
Plugin: Social Auto Poster
Vulnerability: Cross-Site Request Forgery to Plugin Settings Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcodes
Patched Version: 2.9.12
Recommended Action: Update to version 2.9.12, or a newer patched version
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Authenticated (Subscriber+) Information Exposure
Patched Version: 5.12.8
Recommended Action: Update to version 5.12.8, or a newer patched version
Plugin: Zendrop – Global Dropshipping
Vulnerability: SQL Injection in setMetaData
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: All In One Favicon
Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version
Plugin: Drag and Drop Multiple File Upload for WooCommerce
Vulnerability: Missing Authorization in upload and delete_file
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version
Plugin: WP Google Tag Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Text Widget
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sp*tify Play Button for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.06
Recommended Action: Update to version 2.06, or a newer patched version
Plugin: Search in Place
Vulnerability: Missing Authorization to Feedback Submission
Patched Version: 1.0.105
Recommended Action: Update to version 1.0.105, or a newer patched version
Plugin: Houzez Login Register
Vulnerability: Privilege Escalation
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Missing Authorization in ‘startProcess’ to Arbitrary Redirect via ‘update_link_redirect’ task
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version
Plugin: We’re Open!
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.47
Recommended Action: Update to version 1.47, or a newer patched version
Plugin: Preview Link Generator
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Free WooCommerce Theme 99fy Extension
Vulnerability: Cross-Site Request Forgery leading to Arbitrary Plugin Activation
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Authenticated (Subscriber+) Arbitrary Post Access via Shortcode
Patched Version: 5.12.8
Recommended Action: Update to version 5.12.8, or a newer patched version
Plugin: WPMobile.App — Android and iOS Mobile Application
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 11.19
Recommended Action: Update to version 11.19, or a newer patched version
Plugin: My YouTube Channel
Vulnerability: Cross-Site Request Forgery to Cache Deletion
Patched Version: 3.23.4
Recommended Action: Update to version 3.23.4, or a newer patched version
Plugin: WP Insurance – WordPress Insurance Service Plugin
Vulnerability: Cross-Site Request Forgery leading to Arbitrary Plugin Activation
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: VK All in One Expansion Unit
Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI
Patched Version: 9.87.1.0
Recommended Action: Update to version 9.87.1.0, or a newer patched version
Plugin: WP-RecentComments
Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version
Plugin: Advanced Text Widget
Vulnerability: Missing Authorization via atw_dismiss_admin_notice
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Accordion – Multiple Accordion or FAQs Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Several Parameters
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Debug Assistant
Vulnerability: Cross-Site Request Forgery via imlt_create_admin
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: WP Repost
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WC Sales Notification
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Custom Login Page
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Portfolio Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Insecure Content Warning
Vulnerability: Remote Code Execution
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Etsy Shop
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Missing Authorization in ‘regenerateSitemaps’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: WP Meteor Website Speed Optimization Addon
Vulnerability: Cross-Site Request Forgery via processAjaxNoticeDismiss
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version
Plugin: Simple YouTube Responsive
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: phpinfo() WP
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version
Plugin: HT Portfolio – WordPress Portfolio Plugin for Elementor
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Missing Authorization in ‘checkAllCategoryInSitemap’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: Dashboard Widgets Suite
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: Coupon Zen
Vulnerability: Cross-Site Request Forgery to Plugin Activation
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: For the visually impaired
Vulnerability: Cross-Site Request Forgery to Plugin Settings Changes
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Missing Authorization to Arbitrary Password Reset
Patched Version: 5.3.1
Recommended Action: Update to version 5.3.1, or a newer patched version
Plugin: HT Politic – For Political WordPress Themes / Website
Vulnerability: Cross-Site Request Forgery leading to Arbitrary Plugin Activation
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version
Plugin: Chat Bee
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Admin Block Country
Vulnerability: Cross-Site Request Forgery via admin_block_country_initial_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Auto Affiliate Links
Vulnerability: Cross-Site Request Forgery via aalChangeOptions function
Patched Version: 6.3.0.3
Recommended Action: Update to version 6.3.0.3, or a newer patched version
Plugin: WP Plugin Manager – Deactivate plugins per page
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: Zendrop – Global Dropshipping
Vulnerability: Arbitrary File Upload
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Cross-Site Request Forgery via ‘setIgnore’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: Paytm Payment Gateway
Vulnerability: Authenticated (Editor+) SQL Injection via ‘post’
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version
Plugin: Ever Compare – Products Compare Plugin for WooCommerce
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Missing Authorization in ‘wpmsGGSaveInformation’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: Drag and Drop Multiple File Upload for WooCommerce
Vulnerability: Cross-Site Request Forgery in upload and delete_file
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: 多合一搜索自动推送管理插件-支持Baidu/Google/Bing/IndexNow/Yandex/头条
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version
Plugin: WP TFeed
Vulnerability: Cross-Site Request Forgery via aptf_delete_cache
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Meta SEO
Vulnerability: Cross-Site Request Forgery via ‘regenerateSitemaps’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: WP Social Bookmarking Light
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Publish to Schedule
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5.5
Recommended Action: Update to version 4.5.5, or a newer patched version
Plugin: Conditional Checkout Fields & Edit Checkout Fields for WooCommerce
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TypeSquare Webfonts for ConoHa
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Slider For Elementor
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Upload Resume
Vulnerability: Authenticated Sensitive Information Disclosure via resume_upload_form_list shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Redirection
Vulnerability: Missing Authorization in ‘LoadTab’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: GN Publisher: Google News Compatible RSS Feeds
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: HT Event – WordPress Event Manager Plugin for Elementor
Vulnerability: Cross-Site Request Forgery leading to Arbitrary Plugin Activation
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin
Vulnerability: Cross-Site Request Forgery via settings_page function
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: WP Time Slots Booking Form
Vulnerability: Missing Authorization to Feedback Submission
Patched Version: 1.1.77
Recommended Action: Update to version 1.1.77, or a newer patched version
Plugin: GoToWP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hero Banner Ultimate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: WP Shamsi – افزونه تاریخ شمسی و فارسی ساز وردپرس
Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Attachment Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Education – Education WordPress Plugin for Elementor
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Calculated Fields Form
Vulnerability: Missing Authorization to Feedback Submission
Patched Version: 1.1.121
Recommended Action: Update to version 1.1.121, or a newer patched version
Plugin: WordPress Infinite Scroll – Ajax Load More
Vulnerability: Ajax Load More <= 5.6.0.2
Patched Version: 5.6.0.3
Recommended Action: Update to version 5.6.0.3, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Missing Authorization in ‘listPostsCategory’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: Redirection
Vulnerability: Cross-Site Request Forgery via ‘addRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Cross-Site Request Forgery to Quiz Restoration
Patched Version: 8.1.0
Recommended Action: Update to version 8.1.0, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Missing Authorization in ‘saveSitemapSettings’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: Smart YouTube PRO
Vulnerability: Cross-Site Request Forgery via handle_colorbox_options
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPB Advanced FAQ
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Film Studio – WordPress Movie Maker/Production Plugin
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: CPT – Speakers
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Dynamic XML Sitemaps Generator for Google
Vulnerability: Cross-Site Request Forgery to Plugin Settings Changes
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: CM Answers – Powerful WordPress Forum Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version
Plugin: GMAce
Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: QuickSwish – WooCommerce Product Quick View
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Client Portal – Private user pages and login
Vulnerability: Cross-Site Request Forgery via cp_create_private_pages_for_all_users function
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: WP No External Links
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Calculated Fields Form
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.151
Recommended Action: Update to version 1.1.151, or a newer patched version
Plugin: OoohBoi Steroids for Elementor
Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Attachment Deletion
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: Custom Content Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple File List
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.0.10
Recommended Action: Update to version 6.0.10, or a newer patched version
Plugin: GMAce
Vulnerability: Cross-Site Request Forgery via gmace_manager_client
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: asMember
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Drag and Drop Multiple File Upload – Contact Form 7
Vulnerability: Cross-Site Request Forgery in dnd_upload_cf7_upload and dnd_codedropz_upload_delete
Patched Version: 1.3.6.6
Recommended Action: Update to version 1.3.6.6, or a newer patched version
Plugin: Top 10 – WordPress Popular posts by WebberZone
Vulnerability: Missing Authorization on tptn_chart_data
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Plugin: Rus-To-Lat
Vulnerability: Cross-Site Request Forgery to Plugins Options Changes
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Content Shortcode
Vulnerability: Authenticated (Contributor+) Local File Inclusion via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Repost
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Slug Translate
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Cross-Site Request Forgery leading to Plugin/Subscription Deletion
Patched Version: 6.0.3.0
Recommended Action: Update to version 6.0.3.0, or a newer patched version
Plugin: Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Apollo13 Framework Extensions
Vulnerability: Missing Authorization
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version
Plugin: WooCommerce Multiple Customer Addresses & Shipping
Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Arbitrary Address Creation/Deletion/View/Updates
Patched Version: 21.7
Recommended Action: Update to version 21.7, or a newer patched version
Plugin: Debug Assistant
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Top 10 – WordPress Popular posts by WebberZone
Vulnerability: <= 3.2.4
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Plugin: WP News – WordPress News / Magazine Plugin
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Simple Local Avatars
Vulnerability: Regular Expression Denial of Service (ReDoS)
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: OAuth Single Sign On – SSO (OAuth Client)
Vulnerability: Cross-Site Request Forgery via ‘delete’ in mooauth_client_applist_page
Patched Version: 6.24.2
Recommended Action: Update to version 6.24.2, or a newer patched version
Plugin: WordPress Tooltips
Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: 8.2.7
Recommended Action: Update to version 8.2.7, or a newer patched version
Plugin: Sheets to WP Table Live Sync | Google Sheets Table Plugin for WordPress with Spreadsheet Integration – FlexTable
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.13.0
Recommended Action: Update to version 2.13.0, or a newer patched version
Plugin: Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More
Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin
Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: 1.5.85
Recommended Action: Update to version 1.5.85, or a newer patched version
Plugin: SlimStat Analytics
Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 4.9.3.3
Recommended Action: Update to version 4.9.3.3, or a newer patched version
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Ultimate Form Builder <= 8.3.2
Patched Version: 8.3.3
Recommended Action: Update to version 8.3.3, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.