Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Kanban Boards for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Slideshow Gallery LITE
Vulnerability: Cross-Site Request Forgery via admin_galleries
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.25
Recommended Action: Update to version 4.3.25, or a newer patched version
Plugin: Lead Generated
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.25
Recommended Action: Update to version 1.25, or a newer patched version
Plugin: Slide Anything – Responsive Content / HTML Slider and Carousel
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version
Plugin: Userlike – WordPress Live Chat plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Slideshow Gallery LITE
Vulnerability: Cross-Site Request Forgery via admin_slides
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: Dynamics 365 Integration
Vulnerability: Missing Authorization via wp_ajax_wpcrm_log & wp_ajax_wpcrm_log_verbosity
Patched Version: 1.3.13
Recommended Action: Update to version 1.3.13, or a newer patched version
Plugin: Redirection
Vulnerability: Cross-Site Request Forgery to Plugin Reset
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Vertical scroll recent post
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Store Locator WordPress
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via ‘category_name’, ‘description’, ‘description_2’ parameters
Patched Version: 1.4.10
Recommended Action: Update to version 1.4.10, or a newer patched version
Plugin: Tussendoor – Open RDW
Vulnerability: Reflected Cross-Site Scripting via open_data_rdw_kenteken
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Form, Prize, and Sharing Method Fields
Patched Version: 2.45.1
Recommended Action: Update to version 2.45.1, or a newer patched version
Plugin: eCommerce Product Catalog Plugin for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version
Plugin: Force First and Last Name as Display Name
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.29.1
Recommended Action: Update to version 3.29.1, or a newer patched version
Plugin: Klaviyo
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.10
Recommended Action: Update to version 3.0.10, or a newer patched version
Plugin: Branded Social Images – Open Graph Images with logo and extra text layer
Vulnerability: Missing Authorization leading to Unauthenticated Plugin Settings Updates
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: UpdraftPlus: WP Backup & Migration Plugin
Vulnerability: Privilege Escalation via updraft_central_ajax_handler
Patched Version: 1.23.3
Recommended Action: Update to one of the following versions, or a newer patched version: 1.23.3, 2.23.3
Plugin: VigilanTor
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.11
Recommended Action: Update to version 1.3.11, or a newer patched version
Plugin: Team Member – Multi Language Supported Team Plugin
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via new_style_name
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Reflected Cross-Site Scripting via ‘page’ and ‘tab’
Patched Version: 12.1.21
Recommended Action: Update to version 12.1.21, or a newer patched version
Plugin: Lazy Social Comments
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Options
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Surbma | GDPR Proof Cookie Consent & Notice Bar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 17.6.0
Recommended Action: Update to version 17.6.0, or a newer patched version
Plugin: Calendar Event Multi View
Vulnerability: Missing Authentication leading to Authenticated (Subscriber+) Private Form Submission
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version
Plugin: WP Simple Events
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JS Job Manager
Vulnerability: Missing Authorization
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile
Vulnerability: PHP Object Injection
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: Stylish Cost Calculator
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 7.9.0
Recommended Action: Update to version 7.9.0, or a newer patched version
Plugin: Estatik Mortgage Calculator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Tiles
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Website Monetization by MageNet
Vulnerability: Cross-Site Request Forgery via admin_magenet_settings
Patched Version: 1.0.29.2
Recommended Action: Update to version 1.0.29.2, or a newer patched version
Plugin: Bulk Resize Media
Vulnerability: Cross-Site Request Forgery via bulk_resize_resize_image
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard
Vulnerability: Contact Form 7 Standard <= 5.0.6.3 and <= 2.11.0
Patched Version: 2.11.1
Recommended Action: Update to one of the following versions, or a newer patched version: 2.11.1, 5.0.6.4
Plugin: Slideshow Gallery LITE
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: Import External Images
Vulnerability: Cross-Site Request Forgery via external_image_import_all_ajax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: InPost Gallery
Vulnerability: Reflected Cross-Site Scripting via ‘imgurl’
Patched Version: 2.1.4.2
Recommended Action: Update to version 2.1.4.2, or a newer patched version
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: Reflected Cross-Site Scripting via ‘tax_name’
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Scheduled Announcements Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0
Recommended Action: Update to version 1.0, or a newer patched version
Plugin: Disqus Conditional Load
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 11.1.2
Recommended Action: Update to version 11.1.2, or a newer patched version
Plugin: WP Shortcode by MyThemeShop
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.17
Recommended Action: Update to version 1.4.17, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.7.9.4
Recommended Action: Update to version 2.7.9.4, or a newer patched version
Plugin: Hotel Booking Lite
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version
Plugin: SMTP2GO for WordPress – Email Made Easy
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: WP Popup Banners
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Settings
Patched Version: 2.45.1
Recommended Action: Update to version 2.45.1, or a newer patched version
Plugin: WSB Brands
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via $logo
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: PB SEO Friendly Images
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RapidLoad – Optimize Web Vitals Automatically
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via form fields
Patched Version: 2.45.1
Recommended Action: Update to version 2.45.1, or a newer patched version
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Missing Authorization
Patched Version: 12.1.21
Recommended Action: Update to version 12.1.21, or a newer patched version
Plugin: HT Feed
Vulnerability: Cross-Site Request Forgery leading to Limited Plugin Activation
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Contact Form Email
Vulnerability: Missing Authorization to Feedback Submission
Patched Version: 1.3.32
Recommended Action: Update to version 1.3.32, or a newer patched version
Plugin: Content Filter – Censor All Offensive Content From Your Site
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: Custom Options Plus
Vulnerability: Cross-Site Request Forgery via custom_options_plus_adm
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Custom Author Profiles
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Store Locator for WordPress with Google Maps – LotsOfLocales
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 3.98.8
Recommended Action: Update to version 3.98.8, or a newer patched version
Plugin: Contact Form 7 Redirect & Thank You Page
Vulnerability: Cross-Site Request Forgery via cf7rl_admin_table
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Enhanced Plugin Admin
Vulnerability: Cross-Site Request Forgery via epa_options_page
Patched Version: 1.17
Recommended Action: Update to version 1.17, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 1.8.15
Recommended Action: Update to version 1.8.15, or a newer patched version
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version
Plugin: WP Popup Banners
Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘value’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Amazon S3 Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin
Vulnerability: Cross-Site Request Forgery leading to Uninstall Form Submission
Patched Version: 3.7.8
Recommended Action: Update to version 3.7.8, or a newer patched version
Plugin: BigContact Contact Page
Vulnerability: Cross-Site Request Forgery leading to Plugin Settings Updates
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Weather Station
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.13
Recommended Action: Update to version 3.8.13, or a newer patched version
Plugin: Google XML Sitemap for Mobile
Vulnerability: Cross-Site Request Forgery via mobile_sitemap_generate
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Express Checkout (Accept PayPal Payments Easily)
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via pec_coupon[code]
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version
Plugin: WordPress Email Marketing Plugin – WP Email Capture
Vulnerability: Information Exposure via wp_email_capture_options_process
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version
Plugin: Custom Field Template
Vulnerability: Cross-Site Request Forgery via Plugin Options Update
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version
Plugin: wpml
Vulnerability: Cross-Site Scripting
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version
Plugin: GamiPress – Youtube integration
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: Simple Mobile URL Redirect
Vulnerability: Cross-Site Request Forgery leading to Mobile Redirect Updates
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cyberus Key
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘uid’ in ‘cyberkey_settings’ Plugin Setting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: Contact Form 7 – PayPal & Stripe Add-on
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version
Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘mep_get_option’ function
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version
Plugin: Branda – Branda – White Label & Branding, Custom Login Page Customizer
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.9
Recommended Action: Update to version 3.4.9, or a newer patched version
Plugin: WordPress Online Booking and Scheduling Plugin – Bookly
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Name
Patched Version: 21.5.1
Recommended Action: Update to version 21.5.1, or a newer patched version
Plugin: ConvertBox Auto Embed WordPress plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.20
Recommended Action: Update to version 1.0.20, or a newer patched version
Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.11.5
Recommended Action: Update to version 6.11.5, or a newer patched version
Plugin: Contact Form Email
Vulnerability: Cross-Site Request Forgery to Feedback Submission
Patched Version: 1.3.32
Recommended Action: Update to version 1.3.32, or a newer patched version
Plugin: Events Made Easy
Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘search_name’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Basic Elements
Vulnerability: Missing Authorization to Plugin Settings Update via wpbe_save_settings
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version
Plugin: JetEngine
Vulnerability: Authenticated (Author+) Arbitrary File Upload to Remote Code Execution
Patched Version: 3.1.3.1
Recommended Action: Update to version 3.1.3.1, or a newer patched version
Plugin: Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN
Vulnerability: Unauthenticated Path Traversal
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Backup Bank: WordPress Backup Plugin
Vulnerability: Missing Authorization via post_user_feedback_backup_bank
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Time Sheets
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.29.3
Recommended Action: Update to version 1.29.3, or a newer patched version
Plugin: WordPress Simple Shopping Cart
Vulnerability: Information Disclosure
Patched Version: 4.6.4
Recommended Action: Update to version 4.6.4, or a newer patched version
Plugin: Be POPIA Compliant
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: WP Tiles
Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: Cyberus Key
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: Return and Warranty Management System for WooCommerce
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TreePress – Easy Family Trees & Ancestor Profiles
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘post_title’ parameter
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Open Graphite
Vulnerability: Reflected Cross-Site Scripting via topic parameter
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Google XML Sitemap for Videos
Vulnerability: Cross-Site Request Forgery via video_sitemap_generate
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Table of Contents
Vulnerability: Missing Authorization via eztoc_reset_options_to_default
Patched Version: 2.0.46
Recommended Action: Update to version 2.0.46, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.