Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: WpStream – Live Streaming, Video on Demand, Pay Per View
Vulnerability: Cross-Site Request Forgery via wpstream_settings
Patched Version: 4.4.10.6
Recommended Action: Update to version 4.4.10.6, or a newer patched version
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in ‘pt_cancel_subscription’
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Toolset Types – Custom Post Types, Custom Fields and Taxonomies
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 3.4.18
Recommended Action: Update to version 3.4.18, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 14.0
Recommended Action: Update to version 14.0, or a newer patched version
Plugin: CP Contact Form with PayPal
Vulnerability: Authenticated Feedback Submission
Patched Version: 1.3.35
Recommended Action: Update to version 1.3.35, or a newer patched version
Plugin: DeepL API translation plugin
Vulnerability: Cross-Site Request Forgery via saveSettings
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version
Plugin: Simple CSV/XLS Exporter
Vulnerability: CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Schedulicity – Easy Online Scheduling
Vulnerability: Easy Online Scheduling <= 2.21
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Meteor Website Speed Optimization Addon
Vulnerability: No subtitle
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version
Plugin: Blog Floating Button
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.13
Recommended Action: Update to version 1.4.13, or a newer patched version
Plugin: LWS Tools
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in ‘update_profile_preference’
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Leyka
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.30
Recommended Action: Update to version 3.30, or a newer patched version
Plugin: Button Generator – easily Button Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: WP Speed Optimization By Add Expires Headers & Optimized Minify Plugin
Vulnerability: Cross-Site Request Forgery via [placeholder]
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More
Vulnerability: Information Disclosure via REST API
Patched Version: 6.0.4.1
Recommended Action: Update to version 6.0.4.1, or a newer patched version
Plugin: DecaLog
Vulnerability: Cross-Site Request Forgery via get_settings_page
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version
Plugin: Hotel Listing
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: About Me 3000 widget
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Watu Quiz
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.9.1
Recommended Action: Update to version 3.3.9.1, or a newer patched version
Plugin: ClickFunnels
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Vimeo Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: reCaptcha Protection Bypass
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: Instant Images – One-click Image Uploads from Unsplash, Openverse, Pixabay, Pexels, and Giphy
Vulnerability: Authenticated (Author+) Server-Side Request Forgery via instant_images_download
Patched Version: 5.1.0.2
Recommended Action: Update to version 5.1.0.2, or a newer patched version
Plugin: Fontiran
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.1
Patched Version: 6.4.2
Recommended Action: Update to version 6.4.2, or a newer patched version
Plugin: Cost Calculator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery
Vulnerability: Missing Authorization in pgc_sgb_action_wizard
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: Resize at Upload Plus
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Poll | Vote | Contest – Best Poll Plugin for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.8.7
Recommended Action: Update to version 4.8.7, or a newer patched version
Plugin: Namaste! LMS
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘accept_other_payment_methods’, ‘other_payment_methods’ Parameters
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Email Logs
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: When Last Login
Vulnerability: Cross-Site Request Forgery via wll_hide_subscription_notice
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: FareHarbor for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.6.7
Recommended Action: Update to version 3.6.7, or a newer patched version
Plugin: WP Clean Up
Vulnerability: Cross-Site Request Forgery via wp_clean_up_optimize
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Vulnerability: IP Spoofing via HTTP header
Patched Version: 6.1
Recommended Action: Update to version 6.1, or a newer patched version
Plugin: Cookie Notice & Compliance for GDPR / CCPA
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘cookies_revoke_shortcode’ Shortcode
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: menu shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cookie Notice & Compliance for GDPR / CCPA
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘cookies_policy_link’ Shortcodes
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: Manage Upload Limit
Vulnerability: Reflected Cross-Site Scripting via upload_limit
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CPO Content Types
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Leyka
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.30
Recommended Action: Update to version 3.30, or a newer patched version
Plugin: Easy Testimonial Slider and Form
Vulnerability: Unauthenticated Reflected Cross-Site Scripting via search_term
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in ‘paytium_sw_save_api_keys’
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: WP Translitera
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in ‘check_for_verified_profiles’
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: YASR – Yet Another Star Rating Plugin for WordPress
Vulnerability: Authenticated (Subscriber+) Cross-Site Scripting via Shortcodes
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: New Adman
Vulnerability: Cross-Site Request Forgery via plugin_menu
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
Vulnerability: Authenticated (Vendor+) SQL Injection
Patched Version: 3.7.13
Recommended Action: Update to version 3.7.13, or a newer patched version
Plugin: Yoast SEO
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 20.2.1
Recommended Action: Update to version 20.2.1, or a newer patched version
Plugin: Fontiran
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Classic Editor and Classic Widgets
Vulnerability: Cross-Site Request Forgery via render_settings_page
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: WP Dark Mode – WordPress Dark Mode Plugin for Improved Accessibility, Dark Theme, Night Mode, and Social Sharing
Vulnerability: Authenticated (Subscriber+) Local File Inclusion via ‘style’
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in ‘create_mollie_account’
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Event Espresso – Event Registration & Ticketing Sales
Vulnerability: Feature Bypass
Patched Version: 4.10.45.decaf
Recommended Action: Update to version 4.10.45.decaf, or a newer patched version
Plugin: New Adman
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elegant Custom Fonts
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: GTmetrix for WordPress
Vulnerability: Reflected Cross-Site Scripting via ‘url’
Patched Version: 0.4.6
Recommended Action: Update to version 0.4.6, or a newer patched version
Plugin: Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation
Vulnerability: Authenticated (Subscriber+) Sensitive Information Disclosure via Shortcode
Patched Version: 2.12.2
Recommended Action: Update to version 2.12.2, or a newer patched version
Plugin: CMP – Coming Soon & Maintenance Plugin by NiteoThemes
Vulnerability: Information Exposure
Patched Version: 4.1.7
Recommended Action: Update to version 4.1.7, or a newer patched version
Plugin: Calculated Fields Form
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.121
Recommended Action: Update to version 1.1.121, or a newer patched version
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in ‘paytium_notice_dismiss’
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Rife Elementor Extensions & Templates
Vulnerability: Missing Authorization via import_templates
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD
Vulnerability: Reflected Cross-Site Scripting via cart_search
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version
Plugin: JCH Optimize
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in ‘check_mollie_account_details’
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Search in Place
Vulnerability: Cross-Site Request Forgery to Feedback Submission
Patched Version: 1.0.105
Recommended Action: Update to version 1.0.105, or a newer patched version
Plugin: Sales Report Email for WooCommerce
Vulnerability: Missing Authorization for Email Functionality
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Admin CSS MU
Vulnerability: Server-Side Request Forgery
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Missing Authorization in ‘create_mollie_profile’
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version