Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: VK Blocks Pro
Vulnerability: Stored (Contributor+) Cross-Site Scripting in Post
Patched Version: 1.54.0
Recommended Action: Update to version 1.54.0, or a newer patched version
Plugin: Zero Spam for WordPress
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.4.5
Recommended Action: Update to version 5.4.5, or a newer patched version
Plugin: Post Snippets – Custom WordPress Code Snippets Customizer
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘snippet_content’
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, Point Rewards, Referral Points, Reward for Points, User Badges, and Gamification
Vulnerability: Missing Authorization
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: WPO365 | Mail Integration for Office 365 / Outlook
Vulnerability: Reflected Cross-Site Scripting via error_description
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: VK All in One Expansion Unit
Vulnerability: Stored (Contributor+) Cross-Site Scripting in CTA Post
Patched Version: 9.88.2.0
Recommended Action: Update to version 9.88.2.0, or a newer patched version
Plugin: WPPizza – A Restaurant Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.17.2
Recommended Action: Update to version 3.17.2, or a newer patched version
Plugin: Team Circle Image Slider With Lightbox
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.18
Recommended Action: Update to version 1.0.18, or a newer patched version
Plugin: Wise Chat
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version
Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via wpbe_update_page_field
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 6.1.0.0
Recommended Action: Update to version 6.1.0.0, or a newer patched version
Plugin: Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, Point Rewards, Referral Points, Reward for Points, User Badges, and Gamification
Vulnerability: Cross-Site Request Forgery to Settings Change
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Radio Station by netmix® – Manage and play your Show Schedule in WordPress!
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.32
Recommended Action: Update to version 7.32, or a newer patched version
Plugin: VK All in One Expansion Unit
Vulnerability: Stored (Contributor+) Cross-Site Scripting in Profile Setting
Patched Version: 9.88.2.0
Recommended Action: Update to version 9.88.2.0, or a newer patched version
Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Vulnerability: Unauthenticated Insecure Direct Object Reference to Arbitrary User Password Change
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version
Plugin: Easy Hide Login
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: UserAgent-Spy
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Appointments
Vulnerability: Cross-Site Request Forgery via multiple AJAX actions
Patched Version: 3.11.10
Recommended Action: Update to version 3.11.10, or a newer patched version
Plugin: WP Abstracts
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: Hide My WP Ghost – Security & Firewall
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: 5.0.20
Recommended Action: Update to version 5.0.20, or a newer patched version
Plugin: wordpress vertical image slider plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version
Plugin: Spiffy Calendar
Vulnerability: Reflected Cross-Site Scripting via page parameter
Patched Version: 4.9.4
Recommended Action: Update to version 4.9.4, or a newer patched version
Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Vulnerability: Missing Authorization to Settings Modification
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: Missing Authorization
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: Web Stories
Vulnerability: Insufficient Authorization
Patched Version: 1.32.0
Recommended Action: Update to version 1.32.0, or a newer patched version
Plugin: Restaurant Menu – Food Ordering System – Table Reservation
Vulnerability: Ordering
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version
Plugin: SALERT – Fake Sales Notification WooCommerce
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.14.2
Recommended Action: Update to version 7.14.2, or a newer patched version
Plugin: My WP Customize Admin/Frontend
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.21.1
Recommended Action: Update to version 1.21.1, or a newer patched version
Plugin: Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version
Plugin: Multi Rating
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: OSM – OpenStreetMap
Vulnerability: OpenStreetMap <= 6.0.5
Patched Version: 6.0.6
Recommended Action: Update to version 6.0.6, or a newer patched version
Plugin: Easy Hide Login
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: Easy Form by AYS – Form Builder Plugin for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: DX Delete Attached Media
Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: TK Google Fonts GDPR Compliant
Vulnerability: Authorization Bypass
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version
Plugin: Yoast SEO: Local
Vulnerability: Cross-Site Request Forgery
Patched Version: 14.9
Recommended Action: Update to version 14.9, or a newer patched version
Plugin: Multi Rating
Vulnerability: Cross-Site Request Forgery to Arbitrary Ratings Value Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Library Viewer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.6.1
Recommended Action: Update to version 2.0.6.1, or a newer patched version
Plugin: Snow Monkey Forms
Vulnerability: Directory Traversal via ‘view’ REST endpoint
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version
Plugin: Manager for Icomoon
Vulnerability: Unauthenticated Arbitrary File Upload via ‘upload’
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Manager for Icomoon
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization
Vulnerability: Cross-Site Request Forgery via shortpixel_ai_handle_page_action
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version
Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Vulnerability: Cross-Site Request Forgery to Settings Modification
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: FV Flowplayer Video Player
Vulnerability: Reflected Cross-Site Scripting via id
Patched Version: 7.5.35.7212
Recommended Action: Update to version 7.5.35.7212, or a newer patched version
Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional
Vulnerability: Cross-Site Request Forgery via wpbe_update_page_field
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: Participants Database
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Participants Database
Vulnerability: Cross-Site Request Forgery via _process_general
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: GTmetrix for WordPress
Vulnerability: Reflected Cross-Site Scripting via ‘report_id’ and ‘event_id’
Patched Version: 0.4.7
Recommended Action: Update to version 0.4.7, or a newer patched version
Plugin: Library Viewer
Vulnerability: Open Redirect via ‘redirect_to’
Patched Version: 2.0.6.1
Recommended Action: Update to version 2.0.6.1, or a newer patched version
Plugin: Albo Pretorio On line
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.4
Recommended Action: Update to version 4.6.4, or a newer patched version
Plugin: Yoast SEO: Local
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 14.9
Recommended Action: Update to version 14.9, or a newer patched version
Plugin: Hostel
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Manage Bookings
Patched Version: 1.1.5.2
Recommended Action: Update to version 1.1.5.2, or a newer patched version
Plugin: Download Manager
Vulnerability: Insufficient Authorization to Information Disclosure
Patched Version: 3.2.71
Recommended Action: Update to version 3.2.71, or a newer patched version
Plugin: Pro Mime Types – Manage file media types
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: TP Education
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcodes
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: Yoast SEO Premium
Vulnerability: Missing Authorization to Zapier Key Reset
Patched Version: 20.5
Recommended Action: Update to version 20.5, or a newer patched version
Plugin: SALERT – Fake Sales Notification WooCommerce
Vulnerability: Missing Authorization via salert_save_settings_with_ajax()
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Zero Spam for WordPress
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.4.5
Recommended Action: Update to version 5.4.5, or a newer patched version
Plugin: Photo Gallery by Ays – Responsive Image Gallery
Vulnerability: Reflected Cross-Site Scripting via ays_gpg_settings_tab
Patched Version: 5.1.4
Recommended Action: Update to version 5.1.4, or a newer patched version
Plugin: QuBot – Chatbot Builder with Templates
Vulnerability: Unauthenticated Self-Based Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Contact Form 7 extension for Google Map fields
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version
Plugin: WP Responsive Tabs horizontal vertical and accordion Tabs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version
Plugin: VK Blocks Pro
Vulnerability: Stored (Contributor+) Cross-Site Scripting in Tag Edit
Patched Version: 1.54.0
Recommended Action: Update to version 1.54.0, or a newer patched version
Plugin: Albo Pretorio On line
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.4
Recommended Action: Update to version 4.6.4, or a newer patched version
Plugin: Advanced Custom Fields (ACF)
Vulnerability: Reflected Cross-Site Scripting via ‘post_status’
Patched Version: 5.12.6
Recommended Action: Update to one of the following versions, or a newer patched version: 5.12.6, 6.1.6
Plugin: Ultimate Addons for Contact Form 7
Vulnerability: Unauthenticated SQL Injection via form_id
Patched Version: 3.1.24
Recommended Action: Update to version 3.1.24, or a newer patched version
Plugin: Multi Rating
Vulnerability: Missing Authorization to Arbitrary Ratings Value Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pro Mime Types – Manage file media types
Vulnerability: Manage file media types <= 1.0.7
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: MW WP Form
Vulnerability: Directory Traversal via _file_upload
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version
Plugin: Block Referer Spam
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.9.5
Recommended Action: Update to version 1.1.9.5, or a newer patched version
Plugin: CM WordPress Search And Replace Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: CM Pop-Up Banners for WordPress
Vulnerability: Authenticated (Subscriber+) SQL Injection via getStatistics
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.