Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Simple Admin Language Change
Vulnerability: Authorization Bypass
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: UpdraftPlus: WP Backup & Migration Plugin
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6.59
Recommended Action: Update to version 1.6.59, or a newer patched version
Plugin: Product Slider for WooCommerce by PickPlugins
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.13.22
Recommended Action: Update to version 1.13.22, or a newer patched version
Plugin: Leads and Visitor Insights
Vulnerability: Authorization Bypass
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Missing Authorization
Patched Version: 4.6.5
Recommended Action: Update to version 4.6.5, or a newer patched version
Plugin: Product Filter by WBW
Vulnerability: Missing Authorization
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Hana Flv Player
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ship To eCourier
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: UltimateWoo – The Ultimate WooCommerce Plugin with Unlimited Usage
Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Leads and Visitor Insights
Vulnerability: Unauthenticated Arbitrary License Change
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: ReDi Restaurant Reservation
Vulnerability: Stored Cross-Site Scripting
Patched Version: 21.0426
Recommended Action: Update to version 21.0426, or a newer patched version
Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.21.1
Recommended Action: Update to version 4.21.1, or a newer patched version
Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.36.2
Recommended Action: Update to version 2.36.2, or a newer patched version
Plugin: DSGVO All in one for WP
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Vulnerability: Authenticated Code Injection
Patched Version: 4.1.0.2
Recommended Action: Update to version 4.1.0.2, or a newer patched version
Plugin: Zlick Paywall
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 4.6.5
Recommended Action: Update to version 4.6.5, or a newer patched version
Plugin: Autoptimize
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.20
Recommended Action: Update to version 2.1.20, or a newer patched version
Plugin: Wishlist and Compare for WooCommerce
Vulnerability: Authorization Bypass
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: Parcel Tracker eCourier
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Watcheezy Live chat plugin for WordPress
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version