Watch Out Wednesday – May 12, 2021

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Simple Admin Language Change

Vulnerability: Authorization Bypass
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6.59
Recommended Action: Update to version 1.6.59, or a newer patched version

Plugin: Product Slider for WooCommerce by PickPlugins

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.13.22
Recommended Action: Update to version 1.13.22, or a newer patched version

Plugin: Leads and Visitor Insights

Vulnerability: Authorization Bypass
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Missing Authorization
Patched Version: 4.6.5
Recommended Action: Update to version 4.6.5, or a newer patched version

Plugin: Product Filter by WBW

Vulnerability: Missing Authorization
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Hana Flv Player

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ship To eCourier

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: UltimateWoo – The Ultimate WooCommerce Plugin with Unlimited Usage

Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leads and Visitor Insights

Vulnerability: Unauthenticated Arbitrary License Change
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: ReDi Restaurant Reservation

Vulnerability: Stored Cross-Site Scripting
Patched Version: 21.0426
Recommended Action: Update to version 21.0426, or a newer patched version

Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.21.1
Recommended Action: Update to version 4.21.1, or a newer patched version

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.36.2
Recommended Action: Update to version 2.36.2, or a newer patched version

Plugin: DSGVO All in one for WP

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Authenticated Code Injection
Patched Version: 4.1.0.2
Recommended Action: Update to version 4.1.0.2, or a newer patched version

Plugin: Zlick Paywall

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 4.6.5
Recommended Action: Update to version 4.6.5, or a newer patched version

Plugin: Autoptimize

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.20
Recommended Action: Update to version 2.1.20, or a newer patched version

Plugin: Wishlist and Compare for WooCommerce

Vulnerability: Authorization Bypass
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Parcel Tracker eCourier

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Watcheezy Live chat plugin for WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
