Watch Out Wednesday – May 18, 2022

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins so you can check your own installs and act before they are exploited. For each entry, the patched version listed is the earliest release that fixes the issue; running that version or any newer release closes the hole. Where no patched version exists, treat the plugin as unpatched: review the vulnerability details, weigh the risk for your site, and consider removing the plugin until a fix ships.

Plugin: WP Simple Adsense Insertion

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Database Backup for WordPress

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Drag & Drop Builder, Human Face Detector, Pre-built Templates, Spam Protection, User Email Notifications & more!

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.9.4
Recommended Action: Update to version 1.4.9.4, or a newer patched version

Plugin: Throws SPAM Away

Vulnerability: Cross-Site Request Forgery to Comment Modification
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Loginizer

Vulnerability: Reflected Cross-Site Scripting via ‘name’
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: LiveSync for WordPress

Vulnerability: Cross-Site Request Forgery to Arbitrary Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Files Download Delay

Vulnerability: Missing Authorization to Settings Reset
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Useful Banner Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iQ Block Country

Vulnerability: Protection Bypass due to IP Spoofing
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version

Plugin: Reviews Block for Google

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Advanced Admin Search

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Donations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress File Upload

Vulnerability: Cross-Site Scripting
Patched Version: 4.16.4
Recommended Action: Update to version 4.16.4, or a newer patched version

Plugin: GTM4WP – A Google Tag Manager (GTM) plugin for WordPress

Vulnerability: Cross-Site Scripting via Cloudflare Country Code
Patched Version: 1.15.1
Recommended Action: Update to version 1.15.1, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Social Proof Popups & Real-Time Notifications – Herd Effects

Vulnerability: Local File Inclusion
Patched Version: 5.2.1
Recommended Action: Update to version 5.2.1, or a newer patched version

Plugin: Video Slider – Slider Carousel

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: Hot Linked Image Cacher

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPify Woo Czech

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.7
Recommended Action: Update to version 3.5.7, or a newer patched version

Plugin: Quick Restaurant Reservations

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: WooCommerce Green Wallet Gateway

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: FiboSearch – Ajax Search for WooCommerce

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.17.0
Recommended Action: Update to version 1.17.0, or a newer patched version

Plugin: User Meta – User Profile Builder and User management plugin

Vulnerability: Path Traversal
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: RSVPMaker

Vulnerability: Unauthenticated SQL Injection
Patched Version: 9.3.3
Recommended Action: Update to version 9.3.3, or a newer patched version

Plugin: FormCraft – Form Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: FundEngine – Donation and Crowdfunding Platform

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: WP Athletics

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Keyword Rank Tracker

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site

Vulnerability: Authenticated Local File Inclusion
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Bestbooks

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Athletics

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Enqueue Anything

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 13.2.2
Recommended Action: Update to version 13.2.2, or a newer patched version

Plugin: Insert Special Characters

Vulnerability: Regular Expression Denial of Service (ReDoS)
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Hover Effects – easily create any hover effect

Vulnerability: Authenticated Local File Inclusion
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: //// WP BORN BABIES PLUGIN ///

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All in One Invite Codes

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.15
Recommended Action: Update to version 1.0.15, or a newer patched version
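The advice above boils down to one check per plugin: is the installed version at or above the patched version, and does a patched version exist at all? The following script is an added example, not part of the original post, that runs that check over a plugin inventory. It assumes the inventory is the list you get from `json.loads()` of `wp plugin list --fields=title,version,status --format=json`, and it matches plugins on their display title as written in the list above; a real deployment should map titles to plugin slugs, since directory names and plugin headers do not always agree. The sample inventory is constructed for illustration.

```python
"""Check a WP-CLI plugin inventory against this week's advisory list.

Added example (not from the original post). Assumes the inventory is the
parsed JSON of `wp plugin list --fields=title,version,status --format=json`
and that plugins can be matched on display title; map to slugs in practice.
"""

# Transcribed from the list above: display title -> earliest patched version.
# None means no patched version was available when the post was published.
ADVISORIES = {
    "WP Simple Adsense Insertion": "2.1",
    "Database Backup for WordPress": "2.5.2",
    "Drag & Drop Builder, Human Face Detector, Pre-built Templates, Spam Protection, User Email Notifications & more!": "1.4.9.4",
    "Throws SPAM Away": "3.3.1",
    "Loginizer": "1.7.6",
    "LiveSync for WordPress": None,
    "Files Download Delay": "1.0.7",
    "Useful Banner Manager": None,
    "iQ Block Country": "1.2.17",
    "Reviews Block for Google": "2.0.0",
    "Advanced Admin Search": "1.1.6",
    "Donations": None,
    "WordPress File Upload": "4.16.4",
    "GTM4WP – A Google Tag Manager (GTM) plugin for WordPress": "1.15.1",
    "Photo Gallery by 10Web – Mobile-Friendly Image Gallery": "1.6.4",
    "Social Proof Popups & Real-Time Notifications – Herd Effects": "5.2.1",
    "Video Slider – Slider Carousel": "1.4.8",
    "Hot Linked Image Cacher": None,
    "WPify Woo Czech": "3.5.7",
    "Quick Restaurant Reservations": "1.4.2",
    "WooCommerce Green Wallet Gateway": "1.0.2",
    "FiboSearch – Ajax Search for WooCommerce": "1.17.0",
    "User Meta – User Profile Builder and User management plugin": "2.4.4",
    "RSVPMaker": "9.3.3",
    "FormCraft – Form Builder": "1.2.6",
    "FundEngine – Donation and Crowdfunding Platform": "1.5.0",
    "WP Athletics": None,
    "Keyword Rank Tracker": "1.0.8",
    "Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site": "1.2",
    "Bestbooks": None,
    "Enqueue Anything": None,
    "WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin": "13.2.2",
    "Insert Special Characters": "1.0.5",
    "Hover Effects – easily create any hover effect": "2.1.1",
    "//// WP BORN BABIES PLUGIN ///": None,
    "All in One Invite Codes": "1.0.15",
}


def version_tuple(v):
    """Split a dotted version into integers; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def compare_versions(a, b):
    """Comparator returning -1, 0 or 1. Pads to equal length so that
    2.1 == 2.1.0, which plain tuple comparison would get wrong."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def assess(inventory, advisories=ADVISORIES):
    """Return {title: verdict} for every installed plugin on the advisory list.
    Inactive plugins are still reported: their files stay on disk and reachable."""
    verdicts = {}
    for plugin in inventory:
        title = plugin["title"]
        if title not in advisories:
            continue
        patched = advisories[title]
        if patched is None:
            verdicts[title] = "unpatched: no fixed version, consider removing"
        elif compare_versions(plugin["version"], patched) < 0:
            verdicts[title] = f"vulnerable: {plugin['version']} < {patched}, update"
        else:
            verdicts[title] = f"ok: {plugin['version']} >= {patched}"
    return verdicts


# Constructed sample standing in for parsed `wp plugin list` output.
SAMPLE_INVENTORY = [
    {"title": "Loginizer", "version": "1.7.5", "status": "active"},
    {"title": "RSVPMaker", "version": "9.3.3", "status": "active"},
    {"title": "Bestbooks", "version": "1.0", "status": "inactive"},
    {"title": "Hello Dolly", "version": "1.7.2", "status": "active"},
]

if __name__ == "__main__":
    for title, verdict in assess(SAMPLE_INVENTORY).items():
        print(f"{title}: {verdict}")
```

The version comparison is the part worth getting right: a naive string or tuple comparison will rank 1.4.9.4 above 1.4.10, or treat 2.1 as older than 2.1.0. The script also deliberately does not skip plugins whose status is inactive; deactivating a plugin leaves its PHP files on disk and web-reachable, so for an unpatched entry the safe action is removal, as the post recommends.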

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
