Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Vulnerability: Authenticated Stored Cross-Site Scripting via FB Pixel ID and Google Analytics ID
Patched Version: 1.6.13
Recommended Action: Update to version 1.6.13, or a newer patched version

Plugin: Instant Images – One-click Image Uploads from Unsplash, Openverse, Pixabay, Pexels, and Giphy
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.4.0.1
Recommended Action: Update to version 4.4.0.1, or a newer patched version

Plugin: Registration | User Registration and Invitation Codes Plugin for WordPress
Vulnerability: PHP Object Injection
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Database Backup for WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting via backup_receipient Parameter
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Authenticated Stored Cross-Site Scripting via Gallery Title
Patched Version: 1.5.67
Recommended Action: Update to version 1.5.67, or a newer patched version

Plugin: WP Super Cache
Vulnerability: Authenticated Remote Code Execution
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Tradetracker-Store
Vulnerability: Authenticated SQL Injection
Patched Version: 4.6.60
Recommended Action: Update to version 4.6.60, or a newer patched version

Plugin: WooCommerce Amazon Pay
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Weekly Schedule
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: External Media
Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version

Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Vulnerability: Insecure Direct Object Reference
Patched Version: 4.21.2
Recommended Action: Update to version 4.21.2, or a newer patched version

Plugin: Hotscot Contact Form
Vulnerability: SQL Injection
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Related Posts for WordPress
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: WP Prayer
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.