Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Cross-Site Request Forgery via process_bulk_activate_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Cross-Site Request Forgery via process_duplicate_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version
Plugin: WordPress NextGen GalleryView
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UTM Tracker
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chilexpress woo oficial
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Login | Login Page | Login Logo | Rename Login Page | Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
Vulnerability: 1.1.1
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Cross-Site Request Forgery via process_deactivate_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version
Plugin: User Activity Log
Vulnerability: Authenticated (Administrator+) SQL Injection via txtsearch
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Interactive Image Map Plugin – Draw Attention
Vulnerability: Missing Authorization to Arbitrary Post Featured Image Modification
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version
Plugin: LH Password Changer
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Download Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.11.1
Recommended Action: Update to version 2.7.11.1, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Authenticated (Student+) SQL Injection
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Woocommerce Order address Print
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Headless CMS
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Google Map Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: QueryWall: Plug'n Play Firewall
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Recently Viewed Products
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: bbp style pack
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.6
Recommended Action: Update to version 5.5.6, or a newer patched version
Plugin: This Day In History
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Google Maps
Vulnerability: Cross-Site Request Forgery via AJAX action
Patched Version: 1.11.8
Recommended Action: Update to version 1.11.8, or a newer patched version
Plugin: Download Theme
Vulnerability: Cross-Site Request Forgery via dtwap_download()
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: WP Tiles
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rename Media Files: Improve Your WordPress SEO
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version
Plugin: Unite Gallery Lite
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.62
Recommended Action: Update to version 1.7.62, or a newer patched version
Plugin: Conditional Menus
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Video Contest WordPress Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Favorites
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: Blog-in-Blog
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: OAuth Single Sign On – SSO (OAuth Client)
Vulnerability: Missing Authorization
Patched Version: 6.23.4
Recommended Action: Update to version 6.23.4, or a newer patched version
Plugin: Login | Login Page | Login Logo | Rename Login Page | Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
Vulnerability: 1.1.1
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.13.52
Recommended Action: Update to version 7.13.52, or a newer patched version
Plugin: Disable WordPress Update Notifications and auto-update Email Notifications
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: Telegram Bot & Channel
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version
Plugin: Display post meta, term meta, comment meta, and user meta
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Cirrus
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Flickr Justified Gallery
Vulnerability: Cross-Site Request Forgery via fjgwpp_settings()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Worthy – VG WORT Integration für WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.0-0cde1c2
Recommended Action: Update to version 1.7.0-0cde1c2, or a newer patched version
Plugin: SlideOnline
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SKU Label Changer For WooCommerce
Vulnerability: Missing Authorization
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Authenticated (Tutor Instructor+) SQL Injection
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Wordapp
Vulnerability: Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Call Now Icon Animate
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Video Contest WordPress Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Directory Kit
Vulnerability: Unauthenticated Local File Inclusion via wdk_public_action
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Nested Pages
Vulnerability: Missing Authorization to Authenticated (Editor+) Plugin Settings Reset
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: WP Report Post
Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Product Categories Selection Widget
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BBS e-Popup
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: IP Metaboxes
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Google Fonts For WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Cross-Site Request Forgery to Form Duplication
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional
Vulnerability: Cross-Site Request Forgery via create_profile
Patched Version: 1.0.7.1
Recommended Action: Update to version 1.0.7.1, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5.6
Recommended Action: Update to version 4.5.6, or a newer patched version
Plugin: Jetpack – WP Security, Backup, Speed, & Growth
Vulnerability: Authenticated (Author+) Arbitrary File Manipulation
Patched Version: 10.0.1
Recommended Action: Update to one of the following versions, or a newer patched version: 2.0.9, 2.1.7, 2.2.10, 2.3.10, 2.4.7, 2.5.5, 2.6.6, 2.7.5, 2.8.5, 2.9.6, 3.0.6, 3.1.5, 3.2.5, 3.3.6, 3.4.6, 3.5.6, 3.6.4, 3.7.5, 3.8.5, 3.9.9, 4.0.6, 4.1.3, 4.2.4, 4.3.4, 4.4.4, 4.5.2, 4.6.2, 4.7.3, 4.8.4, 4.9.2, 5.0.2, 5.1.3, 5.2.4, 5.3.3, 5.4.3, 5.5.4, 5.6.4, 5.7.4, 5.8.3, 5.9.3, 6.0.3, 6.1.4, 6.2.4, 6.3.6, 6.4.5, 6.5.3, 6.6.4, 6.7.3, 6.8.4, 6.9.3, 7.0.4, 7.1.4, 7.2.4, 7.3.4, 7.4.4, 7.5.6, 7.6.3, 7.7.5, 7.8.3, 7.9.3, 8.0.2, 8.1.3, 8.2.5, 8.3.2, 8.4.4, 8.5.2, 8.6.3, 8.7.3, 8.8.4, 8.9.3, 9.0.4, 9.1.2, 9.2.3, 9.3.4, 9.4.3, 9.5.4, 9.6.3, 9.7.2, 9.8.2, 9.9.2, 10.0.1, 10.1.1, 10.2.2, 10.3.1, 10.4.1, 10.5.2, 10.6.2, 10.7.1, 10.8.1, 10.9.2, 11.0.1, 11.1.3, 11.2.1, 11.3.3, 11.4.1, 11.5.2, 11.6.1, 11.7.2, 11.8.5, 11.9.2, 12.0.1, 12.1.1
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Download Monitor
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 4.8.2
Recommended Action: Update to version 4.8.2, or a newer patched version
Plugin: WP Custom Cursors | WordPress Cursor Plugin
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Cross-Site Request Forgery via process_bulk_deactivate_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.6
Recommended Action: Update to version 6.4.6, or a newer patched version
Plugin: Product Vendors
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.77
Recommended Action: Update to version 2.1.77, or a newer patched version
Plugin: Button Generator – easily Button Builder
Vulnerability: Cross-Site Request Forgery in tools-data-base.php
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version
Plugin: Login | Login Page | Login Logo | Rename Login Page | Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
Vulnerability: 1.1.1
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Cross-Site Request Forgery via process_bulk_delete_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.7.11.1
Recommended Action: Update to version 2.7.11.1, or a newer patched version
Plugin: Login Configurator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Cross-Site Request Forgery via process_delete_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version
Plugin: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Vulnerability: Cross-Site Request Forgery via update_automator_connect
Patched Version: 4.15
Recommended Action: Update to version 4.15, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: Yoast SEO: Local
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 15.0
Recommended Action: Update to version 15.0, or a newer patched version
Plugin: WebToffee WP Backup and Migration
Vulnerability: Missing Authorization via wt_delete_schedule
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: Responsive Tabs For WPBakery Page Builder (formerly Visual Composer)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Blog-in-Blog
Vulnerability: Authenticated (Editor+) Local File Inclusion via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bulk Order Form for WooCommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: Gravity Forms
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: Woocommerce Follow-ups
Vulnerability: Authenticated (Follow-up emails manager+) SQL Injection
Patched Version: 4.9.51
Recommended Action: Update to version 4.9.51, or a newer patched version
Plugin: CRM Perks Forms – WordPress Form Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Product Gallery Slider, Additional Variation Images for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version
Plugin: Product Vendors
Vulnerability: Authenticated (Vendor admin+) SQL Injection
Patched Version: 2.1.77
Recommended Action: Update to version 2.1.77, or a newer patched version
Plugin: Easy Google Maps
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.11.8
Recommended Action: Update to version 1.11.8, or a newer patched version
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Authentication Bypass
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version
Plugin: Portfolio Gallery – Photo Gallery
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: JetFormBuilder — Dynamic Blocks Form Builder
Vulnerability: Cross-Site Request Forgery via ‘do_admin_action’
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: IP Metaboxes
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Upload Resume
Vulnerability: Captcha Bypass via resume_upload_form
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.