Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins and, where relevant, WordPress core. This information helps you stay informed about current risks and take appropriate action to protect your website. By addressing these vulnerabilities promptly, you help preserve the safety and integrity of your WordPress site and its data.
Plugin: wpForo Forum
Vulnerability: Cross-Site Scripting via langid parameter
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: WTI Like Post
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Core: WordPress
Vulnerability: Authenticated (Author+) Cross-Site Scripting via File Uploads
Patched Version: 3.7.33
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.33, 3.8.33, 3.9.31, 4.0.30, 4.1.30, 4.2.27, 4.3.23, 4.4.22, 4.5.21, 4.6.18, 4.7.17, 4.8.13, 4.9.14, 5.0.9, 5.1.5, 5.2.6, 5.3.3, 5.4.1
Plugin: wpForo Forum
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 1.9.25
Recommended Action: Update to version 1.9.25, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting in the Block Editor
Patched Version: 3.7.33
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.33, 3.8.33, 3.9.31, 4.0.30, 4.1.30, 4.2.27, 4.3.23, 4.4.22, 4.5.21, 4.6.18, 4.7.17, 4.8.13, 4.9.14, 5.0.9, 5.1.5, 5.2.6, 5.3.3, 5.4.1
Plugin: Page Builder by SiteOrigin
Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 2.10.16
Recommended Action: Update to version 2.10.16, or a newer patched version
Core: WordPress
Vulnerability: Password Reset Link Non-Expiration
Patched Version: 3.7.33
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.33, 3.8.33, 3.9.31, 4.0.30, 4.1.30, 4.2.27, 4.3.23, 4.4.22, 4.5.21, 4.6.18, 4.7.17, 4.8.13, 4.9.14, 5.0.9, 5.1.5, 5.2.6, 5.3.3, 5.4.1
Core: WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.33
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.33, 3.8.33, 3.9.31, 4.0.30, 4.1.30, 4.2.27, 4.3.23, 4.4.22, 4.5.21, 4.6.18, 4.7.17, 4.8.13, 4.9.14, 5.0.9, 5.1.5, 5.2.6, 5.3.3, 5.4.1
Plugin: wpForo Forum
Vulnerability: Cross-Site Scripting via wpf-dw-td-value class
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Core: WordPress
Vulnerability: Authenticated Cross-Site Scripting via Customizer
Patched Version: 3.7.33
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.33, 3.8.33, 3.9.31, 4.0.30, 4.1.30, 4.2.27, 4.3.23, 4.4.22, 4.5.21, 4.6.18, 4.7.17, 4.8.13, 4.9.14, 5.0.9, 5.1.5, 5.2.6, 5.3.3, 5.4.1
Plugin: wpForo Forum
Vulnerability: Cross-Site Scripting via s parameter
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Core: WordPress
Vulnerability: Private Post Disclosure
Patched Version: 3.7.33
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.33, 3.8.33, 3.9.31, 4.0.30, 4.1.30, 4.2.27, 4.3.23, 4.4.22, 4.5.21, 4.6.18, 4.7.17, 4.8.13, 4.9.14, 5.0.9, 5.1.5, 5.2.6, 5.3.3, 5.4.1
Plugin: WooCommerce
Vulnerability: Unauthorized Post Meta Creation/Modification
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.