Watch Out Wednesday – November 1, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: VK Filter Search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Image vertical reel scroll slideshow

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 9.1
Recommended Action: Update to version 9.1, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Comment Uploaded Image Filename
Patched Version: 7.6.12
Recommended Action: Update to version 7.6.12, or a newer patched version

Plugin: Jquery accordion slideshow

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version

Plugin: Image horizontal reel scroll slideshow

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 13.3
Recommended Action: Update to version 13.3, or a newer patched version

Plugin: Admin and Site Enhancements (ASE)

Vulnerability: Password Protection Mode Security Feature Bypass
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version

Plugin: Up down image slideshow gallery

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 12.1
Recommended Action: Update to version 12.1, or a newer patched version

Plugin: Custom Header Images

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Simple Galleries

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Lead Deletion
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: HTML filter and csv-file search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: kk Star Ratings – Rate Post & Collect User Feedbacks

Vulnerability: Missing Authorization
Patched Version: 5.4.6
Recommended Action: Update to version 5.4.6, or a newer patched version

Plugin: gAppointments – Appointment booking addon for Gravity Forms

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Customer Reviews

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 3.6.7
Recommended Action: Update to version 3.6.7, or a newer patched version

Plugin: Google Maps made Simple

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Simple HTML Sitemap

Vulnerability: Reflected Cross-Site Scripting via id
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Login Screen Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SAHU TikTok Pixel for E-Commerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bonus for Woo

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8.3
Recommended Action: Update to version 5.8.3, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery to Stripe Integration Deletion
Patched Version: 2.33.4
Recommended Action: Update to version 2.33.4, or a newer patched version

Plugin: Autolinks Manager – SEO Auto Linker

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.05
Recommended Action: Update to version 1.10.05, or a newer patched version

Plugin: Blog Grid & Post Grid – Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry, Category Post Grid By News & Blog Designer Pack

Vulnerability: Unauthenticated Remote Code Execution via Local File Inclusion
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Auto Excerpt everywhere

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Animated Counters

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: EasyRecipe

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: IdeaPush

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.53
Recommended Action: Update to version 8.53, or a newer patched version

Plugin: WP Hotel Booking

Vulnerability: Insufficient Authorization to Unauthorized Post Deletion
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Admin Bar & Dashboard Access Control

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Superb slideshow gallery

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 13.2
Recommended Action: Update to version 13.2, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Missing Authorization via handleBeforeGateway
Patched Version: 2.33.2
Recommended Action: Update to version 2.33.2, or a newer patched version

Plugin: Jquery news ticker

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: PubyDoc – Data Tables and Charts

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Meta and Date Remover

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via settings
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Linker – URL shortener & track outbound link clicks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: FareHarbor for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version

Plugin: Shortcode Menu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Medialist

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Remove Add to Cart WooCommerce

Vulnerability: Cross-Site Request Forgery to Settings Modification
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: The Plus Addons for Elementor Page Builder

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 5.2.9
Recommended Action: Update to version 5.2.9, or a newer patched version

Plugin: Bellows Accordion Menu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Wp photo text slider 50

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 8.1
Recommended Action: Update to version 8.1, or a newer patched version

Plugin: Wp anything slider

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 9.2
Recommended Action: Update to version 9.2, or a newer patched version

Plugin: Slick Popup: Contact Form 7 Popup Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.15
Recommended Action: Update to version 1.7.15, or a newer patched version

Plugin: Ads by datafeedr.com

Vulnerability: Unauthenticated (Limited) Remote Code Execution
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: CloudNet360

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Word Count

Vulnerability: Missing Authorization via calculate_statistics
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Post Popup

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Protection Bypass of Renamed Login Page via URL Encoding
Patched Version: 5.2.5
Recommended Action: Update to version 5.2.5, or a newer patched version

Plugin: Information Reel

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 10.1
Recommended Action: Update to version 10.1, or a newer patched version

Plugin: User Avatar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version

Plugin: Left right image slideshow gallery

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 12.1
Recommended Action: Update to version 12.1, or a newer patched version

Plugin: Article analytics

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Generate Dummy Posts

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.27.0
Recommended Action: Update to version 1.27.0, or a newer patched version

Plugin: Finale Lite – Sales Countdown Timer & Discount for WooCommerce

Vulnerability: Missing Authorization to Content Deletion
Patched Version: 2.17.0
Recommended Action: Update to version 2.17.0, or a newer patched version

Plugin: Export WP Page to Static HTML/CSS

Vulnerability: Cross-Site Request Forgery via Multiple AJAX Actions
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: My Shortcodes

Vulnerability: Missing Authorization via Multiple AJAX Actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ni WooCommerce Sales Report

Vulnerability: Missing Authorization via ajax_sales_order
Patched Version: 3.7.4
Recommended Action: Update to version 3.7.4, or a newer patched version

Plugin: wp image slideshow

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 12.1
Recommended Action: Update to version 12.1, or a newer patched version

Plugin: YITH WooCommerce Product Add-Ons

Vulnerability: Missing Authorization
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: iframe forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via iframe Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PHP to Page

Vulnerability: Authenticated (Subscriber+) Local File Inclusion to Remote Code Execution via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Unauthenticated Login Page Disclosure
Patched Version: 9.0.1
Recommended Action: Update to version 9.0.1, or a newer patched version

Plugin: Magic Embeds

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: WP EXtra

Vulnerability: Missing Authorization to Arbitrary Email Sending
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version

Plugin: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More

Vulnerability: Store Exporter <= 2.7.2
Patched Version: 2.7.2.1
Recommended Action: Update to version 2.7.2.1, or a newer patched version

Plugin: Parcel Pro

Vulnerability: Open Redirect via ‘redirect’
Patched Version: 1.6.12
Recommended Action: Update to version 1.6.12, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Improper Server-Side Checks to Booking Payment Bypass
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: WooODT Lite – Delivery & pickup date time location for WooCommerce

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: Seraphinite Accelerator

Vulnerability: Arbitrary Redirect via ‘redir’
Patched Version: 2.20.29
Recommended Action: Update to version 2.20.29, or a newer patched version

Plugin: Seraphinite Accelerator

Vulnerability: Reflected Cross-Site Scripting via ‘rt’
Patched Version: 2.20.29
Recommended Action: Update to version 2.20.29, or a newer patched version

Plugin: ImageLinks Interactive Image Builder for WordPress

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Simple Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Grid Plus – Unlimited grid layout

Vulnerability: Authenticated (Subscriber+) Local File Inclusion via Shortcode
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: WP CTA – Call To Action Plugin, Sticky CTA, Floating Buttons, Floating Tab Plugin

Vulnerability: Missing Authorization via Multiple AJAX Actions
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.12.2
Recommended Action: Update to version 1.12.2, or a newer patched version

Plugin: Accordion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: WDSocialWidgets

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Related Products for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.16
Recommended Action: Update to version 3.3.16, or a newer patched version

Plugin: Original texts Yandex WebMaster

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Knowledge base & Documentation Plugin – WP Knowledgebase

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Contact Forms by Cimatti

Vulnerability: Cross-Site Request Forgery via accua_forms_list_page_table
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Live updates from Excel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: idbbee

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login | Login Page | Login Logo | Rename Login Page | Custom Login Page | Temporary Users | Rebrand Login | Login Captcha

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WP fade in text news

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 12.1
Recommended Action: Update to version 12.1, or a newer patched version

Plugin: FLOWFACT WP Connector

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GD Security Headers

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: DeepL API translation plugin

Vulnerability: Cross-Site Request Forgery via wpdeepl_prune_logs
Patched Version: 2.4.1.2
Recommended Action: Update to version 2.4.1.2, or a newer patched version

Plugin: LogDash Activity Log

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.7.9
Recommended Action: Update to version 3.7.9, or a newer patched version

Plugin: Thumbnail carousel slider

Vulnerability: Cross-Site Request Forgery to Mass Slider Deletion
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Buzzsprout Podcasting

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version

Plugin: Weather Atlas Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WP Hotel Booking

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Simple User Listing

Vulnerability: Reflected Cross-Site Scripting via as
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Popup with fancybox

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.2.12
Recommended Action: Update to version 3.2.12, or a newer patched version

Plugin: WPPizza – A Restaurant Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.18.3
Recommended Action: Update to version 3.18.3, or a newer patched version

Plugin: Vertical marquee plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 7.2
Recommended Action: Update to version 7.2, or a newer patched version

Plugin: Message ticker

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version

Plugin: Five Star Restaurant Menu and Food Ordering

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.4.11
Recommended Action: Update to version 2.4.11, or a newer patched version

Plugin: Seraphinite Accelerator

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.20.32
Recommended Action: Update to version 2.20.32, or a newer patched version

Plugin: Grid Plus – Unlimited grid layout

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Grid Layout Add/Update/Delete
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Fathom Analytics for WP

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: WCP OpenWeather

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Meta Data Manager

Vulnerability: Missing Authorization to User, Term, and Post Meta Deletion
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Current Menu Item for Custom Post Types

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Post Meta Data Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery to plugin installation
Patched Version: 2.33.4
Recommended Action: Update to version 2.33.4, or a newer patched version

Plugin: Category SEO Meta Tags

Vulnerability: Cross-Site Request Forgery via csmt_admin_options
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery to plugin deactivation
Patched Version: 2.33.4
Recommended Action: Update to version 2.33.4, or a newer patched version

Plugin: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer

Vulnerability: Unauthenticated Arbitrary Option Deletion
Patched Version: 2.24.18
Recommended Action: Update to version 2.24.18, or a newer patched version

Plugin: Thumbnail Slider With Lightbox

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Alter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pre-Orders for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.14
Recommended Action: Update to version 1.2.14, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Task Data
Patched Version: 2.7.11.11
Recommended Action: Update to version 2.7.11.11, or a newer patched version

Plugin: HTML filter and csv-file search

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Shortcode
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: Product Recommendation Quiz for eCommerce

Vulnerability: Missing Authorization in prq_set_token
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: ICS Calendar

Vulnerability: Authenticated (Contributor+) Arbitrary File Read and Server-Side Request Forgery
Patched Version: 10.12.0.3
Recommended Action: Update to version 10.12.0.3, or a newer patched version

Plugin: Deeper Comments

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mail logging – WP Mail Catcher

Vulnerability: WP Mail Catcher <= 2.1.3
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Neon text

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: WP Glossary

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom My Account for Woocommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Limit Posts Reloaded

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.