Watch Out Wednesday – November 17, 2021

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Core: WordPress

Vulnerability: ca-bundle.crt contains expired certificate DST Root CA X3
Patched Version: 5.2.13
Recommended Action: Update to one of the following versions, or a newer patched version: 5.2.13, 5.3.10, 5.4.8, 5.5.7, 5.6.6, 5.7.4, 5.8.2

Plugin: Contact Form 7 Database Addon – CFDB7

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.6.1
Recommended Action: Update to version 1.2.6.1, or a newer patched version

Plugin: Inspirational Quote Rotator

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Featured Image (Auto Post Thumbnail)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: Meks Easy Photo Feed Widget

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: SportsPress – Sports Club & League Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.9
Recommended Action: Update to version 2.7.9, or a newer patched version

Plugin: Error Log Viewer by BestWebSoft

Vulnerability: Arbitrary File Deletion
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Booking Package

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.11
Recommended Action: Update to version 1.5.11, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Unauthenticated Blind SQL Injection via time Parameter
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: WP Reset Pro – Most Advanced WordPress Reset Tool

Vulnerability: Missing Authorization to Database Reset
Patched Version: 5.99
Recommended Action: Update to version 5.99, or a newer patched version

Plugin: Pixel Cat – Conversion Pixel Manager

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 7.0.6.2
Recommended Action: Update to version 7.0.6.2, or a newer patched version

Plugin: Pixel Cat – Conversion Pixel Manager

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: ToTop Link

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Modern Events Calendar Lite

Vulnerability: Reflected Cross-Site Scripting via current_month_divider parameter
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Contact Form 7 Database Addon – CFDB7

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.2.6.2
Recommended Action: Update to version 1.2.6.2, or a newer patched version

Plugin: Temporary Login Without Password

Vulnerability: Subscriber+ Plugin Settings Update
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Reset Pro – Most Advanced WordPress Reset Tool

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.99
Recommended Action: Update to version 5.99, or a newer patched version

Plugin: Like Button Rating ♥ LikeBtn

Vulnerability: Unauthorised Vote Export to Email & IP Addresses Disclosure
Patched Version: 2.6.38
Recommended Action: Update to version 2.6.38, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Single Post Exporter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 8.4.3
Recommended Action: Update to version 8.4.3, or a newer patched version

Plugin: All-in-One Video Gallery

Vulnerability: Admin+ Local File Inclusion
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Contact Form Email

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.25
Recommended Action: Update to version 1.3.25, or a newer patched version

Plugin: Mediamatic – Media Library Folders

Vulnerability: SQL Injection
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Contact Form Advanced Database

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO Booster

Vulnerability: Admin+ SQL Injection
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: User meta shortcodes

Vulnerability: Improper Access Control
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quotes Collection

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mortgage Calculator / Loan Calculator

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.17
Recommended Action: Update to version 1.5.17, or a newer patched version

Plugin: Push Notifications for WordPress (Lite)

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version

Plugin: Page/Post Content Shortcode

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Display Post Metadata

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: WordPress Popular Posts

Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 5.3.3
Recommended Action: Update to version 5.3.3, or a newer patched version

Plugin: WP Admin Logo Changer

Vulnerability: Plugin’s Settings Update via Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Improved Include Page

Vulnerability: Authenticated (Contributor+) Arbitrary Posts/Pages Access
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Flex Local Fonts

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Nofollow

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shiny Buttons – CSS3 Button Generator for WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Security Audit

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection

Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.67
Recommended Action: Update to version 6.67, or a newer patched version

Plugin: Caldera Forms – More Than Contact Forms

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version

Plugin: Wp Limits

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Reflected Cross-Site Scripting via ppress_cc_data Parameter
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Activity Log WinterLock

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.21
Recommended Action: Update to version 1.0.21, or a newer patched version

Plugin: Filter Portfolio Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
