Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Directory Listings WordPress plugin – uListing
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms
Vulnerability: Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Vulnerability: Subscriber+ SQL Injection
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Download Monitor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version
Plugin: Stylish Cost Calculator – Quote Generator, Lead Gen & Price Estimator
Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.0.4
Recommended Action: Update to version 7.0.4, or a newer patched version
Plugin: Ivory Search – WordPress Search Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version
Plugin: Download Monitor
Vulnerability: Authenticated (Admin+) Arbitrary File Download
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version
Plugin: Hotel Listings
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Easy Google Maps
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.10.1
Recommended Action: Update to version 1.10.1, or a newer patched version
Plugin: Ibtana – Ecommerce Product Addons
Vulnerability: Ecommerce Product Addons <= 0.2.3
Patched Version: 0.2.4
Recommended Action: Update to version 0.2.4, or a newer patched version
Plugin: Contact Form by Supsystic
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.20
Recommended Action: Update to version 1.7.20, or a newer patched version
Plugin: Download Monitor
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version
Plugin: Smash Balloon Social Post Feed – Simple Social Feeds for WordPress
Vulnerability: Arbitrary Plugin Settings Update to Stored Cross-Site Scripting
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated Email Address Disclosure
Patched Version: 13.1.0.7
Recommended Action: Update to version 13.1.0.7, or a newer patched version
Plugin: Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation
Vulnerability: Unprotected REST-API Endpoints
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version
Plugin: BSK PDF Manager
Vulnerability: Admin+ SQL Injection
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Shop Page WP
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Email Tracker – Email Tracking Plugin to track Emails for Open and Email Links Click (Compatible with WooCommerce)
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.7
Recommended Action: Update to version 5.2.7, or a newer patched version
Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.19.2
Recommended Action: Update to version 4.19.2, or a newer patched version
Plugin: Registrations for the Events Calendar – Event Registration Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version
Plugin: My Calendar – Accessible Event Manager
Vulnerability: Subscriber+ Reflected Cross-Site Scripting
Patched Version: 3.2.18
Recommended Action: Update to version 3.2.18, or a newer patched version
Plugin: Import any XML, CSV or Excel File to WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version
Plugin: WPS Hide Login
Vulnerability: Hidden Login Page Location Disclosure
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Social Media Flying Icons | Floating Social Media Icon
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Email Before Download
Vulnerability: Admin+ SQL Injection
Patched Version: 6.8
Recommended Action: Update to version 6.8, or a newer patched version
Plugin: Check & Log Email – Easy Email Testing & Mail logging
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: GenerateBlocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
