Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: WP Admin UI Customize
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 1.5.13
Recommended Action: Update to version 1.5.13, or a newer patched version
Plugin: Form Vibes – Database Manager for Forms
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: a3 Portfolio
Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: Image Hover Effects Css3
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Donations via PayPal
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version
Plugin: Find and Replace All
Vulnerability: Cross-Site Request Forgery to Arbitrary Content Replacement
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Font Awesome 4 Menus
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AgentEasy Properties
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Administrator Z
Vulnerability: Unauthorized File Upload via ACF
Patched Version: 2022.9.29
Recommended Action: Update to version 2022.9.29, or a newer patched version
Plugin: 001 Prime Strategy Translate Accelerator
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Accessibility
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: Find and Replace All
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: Salat Times
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: Seed Social
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: WPSmartContracts
Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 1.3.12
Recommended Action: Update to version 1.3.12, or a newer patched version
Plugin: 4ECPS Web Forms
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.2.18
Recommended Action: Update to version 0.2.18, or a newer patched version
Plugin: WP User Merger
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: reCAPTCHA
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Awesome Support – WordPress HelpDesk & Support Plugin
Vulnerability: Insecure Direct Object Reference to (Subscriber+) Ticket Export
Patched Version: 6.1.2
Recommended Action: Update to version 6.1.2, or a newer patched version
Plugin: WP Affiliate Platform
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version
Plugin: Download Plugin
Vulnerability: Missing Authorization and Sensitive Information Exposure
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Cyklodev WP Notify
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Affiliate Platform
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version
Plugin: Showing URL in QR Code
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Find and Replace All
Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Google Forms
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Jeg Elementor Kit
Vulnerability: Authorization Bypass
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version
Plugin: Jeeng Push Notifications
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Jeeng Push Notifications
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Salon Booking System
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.9.4
Recommended Action: Update to version 7.9.4, or a newer patched version
Plugin: Fancier Author Box by ThematoSoup
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HTML Forms – Simple WordPress Forms Plugin
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.3.25
Recommended Action: Update to version 1.3.25, or a newer patched version
Plugin: WP OAuth Server (OAuth Authentication)
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version
Plugin: Checkout Field Editor (Checkout Manager) for WooCommerce
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: WP Affiliate Platform
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version
Plugin: VR Calendar
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: Theme Demo Import
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP User Merger
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Jeg Elementor Kit
Vulnerability: Unauthenticated Authorization Bypass
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version
Plugin: Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list
Vulnerability: CSV Injection
Patched Version: 2.0.69
Recommended Action: Update to version 2.0.69, or a newer patched version
Plugin: AM-HiLi
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LoginPress | wp-login Custom Login Page Customizer
Vulnerability: Missing Authorization to Settings Changes
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Testimonial Slider
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Responsive Lightbox & Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: Analytics for WP
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Beautiful Cookie Consent Banner
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version
Plugin: OWM Weather
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 5.6.9
Recommended Action: Update to version 5.6.9, or a newer patched version
Plugin: WP User Merger
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: 3DPrint
Vulnerability: Cross-Site Request Forgery to Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Video Thumbnails
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.