Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: s2Framework
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: WP Smart Import : Import any XML File to WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: Subpages Extended
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Create Block Theme
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Simple Page Ordering
Vulnerability: Regular Expression Denial of Service
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version
Plugin: WP Total Hacks
Vulnerability: Authenticated (Subscriber+) Plugin Options Update to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Official Integration for Billingo
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Gallery Plugin for WordPress – Envira Photo Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.4.7
Recommended Action: Update to version 1.8.4.7, or a newer patched version
Plugin: Simple Page Ordering
Vulnerability: Regular Expression Denial of Service
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version
Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds
Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version
Plugin: Smart Slider 3
Vulnerability: PHP Object Injection
Patched Version: 3.5.1.11
Recommended Action: Update to version 3.5.1.11, or a newer patched version
Plugin: eCommerce Product Catalog Plugin for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.71
Recommended Action: Update to version 3.0.71, or a newer patched version
Plugin: Rock Convert
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version
Plugin: PublishPress Capabilities Pro
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version
Plugin: Ocean Extra
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: WP Word Count
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: Customizer Export/Import
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version
Plugin: eCommerce Product Catalog Plugin for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.70
Recommended Action: Update to version 3.0.70, or a newer patched version
Plugin: SeoSamba for WordPress Webmasters
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: Rock Convert
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version
Plugin: Log HTTP Requests
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: WP Contact Slider – Slide Out Contact Form for WordPress to display Contact Form 7, Gravity Forms, WP Forms, Ninja Forms, plain text/HTML & other shortcodes
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version
Plugin: Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: WP-Polls
Vulnerability: Race Condition
Patched Version: 2.77.0
Recommended Action: Update to version 2.77.0, or a newer patched version
Plugin: Post Slider
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image/Banner Widget
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Automatic User Roles Switcher
Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
