Watch Out Wednesday – October 18, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: The Awesome Feed – Custom Feed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Testimonial Slider and Form

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Missing Authorization via admin notice dismissal
Patched Version: 1.12.7
Recommended Action: Update to version 1.12.7, or a newer patched version

Plugin: Thumbnail Slider With Lightbox

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Recip.ly Plugin

Vulnerability: Unauthenticated Arbitrary File Upload in uploadImage.php
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Ultimate Taxonomy Manager

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Who Hit The Page – Hit Counter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ashe Extra

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 1.2.92
Recommended Action: Update to version 1.2.92, or a newer patched version

Plugin: Post Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accessibility Suite by Ability, Inc

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.13
Recommended Action: Update to version 4.13, or a newer patched version

Plugin: Product Category Tree

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Ultimate Review

Vulnerability: Cross-Site Request Forgery via wur_settings_view
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Nexter Extension

Vulnerability: Authenticated (Editor+) Remote Code Execution via metabox
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: WP Open Street Map

Vulnerability: Cross-Site Request Forgery via wp_openstreetmaps
Patched Version: 1.30
Recommended Action: Update to version 1.30, or a newer patched version

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.4.2
Recommended Action: Update to version 3.0.4.2, or a newer patched version

Plugin: Get Custom Field Values

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin widget
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: Amministrazione Trasparente

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.0.5
Recommended Action: Update to version 8.0.5, or a newer patched version

Plugin: Eupago Gateway For Woocommerce

Vulnerability: Cross-Site Request Forgery via eupago_page_content
Patched Version: 3.1.10
Recommended Action: Update to version 3.1.10, or a newer patched version

Core: WordPress

Vulnerability: Not specified
Patched Version: 4.1.39
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.39, 4.2.36, 4.3.32, 4.4.31, 4.5.30, 4.6.27, 4.7.27, 4.8.23, 4.9.24, 5.0.20, 5.1.17, 5.2.19, 5.3.16, 5.4.14, 5.5.13, 5.6.12, 5.7.10, 5.8.8, 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2

Plugin: Userback

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file
Patched Version: 4.9.1
Recommended Action: Update to one of the following versions, or a newer patched version: 4.9.1, 4.9.3

Plugin: which template file

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.9.0
Recommended Action: Update to version 4.9.0, or a newer patched version

Plugin: History Log by click5

Vulnerability: Authenticated (Administrator+) Time-Based Blind SQL Injection
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version

Plugin: Theme Switcha – Easily Switch Themes for Development and Testing

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Responsive Pricing Table

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.1.8
Recommended Action: Update to version 5.1.8, or a newer patched version

Plugin: Constant Contact Forms by MailMunch

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Core: WordPress

Vulnerability: Not specified (affected version: 6.3.1)
Patched Version: 4.7.27
Recommended Action: Update to one of the following versions, or a newer patched version: 4.7.27, 4.8.23, 4.9.24, 5.0.20, 5.1.17, 5.2.19, 5.3.16, 5.4.14, 5.5.13, 5.6.12, 5.7.10, 5.8.8, 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Reflected Cross-Site Scripting via ‘event_id’
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: PDF Block

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lava Directory Manager

Vulnerability: Unauthenticated Stored Cross-Site Scripting via New Listing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Webmaster Tools

Vulnerability: Cross-Site Request Forgery via lionscripts_plg_f
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sort SearchResult By Title

Vulnerability: Cross-Site Request Forgery via settings_page
Patched Version: 11.0
Recommended Action: Update to version 11.0, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Authenticated (Administrator+) Directory Traversal to Arbitrary File Read
Patched Version: 5.6.24
Recommended Action: Update to version 5.6.24, or a newer patched version

Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management

Vulnerability: Cross-Site Request Forgery via Multiple AJAX Actions
Patched Version: 121
Recommended Action: Update to version 121, or a newer patched version

Plugin: Contact Form Builder, Contact Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add Shortcodes Actions And Filters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version

Plugin: AMP WP – Google AMP For WordPress

Vulnerability: Cross-Site Request Forgery via multiple settings pages
Patched Version: 1.5.16
Recommended Action: Update to version 1.5.16, or a newer patched version

Plugin: Minimum Purchase for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Captcha Bypass
Patched Version: 1.15.21
Recommended Action: Update to version 1.15.21, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Google Drive Client Secret Exposure
Patched Version: 0.9.92
Recommended Action: Update to version 0.9.92, or a newer patched version

Plugin: CPT Shortcode Generator

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smooth Scroll Links [SSL]

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Taxonomy Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comments – wpDiscuz

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version

Plugin: HTML5 Maps

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.1.5
Recommended Action: Update to version 1.7.1.5, or a newer patched version

Plugin: Super Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Simple Table Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Thumbnail Slider With Lightbox

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Image Title
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Libsyn Publisher Hub

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom post types, Custom Fields & more

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Unauthenticated SQL Injection via qc_wpbo_search_response
Patched Version: 4.9.1
Recommended Action: Update to version 4.9.1, or a newer patched version

Plugin: QR Twitter Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Not specified
Patched Version: 4.9.1
Recommended Action: Update to one of the following versions, or a newer patched version: 4.9.1, 4.9.3

Plugin: WP Lightbox 2

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 3.0.6.6
Recommended Action: Update to version 3.0.6.6, or a newer patched version

Plugin: WooCommerce Ninja Forms Product Add-ons

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: CPT Shortcode Generator

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Snap Pixel

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rocket Font

Vulnerability: Cross-Site Request Forgery via update_option_check_match_default
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ajax Archive Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Navigation Attributes
Patched Version: 5.9.8
Recommended Action: Update to one of the following versions, or a newer patched version: 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Category SEO Meta Tags

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Missing Authorization
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version

Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.5.4
Recommended Action: Update to version 6.5.4, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Comments on Protected Posts
Patched Version: 4.1.39
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.39, 4.2.36, 4.3.32, 4.4.31, 4.5.30, 4.6.27, 4.7.27, 4.8.23, 4.9.24, 5.0.20, 5.1.17, 5.2.19, 5.3.16, 5.4.14, 5.5.13, 5.6.12, 5.7.10, 5.8.8, 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2

Plugin: ApplyOnline – Application Form Builder and Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: Scroll post excerpt

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Widgets for Google Reviews

Vulnerability: Cross-Site Request Forgery to Plugin Settings Reset
Patched Version: 10.9.1
Recommended Action: Update to version 10.9.1, or a newer patched version

Plugin: Comments Ratings

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Hour Booking – WordPress Booking Plugin

Vulnerability: Missing Authorization to Double Booking
Patched Version: 1.4.24
Recommended Action: Update to version 1.4.24, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Cross-Site Request Forgery on AJAX actions
Patched Version: 4.9.1
Recommended Action: Update to one of the following versions, or a newer patched version: 4.9.1, 4.9.3

Plugin: Icons Font Loader – Load Various Web Fonts & Icons on WP

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: WC Serial Numbers – Ultimate License Manager for Selling, Licensing & Securely Delivering Digital Content with WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: WP Radio – Worldwide Online Radio Stations Directory for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Copy or Move Comments

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.7.2
Recommended Action: Update to version 1.0.7.2, or a newer patched version

Plugin: Libsyn Publisher Hub

Vulnerability: Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Peter’s Custom Anti-Spam

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Sendle Shipping Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.18
Recommended Action: Update to version 5.18, or a newer patched version

Plugin: WooCommerce Stripe Payment Gateway

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.6.1
Recommended Action: Update to version 7.6.1, or a newer patched version

Plugin: Nexter Extension

Vulnerability: Reflected Cross-Site Scripting via post and post_id
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Skype Legacy Buttons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SpiderVPlayer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DX Delete Attached Media

Vulnerability: Cross-Site Request Forgery via add_to_base
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Caret Country Access Limit

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Responsive Column Widgets

Vulnerability: Open Redirect via responsive_column_widgets_link
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: ApplyOnline – Application Form Builder and Manager

Vulnerability: Missing Authorization
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: Lazy Load for Videos

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.18.3
Recommended Action: Update to version 2.18.3, or a newer patched version

Plugin: WP Report Post

Vulnerability: Not specified
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Not specified (affected version: 6.3.1)
Patched Version: 5.6.12
Recommended Action: Update to one of the following versions, or a newer patched version: 5.6.12, 5.7.10, 5.8.8, 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2

Plugin: Maileon for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.16.1
Recommended Action: Update to version 2.16.1, or a newer patched version

Plugin: WDSocialWidgets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Newsletter & Bulk Email Sender – Email Newsletter Plugin for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Missing Authorization on AJAX actions
Patched Version: 4.9.1
Recommended Action: Update to one of the following versions, or a newer patched version: 4.9.1, 4.9.3

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version

Plugin: AGP Font Awesome Collection

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WebToffee WP Backup and Migration

Vulnerability: Missing Authorization to Settings and Schedule Modification
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Core: WordPress

Vulnerability: Not specified (affected version: 6.3.1)
Patched Version: 6.3.2
Recommended Action: Update to version 6.3.2, or a newer patched version

Plugin: Mediabay – Media Library Folders

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EG-Attachments

Vulnerability: Reflected Cross-Site Scripting via ‘paged’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stripe Payment forms for WordPress – WP Full Pay

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.0.6
Recommended Action: Update to version 7.0.6, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.6.34
Recommended Action: Update to version 3.6.34, or a newer patched version

Plugin: mpOperationLogs

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Denial of Service via Cache Poisoning
Patched Version: 4.7.27
Recommended Action: Update to one of the following versions, or a newer patched version: 4.7.27, 4.8.23, 4.9.24, 5.0.20, 5.1.17, 5.2.19, 5.3.16, 5.4.14, 5.5.13, 5.6.12, 5.7.10, 5.8.8, 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2

Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms

Vulnerability: Not specified (affected versions: Kali Forms <= 2.3.27)
Patched Version: 2.3.28
Recommended Action: Update to version 2.3.28, or a newer patched version

Plugin: Next Page

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Templately – Elementor & Gutenberg Template Library: 5000+ Free & Pro Ready Templates & Cloud!

Vulnerability: Improper Authorization to Arbitrary Post Deletion
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: Missing Authorization via Multiple AJAX Actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fast WP Speed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Remote Content Shortcode

Vulnerability: Authenticated (Contributor+) Local File Inclusion via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EMC – Easily Embed Calendly Scheduling Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: WP ULike – All-in-One Engagement Toolkit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.6.9
Recommended Action: Update to version 4.6.9, or a newer patched version

Plugin: PixFields

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.7.1
Recommended Action: Update to version 0.7.1, or a newer patched version

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version

Plugin: Video Playlist For YouTube

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Unauthenticated Sensitive Information Exposure via qcld_wb_chatbot_check_user
Patched Version: 4.9.1
Recommended Action: Update to version 4.9.1, or a newer patched version

Plugin: Responsive Tabs

Vulnerability: Authenticated (Contributor+) Content Injection
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version

Plugin: RumbleTalk Live Group Chat – HTML5

Vulnerability: Missing Authorization via handleRequest
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.0.14
Recommended Action: Update to version 1.7.0.14, or a newer patched version

Plugin: Simple Tweet

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Print, PDF, Email by PrintFriendly

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 5.5.2
Recommended Action: Update to version 5.5.2, or a newer patched version

Plugin: WP GoToWebinar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 14.46
Recommended Action: Update to version 14.46, or a newer patched version

Plugin: Broken Link Checker | Finder

Vulnerability: Missing Authorization via moblc_auth_save_settings
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Etsy Shop

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: User Private Files – File Upload & Download Manager with Secure File Sharing

Vulnerability: Insecure Direct Object Reference
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Simple File List

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 6.1.10
Recommended Action: Update to version 6.1.10, or a newer patched version

Plugin: Proofreading

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Webmaster Tools

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FreshMail For WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Information Exposure
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version

Plugin: E2Pdf – Export Pdf Tool for WordPress

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 1.20.19
Recommended Action: Update to version 1.20.19, or a newer patched version

Plugin: Protección de Datos RGPD

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: LeadSquared Suite

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Attachments

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0.12
Recommended Action: Update to version 5.0.12, or a newer patched version

Plugin: Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages

Vulnerability: Cross-Site Request Forgery via eos_dp_pro_delete_transient
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Authenticated (Submitter+) Arbitrary File Deletion
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: IMPress Listings

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MailChimp Forms by MailMunch

Vulnerability: Cross-Site Request Forgery via Multiple AJAX actions
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Plugin: Feed Statistics

Vulnerability: Cross-Site Request Forgery via init
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form With Captcha

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Envo Extra

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: BuddyPress Global Search

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tweeple

Vulnerability: Reflected Cross-Site Scripting via id
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 404 Solution

Vulnerability: Sensitive Information Exposure
Patched Version: 2.33.1
Recommended Action: Update to version 2.33.1, or a newer patched version

Plugin: PDF Builder for WooCommerce. Create invoices,packing slips and more

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.104
Recommended Action: Update to version 1.2.104, or a newer patched version

Plugin: WP Discord Invite

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.