Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities promptly, you help protect the safety and integrity of your WordPress site and its data.
Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.95
Recommended Action: Update to version 3.6.95, or a newer patched version
Plugin: Helpful
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.4.59
Recommended Action: Update to version 4.4.59, or a newer patched version
Plugin: Accept Donations with PayPal & Stripe
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Insert Pages
Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version
Plugin: SEO Redirection Plugin – 301 Redirect Manager
Vulnerability: Subscriber+ SQL Injection
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version
Plugin: Stream
Vulnerability: Admin+ SQL Injection
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version
Plugin: Leaky Paywall
Vulnerability: No subtitle
Patched Version: 4.16.6
Recommended Action: Update to version 4.16.6, or a newer patched version
Plugin: YOP Poll
Vulnerability: Author+ Stored Cross-Site Scripting via Preview Module
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version
Plugin: Author Bio Box
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version
Plugin: Speed Booster Pack ⚡ PageSpeed Optimization Suite
Vulnerability: Admin+ SQL Injection
Patched Version: 4.3.3.1
Recommended Action: Update to version 4.3.3.1, or a newer patched version
Plugin: Frontend Post WordPress Plugin – AccessPress Anonymous Post
Vulnerability: Backdoored
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version
Plugin: MouseWheel Smooth Scroll
Vulnerability: Plugin Settings Update via Cross-Site Request Forgery
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version
Plugin: Email Log
Vulnerability: Admin+ SQL Injection
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: Insert Pages
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version
Plugin: Download Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 19.9.7
Recommended Action: Update to version 19.9.7, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Stored Cross-Site Scripting via $custom_profile
Patched Version: 4.1.3.2
Recommended Action: Update to version 4.1.3.2, or a newer patched version
Plugin: Colorful Categories
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.15
Recommended Action: Update to version 2.0.15, or a newer patched version
Plugin: Images to WebP
Vulnerability: Local File Inclusion
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.11.2.1
Recommended Action: Update to version 2.11.2.1, or a newer patched version
Plugin: JobBoardWP – Job Board Listings and Submissions
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Slider Factory – Responsive Photo Slider, Image Slider, Video Slider, Carousel Slideshow
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 6.8.0
Recommended Action: Update to version 6.8.0, or a newer patched version
Plugin: Indeed Job Importer
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.11
Recommended Action: Update to version 1.9.11, or a newer patched version
Plugin: YOP Poll
Vulnerability: Author+ Stored Cross-Site Scripting via Options Module
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version
Plugin: WpGenius Job Listing
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: QR Redirector
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Page Builder <= 2.3.11
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version
Plugin: Relevanssi – A Better Search (Pro)
Vulnerability: A Better Search Free & Premium <= 2.16.3 & 4.14.3
Patched Version: 2.16.4
Recommended Action: Update to version 2.16.4, or a newer patched version
Plugin: IMPress for IDX Broker
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version
Plugin: WordPress ERP, HR, CRM, and Project Management Plugin – Business Manager
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: Shared Files – Frontend File Upload Form & Secure File Sharing
Vulnerability: Cross-Site Scripting
Patched Version: 1.6.61
Recommended Action: Update to version 1.6.61, or a newer patched version
Plugin: Testimonial – WordPress Testimonial Showcase Plugin Grid Plus Testimonial Slider
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: My Tickets – Accessible Event Ticketing
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.8.31
Recommended Action: Update to version 1.8.31, or a newer patched version
Plugin: Images to WebP
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: Logo Showcase – Responsive Logo Carousel, Logo Slider & Logo Grid
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: QR Redirector
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: job-portal
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MyBB Cross-Poster
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress + Microsoft Office 365 / Azure AD | LOGIN
Vulnerability: Stored Cross-Site Scripting
Patched Version: 15.4
Recommended Action: Update to version 15.4, or a newer patched version
Plugin: TableOn – WordPress Posts Table Filterable
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: WP Cloudy, weather plugin
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Performance Score Booster – Optimize Speed, Enable Cache & Page Preload
Vulnerability: Settings Change via Cross-Site Request Forgery
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Microsoft Clarity
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.4
Recommended Action: Update to version 0.4, or a newer patched version
Plugin: Simple JWT Login – Allows you to use JWT on REST endpoints.
Vulnerability: Insecure Password Creation
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: HAL
Vulnerability: No subtitle
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Duplicate Post
Vulnerability: SQL Injection
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Content Staging
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Job Board Vanila Plugin
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Support Board
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.6
Recommended Action: Update to version 3.3.6, or a newer patched version
Plugin: Mang Board WP
Vulnerability: SQL Injection
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Job Manager
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple JWT Login – Allows you to use JWT on REST endpoints.
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: MPL-Publisher — Ebook & Audiobook Creator
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.30.3
Recommended Action: Update to version 1.30.3, or a newer patched version
Plugin: KJM Admin Notices
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Brizy – Page Builder
Vulnerability: Authenticated File Upload and Path Traversal
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.