Watch Out Wednesday – October 25, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: WP Hotel Booking

Vulnerability: Missing Authorization to (Subscriber+) Arbitrary Post Deletion
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: VK Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block
Patched Version: 1.64.0.0
Recommended Action: Update to version 1.64.0.0, or a newer patched version

Plugin: Appointment Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tab Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: TK Google Fonts GDPR Compliant

Vulnerability: Missing Authorization to Font Deletion
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version

Plugin: Smart App Banner

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Reusable Text Blocks

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ICS Calendar

Vulnerability: Authenticated (Contributor+) Directory Traversal via _url_get_contents
Patched Version: 10.12.0.2
Recommended Action: Update to version 10.12.0.2, or a newer patched version

Plugin: KD Coming Soon

Vulnerability: Unauthenticated PHP Object Injection via cetitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Login New User After Registration

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via alnuar_auto_login_new_user_after_registration_redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EventON

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Simple Calendar – Google Calendar Plugin

Vulnerability: Cross-Site Request Forgery via bulk_actions
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: Advanced Local Pickup for WooCommerce

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: 404 Solution

Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 2.34.0
Recommended Action: Update to version 2.34.0, or a newer patched version

Plugin: Post Meta Data Manager

Vulnerability: Missing Authorization to Post, Term, and User Meta Deletion
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Motors – Car Dealer, Classifieds & Listing

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Group Chat & Video Chat by AtomChat

Vulnerability: Missing Authorization via credits REST API Endpoint
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Delete Usermetas

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version

Plugin: Eonet Manual User Approve

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YOP Poll

Vulnerability: Reusable Captcha via validateImage
Patched Version: 6.5.29
Recommended Action: Update to version 6.5.29, or a newer patched version

Plugin: iPanorama 360 – Advanced Virtual Tour Builder

Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Authenticated (Author+) Insecure Direct Object Reference
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version

Plugin: CallRail Phone Call Tracking

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.5.3
Recommended Action: Update to version 0.5.3, or a newer patched version

Plugin: Simple Calendar – Google Calendar Plugin

Vulnerability: Cross-Site Request Forgery via duplicate_feed
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: Mediabay – Media Library Folders

Vulnerability: Missing Authorization via AJAX actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 2.3.29
Recommended Action: Update to version 2.3.29, or a newer patched version

Plugin: WC Captcha

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Motors – Car Dealer, Classifieds & Listing

Vulnerability: Server Side Request Forgery
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: FeedFocal

Vulnerability: Missing Authorization via feedfocal_api_setup REST function
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Insufficient Authorization to Comment Submission on Deleted Posts
Patched Version: 7.6.11
Recommended Action: Update to version 7.6.11, or a newer patched version

Plugin: Convertful – Your Ultimate On-Site Conversion Tool

Vulnerability: Missing Authorization via add_woo_coupon
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: TCD Google Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Addons for WPBakery

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.19.15
Recommended Action: Update to version 3.19.15, or a newer patched version

Plugin: WP Font Awesome

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Open Graph Metabox

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Interactive Image Map Plugin – Draw Attention

Vulnerability: Improper Access Control via register_cpt
Patched Version: 2.0.16
Recommended Action: Update to version 2.0.16, or a newer patched version

Plugin: Advanced Menu Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Triberr

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: Smart Online Order for Clover

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: BSK PDF Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: MW WP Form

Vulnerability: Missing Authorization
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: Grid Plus – Unlimited grid layout

Vulnerability: Reflected Cross-Site Scripting via grid_id
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Unauthenticated Content Injection
Patched Version: 7.6.11
Recommended Action: Update to version 7.6.11, or a newer patched version

Plugin: WDContactFormBuilder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Dashboard: WordPress Management without the SaaS

Vulnerability: Authenticated (Administrator+) CSS Injection
Patched Version: 4.5.1.3
Recommended Action: Update to version 4.5.1.3, or a newer patched version

Plugin: WP Helper Premium

Vulnerability: Cross-Site Request Forgery via whp_fields
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: TK Google Fonts GDPR Compliant

Vulnerability: Missing Authorization to Font Addition
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version

Plugin: WhatsApp Share Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Internal Link Building

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Just Custom Fields

Vulnerability: Cross-Site Request Forgery on AJAX Actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Delete Me

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Cookie Bar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: WP EXtra

Vulnerability: Missing Authorization to .htaccess File Modification
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version

Plugin: Theme Blvd Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: Ultimate Addons for WPBakery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.19.15
Recommended Action: Update to version 3.19.15, or a newer patched version

Plugin: BetterLinks – An Advanced Solution for Affiliate Link Management, Link Shortening, Link Tracking, Link Branding & Marketing

Vulnerability: Improper Authorization to Data Import and Export
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Auto Login New User After Registration

Vulnerability: Cross-Site Request Forgery to Settings Modification
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add Custom Body Class

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Headline Analyzer

Vulnerability: Missing Authorization via REST APIs
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Live Chat with Facebook Messenger

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DoLogin Security

Vulnerability: Missing Authorization via REST Endpoints
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress

Vulnerability: Missing Authorization
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: Carousel, Recent Post Slider and Banner Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Modern Footnotes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.17
Recommended Action: Update to version 1.4.17, or a newer patched version

Plugin: WP iCal Availability

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Team Showcase

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Soisy Pagamento Rateale

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 6.0.2
Recommended Action: Update to version 6.0.2, or a newer patched version

Plugin: Duplicate Theme

Vulnerability: Cross-Site Request Forgery via themeDuplicationAction
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Post Columns

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Internal Link Building

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SALESmanago

Vulnerability: Log Injection via Weak Authentication Token
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: MomentoPress for Momento360

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Web Push Notifications – Webpushr

Vulnerability: Cross-Site Request Forgery to Local File Inclusion via menu
Patched Version: 4.35.0
Recommended Action: Update to version 4.35.0, or a newer patched version

Plugin: Archivist – Custom Archive Templates

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social proof testimonials and reviews by Repuso

Vulnerability: Missing Authorization
Patched Version: 5.00
Recommended Action: Update to version 5.00, or a newer patched version

Plugin: WP EXtra

Vulnerability: Missing Authorization to Export Settings
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version

Plugin: Popup by Supsystic

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.10.20
Recommended Action: Update to version 1.10.20, or a newer patched version

Plugin: Just Custom Fields

Vulnerability: Missing Authorization on AJAX Actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Novo-Map : your WP posts on custom google maps

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CPO Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Very Simple Google Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version
