Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: SearchWP Premium
Vulnerability: Authenticated (Subscriber+) Nonce Leakage and Authorization Bypass
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version

Plugin: IP Blacklist Cloud
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPForms Pro
Vulnerability: CSV Injection
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
Vulnerability: Authenticated (Admin+) Arbitrary Options Update
Patched Version: 9.7.2
Recommended Action: Update to version 9.7.2, or a newer patched version

Plugin: 2kb Amazon Affiliates Store
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Phone Orders for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version

Plugin: IP Blacklist Cloud
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OAuth Client by DigitialPixies
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Insecure Direct Object Reference
Patched Version: 7.3.7
Recommended Action: Update to version 7.3.7, or a newer patched version

Plugin: Traffic Manager
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 7.3.11
Recommended Action: Update to version 7.3.11, or a newer patched version

Plugin: WIP Custom Login
Vulnerability: Missing Authorization
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Auto Upload Images
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version

Plugin: Webmaster Tools Verification
Vulnerability: Missing Authorization to Arbitrary Plugin Deactivation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Dynamic Pricing for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Advanced Order Export For WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Számlázz.hu integráció WooCommerce-hez
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.3.3
Recommended Action: Update to version 5.6.3.3, or a newer patched version

Plugin: Csomagpontok és Címkék WooCommerce-hez
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.0.3
Recommended Action: Update to version 1.9.0.3, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Missing Authorization
Patched Version: 7.3.11
Recommended Action: Update to version 7.3.11, or a newer patched version

Plugin: Auto Upload Images
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
Vulnerability: Server-Side Request Forgery
Patched Version: 1.9.10.69
Recommended Action: Update to version 1.9.10.69, or a newer patched version

Plugin: Related Posts for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Multiple Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version

Plugin: Simple Website Banner
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.0.0
Recommended Action: Update to version 1.8.0.0, or a newer patched version

Plugin: Simple SEO
Vulnerability: Cross-Site Request Forgery to Sitemap Deletion/Creation
Patched Version: 1.8.13
Recommended Action: Update to version 1.8.13, or a newer patched version

Plugin: LDD Directory Lite
Vulnerability: <= 3.5
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: Database for Contact Form 7, WPforms, Elementor forms
Vulnerability: CSV Injection
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 12.1.11
Recommended Action: Update to version 12.1.11, or a newer patched version

Plugin: Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.5.1
Recommended Action: Update to version 2.1.5.1, or a newer patched version

Plugin: WPQA – Builder forms Addon For WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: Super Testimonials
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: Mantenimiento web
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.14
Recommended Action: Update to version 0.14, or a newer patched version

Plugin: Simple SEO
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.13
Recommended Action: Update to version 1.8.13, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version

Plugin: OAuth Client by DigitialPixies
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Phone Orders for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Cross-Site Request Forgery
Patched Version: 7.3.11
Recommended Action: Update to version 7.3.11, or a newer patched version

Plugin: WP Page Builder
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Advanced Floating Content Lite
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Sensitive Information Disclosure
Patched Version: 7.3.11
Recommended Action: Update to version 7.3.11, or a newer patched version

Plugin: Traffic Manager
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.