Watch Out Wednesday – September 1, 2021

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: User Activity Log

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: underConstruction

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.19
Recommended Action: Update to version 1.19, or a newer patched version

Plugin: Countdown Block

Vulnerability: Missing Authorization
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Translate Multilingual sites – TranslatePress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: MX Time Zone Clocks

Vulnerability: Contributor+ Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: MPL-Publisher — Ebook & Audiobook Creator

Vulnerability: Various Plugins (Various Versions)
Patched Version: 1.29.2
Recommended Action: Update to version 1.29.2, or a newer patched version

Plugin: Geo Controller

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.13.12
Recommended Action: Update to version 7.13.12, or a newer patched version

Plugin: Nested Pages

Vulnerability: Open Redirect
Patched Version: 3.1.16
Recommended Action: Update to version 3.1.16, or a newer patched version

Plugin: Duplicate Page

Vulnerability: No subtitle
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version

Plugin: OAuth Single Sign On – SSO (OAuth Client)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.20.3
Recommended Action: Update to version 6.20.3, or a newer patched version

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.67
Recommended Action: Update to version 6.67, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Gutenberg Blocks for Post Grid <= 2.4.9
Patched Version: 2.4.10
Recommended Action: Update to version 2.4.10, or a newer patched version

Plugin: CoolClock – a Javascript Analog Clock

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.3.5
Recommended Action: Update to version 4.3.5, or a newer patched version

Plugin: WooCommerce Dynamic Pricing and Discounts

Vulnerability: Unauthenticated Settings Import/Export
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.62
Recommended Action: Update to version 6.62, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Private Content Disclosure
Patched Version: 2.4.10
Recommended Action: Update to version 2.4.10, or a newer patched version

Plugin: Docket Cache – Object Cache Accelerator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 21.08.02
Recommended Action: Update to version 21.08.02, or a newer patched version

Plugin: Software License Manager

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.5.0
Recommended Action: Update to version 4.5.0, or a newer patched version

Plugin: WP Map Block – Gutenberg Map Block for Google Map and OpenStreet Map by aBlocks

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: qTranslate X

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 13.1
Recommended Action: Update to version 13.1, or a newer patched version

Plugin: WooCommerce Dynamic Pricing and Discounts

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: WP Gravity Forms HubSpot

Vulnerability: Various Plugins (Various Versions)
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Real Media Library: Media Library Folder & File Manager

Vulnerability: Authenticated (Author) Stored Cross-Site Scripting
Patched Version: 4.14.2
Recommended Action: Update to version 4.14.2, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Subscriber+) Limited Arbitrary Option Update
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: ZoomSounds – WordPress Wave Audio Player with Playlist

Vulnerability: WordPress Wave Audio Player with Playlist <= 6.45
Patched Version: 6.50
Recommended Action: Update to version 6.50, or a newer patched version

Plugin: TS Poll – Survey, Versus Poll, Image Poll, Video Poll

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Nested Pages

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion and Modification
Patched Version: 3.1.16
Recommended Action: Update to version 3.1.16, or a newer patched version

Plugin: Cookie Notice & Compliance for GDPR / CCPA

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.