Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: SlimStat Analytics
Vulnerability: Authenticated (Contributor+) Blind SQL Injection via Shortcode
Patched Version: 5.0.10
Recommended Action: Update to version 5.0.10, or a newer patched version
Plugin: WooCommerce Subscription
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.6.0
Recommended Action: Update to version 4.6.0, or a newer patched version
Plugin: Defender Security – Malware Scanner, Login Security & Firewall
Vulnerability: Hide Login Page Feature Protection Bypass
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version
Plugin: rtMedia for WordPress, BuddyPress and bbPress
Vulnerability: Missing Authorization via export_settings
Patched Version: 4.6.15
Recommended Action: Update to version 4.6.15, or a newer patched version
Plugin: WordPress File Upload
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.23.3
Recommended Action: Update to version 4.23.3, or a newer patched version
Plugin: Zotpress
Vulnerability: Reflected Cross-Site Scripting via ‘PHP_SELF’
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: Insecure Direct Object Reference
Patched Version: 5.0.9
Recommended Action: Update to version 5.0.9, or a newer patched version
Plugin: Socialdriver
Vulnerability: Prototype Pollution
Patched Version: 2024
Recommended Action: Update to version 2024, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Missing Authorization via ‘start_staging’ and ‘get_staging_progress’
Patched Version: 0.9.91
Recommended Action: Update to version 0.9.91, or a newer patched version
Plugin: Testimonial Slider Shortcode
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting Vulnerability via Shortcode
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Cross-Site Request Forgery via ‘display_results’
Patched Version: 8.1.16
Recommended Action: Update to version 8.1.16, or a newer patched version
Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.5.1
Recommended Action: Update to version 5.5.1, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version
Plugin: Photospace Responsive Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Educare – Students & Result Management System
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: Crayon Syntax Highlighter
Vulnerability: Authenticated (Contributor+) Server Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Limited Privilege Escalation via ‘acceptable_defined_roles’
Patched Version: 4.13.2
Recommended Action: Update to version 4.13.2, or a newer patched version
Plugin: Dropbox Folder Share
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simplr Registration Form Plus+
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Login with phone number
Vulnerability: Cross-Site Request Forgery to User Password Change
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: Read More & Accordion
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version
Plugin: WooCommerce
Vulnerability: Sensitive Information Exposure
Patched Version: 7.9.0
Recommended Action: Update to version 7.9.0, or a newer patched version
Plugin: Comments – wpDiscuz
Vulnerability: Insecure Direct Object Reference to Post Rating Increase/Decrease
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version
Plugin: Booking calendar, Appointment Booking System
Vulnerability: Multiple Authenticated (Editor+) SQL Injection
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version
Plugin: woocommerce-checkout-field-editor
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: Simple Download Counter
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Checkout Field Editor
Vulnerability: Cross-Site Request Forgery to Checkout Fields Update
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: BAN Users
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update & Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Improper Authorization on REST Routes via ‘save_settings_permission’
Patched Version: 4.0.26
Recommended Action: Update to version 4.0.26, or a newer patched version
Plugin: JQuery Accordion Menu Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Staff / Employee Business Directory for Active Directory
Vulnerability: Insufficient Escaping of Stored LDAP Values
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Comments – wpDiscuz
Vulnerability: Insecure Direct Object Reference to Comment Rating Increase/Decrease
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version
Plugin: WP Sessions Time Monitoring Full Automatic
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: User Submitted Posts – Enable Users to Submit Posts from the Front End
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 20230902
Recommended Action: Update to version 20230902, or a newer patched version
Plugin: MapPress Maps for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.88.5
Recommended Action: Update to version 2.88.5, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.15.20
Recommended Action: Update to version 1.15.20, or a newer patched version
Plugin: Google Maps Plugin by Intergeo
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: File Manager Pro – Filester
Vulnerability: <= 1.7.6
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: Duplicate Post Page Menu & Custom Post Type
Vulnerability: Missing Authorization to Post Duplication
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: WooCommerce Beta Tester
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: EWWW Image Optimizer
Vulnerability: Sensitive Information Exposure
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version
Plugin: Leyka
Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 3.30.7.1
Recommended Action: Update to version 3.30.7.1, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: No subtitle
Patched Version: 4.13.2
Recommended Action: Update to version 4.13.2, or a newer patched version
Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
Vulnerability: Authenticated (Client+) Stored Cross-Site Scripting
Patched Version: 5.5.1
Recommended Action: Update to version 5.5.1, or a newer patched version
Plugin: WP Crowdfunding
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: Easy Form by AYS – Form Builder Plugin for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: Modula Image Gallery
Vulnerability: Incomplete Authorization via ‘save_image’ and ‘save_images’
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version
Plugin: WooCommerce
Vulnerability: Authenticated (Shop Manager+) Sensitive Information Exposure
Patched Version: 7.0.1
Recommended Action: Update to version 7.0.1, or a newer patched version
Plugin: WP User Control
Vulnerability: Insecure Password Reset Mechanism
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: My Account Page Editor
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: WP Booking Calendar
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 9.7.3.1
Recommended Action: Update to version 9.7.3.1, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.