Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities promptly, you help preserve the safety and integrity of your WordPress site and its data.
Plugin: MemberPress Downloads
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 6.5.8
Recommended Action: Update to version 6.5.8, or a newer patched version

Plugin: Taskbuilder – WordPress Project & Task Management plugin
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: WP 2FA – Two-factor authentication for WordPress
Vulnerability: Time-Based TOTP attack to Sensitive Information Exposure
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: NOTICE BOARD
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SearchWP Live Ajax Search
Vulnerability: Directory Traversal and Local File Inclusion
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: We’re Open!
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.42
Recommended Action: Update to version 1.42, or a newer patched version

Plugin: Booster Plus for WooCommerce
Vulnerability: Authenticated (Subscriber+) Order Modification
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version

Plugin: Social Rocket – Social Sharing Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Google Authenticator – WordPress 2FA, OTP SMS and Email
Vulnerability: Missing Authorization
Patched Version: 5.6.0
Recommended Action: Update to version 5.6.0, or a newer patched version

Plugin: Image Zoom
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: A WordPress Testimonial Plugin to Showcase Testimonial Slider, Testimonial Grid and More: Solid Testimonials
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Database Browser
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Countdown Widget
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.9.3
Recommended Action: Update to version 3.1.9.3, or a newer patched version

Plugin: Download Monitor
Vulnerability: Authenticated (Administrator+) Arbitrary File Download
Patched Version: 4.5.98
Recommended Action: Update to version 4.5.98, or a newer patched version

Plugin: Cryptocurrency Pricing list and Ticker
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Awesome Filterable Portfolio
Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Breeze – WordPress Cache Plugin
Vulnerability: Cross-Site Request Forgery via import_json_settings
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 6.0.8
Recommended Action: Update to version 6.0.8, or a newer patched version

Plugin: CPO Shortcodes
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.27.9
Recommended Action: Update to version 3.27.9, or a newer patched version

Plugin: reSmush.it : The original free image compressor and optimizer plugin
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 0.4.6
Recommended Action: Update to version 0.4.6, or a newer patched version

Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
Vulnerability: Authenticated (Administrator+) Arbitrary File Access via Path Traversal
Patched Version: 1.7.5.5
Recommended Action: Update to version 1.7.5.5, or a newer patched version

Plugin: Sucuri Security – Auditing, Malware Scanner and Security Hardening
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.34
Recommended Action: Update to version 1.8.34, or a newer patched version

Plugin: GetYourGuide Ticketing
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Search Logger – Know What Your Visitors Search
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Awesome Filterable Portfolio
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rate My Post – Star Rating Plugin by FeedbackWP
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: Simple File List
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.12
Recommended Action: Update to version 4.4.12, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed
Vulnerability: Missing Authorization
Patched Version: 6.5.8
Recommended Action: Update to version 6.5.8, or a newer patched version

Plugin: Disable User Login
Vulnerability: Missing Authorization to Unauthenticated Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tidio – Live Chat & AI Chatbots
Vulnerability: Sensitive Information Disclosure
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: Advanced Comment Form
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: No Page Comment
Vulnerability: Cross-Site Request Forgery to Settings Change
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Simple File List
Vulnerability: Cross-Site Request Forgery to Page Creation
Patched Version: 4.4.13
Recommended Action: Update to version 4.4.13, or a newer patched version

Plugin: Enable Media Replace
Vulnerability: Authenticated (Administrator+) Path Traversal
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Integration for Billingo & Gravity Forms
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.