Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. Applying the patched version (or removing a plugin that has none) promptly reduces the risk to your WordPress site and its data.
Plugin: demon image annotation
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version
Plugin: Image Zoom
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Custom Cursors | WordPress Cursor Plugin
Vulnerability: Cross-Site Request Forgery to Cursor Manipulation
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: miniOrange Discord Integration
Vulnerability: Missing Authorization to Plugin Options Update
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin
Vulnerability: Missing Authorization to Cache Deletion
Patched Version: 1.2.50.0
Recommended Action: Update to version 1.2.50.0, or a newer patched version
Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)
Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 7.5.13
Recommended Action: Update to version 7.5.13, or a newer patched version
Plugin: Forym
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Custom Cursors | WordPress Cursor Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: Comment Guestbook
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kraken.io Image Optimizer
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version
Plugin: Customer Reviews for WooCommerce
Vulnerability: Sensitive Data Exposure
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version
Plugin: Frontend File Manager Plugin
Vulnerability: Cross-Site Request Forgery to File Upload
Patched Version: 21.3
Recommended Action: Update to version 21.3, or a newer patched version
Plugin: FavIcon Switcher
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Customer Reviews for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version
Plugin: Oceanwp sticky header
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Page Widget
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: Activity Log – Monitor & Record User Changes
Vulnerability: CSV Injection
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version
Plugin: Pop-Up Chop Chop
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Helpful
Vulnerability: Sensitive Information Disclosure
Patched Version: 4.5.26
Recommended Action: Update to version 4.5.26, or a newer patched version
Plugin: Manage Notification E-mails
Vulnerability: Cross-Site Request Forgery to Plugin Options Update
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version
Plugin: No Page Comment
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.16.9
Recommended Action: Update to version 1.16.9, or a newer patched version
Plugin: Drag and Drop Multiple File Upload – Contact Form 7
Vulnerability: File Upload Size Limit Bypass
Patched Version: 1.3.6.5
Recommended Action: Update to version 1.3.6.5, or a newer patched version
Plugin: Social Media Follow Buttons Bar
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version
Plugin: Backup Scheduler
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Customer Reviews for WooCommerce
Vulnerability: Multiple Unprotected AJAX Actions
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version
Plugin: Make Connector
Vulnerability: Authenticated (Subscriber+) Information Disclosure
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Passster – Password Protect Pages and Content
Vulnerability: Insecure Password Storage to Sensitive Data Exposure
Patched Version: 3.5.5.5.2
Recommended Action: Update to version 3.5.5.5.2, or a newer patched version
Plugin: Meks Easy Social Share
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: 3D Tag Cloud
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version
Plugin: iQ Block Country
Vulnerability: Country Blocking Bypass
Patched Version: 1.2.19
Recommended Action: Update to version 1.2.19, or a newer patched version
Plugin: Tabs – Responsive Tabs with WooCommerce Product Tab Extension
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version
Plugin: Advance WordPress Search Plugin
Vulnerability: Missing Authorization to Plugin Settings Reset
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: WP Custom Cursors | WordPress Cursor Plugin
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: Backup Scheduler
Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Export Post Info
Vulnerability: Authenticated (Author+) CSV Injection
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: WPML
Vulnerability: Unprotected AJAX Actions
Patched Version: 4.5.11
Recommended Action: Update to version 4.5.11, or a newer patched version
Plugin: wpForo Forum
Vulnerability: Insecure Direct Object Reference to Forum Status Change
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: Seriously Simple Podcasting
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.16.1
Recommended Action: Update to version 2.16.1, or a newer patched version
Plugin: Sabai Discuss
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.14
Recommended Action: Update to version 1.4.14, or a newer patched version
Plugin: Blog2Social: Social Media Auto Post & Scheduler
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 6.9.12
Recommended Action: Update to version 6.9.12, or a newer patched version
Plugin: Advance WordPress Search Plugin
Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 1.16.9
Recommended Action: Update to version 1.16.9, or a newer patched version
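As an added example (not code from the original post or from any of the plugins listed), the script below checks an installed-plugin inventory against the patched versions in this roundup and reports which plugins still need updating or have no fix. It assumes the inventory is the JSON produced by WP-CLI's `wp plugin list --format=json --fields=title,version`, that each plugin's title matches the name used above after whitespace and case normalisation, and that the PATCHED table (a subset of this week's entries, extend it as needed) is the source of truth; the sample inventory embedded at the bottom is constructed so the script runs offline.

```python
"""Compare an installed WordPress plugin inventory against this week's
patched versions.

Added example, not part of the original roundup. Assumes the inventory
is the JSON emitted by WP-CLI (`wp plugin list --format=json
--fields=title,version`) and that plugin titles match the roundup's
plugin names after whitespace/case normalisation.
"""
import json
import re
import sys

# Subset of this week's entries: plugin name -> patched version.
# None means the roundup lists no patched version. Where a plugin has
# more than one entry (WP Custom Cursors: 3.0.1 and 3.0.3), the highest
# patched version is the one to update to.
PATCHED = {
    "demon image annotation": "4.8",
    "Image Zoom": None,
    "WP Custom Cursors | WordPress Cursor Plugin": "3.0.3",
    "miniOrange Discord Integration": "2.1.6",
    "Forym": None,
    "Kraken.io Image Optimizer": "2.6.6",
    "Customer Reviews for WooCommerce": "5.3.6",
    "Frontend File Manager Plugin": "21.3",
    "Backup Scheduler": None,
    "Passster – Password Protect Pages and Content": "3.5.5.5.2",
    "WPML": "4.5.11",
    "wpForo Forum": "2.0.6",
}


def parse_version(version):
    """Turn '3.5.5.5.2' into (3, 5, 5, 5, 2). A non-numeric component
    (e.g. '1-beta' in '3.0.1-beta') contributes its leading digits, or 0 if none."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_lt(installed, patched):
    """True if `installed` is strictly older than `patched`. Compares
    numerically so that 4.8 < 4.10 (plain string comparison gets this
    wrong) and pads shorter versions with zeros so 3.0 == 3.0.0."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def normalize(name):
    """Collapse whitespace and case so titles match the roundup's names."""
    return re.sub(r"\s+", " ", name).strip().casefold()


def audit(installed, patched=PATCHED):
    """Return one finding per installed plugin that appears in `patched`.
    status is 'vulnerable' (below the patched version), 'no_patch'
    (no fixed release listed) or 'ok'."""
    index = {normalize(name): (name, fixed) for name, fixed in patched.items()}
    findings = []
    for plugin in installed:
        hit = index.get(normalize(plugin["title"]))
        if hit is None:
            continue  # not in this week's roundup
        name, fixed = hit
        if fixed is None:
            status = "no_patch"
        elif version_lt(plugin["version"], fixed):
            status = "vulnerable"
        else:
            status = "ok"
        findings.append({"plugin": name, "installed": plugin["version"],
                         "patched": fixed, "status": status})
    return findings


# Constructed sample inventory (not real site data) in the shape WP-CLI emits.
SAMPLE_INVENTORY = [
    {"title": "Kraken.io Image Optimizer", "version": "2.6.5"},
    {"title": "demon image annotation", "version": "4.10"},
    {"title": "WP Custom Cursors | WordPress Cursor Plugin", "version": "3.0.1"},
    {"title": "Passster – Password Protect Pages and Content", "version": "3.5.5.5.10"},
    {"title": "Image Zoom", "version": "1.5"},
    {"title": "Some Unrelated Plugin", "version": "9.9"},
]


if __name__ == "__main__":
    # Real use: wp plugin list --format=json --fields=title,version | python3 audit.py
    inventory = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_INVENTORY
    for f in audit(inventory):
        print(f"{f['status']:<10} {f['plugin']} (installed {f['installed']}, patched {f['patched']})")
```

Run it against the sample and Kraken.io Image Optimizer (2.6.5) and WP Custom Cursors (3.0.1) come back as vulnerable, Image Zoom as no_patch, and demon image annotation 4.10 as ok, which a naive string comparison against "4.8" would have flagged. Titles that differ from the roundup's wording (a renamed plugin, a localized title) will be silently skipped, so treat a clean run as a starting point rather than proof of coverage.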
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.