Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: WordPress Contact Forms by Cimatti
Vulnerability: Cross-Site Scripting
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version
Plugin: Contact Forms – Drag & Drop Contact Form Builder
Vulnerability: Drag & Drop Contact Form Builder <= 1.0.5
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Video Player for YouTube
Vulnerability: Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Cookie Bar
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version
Plugin: AGCA – Custom Dashboard & Login Page
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 6.9
Recommended Action: Update to version 6.9, or a newer patched version
Plugin: Flat Preloader
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: Admin+ SQL Injection
Patched Version: 2.2.13.1
Recommended Action: Update to version 2.2.13.1, or a newer patched version
Plugin: YITH Maintenance Mode
Vulnerability: Multiple Authenticated Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: WooCommerce Product Table Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: Connections Business Directory
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 10.4.3
Recommended Action: Update to version 10.4.3, or a newer patched version
Plugin: Visual Form Builder
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Unprotected REST-API to Sensitive Information Disclosure
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version
Plugin: OG Tags
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Check & Log Email – Easy Email Testing & Mail logging
Vulnerability: Admin+ SQL Injection via Order and OrderBy parameters
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: Great Quotes
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP DSGVO Tools (GDPR)
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.1.24
Recommended Action: Update to version 3.1.24, or a newer patched version
Plugin: WP Debugging
Vulnerability: Unauthenticated Plugin Settings Update
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Cross-Site Scripting
Patched Version: 3.5.8.2
Recommended Action: Update to version 3.5.8.2, or a newer patched version
Plugin: WP User Manager – User Profile Builder & Membership
Vulnerability: Arbitrary User Password Reset
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: ark-commenteditor
Vulnerability: iframe Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Restaurant Menu and Food Ordering
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress
Vulnerability: Privilege Escalation
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: WP Reactions Lite
Vulnerability: Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: iQ Block Country
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Unprotected REST-API to Email Injection
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version
Plugin: Countdown and CountUp, WooCommerce Sales Timer
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: WP Table Builder – WordPress Table Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.10
Recommended Action: Update to version 1.3.10, or a newer patched version
Plugin: Cool Tag Cloud
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 2.26
Recommended Action: Update to version 2.26, or a newer patched version
Plugin: Easy Media Download
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: 3DPrint Lite
Vulnerability: Arbitrary File Upload
Patched Version: 1.9.1.5
Recommended Action: Update to version 1.9.1.5, or a newer patched version
Plugin: Appointment Bookings for Zoom GoogleMeet and more – Wappointment
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: WP Visited Countries Reloaded
Vulnerability: Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version
Plugin: Flat Preloader
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.