Watch Out Wednesday – September 29, 2021

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: WordPress Contact Forms by Cimatti

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version

Plugin: Contact Forms – Drag & Drop Contact Form Builder

Vulnerability: Drag & Drop Contact Form Builder <= 1.0.5
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Video Player for YouTube

Vulnerability: Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Cookie Bar

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version

Plugin: AGCA – Custom Dashboard & Login Page

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 6.9
Recommended Action: Update to version 6.9, or a newer patched version

Plugin: Flat Preloader

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Permalink Manager Lite

Vulnerability: Admin+ SQL Injection
Patched Version: 2.2.13.1
Recommended Action: Update to version 2.2.13.1, or a newer patched version

Plugin: YITH Maintenance Mode

Vulnerability: Multiple Authenticated Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: WooCommerce Product Table Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Connections Business Directory

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 10.4.3
Recommended Action: Update to version 10.4.3, or a newer patched version

Plugin: Visual Form Builder

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Unprotected REST-API to Sensitive Information Disclosure
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: OG Tags

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Check & Log Email – Easy Email Testing & Mail logging

Vulnerability: Admin+ SQL Injection via Order and OrderBy parameters
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Great Quotes

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP DSGVO Tools (GDPR)

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.1.24
Recommended Action: Update to version 3.1.24, or a newer patched version

Plugin: WP Debugging

Vulnerability: Unauthenticated Plugin Settings Update
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Scripting
Patched Version: 3.5.8.2
Recommended Action: Update to version 3.5.8.2, or a newer patched version

Plugin: WP User Manager – User Profile Builder & Membership

Vulnerability: Arbitrary User Password Reset
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: ark-commenteditor

Vulnerability: iframe Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Restaurant Menu and Food Ordering

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress

Vulnerability: Privilege Escalation
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: WP Reactions Lite

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: iQ Block Country

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Unprotected REST-API to Email Injection
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: Countdown and CountUp, WooCommerce Sales Timer

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: WP Table Builder – WordPress Table Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.10
Recommended Action: Update to version 1.3.10, or a newer patched version

Plugin: Cool Tag Cloud

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 2.26
Recommended Action: Update to version 2.26, or a newer patched version

Plugin: Easy Media Download

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: 3DPrint Lite

Vulnerability: Arbitrary File Upload
Patched Version: 1.9.1.5
Recommended Action: Update to version 1.9.1.5, or a newer patched version

Plugin: Appointment Bookings for Zoom GoogleMeet and more – Wappointment

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: WP Visited Countries Reloaded

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: Flat Preloader

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
