Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Weather Effect – Christmas, Santa, Snow Falling, Snowflake Effect
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Product Filter for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 8.2.0
Recommended Action: Update to version 8.2.0, or a newer patched version
Plugin: Meow Gallery
Vulnerability: SQL Injection
Patched Version: 4.1.9
Recommended Action: Update to version 4.1.9, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.7.2
Recommended Action: Update to version 1.2.7.2, or a newer patched version
Plugin: ELEX WooCommerce Google Shopping (Google Product Feed)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.2.29
Recommended Action: Update to version 1.2.2.29, or a newer patched version
Plugin: Easy Social Icons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: Directory Listings WordPress plugin – uListing
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Redux Framework
Vulnerability: Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion
Patched Version: 4.2.13
Recommended Action: Update to version 4.2.13, or a newer patched version
Plugin: CM Tooltip Glossary
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.9.21
Recommended Action: Update to version 3.9.21, or a newer patched version
Plugin: Zoho CRM Lead Magnet
Vulnerability: Cross-Site Scripting
Patched Version: 1.7.2.9
Recommended Action: Update to version 1.7.2.9, or a newer patched version
Plugin: Redux Framework
Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: 4.2.13
Recommended Action: Update to version 4.2.13, or a newer patched version
Plugin: Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Meow Gallery
Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version
Plugin: Simple Download Monitor
Vulnerability: Contributor+ Arbitrary File Download
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version
Plugin: Easy Social Icons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: Better Find and Replace
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: Easy Social Icons
Vulnerability: No subtitle
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Appointment Hour Booking – WordPress Booking Plugin
Vulnerability: No subtitle
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version
Plugin: WP User Manager – User Profile Builder & Membership
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: WP Sitemap Page
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Vulnerability: Authenticated (admin+) Stored Cross-Site Scripting
Patched Version: 2.1.1.3
Recommended Action: Update to version 2.1.1.3, or a newer patched version
Plugin: Editorial Calendar, Marketing Content, Kanban Board – PublishPress Planner
Vulnerability: Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version
Plugin: WordPress Automatic Plugin
Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 3.53.3
Recommended Action: Update to version 3.53.3, or a newer patched version
Plugin: Weather Effect – Christmas, Santa, Snow Falling, Snowflake Effect
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: Pinterest Automatic
Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 4.14.4
Recommended Action: Update to version 4.14.4, or a newer patched version
Plugin: My Chatbot
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Support Board
Vulnerability: Multiple Unauthenticated SQL Injections
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: XO Event Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version
Plugin: Modern Events Calendar Lite
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 5.22.2
Recommended Action: Update to version 5.22.2, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.