
WordPress Vulnerability Report – January 28, 2023

WordPress Plugin Vulnerabilities

This section lists the latest disclosed WordPress plugin vulnerabilities. Each entry gives the plugin slug, the number of active installations where known, the vulnerability type (prefixed with the lowest user role able to exploit it, e.g. Contributor+, or "Unauthenticated" when no account is needed), the version in which it was patched, and the severity rating.

Enable Media Replace

PLUGIN SLUG: enable-media-replace
INSTALLATIONS: 600,000+
VULNERABILITY: Author+ Arbitrary File Upload
PATCHED IN VERSION: 4.0.2
SEVERITY SCORE: Critical
The vulnerability has been patched, so you should update to version 4.0.2.

Spectra

PLUGIN SLUG: ultimate-addons-for-gutenberg
INSTALLATIONS: 400,000+
VULNERABILITY: Stored Cross-Site Scripting
PATCHED IN VERSION: 1.15.0
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 1.15.0.

Parsi Date

PLUGIN SLUG: wp-parsidate
INSTALLATIONS: 100,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: 4.0.2
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 4.0.2.

Better Font Awesome

PLUGIN SLUG: better-font-awesome
INSTALLATIONS: 100,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 2.0.4
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 2.0.4.

LearnPress Plugin

PLUGIN SLUG: learnpress
INSTALLATIONS: 100,000+
VULNERABILITY: Unauthenticated LFI; Subscriber+ SQLi; Unauthenticated SQLi
PATCHED IN VERSION: 4.2.0
SEVERITY SCORE: Critical
These vulnerabilities have been patched, so you should update to version 4.2.0.

Customer Reviews for WooCommerce

PLUGIN SLUG: customer-reviews-woocommerce
INSTALLATIONS: 50,000+
VULNERABILITY: Contributor+ LFI; Contributor+ Stored XSS
PATCHED IN VERSION: 5.17.0
SEVERITY SCORE: Critical
These vulnerabilities have been patched, so you should update to version 5.17.0.

Themify Portfolio Post

PLUGIN SLUG: themify-portfolio-post
INSTALLATIONS: 50,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.2.2
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 1.2.2.

Spotlight Social Feeds

PLUGIN SLUG: spotlight-social-photo-feeds
INSTALLATIONS: 50,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.4.3
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 1.4.3.

Meks Flexible Shortcodes

PLUGIN SLUG: meks-flexible-shortcodes
INSTALLATIONS: 30,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.3.5
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 1.3.5.

WP Visitor Statistics (Real Time Traffic)

PLUGIN SLUG: wp-stats-manager
INSTALLATIONS: 20,000+
VULNERABILITY: Contributor+ Stored XSS via Shortcode
PATCHED IN VERSION: 6.5
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 6.5.

WP Google Review Slider

PLUGIN SLUG: wp-google-places-review-slider
INSTALLATIONS: 20,000+
VULNERABILITY: Subscriber+ SQLi
PATCHED IN VERSION: 11.8
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 11.8.

TemplatesNext ToolKit

PLUGIN SLUG: templatesnext-toolkit
INSTALLATIONS: 10,000+
VULNERABILITY: Contributor+ Stored XSS via Shortcode; Contributor+ Stored XSS
PATCHED IN VERSION: 3.2.9
SEVERITY SCORE: Medium
These vulnerabilities have been patched, so you should update to version 3.2.9.

WP Customer Area

PLUGIN SLUG: customer-area
INSTALLATIONS: 10,000+
VULNERABILITY: Unauthorised Actions via CSRF
PATCHED IN VERSION: 8.1.4
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 8.1.4.

Easy Accept Payments for PayPal

PLUGIN SLUG: wordpress-easy-paypal-payment-or-donation-accept-plugin
INSTALLATIONS: 10,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 4.9.10
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 4.9.10.

Easy Affiliate Links

PLUGIN SLUG: easy-affiliate-links
INSTALLATIONS: 10,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 3.7.1
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 3.7.1.

WP TripAdvisor Review Slider

PLUGIN SLUG: wp-tripadvisor-review-slider
INSTALLATIONS: 10,000+
VULNERABILITY: Subscriber+ SQLi
PATCHED IN VERSION: 10.8
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 10.8.

Custom 404 Pro

PLUGIN SLUG: custom-404-pro
INSTALLATIONS: 10,000+
VULNERABILITY: Logs Deletion via CSRF
PATCHED IN VERSION: 3.7.2
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 3.7.2.

PickPlugins Product Slider for WooCommerce

PLUGIN SLUG: woocommerce-products-slider
INSTALLATIONS: 10,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.13.42
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 1.13.42.

YaMaps for WordPress Plugin

PLUGIN SLUG: yamaps
INSTALLATIONS: 10,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 0.6.26
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 0.6.26.

Social Like Box and Page by WpDevArt

PLUGIN SLUG: like-box
INSTALLATIONS: 10,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 0.8.41
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 0.8.41.

WP FullCalendar

PLUGIN SLUG: wp-fullcalendar
INSTALLATIONS: 10,000+
VULNERABILITY: Unauthenticated Arbitrary Post Access
PATCHED IN VERSION: 1.5
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 1.5.

WP Font Awesome

PLUGIN SLUG: wp-font-awesome
INSTALLATIONS: 10,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.7.9
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 1.7.9.

WP Review Slider

PLUGIN SLUG: wp-facebook-reviews
INSTALLATIONS: 10,000+
VULNERABILITY: Subscriber+ SQLi
PATCHED IN VERSION: 12.2
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 12.2.

Product Slider and Carousel with Category for WooCommerce

PLUGIN SLUG: woo-product-slider-and-carousel-with-category
INSTALLATIONS: 10,000+
VULNERABILITY: Contributor+ Stored XSS via Shortcode
PATCHED IN VERSION: 2.8
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 2.8.

Zoho Forms

PLUGIN SLUG: zoho-forms
INSTALLATIONS: 10,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 3.0.1
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 3.0.1.

Judge.me Product Reviews for WooCommerce

PLUGIN SLUG: judgeme-product-reviews-woocommerce
INSTALLATIONS: 8,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.3.21
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 1.3.21.

Timed Content

PLUGIN SLUG: timed-content
INSTALLATIONS: 8,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 2.73
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 2.73.

Location Weather

PLUGIN SLUG: location-weather
INSTALLATIONS: 8,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.3.4
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 1.3.4.

Responsive Gallery Grid

PLUGIN SLUG: responsive-gallery-grid
INSTALLATIONS: 7,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 2.3.9
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 2.3.9.

Watu Quiz

PLUGIN: Watu Quiz
PLUGIN SLUG: watu
INSTALLATIONS: 6,000+
VULNERABILITY: Admin+ Stored XSS; Reflected XSS
PATCHED IN VERSION: 3.3.8.3
SEVERITY SCORE: Low
These vulnerabilities have been patched, so you should update to version 3.3.8.3.

Lightweight Accordion

PLUGIN SLUG: lightweight-accordion
INSTALLATIONS: 6,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.5.15
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 1.5.15.

WP Helper Lite

PLUGIN SLUG: wp-helper-lite
INSTALLATIONS: 3,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: 4.3
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 4.3.

WP Airbnb Review Slider

PLUGIN SLUG: wp-airbnb-review-slider
INSTALLATIONS: 2,000+
VULNERABILITY: Subscriber+ SQLi
PATCHED IN VERSION: 3.3
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 3.3.

WP Yelp Review Slider

PLUGIN SLUG: wp-yelp-review-slider
INSTALLATIONS: 1,000+
VULNERABILITY: Subscriber+ SQLi
PATCHED IN VERSION: 7.1
SEVERITY SCORE: High
The vulnerability has been patched, so you should update to version 7.1.

Shortcode for Font Awesome

PLUGIN SLUG: shortcode-for-font-awesome
INSTALLATIONS: 700+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.4.1
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 1.4.1.

uTubeVideo Gallery

PLUGIN SLUG: utubevideo-gallery
INSTALLATIONS: 500+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 2.0.8
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 2.0.8.

GigPress

PLUGIN: GigPress
PLUGIN SLUG: gigpress
VULNERABILITY: Contributor+ Stored XSS via Shortcode
PATCHED IN VERSION: 2.3.28
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 2.3.28.

Lightbox Gallery

PLUGIN SLUG: lightbox-gallery
VULNERABILITY: Contributor+ Stored XSS via Shortcode
PATCHED IN VERSION: 0.9.5
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 0.9.5.

Rich Table of Contents

PLUGIN SLUG: rich-table-of-content
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.3.8
SEVERITY SCORE: Medium
The vulnerability has been patched, so you should update to version 1.3.8.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

YARPP – Yet Another Related Posts Plugin

PLUGIN SLUG: yet-another-related-posts-plugin
INSTALLATIONS: 100,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched. You should deactivate the plugin.

Easy PayPal Buy Now Button

PLUGIN SLUG: wp-ecommerce-paypal
INSTALLATIONS: 30,000+
VULNERABILITY: Contributor+ Stored XSS in Shortcode
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched. You should deactivate the plugin.

Markup

PLUGIN SLUG: wp-structuring-markup
INSTALLATIONS: 30,000+
VULNERABILITY: Contributor+ Stored XSS via Shortcode
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched. You should deactivate the plugin.

Page Builder: Live Composer

PLUGIN SLUG: live-composer-page-builder
INSTALLATIONS: 20,000+
VULNERABILITY: Contributor+ Stored XSS via Shortcode
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched. You should deactivate the plugin.

FL3R FeelBox

PLUGIN SLUG: fl3r-feelbox
VULNERABILITY: Unauthenticated SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Oi Yandex.Maps

PLUGIN SLUG: oi-yamaps
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Youtube Channel Gallery

PLUGIN SLUG: youtube-channel-gallery
VULNERABILITY: Contributor+ Stored XSS via Shortcode
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Intuitive Custom Post Order

PLUGIN SLUG: intuitive-custom-post-order
VULNERABILITY: Subscriber+ Arbitrary Menu Order Update
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Youtube Shortcode

PLUGIN SLUG: youtube-shortcode
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Amazon JS

PLUGIN: Amazon JS
PLUGIN SLUG: amazonjs
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Widget Shortcode

PLUGIN SLUG: widget-shortcode
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Amr Shortcode Any Widget

PLUGIN SLUG: amr-shortcode-any-widget
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP TopBar

PLUGIN: WP-TopBar
PLUGIN SLUG: wp-topbar
VULNERABILITY: Admin+ SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Widgets on Pages

PLUGIN SLUG: widgets-on-pages
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Twenty20 Image Before-After

PLUGIN SLUG: twenty20
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Mapwiz

PLUGIN: Mapwiz
PLUGIN SLUG: mapwiz
VULNERABILITY: Admin+ SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
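The two rules this report applies, update to the patched version where one exists and uninstall and delete where none does, are easy to automate against a site's plugin inventory. The script below is an added example, not code from the report or from any plugin it lists. It embeds a handful of the report's own entries as advisory data and a constructed inventory in the shape of `wp plugin list --fields=name,version,status --format=json` output (that command's `name` field is the plugin slug); the function and variable names are the example's own. The part worth seeing is the version comparison: plugin versions such as 1.13.42 and 11.10 compare wrongly as strings, so a naive check would clear a vulnerable 1.13.5 and flag an already-fixed 11.10.

```python
"""Triage installed WordPress plugins against a vulnerability report.

Added example, not code from the report.  ADVISORIES is a subset of the
report's entries keyed by plugin slug; SAMPLE_INVENTORY is CONSTRUCTED
data in the shape of `wp plugin list --fields=name,version,status --format=json`.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# slug -> (patched-in version, or None when no fix exists; vulnerability; severity)
ADVISORIES = {
    "enable-media-replace":             ("4.0.2",   "Author+ Arbitrary File Upload", "Critical"),
    "learnpress":                       ("4.2.0",   "Unauthenticated LFI; Subscriber+ SQLi; Unauthenticated SQLi", "Critical"),
    "woocommerce-products-slider":      ("1.13.42", "Contributor+ Stored XSS", "Medium"),
    "wp-google-places-review-slider":   ("11.8",    "Subscriber+ SQLi", "High"),
    "yet-another-related-posts-plugin": (None,      "Contributor+ Stored XSS", "Medium"),
    "fl3r-feelbox":                     (None,      "Unauthenticated SQLi", "High"),
}

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def parse_version(v: str):
    """Split '1.13.42' into ((1, 13, 42), '') and '4.0.2-beta1' into ((4, 0, 2), 'beta1')."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-+.]?([A-Za-z][\w.-]*))?", v.strip())
    if not m:
        raise ValueError(f"unparseable plugin version: {v!r}")
    return tuple(int(x) for x in m.group(1).split(".")), (m.group(2) or "")


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1.  Components compare as integers, so 1.13.5 < 1.13.42
    and 11.10 > 11.8 (string comparison gets both wrong).  Missing trailing
    components count as zero (6.5 == 6.5.0).  A pre-release tag sorts below
    the bare release (4.0.2-beta1 < 4.0.2)."""
    (na, ta), (nb, tb) = parse_version(a), parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    ka, kb = (ta == "", ta), (tb == "", tb)  # bare release ranks above any tag
    return (ka > kb) - (ka < kb)


def is_vulnerable(installed: str, patched: Optional[str]) -> bool:
    """With no fix published, every installed version is affected."""
    return patched is None or compare_versions(installed, patched) < 0


@dataclass
class Finding:
    slug: str
    installed: str
    status: str
    vulnerability: str
    severity: str
    action: str


def triage(inventory_json: str, advisories=ADVISORIES):
    """Findings for installed plugins the report says are affected, most severe
    first.  Inactive plugins are reported too: their files stay on disk, which is
    why the report says uninstall and delete rather than just deactivate."""
    findings = []
    for plugin in json.loads(inventory_json):
        slug = plugin["name"]
        if slug not in advisories:
            continue
        patched, vuln, severity = advisories[slug]
        if not is_vulnerable(plugin["version"], patched):
            continue
        action = f"update to {patched}" if patched else "uninstall and delete (no fix available)"
        findings.append(Finding(slug, plugin["version"], plugin["status"], vuln, severity, action))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.slug))


# Constructed inventory; the version strings here are not real site data.
SAMPLE_INVENTORY = json.dumps([
    {"name": "enable-media-replace", "version": "4.0.1", "status": "active"},
    {"name": "learnpress", "version": "4.2.0", "status": "active"},
    {"name": "woocommerce-products-slider", "version": "1.13.5", "status": "active"},
    {"name": "wp-google-places-review-slider", "version": "11.10", "status": "inactive"},
    {"name": "yet-another-related-posts-plugin", "version": "5.30.3", "status": "active"},
    {"name": "akismet", "version": "5.0.2", "status": "active"},
])

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.severity:8} {f.slug} {f.installed} ({f.status}): {f.vulnerability} -> {f.action}")
```

To use it on a real site, replace SAMPLE_INVENTORY with the actual `wp plugin list` JSON and extend ADVISORIES from the entries above. The status field is carried through but never used to suppress a finding, for the reason the report gives: a closed or unfixed plugin has to come off the disk, not merely be switched off.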