August 25, 2021 Plugin Vulnerabilities

Is your site up to date?

Outdated plugins & themes are the #1 reason sites get hacked. Don’t leave your WooCommerce store vulnerable!

rucy

Plugin: rucy
Vulnerability: CSRF Bypass
Patched in Version: No known fix

WP-Backgrounds Lite

Plugin: WP-Backgrounds Lite
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

WP Security Question

Plugin: WP Security Question 
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

Event Espresso 4 Decaf – Event Registration Event Ticketing

Plugin: Event Espresso 4 Decaf – Event Registration Event Ticketing
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

WordPress Photo Gallery – Image Gallery

Plugin: WordPress Photo Gallery – Image Gallery  
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

Opal Estate

Plugin: Opal Estate  
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

Sync to Etsy Marketplace from WooCommerce

Plugin: Sync to Etsy Marketplace from WooCommerce
Vulnerability: CSRF Bypass
Patched in Version: 3.3.2
Severity Score: Medium

RAYS Grid

Plugin: RAYS Grid 
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

Sell Media

Plugin: Sell Media 
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

Simple eCommerce

Plugin: Simple eCommerce
Vulnerability: Arbitrary File Upload
Patched in Version: No known fix
Severity Score: Critical

WP Courses LMS

Plugin: WP Courses LMS
Vulnerability: Authenticated Stored XSS via Video Embed Code
Patched in Version: 2.0.44
Severity Score: Low

CBX Bookmark & Favorite

Plugin: CBX Bookmark & Favorite
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.6.9
Severity Score: High

Afterpay Gateway for WooCommerce

Plugin: Afterpay Gateway for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.2.1
Severity Score: High

Amazon Auto Links

Plugin: Amazon Auto Links
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.6.20
Severity Score: High

Post Carousel

Plugin: Post Carousel
Vulnerability: Unauthorised AJAX Calls
Patched in Version: 2.3.5
Severity Score: Medium

Smash Balloon Social Post Feed

Plugin: Smash Balloon Social Post Feed 
Vulnerability: Unauthenticated Stored XSS
Patched in Version: 2.19.2
Severity Score: Critical

Stop User Enumeration

Plugin: Stop User Enumeration
Vulnerability: REST API Bypass
Patched in Version: 1.3.9
Severity Score: Medium

Language Bar Flags

Plugin: Language Bar Flags
Vulnerability: CSRF to Stored XSS
Patched in Version: No known fix
Severity Score: High

Email Artillery

Plugin: Email Artillery
Vulnerability: CSRF to Stored XSS
Patched in Version: No known fix
Severity Score: High

SEOPress 5.0.0

Plugin: SEOPress 5.0.0 
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 5.0.4
Severity Score: Medium

SP Project & Document Manager

Plugin: SP Project & Document Manager 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.26
Severity Score: High

WordPress Advanced Ticket System

Plugin: WordPress Advanced Ticket System
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 1.0.64
Severity Score: Low

WPHEKA Request for Quote

Plugin: WPHEKA Request For Quote
Vulnerability: CSRF Bypass
Patched in Version: 1.3
Severity Score: Medium

All 404 Redirect to Homepage

Plugin: All 404 Redirect to Homepage
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 2.1
Severity Score: Low

Fileviewer

Plugin: Fileviewer
Vulnerability: Arbitrary File Upload/Deletion via CSRF
Patched in Version: No known fix
Severity Score: Critical

Shopp eCommerce

Plugin: Shopp eCommerce
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in Version: No known fix
Severity Score: Critical

MF Gig Calendar

Plugin: MF Gig Calendar
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: No known fix
Severity Score: High

BuddyPress

Plugin: BuddyPress
Vulnerability: Activation Key Disclosure
Patched in Version: 9.1.1
Severity Score: Medium

Jock on air now

Plugin: Jock on air now
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 5.6.3
Severity Score: Low

ThinkTwit

Plugin: ThinkTwit
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 1.7.1
Severity Score: Low

Shopping Cart & eCommerce Store

Plugin: Shopping Cart & eCommerce Store
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

Gutenslider

Plugin: Gutenslider
Vulnerability: Contributor+ Stored XSS
Patched in Version: 5.2.0
Severity Score: Medium

Visual Link Preview

Plugin: Visual Link Preview
Vulnerability: Unauthorised AJAX Calls
Patched in Version: 2.2.3
Severity Score: Medium

Print My Blog

Plugin: Print My Blog
Vulnerability: Plugin Deactivation via CSRF
Patched in Version: 3.4.2
Severity Score: Medium

Splash Header

Plugin: Splash Header 
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 1.20.8
Severity Score: Low

youForms for WordPress

Plugin: youForms for WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low

Availability Calendar

Plugin: Availability Calendar
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low

WP Mapa Politico Espana

Plugin: WP Mapa Politico Espana
Vulnerability: Authenticated Stored XSS
Patched in Version: No known fix
Severity Score: Low

Alojapro Widget

Plugin: Alojapro Widget
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: No known fix
Severity Score: Low

You Shang

Plugin: You Shang
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low

WP Dialog

Plugin: WP Dialog
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low

Donate with QRCode

Plugin: Donate With QRCode
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium

WP Mobile Menu

Plugin: Titan Framework – WP Mobile Menu
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 2.8.2.3
Severity Score: High

W3SCloud Contact Form 7 to Zoho CRM

Plugin: Titan Framework – W3SCloud Contact Form 7 to Zoho CRM
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 2.1.0
Severity Score: High

Erident Custom Login and Dashboard

Plugin: Erident Custom Login and Dashboard
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 3.5.9
Severity Score: Low

WP Cerber Security

Plugin: WP Cerber Security
Vulnerability: Rest-API Protection Bypass
Patched in Version: 8.9.3
Severity Score: Medium

Flagallery Photo Portfolio

Plugin: Flagallery Photo Portfolio
Vulnerability: Full Path Disclosure
Patched in Version: 4.25
Severity Score: Medium

GRAND Flash Album Gallery

Plugin: GRAND Flash Album Gallery 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.67
Severity Score: High

2Way VideoCalls and Random Chat

Plugin: 2Way VideoCalls and Random Chat 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 5.2.8
Severity Score: High

