August 25, 2021 Plugin Vulnerabilities

Is your site up to date?

Outdated plugins & themes are the #1 reason sites get hacked. Don’t leave your WooCommerce store vulnerable!

rucy

Plugin: rucy
Vulnerability: CSRF Bypass
Patched in Version: No known fix 

WP-Backgrounds Lite

Plugin: WP-Backgrounds Lite
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

WP Security Question

Plugin: WP Security Question 
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

Event Espresso 4 Decaf – Event Registration Event Ticketing

Plugin: Event Espresso 4 Decaf – Event Registration Event Ticketing
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

WordPress Photo Gallery – Image Gallery

Plugin: WordPress Photo Gallery – Image Gallery  
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

Opal Estate

Plugin: Opal Estate  
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

Sync to Etsy Marketplace from WooCommerce

Plugin: Sync to Etsy Marketplace from WooCommerce
Vulnerability: CSRF Bypass
Patched in Version: 3.3.2
Severity Score: Medium

RAYS Grid

Plugin: RAYS Grid 
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

Sell Media

Plugin: Sell Media 
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

Simple eCommerce

Plugin: Simple eCommerce
Vulnerability: Arbitrary File Upload
Patched in Version: No known fix
Severity Score: Critical

WP Courses LMS

Plugin: WP Courses LMS
Vulnerability: Authenticated Stored XSS via Video Embed Code
Patched in Version: 2.0.44
Severity Score: Low

CBX Bookmark & Favorite

Plugin: CBX Bookmark & Favorite
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.6.9
Severity Score: High

The vulnerability is patc

Afterpay Gateway for WooCommerce

Plugin: Afterpay Gateway for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.2.1
Severity Score: High

Amazon Auto Links

Plugin: Amazon Auto Links
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.6.20
Severity Score: High

Post Carousel

Plugin: Post Carousel
Vulnerability: Unauthorised AJAX Calls
Patched in Version: 2.3.5
Severity Score: Medium

Smash Balloon Social Post Feed

Plugin: Smash Balloon Social Post Feed 
Vulnerability: Unauthenticated Stored XSS
Patched in Version: 2.19.2
Severity Score: Critical

Stop User Enumeration

Plugin: Stop User Enumeration 
Vulnerability: REST API Bypass
Patched in Version: 1.3.9
Severity Score: Medium

Language Bar Flags

Plugin: Language Bar Flags
Vulnerability: CSRF to Stored XSS
Patched in Version: No known fix
Severity Score: High

Email Artillery

Plugin: Email Artillery
Vulnerability: CSRF to Stored XSS
Patched in Version: No known fix
Severity Score: High

SEOPress 5.0.0

Plugin: SEOPress 5.0.0 
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 5.0.4
Severity Score: Medium

SP Project & Document Manager

Plugin: SP Project & Document Manager 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.26
Severity Score: High

WordPress Advanced Ticket System

Plugin: WordPress Advanced Ticket System
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 1.0.64
Severity Score: Low

WPHEKA Request for Quote

Plugin: WPHEKA Request For Quote
Vulnerability: CSRF Bypass
Patched in Version: 1.3
Severity Score: Medium

All 404 Redirect to Homepage

Plugin: All 404 Redirect to Homepage
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 2.1
Severity Score: Low

Fileviewer

Plugin: Fileviewer
Vulnerability: Arbitrary File Upload/Deletion via CSRF
Patched in Version: No known fix
Severity Score: Critical

Shopp eCommerce

Plugin: Shopp eCommerce
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in Version: No known fix
Severity Score: Critical

MF Gig Calendar

Plugin: MF Gig Calendar
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: No known fix
Severity Score: High

BuddyPress

Plugin: BuddyPress
Vulnerability: Activation Key Disclosure
Patched in Version: 9.1.1
Severity Score: Medium

Jock on air now

Plugin: Jock on air now
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 5.6.3
Severity Score: Low

ThinkTwit

Plugin: ThinkTwit
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 1.7.1
Severity Score: Low

Shopping Cart & eCommerce Store

Plugin: Shopping Cart & eCommerce Store
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

Gutenslider

Plugin: Gutenslider
Vulnerability: Contributor+ Stored XSS
Patched in Version: 5.2.0
Severity Score: Medium

Visual Link Preview

Plugin: Visual Link Preview
Vulnerability: Unauthorised AJAX Calls
Patched in Version: 2.2.3
Severity Score: Medium

Print My Blog

Plugin: Print My Blog
Vulnerability: Plugin Deactivation via CSRF
Patched in Version: 3.4.2
Severity Score: Medium

Splash Header

Plugin: Splash Header 
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 1.20.8
Severity Score: Low

youForms for WordPress

Plugin: youForms for WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low

Availability Calendar

Plugin: Availability Calendar
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low

WP Mapa Politico Espana

Plugin: WP Mapa Politico Espana
Vulnerability: Authenticated Stored XSS
Patched in Version: No known fix
Severity Score: Low

Alojapro Widget

Plugin: Alojapro Widget
Vulnerability: Authenticated Stored Cross-Site Scripting(XSS)
Patched in Version: No known fix
Severity Score: Low

You Shang

Plugin: You Shang
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low

WP Dialog

Plugin: WP Dialog
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low

Donate with QRCode

Plugin: Donate With QRCode
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium

WP Mobile Menu

Plugin: Titan Framework – WP Mobile Menu
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 2.8.2.3
Severity Score: High

W3SCloud Contact Form 7 to Zoho CRM

Plugin: Titan Framework – W3SCloud Contact Form 7 to Zoho CRM
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 2.1.0
Severity Score: High

Erident Custom Login and Dashboard

Plugin: Erident Custom Login and Dashboard
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 3.5.9
Severity Score: Low

WP Cerber Security

Plugin: WP Cerber Security
Vulnerability: Rest-API Protection Bypass
Patched in Version: 8.9.3
Severity Score: Medium

Flagallery Photo Portfolio

Plugin: Flagallery Photo Portfolio
Vulnerability: Full Path Disclosure
Patched in Version: 4.25
Severity Score: Medium

GRAND Flash Album Gallery

Plugin: GRAND Flash Album Gallery 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.67
Severity Score: High

2Way VideoCalls and Random Chat

Plugin: 2Way VideoCalls and Random Chat 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 5.2.8
Severity Score: High

The vulnerability is patched, 
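
Most of the entries above come down to the same few mistakes in plugin code. The following is an added example written for this post; it is not code from any plugin listed here. It uses a hypothetical plugin called "Example Banner" (the exbanner_ function prefix, the exbanner_html option and the nonce actions exbanner_save and exbanner_ajax are all made up for the illustration). It shows a settings handler and an AJAX action written the way a "CSRF Bypass" or "Unauthorised AJAX Calls" finding usually looks, beside the hardened versions that use the core WordPress nonce, capability and escaping functions.

```php
<?php
/**
 * Added illustration for a hypothetical "Example Banner" plugin.
 * Not code from any plugin named in this post; names are assumptions.
 *
 * The vulnerable handlers show the defects behind most entries above:
 *  - a state-changing request accepted without a nonce (CSRF bypass),
 *  - an AJAX action that never checks capabilities (unauthorised AJAX calls),
 *  - admin-supplied HTML stored raw and echoed unescaped (stored XSS).
 * The hardened handlers fix each one with core WordPress APIs.
 */

// --- VULNERABLE: anything POSTed to admin-post.php?action=exbanner_save
// updates the option. An administrator who visits an attacker's page with an
// auto-submitting form has the banner replaced, and the payload is then
// rendered for every visitor (the "CSRF to Stored XSS" chain).
function exbanner_save_vulnerable() {
    $html = $_POST['banner_html'] ?? '';        // no nonce, no capability check
    update_option( 'exbanner_html', $html );    // raw HTML stored
    wp_safe_redirect( admin_url( 'options-general.php?page=exbanner' ) );
    exit;
}
// Not registered here so the hardened handler below is the one that runs:
// add_action( 'admin_post_exbanner_save', 'exbanner_save_vulnerable' );

function exbanner_render_vulnerable() {
    echo get_option( 'exbanner_html', '' );     // stored XSS sink
}

// --- HARDENED: the nonce ties the request to a form WordPress served to this
// user, the capability check limits who may change settings, and the value is
// sanitised on the way in and escaped on the way out.
function exbanner_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="exbanner_save">
        <?php wp_nonce_field( 'exbanner_save', '_exbanner_nonce' ); ?>
        <textarea name="banner_html"><?php echo esc_textarea( get_option( 'exbanner_html', '' ) ); ?></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
}

function exbanner_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Dies with a 403 if the nonce is missing, expired, or minted for another user.
    check_admin_referer( 'exbanner_save', '_exbanner_nonce' );

    // wp_kses_post() keeps post-safe markup and strips <script>, on* handlers, etc.
    $html = wp_kses_post( wp_unslash( $_POST['banner_html'] ?? '' ) );
    update_option( 'exbanner_html', $html );
    wp_safe_redirect( admin_url( 'options-general.php?page=exbanner' ) );
    exit;
}
add_action( 'admin_post_exbanner_save', 'exbanner_save_hardened' );

function exbanner_render_hardened() {
    // Escape on output as well; the stored value may predate the fix.
    echo wp_kses_post( get_option( 'exbanner_html', '' ) );
}

// --- AJAX: registering only the wp_ajax_ hook limits the action to logged-in
// users, but every subscriber is "logged in". The handler must still verify a
// nonce and a capability before doing anything privileged.
function exbanner_ajax_reset() {
    check_ajax_referer( 'exbanner_ajax', 'nonce' );   // replies -1 / 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_option( 'exbanner_html' );
    wp_send_json_success();
}
add_action( 'wp_ajax_exbanner_reset', 'exbanner_ajax_reset' );
// Deliberately no add_action( 'wp_ajax_nopriv_exbanner_reset', ... ):
// that hook would expose the action to unauthenticated visitors.
```

For the AJAX endpoint the page's JavaScript has to send a nonce minted with wp_create_nonce( 'exbanner_ajax' ), normally handed to the script through wp_localize_script(). Note that the nonce is not an authorisation check on its own: WordPress nonces are per-user tokens that prove the request came from a page the site served to that user, so current_user_can() is still needed to decide whether that user may perform the action. A plugin that has the nonce but not the capability check is what the "Subscriber+" and "Contributor+" stored XSS entries above usually look like.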

Need Security Help? Get WooSecured

We take security seriously. While security measures are built into WordPress and WooCommerce out of the box, there are things store owners should be doing to keep their customers, team, and data safe in a worst-case scenario. Our security services make your life easier by keeping your data and your customers' data safe.
