November 18, 2021 Plugin Vulnerabilities

Is your site up to date?

Outdated plugins & themes are the #1 reason sites get hacked. Don’t leave your WooCommerce store vulnerable!

Registrations for the Events Calendar

Plugin: Registrations for the Events Calendar
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 2.7.6

LoginWP

Plugin: LoginWP 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.0.0.5

WooCommerce Currency Switcher

Plugin: WooCommerce Currency Switcher
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.3.7.1

Secure Copy Content Protection and Content Locking

Plugin: Secure Copy Content Protection and Content Locking
Vulnerability: Subscriber+ Email Address Disclosure
Patched in Version: 2.8.2

Bookly

Plugin: Bookly 
Vulnerability: Staff Member Stored Cross-Site Scripting
Patched in Version: 20.3.1

Email Log

Plugin: Email Log
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.4.8

Tawk.to Live Chat

Plugin: Tawk.to Live Chat
Vulnerability: Subscriber+ Visitor Monitoring & Chat Removal
Patched in Version: 0.6.0

WP Data Access

Plugin: WP Data Access
Vulnerability: Admin+ SQL Injection
Patched in Version: 5.0.0

PDF.js Viewer

Plugin: PDF.js Viewer
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 2.0.2

Backup and Restore

Plugin: Backup and Restore
Vulnerability: Admin+ Arbitrary File Deletion
Patched in Version: No known fix

LearnPress

Plugin: LearnPress 
Vulnerability: Admin+ SQL Injection
Patched in Version: 4.1.4

Get Custom Field Values

Plugin: Get Custom Field Values
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 4.0.1

Booking Package

Plugin: Booking Package
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.5.11

Like Button Rating

Plugin: Like Button Rating
Vulnerability: Unauthorised Vote Export to Email & IP Addresses Disclosure
Patched in Version: 2.6.38

Caldera Forms

Plugin: Caldera Forms
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.9.5

Starter Templates

Plugin: Starter Templates
Vulnerability: Contributor+ Block Import to Stored XSS
Patched in Version: 2.7.1

Contact Form Email

Plugin: Contact Form Email
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.3.25

Video Gallery – Vimeo and YouTube Gallery

Plugin: Video Gallery – Vimeo and YouTube Gallery 
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.1.5

WordPress Popular Posts

Plugin: WordPress Popular Posts
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 5.3.4

WP Mega Menu

Plugin: WP Mega Menu
Vulnerability: Subscriber+ Arbitrary Post Access
Patched in Version: 1.4.1

Cherry Plugin

Plugin: Cherry Plugin 
Vulnerability: Unauthenticated Arbitrary File Upload and Download
Patched in Version: 1.2.7

WP Job Manager

Plugin: WP Job Manager
Vulnerability: Phar Deserialization
Patched in Version: 1.31.3

WP Mobile Detector

Plugin: WP Mobile Detector
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in Version: 3.6

Telefication

Plugin: Telefication
Vulnerability: Open Relay & Server-Side Request Forgery
Patched in Version: no known fix – plugin closed

Game Server Status

Plugin: Game Server Status 
Vulnerability: Contributor+ SQL Injection
Patched in Version: no known fix – plugin closed

Responsive WordPress Slider

Plugin: Responsive WordPress Slider
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed

Fetch Tweets

Plugin: Fetch Tweets 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: no known fix – plugin closed

WooCommerce

Plugin: WooCommerce 
Vulnerability: Analytics Report Leaks
Patched in Version: 5.7.0

WooCommerce Admin

Plugin: WooCommerce Admin 
Vulnerability: Analytics Report Leaks
Patched in Version: 2.6.0

Cookie Bar

Plugin: Cookie Bar 
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed

WP User Manager

Plugin: WP User Manager 
Vulnerability: Arbitrary User Password Reset to Account Compromise
Patched in Version: 2.6.3

Easy Media Download
3DPrint Lite

Plugin: iQ Block Country
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.2.12

Need Security Help? Get WooSecured

We take security seriously. While security measures are built into WordPress and WooCommerce out of the box, there are things store owners should be doing to keep their customers, team, and data safe in the event of those worst-case scenarios. Our security services make your life easier by keeping your data and your customers' data safe.
