September 29, 2021 Plugin Vulnerabilities

Is your site up to date?

Outdated plugins & themes are the #1 reason sites get hacked. Don’t leave your WooCommerce store vulnerable!

Comments – wpDiscuz

Plugin: Comments – wpDiscuz
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 7.3.2

Page Generator

Plugin: Page Generator 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.5.9

WordPress to Hootsuite

Plugin: WordPress to Hootsuite
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.3.9

WordPress to Buffer

Plugin: WordPress to Buffer
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.7.5

Gutenberg PDF Viewer Block

Plugin: Gutenberg PDF Viewer Block 
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 1.0.1

YITH WooCommerce Product Add-Ons

Plugin: YITH WooCommerce Product Add-Ons
Vulnerability: Authenticated Local File Inclusion
Patched in Version: 2.1.0

To Top

Plugin: To Top  
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 2.3

Header Enhancement

Plugin: Header Enhancement
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 1.5

Generate Child Theme

Plugin: Generate Child Theme
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 1.6

Essential Content Types

Plugin: Essential Content Types
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 1.9

Catch Web Tools

Plugin: Catch Web Tools 
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 2.7

Essential Widgets

Plugin: Software License Manager 
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 1.9

Catch Under Construction

Plugin: Catch Under Construction 
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 1.4

Catch Themes Demo Import

Plugin: Catch Themes Demo Import
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 1.6

Catch Sticky Menu

Plugin: Catch Sticky Menu 
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 1.7

Catch Scroll Progress Bar

Plugin: Catch Scroll Progress Bar
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 1.6

Social Gallery and Widget

Plugin: Social Gallery and Widget
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 2.3

Catch Infinite Scroll

Plugin: Catch Infinite Scroll
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 1.9

Catch Duplicate Switcher

Plugin: Catch Duplicate Switcher 
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 1.6

Catch Breadcrumb

Plugin: Catch Breadcrumb
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 1.7

Catch IDs

Plugin: Catch IDs 
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 2.4

Tutor LMS

Plugin: Tutor LMS 
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in Version: 1.9.9

WP Import Export Lite

Plugin: WP Import Export Lite 
Vulnerability: Subscriber+ Extensions Update
Patched in Version: 3.9.5

One User Avatar

Plugin: One User Avatar
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 2.3.7

Scroll Baner

Plugin: Scroll Baner 
Vulnerability: CSRF to RCE
Patched in Version: no known fix

WP Ticket

Plugin: WP Ticket
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 5.10.4

GamePress

Plugin: GamePress 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: no known fix

Wechat Reward

Plugin: Wechat Reward 
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: no known fix

Sociable

Plugin: Sociable 
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: no known fix

BetterDocs

Plugin: BetterDocs 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.9.2

Multiple WooCommerce Add-Ons – multiple plugins

Plugin: Product Filter for WooCommerce 
Vulnerability: Low Priv Arbitrary Blog Options Update/Access/Deletion & Plugin’s Settings Update/Export/Import
Patched in Version: 8.2.0

WP Cookie Choice

Plugin: WP Cookie Choice
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: no known fix

Easy Twitter Feed

Plugin: Easy Twitter Feed 
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 1.2

Html5 Audio Player

Plugin: Html5 Audio Player 
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 2.1.3

Polo Video Gallery

Plugin: Polo Video Gallery 
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed

StreamCast

Plugin: StreamCast  
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 2.1.1

PDF Light Viewer

Plugin: PDF Light Viewer 
Vulnerability: Authenticated Command Injection
Patched in Version: 1.4.12

MainWP Child Reports

Plugin: MainWP Child Reports 
Vulnerability: Admin+ SQL Injection
Patched in Version: 2.0.8

LearnPress

Plugin: LearnPress
Vulnerability: Unauthorised Plugin’s Setting Change
Patched in Version: 4.1.3.1

OptinMonster

Plugin: OptinMonster 
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 2.6.1

Frontend Uploader

Plugin: Frontend Uploader
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed

Allow REL= and HTML in Author Bios

Plugin: Allow REL= and HTML in Author Bios
Vulnerability: Author+ Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed

WP HTML Author Bio

Plugin: WP HTML Author Bio
Vulnerability: Author+ Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed

jQuery Reply to Comment

Plugin: jQuery Reply to Comment 
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed

Video Gallery – Vimeo and YouTube Gallery

Plugin: Video Gallery – Vimeo and YouTube Gallery
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed

Request a Quote

Plugin: Request a Quote 
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.3.5

St Daily Tip

Plugin: St Daily Tip
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed

Advance Search

Plugin: Advance Search 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.1.3

WP Mega Menu

Plugin: WP Mega Menu
Vulnerability: Subscriber+ Arbitrary Post Access
Patched in Version: 1.4.1

Cherry Plugin

Plugin: Cherry Plugin 
Vulnerability: Unauthenticated Arbitrary File Upload and Download
Patched in Version: 1.2.7

WP Job Manager

Plugin: WP Job Manager
Vulnerability: Phar Deserialization
Patched in Version: 1.31.3

WP Mobile Detector

Plugin: WP Mobile Detector
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in Version: 3.6

Telefication

Plugin: Telefication
Vulnerability: Open Relay & Server-Side Request Forgery
Patched in Version: no known fix – plugin closed

Game Server Status

Plugin: Game Server Status 
Vulnerability: Contributor+ SQL Injection
Patched in Version: no known fix – plugin closed

Responsive WordPress Slider

Plugin: Responsive WordPress Slider
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed

Fetch Tweets

Plugin: Fetch Tweets 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: no known fix – plugin closed

WooCommerce

Plugin: WooCommerce 
Vulnerability: Analytics Report Leaks
Patched in Version: 5.7.0

WooCommerce Admin

Plugin: WooCommerce Admin 
Vulnerability: Analytics Report Leaks
Patched in Version: 2.6.0

Cookie Bar

Plugin: Cookie Bar 
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: no known fix – plugin closed

WP User Manager

Plugin: WP User Manager 
Vulnerability: Arbitrary User Password Reset to Account Compromise
Patched in Version: 2.6.3

Easy Media Download

Plugin: Easy Media Download
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 1.1.7

3DPrint Lite

Plugin: 3DPrint Lite
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in Version: no known fix – plugin closed

iQ Block Country

Plugin: iQ Block Country
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.2.12

WordPress Popular Posts

Plugin: WordPress Popular Posts 
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 5.3.4

Need Security Help? Get WooSecured

We take security seriously. While security measures are built into WordPress and WooCommerce out of the box, there are things store owners should be doing to keep their customers, team, and data safe in the event of those worst-case scenarios. Our security services make your life easier by making your data and your customer data safe.
