WP Security Roundup: December 13, 2023

This WP Security Roundup lists the latest WordPress plugin vulnerabilities, including Alt Manager, Custom Login, System Dashboard and more.


Plugin: Alt Manager

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: Custom Post Type Page Template

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: Advanced Page Visit Counter

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: Livemesh Addons for WPBakery Page Builder

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.6
Recommended Action: Update the WordPress Livemesh Addons for WPBakery Page Builder plugin to the latest available version (at least 3.6).


Plugin: Alma – Pay in installments or later for WooCommerce

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of December 7, 2023 and is not available for download. This closure is temporary, pending a full review.


Plugin: Social Media Feather

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.


Plugin: Login With Ajax

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: WP Project Manager

Vulnerability: Broken Access Control vulnerability
Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: Custom Login

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: BC Menu Bar Cart Icon For WooCommerce By Binary Carpenter

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: Awesome Support

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: Smart Forms

Vulnerability: Authenticated Arbitrary Options Change Vulnerability
Patched Version: 2.6.85
Recommended Action: Update the WordPress Smart Forms plugin to the latest available version (at least 2.6.85).


Plugin: Caddy

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.9.8
Recommended Action: Update the WordPress Caddy plugin to the latest available version (at least 1.9.8).


Plugin: PayTR Taksit Tablosu

Vulnerability: Broken Authentication vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of November 17, 2023 and is not available for download. This closure is temporary, pending a full review.


Plugin: Responsive Slick Slider WordPress

Vulnerability: Content Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: Square Thumbnails

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: WP Simple HTML Sitemap

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: System Dashboard

Vulnerability: Missing Authorization to Information Disclosure (sd_option_value) vulnerability
Vulnerability: Missing Authorization to Information Disclosure (sd_php_info) vulnerability
Vulnerability: Missing Authorization to Information Disclosure (sd_global_value) vulnerability
Vulnerability: Missing Authorization to Information Disclosure (sd_db_specs) vulnerability
Patched Version: 2.8.8
Recommended Action: Update the WordPress System Dashboard plugin to the latest available version (at least 2.8.8).


Plugin: Elementor Website Builder

Vulnerability: Arbitrary File Upload vulnerability
Patched Version: 3.18.2
Recommended Action: Update the WordPress Elementor Website Builder plugin to the latest available version (at least 3.18.2).


Plugin: Shortcoder

Vulnerability: Broken Access Control vulnerability
Patched Version: 6.3.1
Recommended Action: Update the WordPress Shortcoder plugin to the latest available version (at least 6.3.1).


Plugin: Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: Annual Archive

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: Author Avatars List/Block

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: Redirects

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.


Plugin: WPPerformanceTester

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: First Order Discount Woocommerce

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: Rocket Maintenance Mode & Coming Soon Page

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: Optin Forms

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 1, 2023 and is not available for download. Reason: Licensing/Trademark Violation.


Plugin: Multi Currency For WooCommerce

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available.


Plugin: Partdo Core

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available; the vendor provided no patched version for validation. No reply from the vendor.


Plugin: Bacola Core

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available; the vendor provided no patched version for validation. No reply from the vendor.


Plugin: Medibazar Core

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available; the vendor provided no patched version for validation. No reply from the vendor.


Plugin: Furnob Core

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available; the vendor provided no patched version for validation. No reply from the vendor.


Plugin: Cosmetsy Core

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available; the vendor provided no patched version for validation. No reply from the vendor.


Plugin: Clotya Core

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available; the vendor provided no patched version for validation. No reply from the vendor.


Plugin: Clotya

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available; the vendor provided no patched version for validation. No reply from the vendor.


Plugin: Cosmetsy

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available; the vendor provided no patched version for validation. No reply from the vendor.


Plugin: Furnob

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available; the vendor provided no patched version for validation. No reply from the vendor.


Plugin: Bacola

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available; the vendor provided no patched version for validation. No reply from the vendor.


Plugin: Partdo

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available; the vendor provided no patched version for validation. No reply from the vendor.


Plugin: Medibazar

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available; the vendor provided no patched version for validation. No reply from the vendor.


Plugin: Machic

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available; the vendor provided no patched version for validation. No reply from the vendor.
