WP Security Roundup: December 6, 2023

This WP Security Roundup shows the latest WordPress vulnerabilities, including PageLayer, Responsive Lightbox, SchedulePress and more!


Plugin: Coming soon and Maintenance mode

Vulnerability: IP Filtering Bypass vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Seraphinite Accelerator

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.20.29
Recommended Action: Update the WordPress Seraphinite Accelerator plugin to the latest available version (at least 2.20.29).

Plugin: PowerPack Pro for Elementor

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 2.9.24
Recommended Action: Update the WordPress PowerPack Pro for Elementor plugin to the latest available version (at least 2.9.24).

Plugin: DoFollow Case by Case

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 3.5.0
Recommended Action: Update the WordPress DoFollow Case by Case plugin to the latest available version (at least 3.5.0).

Plugin: PageLayer

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.7.8
Recommended Action: Update the WordPress PageLayer plugin to the latest available version (at least 1.7.8).

Plugin: Nested Pages

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Importify (Dropshipping WooCommerce)

Vulnerability: Sensitive Data Exposure vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Social Pug

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Enhanced Text Widget

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Contact Form 7

Vulnerability: Authenticated (Editor+) Arbitrary File Upload vulnerability
Patched Version: 5.8.4
Recommended Action: Update the WordPress Add-on SweetAlert Contact Form 7 plugin to the latest available version (at least 5.8.4).

Plugin: Backup Migration

Vulnerability: Unauthenticated Arbitrary File Download to Sensitive Information Exposure vulnerability
Patched Version: 1.3.7
Recommended Action: Update the WordPress Backup Migration plugin to the latest available version (at least 1.3.7).

Plugin: CF7 Google Sheets Connector

Vulnerability: Sensitive Data Exposure via Debug Log vulnerability
Patched Version: 5.0.6
Recommended Action: Update the WordPress CF7 Google Sheets Connector plugin to the latest available version (at least 5.0.6).

Plugin: Debug Log Manager

Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 2.2.2
Recommended Action: Update the WordPress Debug Log Manager plugin to the latest available version (at least 2.2.2).

Plugin: Chartify

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 1.9.7
Recommended Action: Update the WordPress Chartify plugin to the latest available version (at least 1.9.7).

Plugin: GDPR Cookie Consent by Supsystic

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Site Offline

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Social Share Buttons & Analytics Plugin – GetSocial.io

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Track Geolocation Of Users Using Contact Form 7

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Adifier (Premium Theme)

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability (Adifier – Classified Ads WordPress Theme <= 3.9.3)
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Machic Core

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Doofinder for WooCommerce

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Parallax Slider Block

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: NextScripts

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: 4.4.3
Recommended Action: Update the WordPress NextScripts plugin to the latest available version (at least 4.4.3).

Plugin: List all posts by Authors, nested Categories and Title

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Event Manager

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Automatic Youtube Video Posts Plugin

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Event post

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: HDW Player Plugin (Video Player & Video Gallery)

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: which template file

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: WP Pocket URLs

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: Incomplete patch.

Plugin: KP Fastest Tawk.to Chat

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Responsive Lightbox

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.4.6
Recommended Action: Update the WordPress Responsive Lightbox plugin to the latest available version (at least 2.4.6).

Plugin: 10to8 Online Appointment Booking System

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: BrainCert – HTML5 Virtual Classroom

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Innovs HR

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Forms by CaptainForm

Vulnerability: Reflected Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Ads by datafeedr.com

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: BP Better Messages

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.4.1
Recommended Action: Update the WordPress BP Better Messages plugin to the latest available version (at least 2.4.1).

Plugin: Database for CF7

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: MSync

Vulnerability: SQL Injection vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Client Dash

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available.

Plugin: Ocean Extra

Vulnerability: CSRF Leading to Arbitrary Plugin Activation vulnerability
Patched Version: 2.2.3
Recommended Action: Update the WordPress Ocean Extra plugin to the latest available version (at least 2.2.3).

Plugin: Email Address Encoder

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.0.23
Recommended Action: Update the WordPress Email Address Encoder plugin to the latest available version (at least 1.0.23).

Plugin: teachPress

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 9.0.6
Recommended Action: Update the WordPress teachPress plugin to the latest available version (at least 9.0.6).

Plugin: BSK Forms Blacklist

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Patched Version: 3.7
Recommended Action: Update the WordPress BSK Forms Blacklist plugin to the latest available version (at least 3.7).

Plugin: Export WP Page to Static HTML/CSS

Vulnerability: Missing Authorization via Multiple AJAX Actions vulnerability
Patched Version: 2.2.0
Recommended Action: Update the WordPress Export WP Page to Static HTML/CSS plugin to the latest available version (at least 2.2.0).

Plugin: SchedulePress

Vulnerability: Insufficient Authorization to Authenticated (Contributor+) Arbitrary Post Modifications vulnerability
Patched Version: 5.0.5
Recommended Action: Update the WordPress SchedulePress plugin to the latest available version (at least 5.0.5).

Plugin: WCMultiShipping

Vulnerability: Incorrect Authorization vulnerability
Patched Version: 2.3.8
Recommended Action: Update the WordPress WCMultiShipping plugin to the latest available version (at least 2.3.8).

Plugin: SiteOrigin Widgets Bundle

Vulnerability: Authenticated (Admin+) Local File Inclusion vulnerability
Patched Version: 1.51.0
Recommended Action: Update the WordPress SiteOrigin Widgets Bundle plugin to the latest available version (at least 1.51.0).
