WP Security Roundup: November 23, 2023

This WP Security Roundup shows the latest WordPress vulnerabilities, including ARMember, EmbedPress, SearchIQ and more!

Plugin: WP Mail Log

Vulnerability: Authenticated (Editor+) SQL Injection via id vulnerability
Patched Version: 1.1.3
Recommended Action: Update the WordPress WP Mail Log plugin to the latest available version (at least 1.1.3).

Plugin: Auto Affiliate Links

Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 6.4.2.6
Recommended Action: Update the WordPress Auto Affiliate Links plugin to the latest available version (at least 6.4.2.6).

Plugin: Drop Shadow Boxes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.7.14
Recommended Action: Update the WordPress Drop Shadow Boxes plugin to the latest available version (at least 1.7.14).

Plugin: Analytify

Vulnerability: Broken Access Control vulnerability
Patched Version: 5.2.0
Recommended Action: Update the WordPress Analytify plugin to the latest available version (at least 5.2.0).

Plugin: Audio Merchant

Vulnerability: Cross-Site Request Forgery to Settings Modification and Stored Cross-Site Scripting vulnerability
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload vulnerability
Patched Version: None
Recommended Action: Deactivate and delete. This plugin has been closed and is no longer available for download.

Plugin: EmbedPress

Vulnerability: Reflected Cross-Site Scripting via the hash parameter vulnerability
Patched Version: 3.9.2
Recommended Action: Update the WordPress EmbedPress plugin to the latest available version (at least 3.9.2).

Plugin: eCommerce Product Catalog

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 3.3.27
Recommended Action: Update the WordPress eCommerce Product Catalog plugin to the latest available version (at least 3.3.27).

Plugin: Ultimate Responsive Image Slider

Vulnerability: Missing Authorization via AJAX action vulnerability
Patched Version: 3.5.12
Recommended Action: Update the WordPress Ultimate Responsive Image Slider plugin to the latest available version (at least 3.5.12).

Plugin: Conditional Fields for Contact Form 7

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: ARMember

Vulnerability: Membership Plan Bypass vulnerability
Patched Version: 4.0.11
Recommended Action: Update the WordPress ARMember plugin to the latest available version (at least 4.0.11).

Plugin: WP Meta and Date Remover

Vulnerability: Broken Access Control vulnerability
Patched Version: 2.3.1
Recommended Action: Update the WordPress WP Meta and Date Remover plugin to the latest available version (at least 2.3.1).

Plugin: ARI Stream Quiz

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.3.0
Recommended Action: Update the WordPress ARI Stream Quiz plugin to the latest available version (at least 1.3.0).

Plugin: Quiz And Survey Master

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 8.1.14
Recommended Action: Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 8.1.14).

Plugin: Theater for WordPress

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: SearchIQ

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: DrawIt (draw.io)

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 27, 2023, and is not available for download. This closure is temporary, pending a full review.

Plugin: Live Preview for Contact Form 7

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 27, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Quick Call Button

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 27, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: wpMandrill

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of November 3, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Events Addon for Elementor

Vulnerability: Broken Access Control vulnerability
Patched Version: 2.1.4
Recommended Action: Update the WordPress Events Addon for Elementor plugin to the latest available version (at least 2.1.4).

Plugin: Restaurant & Cafe Addon for Elementor

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.5.4
Recommended Action: Update the WordPress Restaurant & Cafe Addon for Elementor plugin to the latest available version (at least 1.5.4).

Plugin: WP EXtra

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 6.5
Recommended Action: Update the WordPress WP EXtra plugin to the latest available version (at least 6.5).

Plugin: Legal Pages

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.3.9
Recommended Action: Update the WordPress Legal Pages plugin to the latest available version (at least 1.3.9).

Plugin: FormCraft

Vulnerability: Broken Access Control vulnerability
Patched Version: 1.2.8
Recommended Action: Update the WordPress FormCraft plugin to the latest available version (at least 1.2.8).

Plugin: MP3 Audio Player for Music, Radio & Podcast by Sonaar

Vulnerability: Broken Access Control vulnerability
Patched Version: 4.10.1
Recommended Action: Update the WordPress MP3 Audio Player for Music, Radio & Podcast by Sonaar plugin to the latest available version (at least 4.10.1).

Plugin: Email Encoder Bundle

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.1.9
Recommended Action: Update the WordPress Email Encoder Bundle plugin to the latest available version (at least 2.1.9).

Plugin: WP Like Button

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of November 3, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Easy Call Now by ThikShare

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 27, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: LWS Hide Login

Vulnerability: Secret Login Page Location Disclosure on Multisites vulnerability
Patched Version: 2.1.9
Recommended Action: Update the WordPress LWS Hide Login plugin to the latest available version (at least 2.1.9).

Plugin: Daily Prayer Time

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2023.10.21
Recommended Action: Update the WordPress Daily Prayer Time plugin to the latest available version (at least 2023.10.21).

Plugin: Charitable

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.7.0.14
Recommended Action: Update the WordPress Charitable plugin to the latest available version (at least 1.7.0.14).

Plugin: BP Profile Shortcodes Extra

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: BMI Calculator Plugin

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Better RSS Widget

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Bamboo Columns

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. This closure is temporary, pending a full review.

Plugin: Anywhere Flash Embed

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 20, 2023, and is not available for download. This closure is temporary, pending a full review.

Plugin: Ajax Domain Checker

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 9, 2023, and is not available for download. This closure is temporary, pending a full review.

Plugin: Accordion

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.7
Recommended Action: Update the WordPress Accordion plugin to the latest available version (at least 2.7).

Plugin: Add Widgets to Page

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 8, 2023, and is not available for download. This closure is temporary, pending a full review.

Plugin: 10WebAnalytics

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of August 2, 2023, and is not available for download. This closure is permanent. Reason: Author Request.

Plugin: Disable User Login

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Community by PeepSo

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 6.2.0.0
Recommended Action: Update the WordPress Community by PeepSo plugin to the latest available version (at least 6.2.0.0).

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Unauthenticated Local File Inclusion vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Phlox Portfolio

Vulnerability: Unauthenticated Local File Inclusion vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.

Plugin: Phlox Shop

Vulnerability: Unauthenticated Local File Inclusion vulnerability
Patched Version: None
Recommended Action: No patched version is available. No reply from the vendor.
