WP Security Roundup: November 8, 2023

This WP Security Roundup covers the latest WordPress plugin vulnerabilities disclosed this week, including GiveWP, Layer Slider, Defender Security and more. Where no patched version exists, the safe course is to deactivate and remove the plugin until a fixed release is published.

Plugin: WP Affiliate Disclosure

Vulnerability: Broken Access Control + CSRF vulnerability
Patched Version: 1.2.7
Recommended Action: Update the WordPress WP Affiliate Disclosure plugin to the latest available version (at least 1.2.7).

Plugin: ShortCodes UI

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of October 21, 2023 and is not available for download. The closure is temporary, pending a full review; deactivate and remove the plugin until a reviewed release is published.

Plugin: Contact Forms by Cimatti

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.6.1
Recommended Action: Update the WordPress Contact Forms by Cimatti plugin to the latest available version (at least 1.6.1).

Plugin: Download Top 25 Social Icons

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Deactivate and remove the plugin until a fixed release is published.

Plugin: Layer Slider

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. This plugin has been closed as of July 27, 2023 and is not available for download (reason: Security Issue). Deactivate and remove it until a fixed release is published.

Plugin: Social Feed | All social media in one place

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Deactivate and remove the plugin until a fixed release is published.

Plugin: Post Sliders & Post Grids

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Deactivate and remove the plugin until a fixed release is published.

Plugin: Comments Ratings

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Deactivate and remove the plugin until a fixed release is published.

Plugin: Email Templates

Vulnerability: Cross Site Request Forgery (CSRF)
Patched Version: 1.4.3
Recommended Action: Update the WordPress Email Templates plugin to the latest available version (at least 1.4.3).

Plugin: Short URL

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. Deactivate and remove the plugin until a fixed release is published.

Plugin: WP Travel

Vulnerability: Broken Access Control vulnerability
Patched Version: None
Recommended Action: No patched version is available. Deactivate and remove the plugin until a fixed release is published.

Plugin: Basic Interactive World Map

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 2.7
Recommended Action: Update the WordPress Basic Interactive World Map plugin to the latest available version (at least 2.7).

Plugin: Youzify

Vulnerability: Insecure Direct Object Reference (IDOR) vulnerability
Patched Version: 1.2.3
Recommended Action: Update the WordPress Youzify plugin to the latest available version (at least 1.2.3).

Plugin: Apollo13 Framework Extensions

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.9.1
Recommended Action: Update the WordPress Apollo13 Framework Extensions plugin to the latest available version (at least 1.9.1).

Plugin: Defender Security

Vulnerability: Masked Login Area View Bypass vulnerability
Patched Version: 4.2.1
Recommended Action: Update the WordPress Defender Security plugin to the latest available version (at least 4.2.1).

Plugin: Simple Job Board

Vulnerability: Broken Access Control vulnerability
Patched Version: 2.10.6
Recommended Action: Update the WordPress Simple Job Board plugin to the latest available version (at least 2.10.6).

Plugin: Animated Rotating Words

Vulnerability: Broken Access Control vulnerability
Patched Version: 5.5
Recommended Action: Update the WordPress Animated Rotating Words plugin to the latest available version (at least 5.5).

Plugin: Kadence WooCommerce Email Designer

Vulnerability: Cross Site Request Forgery (CSRF) vulnerability
Patched Version: 1.5.12
Recommended Action: Update the WordPress Kadence WooCommerce Email Designer plugin to the latest available version (at least 1.5.12).

Plugin: Digirisk

Vulnerability: Reflected Cross-Site Scripting vulnerability
Patched Version: 6.1.0.0
Recommended Action: Update the WordPress Digirisk plugin to the latest available version (at least 6.1.0.0).

Plugin: video carousel slider with lightbox

Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 1.0.1
Recommended Action: Update the WordPress video carousel slider with lightbox plugin to the latest available version (at least 1.0.1).

Plugin: SEO Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Patched Version: 1.1.1
Recommended Action: Update the WordPress SEO Slider plugin to the latest available version (at least 1.1.1).

Plugin: Advance Menu Manager

Vulnerability: Missing Authorization vulnerability
Vulnerability: Cross-Site Request Forgery vulnerability
Patched Version: 3.0.7
Recommended Action: Update the WordPress Advance Menu Manager plugin to the latest available version (at least 3.0.7).

Plugin: ChatBot

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder vulnerability (affects versions 4.8.6 through 4.9.6)
Patched Version: 4.9.7
Recommended Action: Update the WordPress ChatBot plugin to the latest available version (at least 4.9.7).

Plugin: wpDiscuz

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 7.6.12
Recommended Action: Update the WordPress wpDiscuz plugin to the latest available version (at least 7.6.12).

Plugin: Funnelforms Free

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Duplication vulnerability
Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion vulnerability
Vulnerability: Multiple Missing Authorization vulnerability
Patched Version: 3.4.2
Recommended Action: Update the WordPress Funnelforms Free plugin to the latest available version (at least 3.4.2).

Plugin: Icons Font Loader

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload vulnerability
Patched Version: 1.1.3
Recommended Action: Update the WordPress Icons Font Loader plugin to the latest available version (at least 1.1.3).

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: Unauthenticated Arbitrary File Upload vulnerability (affects versions up to and including 1.3.7.3)
Patched Version: 1.3.7.4
Recommended Action: Update the WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin to the latest available version (at least 1.3.7.4). Treat this as the highest-priority item in the roundup: an unauthenticated file upload usually means remote code execution if an attacker can place a PHP file in a web-served directory, so after updating, review the uploads directory for files you did not put there.

Plugin: Solid Security

Vulnerability: Unauthenticated Login Page Disclosure vulnerability
Patched Version: 9.0.1
Recommended Action: Update the WordPress Solid Security plugin (formerly iThemes Security; it still uses the better-wp-security plugin slug) to the latest available version (at least 9.0.1).

Plugin: Admin Bar & Dashboard Access Control

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 1.2.9
Recommended Action: Update the WordPress Admin Bar & Dashboard Access Control plugin to the latest available version (at least 1.2.9).

Plugin: GiveWP

Vulnerability: Cross-Site Request Forgery (CSRF) to Stripe Integration Deletion vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) to plugin installation vulnerability
Vulnerability: Cross-Site Request Forgery (CSRF) to plugin deactivation vulnerability
Vulnerability: Broken Access Control vulnerability
Patched Version: 2.33.2
Recommended Action: Update the WordPress GiveWP plugin to the latest available version (at least 2.33.2).

Plugin: EventPrime

Vulnerability: Reflected Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress EventPrime plugin to the latest available version (at least 3.2.0).

Plugin: EventPrime

Vulnerability: Booking Creation via CSRF vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress EventPrime plugin to the latest available version (at least 3.2.0).

Plugin: Popup box

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 3.7.2
Recommended Action: Update the WordPress Popup box plugin to the latest available version (at least 3.7.2).

Plugin: WP Meta and Date Remover

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 2.2.0
Recommended Action: Update the WordPress WP Meta and Date Remover plugin to the latest available version (at least 2.2.0).

Plugin: User Private Files

Vulnerability: Auth. Sensitive Data and Files Exposure via IDOR vulnerability
Patched Version: 2.0.5
Recommended Action: Update the WordPress User Private Files plugin to the latest available version (at least 2.0.5).

Plugin: e2pdf

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: 1.20.20
Recommended Action: Update the WordPress E2Pdf plugin to the latest available version (at least 1.20.20).

Plugin: Memberlite Shortcodes

Vulnerability: Auth. Stored XSS via Shortcode vulnerability
Patched Version: 1.3.9
Recommended Action: Update the WordPress Memberlite Shortcodes plugin to the latest available version (at least 1.3.9).

Plugin: EventPrime

Vulnerability: Reflected HTML Injection on keyword parameter vulnerability
Patched Version: 3.2.0
Recommended Action: Update the WordPress EventPrime plugin to the latest available version (at least 3.2.0).

Plugin: Login Screen Manager

Vulnerability: Auth. Stored Cross-Site Scripting (XSS) vulnerability
Patched Version: None
Recommended Action: No patched version is available. Deactivate and remove the plugin until a fixed release is published.

Plugin: Login Screen Manager

Vulnerability: Unauth Stored Cross Site Scripting (XSS) via CSRF vulnerability
Patched Version: None
Recommended Action: No patched version is available. Deactivate and remove the plugin until a fixed release is published.

Plugin: Contest Gallery

Vulnerability: Unauth. Stored XSS via HTTP Headers vulnerability
Patched Version: 21.2.8.1
Recommended Action: Update the WordPress Contest Gallery plugin to the latest available version (at least 21.2.8.1).

Plugin: WP Customer Reviews

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure vulnerability
Patched Version: 3.6.7
Recommended Action: Update the WordPress WP Customer Reviews plugin to the latest available version (at least 3.6.7).

Plugin: IdeaPush

Vulnerability: Cross Site Scripting (XSS) vulnerability
Patched Version: 8.53
Recommended Action: Update the WordPress IdeaPush plugin to the latest available version (at least 8.53).
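
Checking a whole site by hand against a list this long is error-prone, so here is an added example (not code from the roundup or from any of the plugin authors) that cross-checks WP-CLI's plugin inventory against a subset of the advisories above. It assumes the JSON shape of `wp plugin list --fields=name,title,version,status --format=json`; the sample inventory below is constructed, not captured from a real site, and the slugs in its `name` fields are illustrative. Advisories are keyed by the plugin title as printed in this roundup, so in practice you would map those titles to the titles your site actually reports.

```python
"""Cross-check installed WordPress plugins against this roundup's advisories.

Added example, not code from the roundup. Assumes the output shape of
`wp plugin list --fields=name,title,version,status --format=json` (WP-CLI).
"""
import json
import re

# Subset of the advisories above, keyed by plugin title as printed in the
# roundup. None means no patched version exists: the fix is to deactivate
# and delete the plugin, not to wait for an update.
ADVISORIES = {
    "GiveWP": "2.33.2",
    "Drag and Drop Multiple File Upload – Contact Form 7": "1.3.7.4",
    "Solid Security": "9.0.1",
    "Contest Gallery": "21.2.8.1",
    "wpDiscuz": "7.6.12",
    "Layer Slider": None,
    "Login Screen Manager": None,
}


def parse_version(v):
    """Turn '1.3.7.4' into (1, 3, 7, 4).

    A segment that is not purely numeric (e.g. 'beta' in '1.0.1-beta') is
    treated as -1 so that a pre-release sorts below its final release.
    """
    parts = []
    for seg in re.split(r"[.\-]", v.strip()):
        parts.append(int(seg) if seg.isdigit() else -1)
    return tuple(parts)


def version_lt(a, b):
    """True if version string a is strictly older than b ('2.7' == '2.7.0')."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def check_plugins(wp_plugin_list_json):
    """Return (title, installed_version, action) for every plugin in the list
    that appears in ADVISORIES; plugins not in the roundup are skipped."""
    findings = []
    by_title = {t.lower(): fixed for t, fixed in ADVISORIES.items()}
    for p in json.loads(wp_plugin_list_json):
        title = p.get("title", "")
        if title.lower() not in by_title:
            continue
        fixed = by_title[title.lower()]
        if fixed is None:
            action = "no patched version: deactivate and delete"
        elif version_lt(p["version"], fixed):
            action = f"update to {fixed}"
        else:
            action = "ok"
        findings.append((title, p["version"], action))
    return findings


# Constructed sample inventory in the WP-CLI JSON shape; slugs are illustrative.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "give", "title": "GiveWP", "version": "2.33.1", "status": "active"},
    {"name": "drag-and-drop-multiple-file-upload-contact-form-7",
     "title": "Drag and Drop Multiple File Upload – Contact Form 7",
     "version": "1.3.7.4", "status": "active"},
    {"name": "better-wp-security", "title": "Solid Security",
     "version": "9.0.0", "status": "active"},
    {"name": "layerslider", "title": "Layer Slider",
     "version": "6.9.0", "status": "inactive"},
    {"name": "wpdiscuz", "title": "wpDiscuz", "version": "7.6.12", "status": "active"},
    {"name": "akismet", "title": "Akismet Anti-spam", "version": "5.3", "status": "active"},
])


if __name__ == "__main__":
    for title, ver, action in check_plugins(SAMPLE_WP_PLUGIN_LIST):
        print(f"{title} {ver}: {action}")
```

On a real site, feed it the output of `wp plugin list --fields=name,title,version,status --format=json`, then act on the findings with `wp plugin update <slug>` or, for the entries with no fix, `wp plugin deactivate <slug>` followed by `wp plugin delete <slug>`. An inactive plugin still counts as a finding: the vulnerable files remain on disk until the plugin is deleted.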
