End of July 2021 Plugin Vulnerabilities

Is your site up to date?

Outdated plugins & themes are the #1 reason sites get hacked. Don’t leave your WooCommerce store vulnerable!

#1 VDZ Verification

Plugin: VDZ Verification
Vulnerability: Authenticated Stored XSS
Patched in Version: 1.4

#2 VDZ CallBack

Plugin: VDZ CallBack
Vulnerability: Authenticated Stored XSS
Patched in Version: 1.1.4.6

#3 Wonder PDF Embed

Plugin: Wonder PDF Embed 
Vulnerability: Contributor+ Stored XSS
Patched in Version: 1.7

#4 Wonder Video Embed

Plugin: Wonder Video Embed 
Vulnerability: Contributor+ Stored XSS
Patched in Version: 1.8

#5 Profile Builder

Plugin: Profile Builder 
Vulnerability: Admin Access via Password Reset Bug
Patched in Version: 3.4.9

#6 VikRentCar Car Rental Management System

Plugin: VikRentCar Car Rental Management System
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 1.1.10

#7 YouTube Embed

Plugin: YouTube Embed
Vulnerability: Contributor+ Stored XSS
Patched in Version: 5.2.2

#8 My Site Audit

Plugin: My Site Audit
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: no known fix

#9 Social Tape

Plugin: Social Tape
Vulnerability: CSRF to Stored XSS
Patched in Version: no known fix

#10 Telugu Bible Verse Daily

Plugin: Telugu Bible Verse Daily
Vulnerability: CSRF to Stored XSS
Patched in Version: no known fix

#11 Verse-O-Matic

Plugin: Verse-O-Matic
Vulnerability: CSRF to Stored XSS
Patched in Version: no known fix

#12 Custom Login Redirect

Plugin: Custom Login Redirect
Vulnerability: CSRF to Stored XSS
Patched in Version: no known fix

#13 Light Messages

Plugin: Light Messages
Vulnerability: CSRF to Stored XSS
Patched in Version: no known fix

#14 Shantz WordPress QOTD

Plugin: Shantz WordPress QOTD
Vulnerability: Arbitrary Setting Update via CSRF
Patched in Version: no known fix

#15 WP Front Notification Bar

Plugin: WPFront Notification Bar
Vulnerability: Authenticated Stored XSS
Patched in Version: 2.0.0.07176

#16 PhoneTrack Menu Site Manager

Plugin: PhoneTrack Meu Site Manager
Vulnerability: Authenticated Stored XSS
Patched in Version: no known fix

#17 RestroPress

Plugin: RestroPress
Vulnerability: Unauthorised AJAX Calls
Patched in Version: 2.8.3.1

#18 Photo Gallery

Plugin: Photo Gallery
Vulnerability: Stored XSS via Uploaded SVG in Zip
Patched in Version: 1.5.79

#19 Mimetic Books

Plugin: Mimetic Books
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: no known fix

#20 Elementor Addon Elements

Plugin: Elementor Addon Elements
Vulnerability: CSRF Bypass
Patched in Version: 1.11.8

#21 NEX Forms

Plugin: NEX Forms
Vulnerability: Authentication Bypass for Excel Reports
Patched in Version: 7.8.8

#22 KN Fix Your Title

Plugin: KN Fix Your Title
Vulnerability: Authenticated Stored XSS
Patched in Version: no known fix

#23 Cooked Pro

Plugin: Cooked Pro
Vulnerability: Unauthenticated Reflected Cross-Site Scripting (XSS)
Patched in Version: no known fix

#24 Giveaway

Plugin: Giveaway
Vulnerability: Authenticated SQL Injection
Patched in Version: no known fix

#25 HM Multiple Roles

Plugin: HM Multiple Roles
Vulnerability: Arbitrary Role Change
Patched in Version: no known fix

#26 10Web Map Builder for Google Maps

Plugin: 10Web Map Builder for Google Maps
Vulnerability: Authenticated Stored XSS
Patched in Version: 1.0.70

#27 Maintenance

Plugin: Maintenance
Vulnerability: Authenticated Stored XSS
Patched in Version: 4.03

#28 Grid Gallery

Plugin: Grid Gallery
Vulnerability: Photo Image Grid Gallery
Patched in Version: 1.2.5

#29 WP Custom Fields Search

Plugin: WP Custom Fields Search
Vulnerability: Unauthenticated Reflected Cross-Site Scripting (XSS)
Patched in Version: 1.0

#30 Google Language Translator

Plugin: Google Language Translator
Vulnerability: Authenticated (author+) Cross-Site Scripting (XSS)
Patched in Version: 6.0.10

#31 Send Grid

Plugin: SendGrid
Vulnerability: Authenticated Authorization Bypass
Patched in Version: no known fix

#32 News Plugin

Plugin: NewsPlugin
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: no known fix

#33 Charitable - Donation Plugin

Plugin: Charitable – Donation Plugin
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 1.6.51

#34 Lifter LMS

Plugin: Charitable – Donation Plugin
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 1.6.51

#35 WooCommerce Currency Switcher

Plugin: WooCommerce Currency Switcher
Vulnerability: Authenticated (Low Privilege) Local File Inclusion
Patched in Version: 1.3.7

#36 Simple Post

Plugin: Simple Post
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: no known fix

#37 WP GraphQL

Plugin: WPGraphQL
Vulnerability: Denial of Service
Patched in Version: 1.3.6

#38 GTranslate

Plugin: GTranslate 
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 2.8.65

#39 Diary & Availability Calendar

Plugin: Diary & Availability Calendar
Vulnerability: Authenticated (subscriber+) SQL Injection
Patched in Version: no known fix

#40 Email Subscriber

Plugin: Email Subscriber
Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS)
Patched in Version: no known fix

#41 M-vSlider

Plugin: M-vSlider
Vulnerability: Authenticated (admin+) SQL Injection
Patched in Version: no known fix

#42 Project Status

Plugin: Project Status
Vulnerability: Authenticated (admin+) SQL Injection
Patched in Version: no known fix

#43 ACE IDE

Plugin: AceIDE
Vulnerability: Authenticated (admin+) Arbitrary File Access
Patched in Version: no known fix

#44 Broken Link Manager

Plugin: Broken Link Manager
Vulnerability: Authenticated (admin+) SQL Injection
Patched in Version: no known fix

#45 Edit Comments

Plugin: Edit Comments
Vulnerability: Unauthenticated SQL Injection
Patched in Version: no known fix

#46 Simple Events Calendar

Plugin: Simple Events Calendar
Vulnerability: Authenticated (admin+) SQL Injection
Patched in Version: no known fix

#47 Timeline Calendar

Plugin: Timeline Calendar
Vulnerability: Authenticated (admin+) SQL Injection
Patched in Version: no known fix

#48 PayTM - Donation Plugin

Plugin: Paytm – Donation Plugin
Vulnerability: Authenticated (admin+) SQL Injection (affected version 1.3.2)
Patched in Version: no known fix

Need Security Help? Get WooSecured

We take security seriously. While security measures are built into WordPress and WooCommerce out of the box, there are things store owners should be doing to keep their customers, team, and data safe in the event of those worst-case scenarios. Our security services make your life easier by making your data and your customer data safe.
