More Plugin Vulnerabilities for November 2021

Is your site up to date?

Outdated plugins & themes are the #1 reason sites get hacked. Don’t leave your WooCommerce store vulnerable!

Pixel Cat Lite

Plugin: Pixel Cat Lite
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.6.3

All-In-One-Gallery

Plugin: All-In-One-Gallery
Vulnerability: Admin+ Local File Inclusion
Patched in Version: 2.5.0

StopBadBots

Plugin: StopBadBots
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.67

Temporary Login Without Password

Plugin: Temporary Login Without Password
Vulnerability: Subscriber+ Plugin’s Settings Update
Patched in Version: 1.7.1

ProfilePress

Plugin: ProfilePress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.2.3

Modern Events Calendar

Plugin: Modern Events Calendar
Vulnerability: Unauthenticated Blind SQL Injection
Patched in Version: 6.1.5

Auto Featured Image

Plugin: Auto Featured Image
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.9.3

Ultimate NoFollow

Plugin: Ultimate NoFollow
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed

NEX-Forms

Plugin: NEX-Forms
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed

SEO Booster

Plugin: SEO Booster
Vulnerability: Admin+ SQL Injection
Patched in Version: No known fix – plugin closed

WP System Log

Plugin: WP System Log
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 1.0.21

Inspirational Quote Rotator

Plugin: Inspirational Quote Rotator
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed

Single Post Exporter

Plugin: Single Post Exporter
Vulnerability: Plugin’s Settings Update via CSRF
Patched in Version: No known fix – plugin closed

Flex Local Fonts

Plugin: Flex Local Fonts
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed

WP Admin Logo Changer

Plugin: WP Admin Logo Changer
Vulnerability: Plugin’s Settings Update via CSRF
Patched in Version: No known fix – plugin closed

Contact Form Advanced Database

Plugin: Contact Form Advanced Database
Vulnerability: Unauthorised AJAX Calls
Patched in Version: No known fix

Shiny Buttons

Plugin: Shiny Buttons
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: No known fix

Filter Portfolio Gallery

Plugin: Filter Portfolio Gallery
Vulnerability: Arbitrary Gallery Deletion via CSRF
Patched in Version: No known fix

WP Limits

Plugin: WP Limits
Vulnerability: Plugin’s Settings Update via CSRF
Patched in Version: No known fix – plugin closed

Page/Post Content Shortcode

Plugin: Page/Post Content Shortcode
Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched in Version: No known fix – plugin closed

Improved Include Page

Plugin: Improved Include Page
Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched in Version: No known fix

Mediamatic

Plugin: Mediamatic
Vulnerability: Subscriber+ SQL Injection
Patched in Version: No known fix

Display Post Metadata

Plugin: Display Post Metadata
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: No known fix

ToTop Link

Plugin: ToTop Link
Vulnerability: Unauthenticated PHP Object Injection
Patched in Version: No known fix

User Meta Shortcodes

Plugin: User Meta Shortcodes
Vulnerability: Contributor+ Unauthorized Arbitrary User Metadata Access
Patched in Version: No known fix

Quotes Collection

Plugin: Quotes Collection
Vulnerability: Admin+ SQL Injection
Patched in Version: No known fix

Push Notifications for WordPress (Lite)

Plugin: Push Notifications for WordPress (Lite)
Vulnerability: Settings Update via CSRF
Patched in Version: 6.0.1

SportsPress

Plugin: SportsPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.7.9

Login/Signup Popup

Plugin: Login/Signup Popup
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.2

Preview E-mails for WooCommerce

Plugin: Preview E-mails for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.0.0

WP User Frontend

Plugin: WP User Frontend
Vulnerability: Membership, Profile, Registration & Post Submission Plugin for WordPress
Patched in Version: 3.5.25

Directorist – Business Directory Plugin

Plugin: Directorist – Business Directory Plugin
Vulnerability: CSRF to Remote File Upload
Patched in Version: 7.0.6.2

Need Security Help? Get WooSecured

We take security seriously. While security measures are built into WordPress and WooCommerce out of the box, there are things store owners should be doing to keep their customers, team, and data safe in the event of those worst-case scenarios. Our security services make your life easier by making your data and your customer data safe.
