WordPress Vulnerability Report: July 2021, Part 1

7. ProfilePress

Plugin: ProfilePress
Vulnerability: Authenticated Stored XSS
Patched in Version: 3.1.8
Severity Score: Medium

Plugin: ProfilePress
Vulnerability: Unauthenticated Privilege Escalation
Patched in Version: 3.1.4
Severity Score: Critical

Plugin: ProfilePress
Vulnerability: Arbitrary File Upload in Image Uploader Component
Patched in Version: 3.1.4
Severity Score: Critical

The vulnerability is patched, so you should update to version 3.1.8+.

8. Tutor LMS

Plugin: Tutor LMS
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 1.9.2
Severity Score: High

The vulnerability is patched, so you should update to version 1.9.2+.

9. Youzify

Plugin: Youzify
Vulnerability: Stored Cross-Site Scripting via Biography
Patched in Version: 1.0.7
Severity Score: High

The vulnerability is patched, so you should update to version 1.0.7+.

10. Any Hostname

Plugin: Any Hostname
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

11. Event Geek

Plugin: Event Geek
Vulnerability: Stored Cross-site Scripting
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

12. DrawBlog

Plugin: DrawBlog
Vulnerability: Authenticated Stored Cross-Site Scripting 
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

13. Bookshelf

Plugin: Bookshelf
Vulnerability: Authenticated Stored Cross-Site Scripting 
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

14. Migrate Users

Plugin: Migrate Users
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

15. Steam Group Viewer

Plugin: Steam Group Viewer
Vulnerability: Authenticated Stored Cross-Site Scripting 
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

16. Awesome Weather Widget

Plugin: Awesome Weather Widget
Vulnerability: Authenticated Stored Cross-Site Scripting 
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

17. Post Grid

Plugin: Post Grid
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.1.8
Severity Score: High

The vulnerability is patched, so you should update to version 2.1.8+.

18. Quiz Maker

Plugin: Quiz Maker
Vulnerability: Multiple Authenticated Blind SQL Injections
Patched in Version: 6.2.0.9
Severity Score: High

The vulnerability is patched, so you should update to version 6.2.0.9+.

19. Portfolio Responsive Gallery

Plugin: Portfolio Responsive Gallery
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 1.1.8
Severity Score: High

The vulnerability is patched, so you should update to version 1.1.8+.

Plugin: Portfolio Responsive Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.1.8
Severity Score: High

The vulnerability is patched, so you should update to version 1.1.8+.

20. Popup box

Plugin: Popup box
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 2.3.4
Severity Score: High

The vulnerability is patched, so you should update to version 2.3.4+.

Plugin: Popup box
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.3.4
Severity Score: High

The vulnerability is patched, so you should update to version 2.3.4+.

21. Survey Maker

Plugin: Survey Maker
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 1.5.6
Severity Score: High

The vulnerability is patched, so you should update to version 1.5.6+.

Plugin: Survey Maker
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.5.6
Severity Score: High

The vulnerability is patched, so you should update to version 1.5.6+.

22. Popup Like box – Page Plugin

Plugin: Popup Like box – Page Plugin
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 3.5.3
Severity Score: High

The vulnerability is patched, so you should update to version 3.5.3+.

Plugin: Popup Like box – Page Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.5.3
Severity Score: High

The vulnerability is patched, so you should update to version 3.5.3+.

23. FAQ Builder

Plugin: FAQ Builder
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 1.3.6
Severity Score: High

The vulnerability is patched, so you should update to version 1.3.6+.

24. Photo Gallery by Ays 

Plugin: Photo Gallery by Ays
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 4.4.4
Severity Score: High

The vulnerability is patched, so you should update to version 4.4.4+.

Plugin: Photo Gallery by Ays
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.4.4
Severity Score: High

The vulnerability is patched, so you should update to version 4.4.4+.

25. Image Slider by Ays

Plugin: Image Slider by Ays
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 2.5.0
Severity Score: High

Plugin: Image Slider by Ays
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.5.0
Severity Score: High

The vulnerability is patched, so you should update to version 2.5.0+.

26. Poll Maker

Plugin: Poll Maker
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 3.2.1
Severity Score: High

The vulnerability is patched, so you should update to version 3.2.1+.

27. Secure Copy Content Protection and Content Locking

Plugin: Secure Copy Content Protection and Content Locking
Vulnerability: Authenticated Blind SQL Injections
Patched in Version: 2.6.7
Severity Score: High

The vulnerability is patched, so you should update to version 2.6.7+.

28. RSVPMaker

Plugin: RSVPMaker
Vulnerability: Authenticated SSRF
Patched in Version: 8.7.3
Severity Score: Medium

The vulnerability is patched, so you should update to version 8.7.3+.

29. WP Offload SES Lite

Plugin: WP Offload SES Lite
Vulnerability: Stored Cross-Site Scripting
Patched in Version: 1.4.5
Severity: High

The vulnerability is patched, so you should update to version 1.4.5+.

30. WP SMS

Plugin: WP SMS
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 5.4.9.1
Severity: High

The vulnerability is patched, so you should update to version 5.4.9.1+.

31. Profile Builder

Plugin: Profile Builder
Vulnerability: Authenticated Stored XSS
Patched in Version: 3.4.8
Severity: Medium

The vulnerability is patched, so you should update to version 3.4.8+.

32. TaxoPress

Plugin: TaxoPress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 3.0.7.2
Severity: Medium

The vulnerability is patched, so you should update to version 3.0.7.2+.

33. Strong Testimonials

Plugin: Strong Testimonials
Vulnerability: Unauthorized AJAX Call
Patched in Version: 2.51.3
Severity: Medium

The vulnerability is patched, so you should update to version 2.51.3+.

34. Adapta RGPD

Plugin: Adapta RGPD
Vulnerability: Unauthorized Consent via CSRF
Patched in Version: 1.3.3
Severity: Medium

The vulnerability is patched, so you should update to version 1.3.3+.

35. MailOptin

Plugin: MailOptin
Vulnerability: Unauthorized AJAX Call
Patched in Version: 1.2.35.2
Severity: Medium

The vulnerability is patched, so you should update to version 1.2.35.2+.

36. YITH Request a Quote for WooCommerce 

Plugin: YITH Request a Quote for WooCommerce 
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 1.6.4
Severity: Medium

The vulnerability is patched, so you should update to version 1.6.4+.

37. ReviewX

Plugin: ReviewX
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 1.2.9
Severity: Medium

The vulnerability is patched, so you should update to version 1.2.9+.

38. Food Store

Plugin: Food Store
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 1.3.7
Severity: Medium

The vulnerability is patched, so you should update to version 1.3.7+.

39. WP Prayer

Plugin: WP Prayer
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 1.5.5
Severity: Medium

The vulnerability is patched, so you should update to version 1.5.5+.

40. KONTXT Content Advisor

Plugin: KONTXT Content Advisor
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 2.3
Severity: Medium

The vulnerability is patched, so you should update to version 2.3+.

41. Fontsampler

Plugin: Fontsampler
Vulnerability: CSRF to Authenticated Reflected Cross-Site Scripting
Patched in Version: 0.4.13
Severity: High

The vulnerability is patched, so you should update to version 0.4.13+.

42. MZ Mindbody API

Plugin: MZ Mindbody API
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 2.8.3
Severity: High

The vulnerability is patched, so you should update to version 2.8.3+.

43. Journey Analytics

Plugin: Journey Analytics
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 1.0.13
Severity: Medium

The vulnerability is patched, so you should update to version 1.0.13+.

44. Alkubot

Plugin: Alkubot
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: 3.0.0
Severity: Medium

The vulnerability is patched, so you should update to version 3.0.0+.

45. MZ MBO Access

Plugin: MZ MBO Access
Vulnerability: Unauthorized AJAX call
Patched in Version: 2.0.9
Severity: Medium

The vulnerability is patched, so you should update to version 2.0.9+.

46. BNG Gateway For Woocommerce

Plugin: BNG Gateway For Woocommerce
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

47. BuddyPress Customer.io Analytics Integration

Plugin: BuddyPress Customer.io Analytics Integration
Vulnerability: Arbitrary Plugin Settings Update via CSRF
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

48. WooCommerce Custom Registration Form

Plugin: WooCommerce Custom Registration Form
Vulnerability: Arbitrary Field Deletion and Form Modification via CSRF
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

49. Woocommerce Tabs Plugin, Add Custom Product Tabs

Plugin: Woocommerce Tabs Plugin, Add Custom Product Tabs
Vulnerability: Arbitrary Tab Deletion/Edition via CSRF
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

50. Global Multisite Search

Plugin: Global Multisite Search
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

51. Intimate Payments

Plugin: Intimate Payments
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

52. KONTXT Improves WordPress Search

Plugin: KONTXT Improves WordPress Search
Vulnerability: CSRF Bypass
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

53. Instantio

Plugin: Instantio
Vulnerability: CSRF Bypass
Patched in Version: 1.2.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.6+.

54. Express Shop

Plugin: Express Shop
Vulnerability: CSRF Bypass
Patched in Version: 4.0.3
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.0.3+.

55. SEO Wizard

Plugin: SEO Wizard
Vulnerability: Unauthorized robots.txt & .htaccess Edit via CSRF
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

56. Title Field Validation

Plugin: Title Field Validation
Vulnerability: Unauthorized AJAX call via CSRF
Patched in Version: No known fix
Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

57. Booking Calendar

Plugin: Booking Calendar
Vulnerability: Authorized AJAX calls
Patched in Version: 2.1.6
Severity: Medium

The vulnerability is patched, so you should update to version 2.1.6+.

58. Community Event

Plugin: Community Event
Vulnerability: Reflected XSS
Patched in Version: 1.4.8
Severity Score: High

The vulnerability is patched, so you should update to version 1.4.8+.

59. WP LMS

Plugin: WP LMS
Vulnerability: Stored Cross-Site Scripting
Patched in Version: No known fix
Severity: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

60. Cooked Pro

Plugin: Cooked Pro
Vulnerability: Unauthenticated Reflected Cross-Site Scripting
Patched in Version: 1.7.5.6
Severity: Medium

The vulnerability is patched, so you should update to version 1.7.5.6+.

61. PWA for WP & AMP

Plugin: PWA for WP & AMP
Vulnerability: Authenticated Arbitrary File Upload
Patched in Version: 1.7.33
Severity: Critical

The vulnerability is patched, so you should update to version 1.7.33+.