
The following content lists WordPress and plugin vulnerabilities discovered in March. Please check if you are using any of them and update to the latest version in time to avoid losses.
WordPress Plugin Vulnerabilities
So far this month, several new WordPress plugin vulnerabilities have been discovered. Ensure you follow the recommended actions below to update the plugin or uninstall it completely.
1. Pricing Table by Supsystic
Pricing Table by Supsystic version 1.8.1 and lower has multiple vulnerabilities. The vulnerability has been fixed; you should update to version 1.8.2 or higher.
2. Flexible Checkout Fields for WooCommerce
Flexible Checkout Fields for WooCommerce version 2.3.1 and lower has an „Unauthenticated Settings Update“ vulnerability. This plugin was actively exploited maliciously, injecting malicious scripts into WooCommerce checkout pages. The vulnerability has been fixed; you should update to version 2.3.2.
3. Export Users
Export Users version 1.4.2 and lower is vulnerable to CSV injection attacks. The plugin has been removed from the WordPress.org plugin repository and should be deleted immediately.
4. Hero Maps
Hero Maps version 2.2.1 and lower has an unauthenticated reflected cross-site scripting vulnerability. The vulnerability has been fixed; you should update to version 2.2.3.
5. CardGate Payments for WooCommerce
CardGate Payments for WooCommerce version 3.1.15 and lower has unauthorized payment hijacking and order status spoofing vulnerabilities. The vulnerability has been fixed; you should update to version 3.1.16.
6. Async JavaScript
Async JavaScript version 2.19.07.14 and lower has an unauthenticated stored cross-site scripting vulnerability. The vulnerability has been fixed; you should update to version 2.20.03.01.
7. 10Web Map Builder for Google Maps
10Web Map Builder for Google Maps version 1.0.63 and lower has an unauthenticated stored cross-site scripting vulnerability. The vulnerability has been fixed; you should update to version 1.0.64.
8. Modern Events Calendar LiteModern
Events Calendar Lite version 5.1.6 and lower has a „Stored Cross-Site Scripting“ vulnerability. The vulnerability has been fixed; you should update to version 5.1.7.
9. Appointment Booking Calendar
Appointment Booking Calendar version 1.3.34 and lower has an „Authenticated Stored Cross-Site Scripting“ vulnerability. The vulnerability has been fixed; you should update to version 1.3.35.
10. WPForms
WPForms version 1.5.8.2 and lower has an „Authenticated Cross-Site Scripting“ vulnerability. The vulnerability has been fixed; you should update to version 1.5.9.
11. WordPress WP-Advanced-Search
WordPress WP-Advanced-Search version 3.3.3 and lower has unauthenticated database access and remote code execution vulnerabilities. The vulnerability has been fixed; you should update to version 3.3.4.
12. Registration Magic
RegistrationMagic versions 4.6.0.1 and below have multiple security vulnerabilities. The vulnerabilities have been fixed, and you should update to version 4.6.0.4.
13. Brizy – Page Builder
Brizy – Page Builder versions 1.0.113 and below have an „Unauthenticated Website Settings Update“ vulnerability. The vulnerability has been fixed, and you should update to version 1.0.114.
14. Custom Searchable Data Entry System
Custom Searchable Data Entry System versions 1.7.1 and below have unauthenticated data modification and deletion vulnerabilities. These vulnerabilities are being actively exploited. A security patch has not been released yet, and you should remove this plugin.
15. WP Security Audit Log
WP Security Audit Log versions 4.0.1 and below have a Broken Access Control vulnerability. The vulnerability has been fixed, and you should update to version 4.0.2.
16. Popup Builder
Popup Builder versions 3.63 and below have unauthenticated XSS and information disclosure vulnerabilities. The vulnerabilities may allow unauthenticated attackers to inject malicious JavaScript code into popups displayed on thousands of websites to steal information and potentially completely take over the target site. The vulnerabilities have been fixed, and you should update to version 3.64.1.
17. WordPress File Upload
The WordPress File Upload plugin versions below 4.13.0 have a Remote Code Execution vulnerability. Please update to version 4.13.0 or above promptly.
18. LearnPress
LearnPress versions below 3.2.6.7 have a Privilege Escalation vulnerability. Please update to version 3.2.6.7 or above promptly.
19. Custom Post Type UI
Custom Post Type UI versions below 1.7.4 have Cross-Site Request Forgery and Stored Cross-Site Scripting vulnerabilities. Please update to version 1.7.4 promptly.
20. Migrate & Backup WordPress – WPvivid Backup Plugin
Migrate & Backup WordPress – WPvivid Backup Plugin versions below 0.9.36 lack authorization, leading to a Database Leak vulnerability. Please update to version 0.9.36 promptly.
21. All-in-One WP Migration
All-in-One WP Migration versions below 7.15 have an Arbitrary Backup Download vulnerability. Please update to version 7.15 or above promptly.
22. Newsletter
Newsletter versions below 6.5.4 have a CSV Injection vulnerability. Please update to version 6.5.4 or above promptly.
23. Gutenberg & Elementor Templates Importer For Responsive
Gutenberg & Elementor Templates Importer For Responsive versions below 2.2.6 have an Unprotected AJAX Endpoint vulnerability. Please update to version 2.2.6 or above promptly.
24. Advanced Ads – Ad Manager & AdSense
Advanced Ads – Ad Manager & AdSense versions below 1.17.4 have an „Authenticated Reflected Cross-Site Scripting“ vulnerability. Please update to version 1.17.4 or above promptly.
25. Cookiebot
Cookiebot versions below 3.6.1 have an Authenticated Reflected Cross-Site Scripting vulnerability. Please update to version 3.6.1 or above promptly.
26. Data Tables Generator by Supsystic
Data Tables Generator by Supsystic versions below 1.9.92 have multiple vulnerabilities. Please update to version 1.9.92 or above promptly.
27. Other Plugins
Buddypress Component Stats
abstract-submission
WP e-Commerce Shop Styling
web-portal-lite-client
post-pdf-export
blogtopdf
gboutique
The above 7 plugins contain security vulnerabilities and have been removed from the WordPress repository. Please disable and delete them as soon as possible!!
What to do when encountering WordPress vulnerabilities
Running outdated software is the number one reason WordPress sites get hacked. Having an update routine is crucial for WordPress site security. You should log into your site at least once a week to perform updates.
Automatic updates can help
For WordPress sites that don't change frequently, automatic updates are a good option. Lack of attention often leaves these sites neglected and vulnerable. Even with recommended security settings in place, running vulnerable software on your site can still allow attackers to gain access.
For more WordPress security content, please visit:WordPress Security Special
Article transferred to WP University