List of WordPress Plugin Vulnerabilities for March

The following content lists WordPress and plugin-related vulnerabilities disclosed in March. Check whether you are using any of these plugins and update to the latest version promptly to avoid potential losses.

WordPress Plugin Vulnerabilities

So far this month, several new WordPress plugin vulnerabilities have been discovered. Follow the recommended action for each entry below: update the plugin, or uninstall it completely.

1. Pricing Table by Supsystic. Version 1.8.1 and lower has multiple vulnerabilities. The vulnerabilities have been fixed; update to version 1.8.2 or higher.

2. Flexible Checkout Fields for WooCommerce. Version 2.3.1 and lower has an "Unauthenticated Settings Update" vulnerability. This plugin was actively exploited in the wild to inject malicious scripts into WooCommerce checkout pages. The vulnerability has been fixed; update to version 2.3.2.

3. Export Users. Version 1.4.2 and lower is vulnerable to CSV injection. The plugin has been removed from the WordPress.org plugin repository and should be deleted immediately.

4. Hero Maps. Version 2.2.1 and lower has an unauthenticated reflected cross-site scripting vulnerability. The vulnerability has been fixed; update to version 2.2.3.

5. CardGate Payments for WooCommerce. Version 3.1.15 and lower has unauthorized payment hijacking and order status spoofing vulnerabilities. The vulnerabilities have been fixed; update to version 3.1.16.

6. Async JavaScript. Version 2.19.07.14 and lower has an unauthenticated stored cross-site scripting vulnerability. The vulnerability has been fixed; update to version 2.20.03.01.

7. 10Web Map Builder for Google Maps. Version 1.0.63 and lower has an unauthenticated stored cross-site scripting vulnerability. The vulnerability has been fixed; update to version 1.0.64.

8. Modern Events Calendar Lite. Version 5.1.6 and lower has a stored cross-site scripting vulnerability. The vulnerability has been fixed; update to version 5.1.7.

9. Appointment Booking Calendar. Version 1.3.34 and lower has an authenticated stored cross-site scripting vulnerability. The vulnerability has been fixed; update to version 1.3.35.

10. WPForms. Version 1.5.8.2 and lower has an authenticated cross-site scripting vulnerability. The vulnerability has been fixed; update to version 1.5.9.

11. WordPress WP-Advanced-Search. Version 3.3.3 and lower has unauthenticated database access and remote code execution vulnerabilities. The vulnerabilities have been fixed; update to version 3.3.4.

12. RegistrationMagic. Versions 4.6.0.1 and below have multiple security vulnerabilities. The vulnerabilities have been fixed; update to version 4.6.0.4.

13. Brizy – Page Builder. Versions 1.0.113 and below have an "Unauthenticated Website Settings Update" vulnerability. The vulnerability has been fixed; update to version 1.0.114.

14. Custom Searchable Data Entry System. Versions 1.7.1 and below have unauthenticated data modification and deletion vulnerabilities, which are being actively exploited. No security patch has been released yet; remove this plugin.

15. WP Security Audit Log. Versions 4.0.1 and below have a broken access control vulnerability. The vulnerability has been fixed; update to version 4.0.2.

16. Popup Builder. Versions 3.63 and below have unauthenticated cross-site scripting and information disclosure vulnerabilities. They may allow unauthenticated attackers to inject malicious JavaScript into popups displayed on thousands of websites, steal information, and potentially take over the target site completely. The vulnerabilities have been fixed; update to version 3.64.1.

17. WordPress File Upload. Versions below 4.13.0 have a remote code execution vulnerability. Update to version 4.13.0 or above promptly.

18. LearnPress. Versions below 3.2.6.7 have a privilege escalation vulnerability. Update to version 3.2.6.7 or above promptly.

19. Custom Post Type UI. Versions below 1.7.4 have cross-site request forgery and stored cross-site scripting vulnerabilities. Update to version 1.7.4 promptly.

20. Migrate & Backup WordPress – WPvivid Backup Plugin. Versions below 0.9.36 have a missing authorization check that leads to a database leak. Update to version 0.9.36 promptly.

21. All-in-One WP Migration. Versions below 7.15 have an arbitrary backup download vulnerability. Update to version 7.15 or above promptly.

22. Newsletter. Versions below 6.5.4 have a CSV injection vulnerability. Update to version 6.5.4 or above promptly.

23. Gutenberg & Elementor Templates Importer For Responsive. Versions below 2.2.6 have an unprotected AJAX endpoint vulnerability. Update to version 2.2.6 or above promptly.

24. Advanced Ads – Ad Manager & AdSense. Versions below 1.17.4 have an authenticated reflected cross-site scripting vulnerability. Update to version 1.17.4 or above promptly.

25. Cookiebot. Versions below 3.6.1 have an authenticated reflected cross-site scripting vulnerability. Update to version 3.6.1 or above promptly.

26. Data Tables Generator by Supsystic. Versions below 1.9.92 have multiple vulnerabilities. Update to version 1.9.92 or above promptly.

27. Other plugins. The following 7 plugins contain security vulnerabilities and have been removed from the WordPress repository. Disable and delete them immediately: Buddypress Component Stats, abstract-submission, WP e-Commerce Shop Styling, web-portal-lite-client, post-pdf-export, blogtopdf, gboutique.

What to do when encountering WordPress vulnerabilities

Running outdated software is the number one reason WordPress sites get hacked. Having an update routine is crucial for WordPress site security: log into your site at least once a week to perform updates.

Automatic updates can help

For WordPress sites that don't change frequently, automatic updates are a good option. Lack of attention often leaves these sites neglected and vulnerable. Even with the recommended security settings in place, running vulnerable software on your site can still allow attackers to gain access. To learn more about WordPress security, see: WordPress Security Special

Article transferred to WP University
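One way to act on the list above as part of a weekly update routine, added here as an example that is not part of the original article: the script compares the plugins installed on a site (a constructed sample in the JSON shape of `wp plugin list --fields=name,version --format=json`) against a subset of the March advisories and reports which plugins need an update or removal. The plugin slugs in the advisory table are assumptions for illustration; check them against your own site's slugs.

```python
import json
import re

# A subset of the March advisories above, keyed by plugin slug (slugs are assumed
# for illustration; verify against your own `wp plugin list` output). The value is
# the first fixed version, or None when the plugin was pulled from wordpress.org
# and must be removed instead of updated.
ADVISORIES = {
    "pricing-table-by-supsystic": "1.8.2",
    "flexible-checkout-fields": "2.3.2",
    "export-users": None,
    "async-javascript": "2.20.03.01",
    "wpforms-lite": "1.5.9",
    "popup-builder": "3.64.1",
    "wp-file-upload": "4.13.0",
    "learnpress": "3.2.6.7",
    "all-in-one-wp-migration": "7.15",
}

def parse_version(v):
    """Turn '2.19.07.14' into (2, 19, 7, 14) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def version_lt(installed, fixed):
    """True when installed < fixed; shorter tuples are right-padded with zeros."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def audit(installed_json):
    """Map each affected installed plugin slug to the action the advisory calls for."""
    actions = {}
    for plugin in json.loads(installed_json):
        slug, version = plugin["name"], plugin["version"]
        if slug not in ADVISORIES:
            continue                      # not on this month's list
        fixed = ADVISORIES[slug]
        if fixed is None:
            actions[slug] = "remove: pulled from the repository, no patch"
        elif version_lt(version, fixed):
            actions[slug] = f"update {version} -> {fixed}"
    return actions                        # up-to-date plugins are simply absent

# Constructed sample in the shape of `wp plugin list --fields=name,version --format=json`.
SAMPLE = json.dumps([
    {"name": "wpforms-lite", "version": "1.5.8.2"},
    {"name": "popup-builder", "version": "3.64.1"},
    {"name": "async-javascript", "version": "2.19.07.14"},
    {"name": "export-users", "version": "1.4.2"},
    {"name": "akismet", "version": "4.1.4"},
])
```

Call `audit(SAMPLE)` (or pipe real `wp plugin list` JSON into `audit`) to get the per-plugin action list; plugins that are up to date or not on the list are omitted.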
