March WordPress Plugin Vulnerability List
The following is a list of vulnerabilities discovered in WordPress and its plugins in March. Please check whether you are using any of them and update to the latest versions promptly to avoid potential losses.

WordPress Plugin Vulnerabilities

So far this month, several new WordPress plugin vulnerabilities have been discovered. Follow the recommended action for each plugin below: either update it or uninstall it completely.

1. Pricing Table by Supsystic
Pricing Table by Supsystic versions 1.8.1 and lower have multiple vulnerabilities. The vulnerabilities have been fixed; you should update to version 1.8.2 or higher.

2. Flexible Checkout Fields for WooCommerce
Flexible Checkout Fields for WooCommerce versions 2.3.1 and lower have an "unauthenticated settings update" vulnerability. The plugin has been actively exploited, with malicious scripts injected into WooCommerce checkout pages. The vulnerability has been fixed; you should update to version 2.3.2.

3. Export Users
Export Users versions 1.4.2 and lower are vulnerable to CSV injection attacks. The plugin has been removed from the WordPress.org plugin repository and should be deleted immediately.

4. Hero Maps
Hero Maps versions 2.2.1 and lower have an unauthenticated reflected cross-site scripting vulnerability. The vulnerability has been fixed; you should update to version 2.2.3.

5. CardGate Payments for WooCommerce
CardGate Payments for WooCommerce versions 3.1.15 and lower have unauthorized payment hijacking and order status spoofing vulnerabilities. The vulnerabilities have been fixed; you should update to version 3.1.16.

6. Async JavaScript
Async JavaScript versions 2.19.07.14 and lower have an unauthenticated stored cross-site scripting vulnerability. The vulnerability has been fixed; you should update to version 2.20.03.01.

7. 10Web Map Builder for Google Maps
10Web Map Builder for Google Maps versions 1.0.63 and lower have an unauthenticated stored cross-site scripting vulnerability. The vulnerability has been fixed; you should update to version 1.0.64.

8. Modern Events Calendar Lite
Modern Events Calendar Lite versions 5.1.6 and lower have a "stored cross-site scripting" vulnerability. The vulnerability has been fixed; you should update to version 5.1.7.

9. Appointment Booking Calendar
Appointment Booking Calendar versions 1.3.34 and lower have an "authenticated stored cross-site scripting" vulnerability. The vulnerability has been fixed; you should update to version 1.3.35.

10. WPForms
WPForms versions 1.5.8.2 and lower have an "authenticated cross-site scripting" vulnerability. The vulnerability has been fixed; you should update to version 1.5.9.

11. WordPress WP-Advanced-Search
WordPress WP-Advanced-Search versions 3.3.3 and lower have unauthenticated database access and remote code execution vulnerabilities. The vulnerabilities have been fixed; you should update to version 3.3.4.

12. RegistrationMagic
RegistrationMagic versions 4.6.0.1 and below have multiple security vulnerabilities. The vulnerabilities have been fixed, and you should update to version 4.6.0.4.

13. Brizy – Page Builder
Brizy – Page Builder versions 1.0.113 and below have an "Unauthenticated Website Settings Update" vulnerability. The vulnerability has been fixed, and you should update to version 1.0.114.

14. Custom Searchable Data Entry System
Custom Searchable Data Entry System versions 1.7.1 and below have unauthenticated data modification and deletion vulnerabilities. These vulnerabilities are being actively exploited. A security patch has not been released yet, and you should remove this plugin.

15. WP Security Audit Log
WP Security Audit Log versions 4.0.1 and below have a broken access control vulnerability. The vulnerability has been fixed, and you should update to version 4.0.2.

16. Popup Builder
Popup Builder versions 3.63 and below have unauthenticated XSS and information disclosure vulnerabilities. The vulnerabilities may allow unauthenticated attackers to inject malicious JavaScript code into popups displayed on thousands of websites to steal information and potentially completely take over the target site. The vulnerabilities have been fixed, and you should update to version 3.64.1.

17. WordPress File Upload
WordPress File Upload plugin versions below 4.13.0 have a remote code execution vulnerability. Please update to version 4.13.0 or above promptly.

18. LearnPress
LearnPress versions below 3.2.6.7 have a privilege escalation vulnerability. Please update to version 3.2.6.7 or above promptly.

19. Custom Post Type UI
Custom Post Type UI versions below 1.7.4 have Cross-Site Request Forgery and Stored Cross-Site Scripting vulnerabilities. Please update to version 1.7.4 promptly.

20. Migrate & Backup WordPress – WPvivid Backup Plugin
Migrate & Backup WordPress – WPvivid Backup Plugin versions below 0.9.36 lack authorization, leading to a database leakage vulnerability. Please update to version 0.9.36 promptly.

21. All-in-One WP Migration
All-in-One WP Migration versions below 7.15 have an arbitrary backup download vulnerability. Please update to version 7.15 or above promptly.

22. Newsletter
Newsletter versions below 6.5.4 have a CSV injection vulnerability. Please update to version 6.5.4 or above promptly.

23. Gutenberg & Elementor Templates Importer For Responsive
Gutenberg & Elementor Templates Importer For Responsive versions below 2.2.6 have an unprotected AJAX endpoint vulnerability. Please update to version 2.2.6 or above promptly.

24. Advanced Ads – Ad Manager & AdSense
Advanced Ads – Ad Manager & AdSense versions below 1.17.4 have an "Authenticated Reflected Cross-Site Scripting" vulnerability. Please update to version 1.17.4 or above promptly.

25. Cookiebot
Cookiebot versions below 3.6.1 have an authenticated reflected cross-site scripting vulnerability. Please update to version 3.6.1 or above promptly.

26. Data Tables Generator by Supsystic
Data Tables Generator by Supsystic versions below 1.9.92 have multiple vulnerabilities. Please update to version 1.9.92 or above promptly.

27. Other Plugins
Buddypress Component Stats
abstract-submission
WP e-Commerce Shop Styling
web-portal-lite-client
post-pdf-export
blogtopdf
gboutique

The above 7 plugins contain security vulnerabilities and have been removed from the WordPress repository. Please disable and delete them as soon as possible!