Home Website News Articles Standard Post

Standard Post

List of WordPress Plugin Vulnerabilities for March

The following content lists WordPress and plugin vulnerabilities discovered in March. Please check if you are using any of them and update to the latest version in time to avoid losses. WordPress Plugin Vulnerabilities So far this month, several new WordPress plugin vulnerabilities have been discovered. Make sure to follow the recommended actions to update the plugin or completely uninstall it. …

Updated on March 27, 2020 About 8 minutes read
3月份WordPress插件漏洞列表

The following content lists WordPress and plugin vulnerabilities discovered in March. Please check if you are using any of them and update to the latest version in time to avoid losses.

WordPress Plugin Vulnerabilities

So far this month, several new WordPress plugin vulnerabilities have been discovered. Ensure you follow the recommended actions below to update the plugin or uninstall it completely.

1. Pricing Table by Supsystic

Pricing Table by Supsystic version 1.8.1 and lower has multiple vulnerabilities. The vulnerability has been fixed; you should update to version 1.8.2 or higher.

2. Flexible Checkout Fields for WooCommerce

Flexible Checkout Fields for WooCommerce version 2.3.1 and lower has an „Unauthenticated Settings Update“ vulnerability. This plugin was actively exploited maliciously, injecting malicious scripts into WooCommerce checkout pages. The vulnerability has been fixed; you should update to version 2.3.2.

3. Export Users

Export Users version 1.4.2 and lower is vulnerable to CSV injection attacks. The plugin has been removed from the WordPress.org plugin repository and should be deleted immediately.

4. Hero Maps

Hero Maps version 2.2.1 and lower has an unauthenticated reflected cross-site scripting vulnerability. The vulnerability has been fixed; you should update to version 2.2.3.

5. CardGate Payments for WooCommerce

CardGate Payments for WooCommerce version 3.1.15 and lower has unauthorized payment hijacking and order status spoofing vulnerabilities. The vulnerability has been fixed; you should update to version 3.1.16.

6. Async JavaScript

Async JavaScript version 2.19.07.14 and lower has an unauthenticated stored cross-site scripting vulnerability. The vulnerability has been fixed; you should update to version 2.20.03.01.

7. 10Web Map Builder for Google Maps

10Web Map Builder for Google Maps version 1.0.63 and lower has an unauthenticated stored cross-site scripting vulnerability. The vulnerability has been fixed; you should update to version 1.0.64.

8. Modern Events Calendar LiteModern

Events Calendar Lite version 5.1.6 and lower has a „Stored Cross-Site Scripting“ vulnerability. The vulnerability has been fixed; you should update to version 5.1.7.

9. Appointment Booking Calendar

Appointment Booking Calendar version 1.3.34 and lower has an „Authenticated Stored Cross-Site Scripting“ vulnerability. The vulnerability has been fixed; you should update to version 1.3.35.

10. WPForms

WPForms version 1.5.8.2 and lower has an „Authenticated Cross-Site Scripting“ vulnerability. The vulnerability has been fixed; you should update to version 1.5.9.

11. WordPress WP-Advanced-Search

WordPress WP-Advanced-Search version 3.3.3 and lower has unauthenticated database access and remote code execution vulnerabilities. The vulnerability has been fixed; you should update to version 3.3.4.

12. Registration Magic

RegistrationMagic versions 4.6.0.1 and below have multiple security vulnerabilities. The vulnerabilities have been fixed, and you should update to version 4.6.0.4.

13. Brizy – Page Builder

Brizy – Page Builder versions 1.0.113 and below have an „Unauthenticated Website Settings Update“ vulnerability. The vulnerability has been fixed, and you should update to version 1.0.114.

14. Custom Searchable Data Entry System

Custom Searchable Data Entry System versions 1.7.1 and below have unauthenticated data modification and deletion vulnerabilities. These vulnerabilities are being actively exploited. A security patch has not been released yet, and you should remove this plugin.

15. WP Security Audit Log

WP Security Audit Log versions 4.0.1 and below have a Broken Access Control vulnerability. The vulnerability has been fixed, and you should update to version 4.0.2.

16. Popup Builder

Popup Builder versions 3.63 and below have unauthenticated XSS and information disclosure vulnerabilities. The vulnerabilities may allow unauthenticated attackers to inject malicious JavaScript code into popups displayed on thousands of websites to steal information and potentially completely take over the target site. The vulnerabilities have been fixed, and you should update to version 3.64.1.

17. WordPress File Upload

The WordPress File Upload plugin versions below 4.13.0 have a Remote Code Execution vulnerability. Please update to version 4.13.0 or above promptly.

18. LearnPress

LearnPress versions below 3.2.6.7 have a Privilege Escalation vulnerability. Please update to version 3.2.6.7 or above promptly.

19. Custom Post Type UI

Custom Post Type UI versions below 1.7.4 have Cross-Site Request Forgery and Stored Cross-Site Scripting vulnerabilities. Please update to version 1.7.4 promptly.

20. Migrate & Backup WordPress – WPvivid Backup Plugin

Migrate & Backup WordPress – WPvivid Backup Plugin versions below 0.9.36 lack authorization, leading to a Database Leak vulnerability. Please update to version 0.9.36 promptly.

21. All-in-One WP Migration

All-in-One WP Migration versions below 7.15 have an Arbitrary Backup Download vulnerability. Please update to version 7.15 or above promptly.

22. Newsletter

Newsletter versions below 6.5.4 have a CSV Injection vulnerability. Please update to version 6.5.4 or above promptly.

23. Gutenberg & Elementor Templates Importer For Responsive

Gutenberg & Elementor Templates Importer For Responsive versions below 2.2.6 have an Unprotected AJAX Endpoint vulnerability. Please update to version 2.2.6 or above promptly.

24. Advanced Ads – Ad Manager & AdSense

Advanced Ads – Ad Manager & AdSense versions below 1.17.4 have an „Authenticated Reflected Cross-Site Scripting“ vulnerability. Please update to version 1.17.4 or above promptly.

25. Cookiebot

Cookiebot versions below 3.6.1 have an Authenticated Reflected Cross-Site Scripting vulnerability. Please update to version 3.6.1 or above promptly.

26. Data Tables Generator by Supsystic

Data Tables Generator by Supsystic versions below 1.9.92 have multiple vulnerabilities. Please update to version 1.9.92 or above promptly.

27. Other Plugins

Buddypress Component Stats
abstract-submission
WP e-Commerce Shop Styling
web-portal-lite-client
post-pdf-export
blogtopdf
gboutique

The above 7 plugins contain security vulnerabilities and have been removed from the WordPress repository. Please disable and delete them as soon as possible!!

What to do when encountering WordPress vulnerabilities

Running outdated software is the number one reason WordPress sites get hacked. Having an update routine is crucial for WordPress site security. You should log into your site at least once a week to perform updates.

Automatic updates can help

For WordPress sites that don't change frequently, automatic updates are a good option. Lack of attention often leaves these sites neglected and vulnerable. Even with recommended security settings in place, running vulnerable software on your site can still allow attackers to gain access.

For more WordPress security content, please visit:WordPress Security Special

Article transferred to WP University

Rate this article post
Previous Using Alibaba Cloud servers to install websites is not recommended with WordPress image pre-installation Continue reading content around the same timeline. Next SiteGround Dedicated IP Application Tutorial with Images View the next related tutorial or experience.

AI Website Building Assistant

🤖
Hello! I am the Naibabiji AI Assistant. How can I help you?
Quick Consultation: