Plugin: WooDiscuz – WooCommerce Comments
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: Go Pricing – WordPress Responsive Pricing Tables
Vulnerability: Not captured in this listing (affected versions: <= 3.3.19; this entry appears four times in the report with the same missing title)
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: WordPress File Upload
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.19.2
Recommended Action: Update to version 4.19.2, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Missing Authorization to Admin Account and Ticket Creation
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Missing Authorization to Update License
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version
Plugin: Waiting: One-click countdowns
Vulnerability: Missing Authorization Checks leading to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Missing Authorization to Non-Arbitrary File Upload
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version
Plugin: woocommerce-follow-up-emails
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.50
Recommended Action: Update to version 4.9.50, or a newer patched version
Plugin: BP Social Connect
Vulnerability: Authentication Bypass
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version
Plugin: Easy Forms for Mailchimp
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Activity Log Premium
Vulnerability: Cross-Site Request Forgery via ajax_switch_db
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version
Plugin: Easy Google Maps
Vulnerability: Cross-Site Request Forgery via AJAX action
Patched Version: 1.11.8
Recommended Action: Update to version 1.11.8, or a newer patched version
Plugin: Cookie Monster
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: woocommerce-follow-up-emails
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.9.50
Recommended Action: Update to version 4.9.50, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Not captured in this listing
Patched Version: 3.13.4
Recommended Action: Update to version 3.13.4, or a newer patched version
Plugin: WooCommerce Shipping & Tax
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: MStore API
Vulnerability: Authentication Bypass
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version
Plugin: UpdraftPlus WordPress Backup Plugin
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage
Patched Version: 1.23.4
Recommended Action: Update to version 1.23.4, or a newer patched version
Plugin: WP htaccess Control
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.83
Recommended Action: Update to version 1.6.83, or a newer patched version
Plugin: WP Activity Log Premium
Vulnerability: Missing Authorization via ajax_switch_db
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version
Plugin: Performance Lab
Vulnerability: Cross-Site Request Forgery via dismiss-wp-pointer
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: Customize WordPress Emails and Alerts – Better Notifications for WP
Vulnerability: Cross-Site Request Forgery via handle_actions
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version
Plugin: Predictive Search for WooCommerce
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 5.8.1
Recommended Action: Update to version 5.8.1, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version
Plugin: woocommerce-follow-up-emails
Vulnerability: Authenticated Arbitrary File Upload in Template Editing
Patched Version: 4.9.50
Recommended Action: Update to version 4.9.50, or a newer patched version
Plugin: Abandoned Cart Lite for WooCommerce
Vulnerability: Cross-Site Request Forgery via delete_expired_used_coupon_code
Patched Version: 5.14.2
Recommended Action: Update to version 5.14.2, or a newer patched version
Plugin: Stop Referrer Spam
Vulnerability: Cross-Site Request Forgery via processParameters
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Vulnerability: Cross-Site Request Forgery via Multiple Functions
Patched Version: 1.1.3.2
Recommended Action: Update to version 1.1.3.2, or a newer patched version
Plugin: Scripts n Styles
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress File Upload
Vulnerability: Authenticated (Administrator+) Path Traversal
Patched Version: 4.19.2
Recommended Action: Update to version 4.19.2, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Cross-Site Request Forgery to Disable All Plugins
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version
Plugin: WishSuite – Wishlist for WooCommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Jazz Popups
Vulnerability: Reflected Cross-Site Scripting via 'wpjazzpopup_switchonoff'
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Uncanny Automator – Automate everything with the #1 no-code Automation tool for WordPress
Vulnerability: Cross-Site Request Forgery via update_automator_connect
Patched Version: 4.15
Recommended Action: Update to version 4.15, or a newer patched version
Plugin: SEO Change Monitor – Track Website Changes
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MStore API
Vulnerability: Authentication Bypass
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version
Plugin: WeSecur Security – Antivirus, Malware Scanner and Protection for your WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress
Vulnerability: CAPTCHA Bypass
Patched Version: 1.9.118
Recommended Action: Update to version 1.9.118, or a newer patched version
Plugin: Predictive Search for WooCommerce
Vulnerability: Cross-Site Request Forgery via multiple AJAX actions
Patched Version: 5.8.1
Recommended Action: Update to version 5.8.1, or a newer patched version
Plugin: WP Activity Log
Vulnerability: Cross-Site Request Forgery via ajax_run_cleanup
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version
Plugin: Baidu Tongji generator
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Dashboard – Custom WordPress Dashboard
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version
Plugin: Abandoned Cart Lite for WooCommerce
Vulnerability: Cross-Site Request Forgery via ts_reset_tracking_setting
Patched Version: 5.14.2
Recommended Action: Update to version 5.14.2, or a newer patched version
Plugin: MStore API
Vulnerability: Authentication Bypass
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version
Plugin: WP Activity Log
Vulnerability: Missing Capabilities Check to User Enumeration
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version
Plugin: Smart App Banner
Vulnerability: Cross-Site Request Forgery via wsl_smart_app_banner_options
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: nuajik
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
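The practical use of a list like the one above is to check it against what is actually installed. The script below is an added example, not code from the report or from any of the plugin vendors. It transcribes a subset of the entries above into a table, compares them against a constructed plugin inventory standing in for the output of `wp plugin list`, and reports what to update and what has no fix. Two details matter when doing this by hand or in code: a plugin with several advisories (MStore API is listed with patched versions 3.9.1, 3.9.2 and 3.9.3) is only safe at the highest of them, and an entry whose patched version is "n/a" must be reported at any installed version, since there is nothing to update to. Matching plugins on the display name exactly as the report prints it is an assumption; in practice you map the slug from `wp plugin list` to that name.

```python
"""Triage an installed-plugin inventory against the advisories listed above.

Added example; not part of the original report. ADVISORIES is transcribed
from entries on this page. INSTALLED is constructed sample data (assumption:
plugins are matched by the display name the report uses).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    plugin: str
    title: str
    patched: str | None  # None where the report says "n/a"


# Subset of the page's entries: (plugin, vulnerability, patched version).
ADVISORIES = [
    Advisory("WooDiscuz – WooCommerce Comments",
             "Authenticated (Administrator+) Stored Cross-Site Scripting", "2.3.0"),
    Advisory("WordPress File Upload",
             "Authenticated (Administrator+) Stored Cross-Site Scripting", "4.19.2"),
    Advisory("WordPress File Upload",
             "Authenticated (Administrator+) Path Traversal", "4.19.2"),
    Advisory("MStore API", "Authentication Bypass", "3.9.1"),
    Advisory("MStore API", "Authentication Bypass", "3.9.2"),
    Advisory("MStore API", "Authentication Bypass", "3.9.3"),
    Advisory("Uncanny Automator – Automate everything with the #1 no-code Automation tool for WordPress",
             "Cross-Site Request Forgery via update_automator_connect", "4.15"),
    Advisory("Easy Forms for Mailchimp", "Unauthenticated Cross-Site Scripting", None),
    Advisory("SEO Change Monitor – Track Website Changes",
             "Authenticated (Subscriber+) SQL Injection", None),
]

# Constructed inventory (plugin name -> installed version), not real site data.
INSTALLED = {
    "WordPress File Upload": "4.19.1",   # one release behind the fix
    "MStore API": "3.9.2",               # fixed for two advisories, not the third
    "Uncanny Automator – Automate everything with the #1 no-code Automation tool for WordPress": "4.15",
    "Easy Forms for Mailchimp": "1.0.0", # no patch exists at any version
    "WooDiscuz – WooCommerce Comments": "2.3.0",  # exactly at the patched version
}


def parse_version(v: str) -> tuple[int, ...]:
    """'4.19.2' -> (4, 19, 2); a non-numeric component ends the tuple."""
    parts: list[int] = []
    for p in v.strip().split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b; missing trailing components count as zero (4.15 == 4.15.0)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def triage(installed: dict[str, str], advisories=ADVISORIES) -> list[dict]:
    """One finding per (plugin, action) for every installed plugin that is affected.

    The update target for a plugin is the highest patched version across all of
    its advisories. Advisories with no patch are reported regardless of version.
    """
    findings = []
    for plugin, version in installed.items():
        relevant = [a for a in advisories if a.plugin == plugin]
        if not relevant:
            continue
        unpatched = [a.title for a in relevant if a.patched is None]
        if unpatched:
            findings.append({"plugin": plugin, "installed": version,
                             "action": "no patch available; mitigate or remove",
                             "titles": unpatched})
        fixed = [a for a in relevant if a.patched is not None]
        if fixed:
            target = max((a.patched for a in fixed), key=parse_version)
            if version_lt(version, target):
                findings.append({"plugin": plugin, "installed": version,
                                 "action": f"update to {target} or newer",
                                 "titles": [a.title for a in fixed
                                            if version_lt(version, a.patched)]})
    return findings


if __name__ == "__main__":
    for f in triage(INSTALLED):
        print(f"{f['plugin']} {f['installed']}: {f['action']} ({'; '.join(f['titles'])})")
```

The version comparison is deliberately simple (numeric dot-separated components) because that is all the report's patched versions use; a plugin that ships pre-release tags would need a fuller comparator.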