Plugin: AFI – The Easiest Integration Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.89.6
Recommended Action: Update to version 1.89.6, or a newer patched version
Plugin: Custom Layouts – Post + Product grids made easy
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version
Plugin: The Ultimate Video Player For WordPress – by Presto Player
Vulnerability: Missing Authorization
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: not named in this entry (the field reads only 2.13.9, most likely the affected version)
Patched Version: 2.13.10
Recommended Action: Update to version 2.13.10, or a newer patched version
Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More
Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fonts Plugin | Use Google Fonts, Adobe Fonts or Upload Fonts
Vulnerability: Missing Authorization
Patched Version: 3.7.8
Recommended Action: Update to version 3.7.8, or a newer patched version
Plugin: WPC Frequently Bought Together for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 7.2.0
Recommended Action: Update to version 7.2.0, or a newer patched version
Plugin: Theme My Login
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 7.1.8
Recommended Action: Update to version 7.1.8, or a newer patched version
Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.83
Recommended Action: Update to version 3.1.83, or a newer patched version
Plugin: tagDiv Opt-In Builder
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: ElementsKit Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.6
Recommended Action: Update to version 3.6.6, or a newer patched version
Plugin: RegistrationMagic – User Registration Plugin with Custom Registration Forms
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 6.0.1.1
Recommended Action: Update to version 6.0.1.1, or a newer patched version
Plugin: BP Profile Search
Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 5.8
Recommended Action: Update to version 5.8, or a newer patched version
Plugin: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
Vulnerability: Insufficient Input Validation
Patched Version: 1.6.29
Recommended Action: Update to version 1.6.29, or a newer patched version
Plugin: WP User Manager – User Profile Builder & Membership
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JetBlocks for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.12.1
Recommended Action: Update to version 1.3.12.1, or a newer patched version
Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress
Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.0.74
Recommended Action: Update to version 2.0.74, or a newer patched version
Plugin: Woo Inquiry
Vulnerability: Unauthenticated SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hide My Site
Vulnerability: Unauthenticated Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPBakery Page Builder Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: not named in this entry (the field reads only 2.13.9, most likely the affected version)
Patched Version: 2.13.10
Recommended Action: Update to version 2.13.10, or a newer patched version
Plugin: Newsletters
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 4.9.9.1
Recommended Action: Update to version 4.9.9.1, or a newer patched version
Plugin: LiquidPoll – Polls, Surveys, NPS and Feedback Reviews
Vulnerability: Unauthenticated Stored Cross-Site Scripting via form_data Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress
Vulnerability: Missing Authorization to Player Deletion
Patched Version: 2.0.74
Recommended Action: Update to version 2.0.74, or a newer patched version
Plugin: Relevanssi – A Better Search
Vulnerability: Unauthenticated Information Exposure
Patched Version: 4.23.0
Recommended Action: Update to version 4.23.0, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: not named in this entry (the field reads only 2.13.9, most likely the affected version)
Patched Version: 2.13.10
Recommended Action: Update to version 2.13.10, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Video Widget
Patched Version: 5.6.3
Recommended Action: Update to version 5.6.3, or a newer patched version
Plugin: LOGIN AND REGISTRATION ATTEMPTS LIMIT
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Admission AppManager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Button contact VR
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Dark Mode for WP Dashboard
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: oik
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.12.1
Recommended Action: Update to version 4.12.1, or a newer patched version
Plugin: WordSurvey
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via sounding_title Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Testimonial Widget
Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event Espresso – Event Registration & Ticketing Sales
Vulnerability: Authenticated (Subscriber+) Missing Authorization to Limited Plugin Settings Modification
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: Unauthenticated Double-Extension Arbitrary File Upload
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
Vulnerability: Missing Authorization via init_endpoint
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stripe Payments For WooCommerce by Checkout Plugins
Vulnerability: Unauthenticated Insecure Direct Object Reference
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via TP Page Scroll Widget
Patched Version: 5.6.3
Recommended Action: Update to version 5.6.3, or a newer patched version
Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.19.1
Recommended Action: Update to version 1.19.1, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: not named in this entry (the field reads only 2.13.9, most likely the affected version)
Patched Version: 2.13.10
Recommended Action: Update to version 2.13.10, or a newer patched version
Plugin: Cookie Notice & Compliance for GDPR / CCPA
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: tagDiv Opt-In Builder
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Asset CleanUp: Page Speed Booster
Vulnerability: Missing Authorization
Patched Version: 1.3.9.4
Recommended Action: Update to version 1.3.9.4, or a newer patched version
Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress
Vulnerability: Missing Authorization to Player Update
Patched Version: 2.0.74
Recommended Action: Update to version 2.0.74, or a newer patched version
Plugin: JetElements
Vulnerability: Authenticated (Contributor+) Arbitrary Local File Inclusion
Patched Version: 2.6.20.1
Recommended Action: Update to version 2.6.20.1, or a newer patched version
Plugin: InPost PL
Vulnerability: Missing Authorization to Unauthenticated Arbitrary File Read and Delete
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 4.0.38
Recommended Action: Update to version 4.0.38, or a newer patched version
Plugin: Order Tracking – WordPress Status Tracking Plugin
Vulnerability: Missing Authorization via send_test_email()
Patched Version: 3.3.12b
Recommended Action: Update to one of the following versions, or a newer patched version: 3.3.12b, 3.3.13
Plugin: Tutor LMS Elementor Addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Course Carousel Widget
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: PowerPack for Beaver Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.37.4
Recommended Action: Update to version 2.37.4, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited File Deletion
Patched Version: 3.14.2
Recommended Action: Update to version 3.14.2, or a newer patched version
Plugin: WP Data Access – WordPress App, Table and Form Builder plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.5.9
Recommended Action: Update to version 5.5.9, or a newer patched version
Plugin: Fonts Plugin | Use Google Fonts, Adobe Fonts or Upload Fonts
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.8
Recommended Action: Update to version 3.7.8, or a newer patched version
Plugin: Smart Online Order for Clover
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Data Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Engine (Media Organizer & Lightroom)
Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Last Modified Info
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via lmt-post-modified-info Shortcode
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Insert PHP Code Snippet
Vulnerability: Cross-Site Request Forgery to Code Snippet Activate/Deactivate/Deletion
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: All Bootstrap Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Void Contact Form 7 Widget For Elementor Page Builder
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Unauthenticated PHP Object Injection to Remote Code Execution
Patched Version: 3.14.2
Recommended Action: Update to version 3.14.2, or a newer patched version
Plugin: BackWPup – WordPress Backup & Restore Plugin
Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: Custom Field For WP Job Manager
Vulnerability: Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.7.1
Recommended Action: Update to version 0.7.1, or a newer patched version
Plugin: Smart Online Order for Clover
Vulnerability: Missing Authorization to Plugin Deactivation and Data Deletion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: OTA Sync Booking Engine Widget
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AdRotate Banner Manager – The only ad manager you'll need
Vulnerability: Authenticated (Admin+) Double Extension Arbitrary File Upload
Patched Version: 5.13.3
Recommended Action: Update to version 5.13.3, or a newer patched version
Plugin: JetSearch
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.2.1
Recommended Action: Update to version 3.5.2.1, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Missing Authorization to Limited Information Exposure
Patched Version: 3.14.0
Recommended Action: Update to version 3.14.0, or a newer patched version
Plugin: Clever Addons for Elementor
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: JetTabs for Elementor
Vulnerability: Authenticated (Contributor+) Arbitrary Local File Inclusion
Patched Version: 2.2.3.1
Recommended Action: Update to version 2.2.3.1, or a newer patched version
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Authenticated (Contributor+) SQL Injection via model_number Parameter
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version
Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Vulnerability: Missing Authorization
Patched Version: 1.2.16
Recommended Action: Update to version 1.2.16, or a newer patched version
Plugin: LH Add Media From Url
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clone
Vulnerability: Missing Authorization
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: App Builder – Create Native Android & iOS Apps On The Flight
Vulnerability: Unauthenticated Limited SQL Injection via app-builder-search
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Snapshot Backup
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Recipe Card Blocks for Gutenberg & Elementor – Best WordPress Recipe Plugin
Vulnerability: Missing Authorization
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: Short URL
Vulnerability: Cross-Site Request Forgery via configuration_page
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more
Vulnerability: Missing Authorization
Patched Version: 5.5.7
Recommended Action: Update to version 5.5.7, or a newer patched version
Plugin: Zephyr Project Manager
Vulnerability: Authenticated (Subscriber+) Limited Privilege Escalation
Patched Version: 3.3.102
Recommended Action: Update to version 3.3.102, or a newer patched version
Plugin: Stripe Payments For WooCommerce by Checkout Plugins
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version
Plugin: Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 3.4.10
Recommended Action: Update to version 3.4.10, or a newer patched version
Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim
Vulnerability: Missing Authorization via remove_feedbacktool_notice()
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: Responsive Video
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bold Timeline Lite
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: JetElements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.20.1
Recommended Action: Update to version 2.6.20.1, or a newer patched version
Plugin: WordPress Webinar Plugin – WebinarPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.33.21
Recommended Action: Update to version 1.33.21, or a newer patched version
Plugin: FOX – Currency Switcher Professional for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 1.4.2.1
Recommended Action: Update to version 1.4.2.1, or a newer patched version
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Authentication Bypass to Account Takeover
Patched Version: 4.15.3
Recommended Action: Update to version 4.15.3, or a newer patched version
Plugin: SpeedyCache – Cache, Optimization, Performance
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: ElementsKit Pro
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure
Patched Version: 3.6.7
Recommended Action: Update to version 3.6.7, or a newer patched version
Plugin: Slideshow, Image Slider by 2J
Vulnerability: Reflected Cross-Site Scripting via ‘post’
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Missing Authorization to Unauthenticated Event Settings Update
Patched Version: 3.14.0
Recommended Action: Update to version 3.14.0, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: not named in this entry (the field reads only 2.13.4, most likely the affected version)
Patched Version: 2.13.5
Recommended Action: Update to version 2.13.5, or a newer patched version
Plugin: Cryptocurrency Widgets – Price Ticker & Coins List
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version
Plugin: Flamix: Bitrix24 and Contact Form 7 integrations
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Download Plugins and Themes in ZIP from Dashboard
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version
Plugin: WordPress File Upload
Vulnerability: Unauthenticated Stored Cross-Site Scripting via SVG File Upload
Patched Version: 4.24.9
Recommended Action: Update to version 4.24.9, or a newer patched version
Plugin: Plugin Notes Plus
Vulnerability: Authenticated (Subscriber+) Arbitrary Note Deletion
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
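A practitioner working through a list like the one above usually wants one thing from it: which of my installed plugins does it touch, and is my version at or past the fix. The script below is an added example (not code from the report's publisher or from any plugin listed) that parses the four-line entry format used on this page and checks it against a plugin inventory. It assumes inventory names match the report's plugin names exactly, it orders versions so that a letter suffix such as 3.3.12b sorts after 3.3.12 (the report offers such versions as fixes, so they are treated as later hotfixes, not pre-releases), and, because the report lists no affected-version ranges, it treats anything below the lowest fixed version as affected. The sample entries embedded in it are copied from the list above to exercise the cases it contains: an ordinary fix, a "no known patch" entry, a fix offered on two release branches, and an entry whose vulnerability name is missing and shows only a version number.

```python
"""Triage a plugin vulnerability report (four-line entries, as on this page) against
an installed-plugin inventory. Added example; not part of the original report."""
import re
from dataclasses import dataclass

# Constructed sample in the report's own format (entries copied from the list above).
SAMPLE_REPORT = """\
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Unauthenticated PHP Object Injection to Remote Code Execution
Patched Version: 3.14.2
Recommended Action: Update to version 3.14.2, or a newer patched version
Plugin: Woo Inquiry
Vulnerability: Unauthenticated SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Order Tracking – WordPress Status Tracking Plugin
Vulnerability: Missing Authorization via send_test_email()
Patched Version: 3.3.12b
Recommended Action: Update to one of the following versions, or a newer patched version: 3.3.12b, 3.3.13
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: 2.13.9
Patched Version: 2.13.10
Recommended Action: Update to version 2.13.10, or a newer patched version
"""

# Dotted version with an optional single-letter hotfix suffix (e.g. 3.3.12b).
VERSION_RE = re.compile(r'\b\d+(?:\.\d+)+[a-z]?\b')


def version_key(v):
    """Sort key for plugin versions. Each dotted component becomes
    (number, letter suffix, trailing number). Assumption: a letter suffix
    sorts AFTER the bare number, so 3.3.12 < 3.3.12b < 3.3.13."""
    parts = []
    for piece in re.split(r'[.\-_+]', v.strip().lower()):
        num, tag, num2 = re.match(r'(\d*)([a-z]*)(\d*)', piece).groups()
        parts.append((int(num) if num else 0, tag, int(num2) if num2 else 0))
    return parts


@dataclass
class Entry:
    plugin: str
    vulnerability: str = ''
    patched: str = 'n/a'
    action: str = ''

    def fixed_versions(self):
        """Every version the entry names as fixed, taken from both the Patched Version
        field and the action text (the action may list one version per release branch)."""
        found = set(VERSION_RE.findall(self.patched)) | set(VERSION_RE.findall(self.action))
        return sorted(found, key=version_key)


def parse_report(text):
    """Split the report into Entry objects; a 'Plugin:' line starts a new entry.
    Splitting on the first colon keeps plugin names that themselves contain colons."""
    entries, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(':')
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == 'Plugin':
            if current:
                entries.append(current)
            current = Entry(plugin=value)
        elif current is None:
            continue
        elif key == 'Vulnerability':
            # A bare version number here means the name was lost; flag it rather than
            # letting a finding be labelled with a version string.
            if re.fullmatch(r'\d+(?:\.\d+)+', value):
                value = f'(unnamed in report; field reads {value})'
            current.vulnerability = value
        elif key == 'Patched Version':
            current.patched = value
        elif key == 'Recommended Action':
            current.action = value
    if current:
        entries.append(current)
    return entries


def triage(entries, installed):
    """installed maps plugin name -> installed version. Returns one finding per
    matching entry as (plugin, vulnerability, status, floor). Status is NO_PATCH,
    UPDATE (installed version below the lowest fixed version) or OK. The report
    carries no affected ranges, so this is a floor check, not a range check."""
    findings = []
    for e in entries:
        have = installed.get(e.plugin)
        if have is None:
            continue
        fixed = e.fixed_versions()
        if e.patched.strip().lower() == 'n/a' or not fixed:
            findings.append((e.plugin, e.vulnerability, 'NO_PATCH', None))
            continue
        floor = fixed[0]
        status = 'OK' if version_key(have) >= version_key(floor) else 'UPDATE'
        findings.append((e.plugin, e.vulnerability, status, floor))
    return findings


def triage_sample(installed):
    """Convenience wrapper: run the triage against the embedded sample report."""
    return triage(parse_report(SAMPLE_REPORT), installed)


if __name__ == '__main__':
    # Constructed inventory (plugin name -> installed version).
    inventory = {
        'GiveWP – Donation Plugin and Fundraising Platform': '3.14.1',
        'Woo Inquiry': '1.0',
        'Order Tracking – WordPress Status Tracking Plugin': '3.3.12',
        'Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder': '2.13.10',
    }
    for plugin, vuln, status, floor in triage_sample(inventory):
        print(f'{status:8} {plugin[:40]:40} {vuln[:50]:50} fix>={floor}')
```

Because the floor check cannot see affected ranges, an installed version that is above the lowest fixed version but on a different, unpatched branch would be reported OK; where an entry lists one fix per branch, compare against the fix for your branch by hand. NO_PATCH findings map directly to the report's "no known patch available" advice: review the vulnerability's details and decide whether to mitigate or remove the plugin.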