Plugin: Front End Users
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.29
Recommended Action: Update to version 3.2.29, or a newer patched version
Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking
Vulnerability: Cross-Site Request Forgery in Multiple Functions
Patched Version: 2.11.21
Recommended Action: Update to version 2.11.21, or a newer patched version
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Sensitive Information Exposure via Imported Subscribers CSV File
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 3.16.0
Recommended Action: Update to version 3.16.0, or a newer patched version
Plugin: FunnelKit Funnel Builder Pro
Vulnerability:
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version
Plugin: The Events Calendar Pro
Vulnerability: Authenticated (Administrator+) PHP Object Injection to Remote Code Execution
Patched Version: 7.0.2.1
Recommended Action: Update to version 7.0.2.1, or a newer patched version
Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 5.7.1
Recommended Action: Update to version 5.7.1, or a newer patched version
Plugin: Premium Portfolio Features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Media Deletion
Patched Version: 3.7.4.1
Recommended Action: Update to version 3.7.4.1, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 1.13.7
Recommended Action: Update to version 1.13.7, or a newer patched version
Plugin: Memberpress
Vulnerability: Reflected Cross-Site Scripting via mepr_screenname and mepr_key Parameters
Patched Version: 1.11.30
Recommended Action: Update to version 1.11.30, or a newer patched version
Plugin: WP Booking Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 10.5.1
Recommended Action: Update to version 10.5.1, or a newer patched version
Plugin: Theme Editor
Vulnerability: Authenticated (Admin+) PHAR Deserialization
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version
Plugin: Tutor LMS Pro
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HubSpot Meeting Widget
Patched Version: 11.1.34
Recommended Action: Update to version 11.1.34, or a newer patched version
Plugin: WP To Do
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Task Comments
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clean Login
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.14.6
Recommended Action: Update to version 1.14.6, or a newer patched version
Plugin: Premium SEO Pack – WP SEO Plugin
Vulnerability: Unauthenticated Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Media Library Folders
Vulnerability: Authenticated (Subscriber+) Second-Order SQL Injection
Patched Version: 8.2.3
Recommended Action: Update to version 8.2.3, or a newer patched version
Plugin: WP Accessibility Helper (WAH)
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Settings Update
Patched Version: 0.6.2.9
Recommended Action: Update to version 0.6.2.9, or a newer patched version
Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Vulnerability: Authenticated (Contributor+) Information Disclosure
Patched Version: 7.7.12
Recommended Action: Update to version 7.7.12, or a newer patched version
Plugin: Front End Users
Vulnerability: Authenticated (Contributor+) Time-Based SQL Injection
Patched Version: 3.2.29
Recommended Action: Update to version 3.2.29, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id and eae_slider_animation Parameters
Patched Version: 1.13.6
Recommended Action: Update to version 1.13.6, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via type Parameter
Patched Version: 2.8.3.6
Recommended Action: Update to version 2.8.3.6, or a newer patched version
Plugin: Media Library Folders
Vulnerability: Missing Authorization on Various Functions
Patched Version: 8.2.4
Recommended Action: Update to version 8.2.4, or a newer patched version