Plugin: WP Builder
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GDPR-Extensions-com – Consent Manager
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Order Attachments for WooCommerce
Vulnerability: 2.4.1
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: User registration & user profile – UserPlus
Vulnerability: Authenticated (Editor+) Registration Form Update to Privilege Escalation
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Maximum Products per User for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.9
Recommended Action: Update to version 4.2.9, or a newer patched version
Plugin: QA Analytics – Web Analytics Tool with Heatmaps & Session Replay Across All Pages
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via youzify_media Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Increase upload file size & Maximum Execution Time limit
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Category Icon
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Stackable – Page Builder Gutenberg Blocks
Vulnerability: Unauthenticated CSS Injection
Patched Version: 3.13.7
Recommended Action: Update to version 3.13.7, or a newer patched version
Plugin: ImagePress – Image Gallery
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: User registration & user profile – UserPlus
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Comments Import & Export
Vulnerability: Authenticated (Author+) Arbitrary File Read via Directory Traversal
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version
Plugin: ImagePress – Image Gallery
Vulnerability: Image Gallery <= 1.2.2
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via content_template
Patched Version: 5.6.12
Recommended Action: Update to version 5.6.12, or a newer patched version
Plugin: Embed videos and respect privacy
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: WP Users Masquerade
Vulnerability: Authentication Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Read more By Adam
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Read More Button Deletion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Marketing and SEO Booster
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forms for Mailchimp by Optin Cat – Grow Your MailChimp List
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Form Color Parameters
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress File Upload
Vulnerability: Unauthenticated Path Traversal to Arbitrary File Read and Deletion in wfu_file_downloader.php
Patched Version: 4.24.12
Recommended Action: Update to version 4.24.12, or a newer patched version
Plugin: BlockMeister – Block Pattern Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version
Plugin: Elementor Inline SVG
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Helper Premium
Vulnerability: Missing Authorization in whp_smtp_send_mail_test
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Sharing (by Danny)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: ImagePress – Image Gallery
Vulnerability: Image Gallery <= 1.2.2
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Products, Order & Customers Export for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Pedalo Connector
Vulnerability: Authentication Bypass to Administrator
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PowerPress Podcasting plugin by Blubrry
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via skipto Shortcode
Patched Version: 11.9.19
Recommended Action: Update to version 11.9.19, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via WL: FAQ Widget Elementor Template
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version
Plugin: Easy PayPal Gift Certificate
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via wpppgc_plugin_options
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via table_saved_sections
Patched Version: 1.13.9
Recommended Action: Update to version 1.13.9, or a newer patched version
Plugin: Mynx Page Builder
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shortcodes AnyWhere
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tainacan
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.21.11
Recommended Action: Update to version 0.21.11, or a newer patched version
Plugin: Rescue Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version
Plugin: Curator.io: Show all your social media posts in a beautiful feed.
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via feed_id Attribute
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bridge Core
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Demo Import
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.15
Recommended Action: Update to version 3.5.15, or a newer patched version
Plugin: Hunk Companion
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version
Plugin: 2D Tag Cloud
Vulnerability: Reflected Cross-Site Scripting via add_query_arg Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bot for Telegram on WooCommerce
Vulnerability: Authenticated (Subscriber+) Telegram Bot Token Disclosure to Authentication Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: Authenticated (Administrator+) Improper Input Validation via iconUpload Function to Arbitrary File Read
Patched Version: 2.15.3
Recommended Action: Update to version 2.15.3, or a newer patched version
Plugin: Notification for Telegram
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Send Telegram Test Message
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: Linkz.ai – Automatic link previews on hover
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update via AJAX
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Linkz.ai – Automatic link previews on hover
Vulnerability: Missing Authorization to Unauthenticated Plugin Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Social Share Buttons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Download Plugins and Themes in ZIP from Dashboard
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version
Plugin: TS Poll – Survey, Versus Poll, Image Poll, Video Poll
Vulnerability: Authenticated (Administrator+) SQL Injection via orderby Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version
Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.88
Recommended Action: Update to version 3.1.88, or a newer patched version
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Missing Authorization to Arbitrary (Subscriber+) Attachment Deletion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: User registration & user profile – UserPlus
Vulnerability: Missing Authorization via Multiple Functions
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Language Switcher
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version
Plugin: WP Ultimate Post Grid
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpupg-grid-with-filters Shortcode
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: Advanced Blocks Pro
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FULL – Cliente
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.23
Recommended Action: Update to version 3.1.23, or a newer patched version
Plugin: TablePress – Tables in WordPress made easy
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version