Watch Out Wednesday – October 23, 2024

Plugin: Transients Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Miniorange OTP Verification with Firebase

Vulnerability: Authentication Bypass
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Photo Gallery Slideshow & Masonry Tiled Gallery

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: WP REST API FNS Plugin

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TeploBot – Telegram Bot for WP

Vulnerability: Telegram Bot for WP <= 1.3
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Qi Addons For Elementor

Vulnerability: Sensitive Information Exposure
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

Vulnerability: Missing Authorization
Patched Version: 4.23.13
Recommended Action: Update to version 4.23.13, or a newer patched version

Plugin: Simple User Registration

Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Customizer Light

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Easy Post Types

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Suki Sites Import

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EventON Pro

Vulnerability: WordPress Virtual Event Calendar Plugin <= 4.6.8
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version

Plugin: Time Clock Pro

Vulnerability: Unauthenticated (Limited) Remote Code Execution
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: WP REST API FNS Plugin

Vulnerability: Privilege Escalation
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Members Membership Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.9.6
Recommended Action: Update to version 3.4.9.6, or a newer patched version

Plugin: Category and Taxonomy Meta Fields

Vulnerability: Cross-Site Request Forgery to Taxonomy Meta Add/Delete
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Share With Floating Bar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Property Lot Management System

Vulnerability: Authenticated (Salesman+) Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fonto – Custom Web Fonts Manager

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Edit WooCommerce Templates

Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Photo Album Plus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.8.07.004
Recommended Action: Update to version 8.8.07.004, or a newer patched version

Plugin: Category and Taxonomy Meta Fields

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Infinite-Scroll

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Community Lite Video Chat

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elemenda

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Nice Backgrounds

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GetResponse Forms by Optin Cat

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sovratec Case Management

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Category and Taxonomy Image

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Parallax Image

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via dd-parallax Shortcode
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Rover IDX

Vulnerability: Authenticated (Subscriber+) Authentication Bypass to Administrator
Patched Version: 3.0.0.2906
Recommended Action: Update to version 3.0.0.2906, or a newer patched version

Plugin: ProfilePress Pro

Vulnerability: Pro <= 4.11.1
Patched Version: 4.11.2
Recommended Action: Update to version 4.11.2, or a newer patched version

Plugin: DPD Baltic Shipping

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: photokit

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Affiliator

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Back Link Tracker

Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SendPulse Free Web Push

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin

Vulnerability: Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover
Patched Version: 1.0.26
Recommended Action: Update to version 1.0.26, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Cross-Site Request Forgery to Draft Custom Form Creation
Patched Version: 1.36.0
Recommended Action: Update to version 1.36.0, or a newer patched version

Plugin: The Ultimate WordPress Toolkit – WP Extended

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.10
Recommended Action: Update to version 3.0.10, or a newer patched version

Plugin: Branding

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Anchor Episodes Index (Spotify for Podcasters)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via anchor_episodes Shortcode
Patched Version: 2.1.11
Recommended Action: Update to version 2.1.11, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Cross-Site Request Forgery to Draft Quiz Creation
Patched Version: 1.36.0
Recommended Action: Update to version 1.36.0, or a newer patched version

Plugin: Parcel Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Website Showcase

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ElementInvader Addons for Elementor

Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Miniorange OTP Verification with Firebase

Vulnerability: Unauthenticated Arbitrary User Password Change
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Category and Taxonomy Meta Fields

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bulk images optimizer: Resize, optimize, convert to webp, rename …

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Debrandify · Remove or Replace WordPress Branding

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Giveaway Boost

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Flexmls® IDX Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.14.23
Recommended Action: Update to version 3.14.23, or a newer patched version

Plugin: Photo Gallery Builder

Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Social Share Buttons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.20
Recommended Action: Update to version 1.20, or a newer patched version

Plugin: Click to Chat – WP Support All-in-One Floating Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpsaio_snapchat Shortcode
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: RSS Feed Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via rfw-youtube-videos Shortcode
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: SendGrid for WordPress

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Log Deletion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ReDi Restaurant Reservation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 24.1015
Recommended Action: Update to version 24.1015, or a newer patched version

Plugin: WP Dropbox Dropins

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woostagram Connect

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Subscriber+) Private Post Disclosure
Patched Version: 1.3.987
Recommended Action: Update to version 1.3.987, or a newer patched version

Plugin: All-in-One WP Migration and Backup

Vulnerability: Unauthenticated Information Disclosure via Error Logs
Patched Version: 7.87
Recommended Action: Update to version 7.87, or a newer patched version

Plugin: WooCommerce Order Proposal

Vulnerability: Authenticated (Shop Manager+) Privilege Escalation via Order Proposal
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Rover IDX

Vulnerability: Authenticated (Subscriber+) Missing Authorization via Multiple Functions
Patched Version: 3.0.0.2905
Recommended Action: Update to version 3.0.0.2905, or a newer patched version

Plugin: WP Easy Post Types

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors

Vulnerability: Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version

Plugin: WP Easy Post Types

Vulnerability: Authenticated (Subscriber+) Missing Authorization via Multiple Functions
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: StreamWeasels Twitch Integration

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sw-twitch-embed Shortcode
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version

Plugin: Gantry 4 Framework

Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MAS Companies For WP Job Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Add Widget After Content

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Download Plugin

Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Metadata and Comment Download
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Calculated Fields Form

Vulnerability: HTML Injection
Patched Version: 5.2.46
Recommended Action: Update to version 5.2.46, or a newer patched version

Plugin: افزونه پیامک ووکامرس Persian WooCommerce SMS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.0.3
Recommended Action: Update to version 7.0.3, or a newer patched version

Plugin: Flat UI Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via flatbtn Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Arconix Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.13
Recommended Action: Update to version 2.1.13, or a newer patched version

Plugin: Miniorange OTP Verification with Firebase

Vulnerability: Privilege Escalation via Registration due to Administrator Default User Role Value
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Advanced Category and Custom Taxonomy Image

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ad_tax_image Shortcode
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Endless Posts Navigation

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: Easy Menu Manager | WPZest

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: APA Register Newsletter Form

Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GoogleDrive folder list

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Apa Banner Slider

Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: News Kit Elementor Addons

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Canvas Menu Elementor Template
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version