Plugin: ID-SK Toolkit
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementsKit Elementor addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison Widget
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: Kata Plus – Addons for Elementor – Widgets, Extensions and Templates
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: StreamWeasels Kick Integration
Vulnerability: Blocks and Shortcodes for Embedding Kick Streams <= 1.1.1
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Contact Form 7 – Repeatable Fields
Vulnerability: Repeatable Fields <= 2.0.1
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: WP Awesome Login
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Recipe Maker
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via ‘tooltip’
Patched Version: 9.7.0
Recommended Action: Update to version 9.7.0, or a newer patched version
Plugin: Extra Product Options Builder for WooCommerce
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.2.134
Recommended Action: Update to version 1.2.134, or a newer patched version
Plugin: Masteriyo LMS – eLearning and Online Course Builder for WordPress
Vulnerability: Authenticated (Student+) Missing Authorization to Privilege Escalation
Patched Version: 1.13.4
Recommended Action: Update to version 1.13.4, or a newer patched version
Plugin: App Builder – Create Native Android & iOS Apps On The Flight
Vulnerability: Privilege Escalation and Account Takeover via Weak OTP
Patched Version: 5.3.8
Recommended Action: Update to version 5.3.8, or a newer patched version
Plugin: WPC Smart Messages for WooCommerce
Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version
Plugin: File Upload Types by WPForms
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Transaction Log
Patched Version: 4.0.4.8
Recommended Action: Update to version 4.0.4.8, or a newer patched version
Plugin: WP show more
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via show_more Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Widget or Sidebar Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image Map Pro – Drag-and-drop Builder for Interactive Images
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.0.21
Recommended Action: Update to version 6.0.21, or a newer patched version
Plugin: League of Legends Shortcodes
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: T(-) Countdown
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Uix Shortcodes – Compatible with Gutenberg
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: School Management System – WPSchoolPress
Vulnerability: Insecure Direct Object Reference to Authenticated (Teacher+) Account Takeover/Privilege Escalation
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: StreamWeasels YouTube Integration
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sw-youtube-embed Shortcode
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Code Explorer
Vulnerability: Authenticated (Admin+) External File Reading
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BuddyPress
Vulnerability: Authenticated (Subscriber+) Directory Traversal
Patched Version: 14.2.1
Recommended Action: Update to version 14.2.1, or a newer patched version
Plugin: League of Legends Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wux Blog Editor
Vulnerability: Authentication Bypass to Administrator
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPC Smart Messages for WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Message Activation/Deactivation
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version
Plugin: Beek Widget Extention
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate TinyMCE
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WatchTowerHQ
Vulnerability: Authentication Bypass to Administrator due to Missing Empty Value Check
Patched Version: 3.10.4
Recommended Action: Update to version 3.10.4, or a newer patched version
Plugin: Bamazoo – Button Generator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via dgs Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Masteriyo LMS – eLearning and Online Course Builder for WordPress
Vulnerability: Authenticated (Student+) Stored Cross-Site Scripting via Ask a Question Functionality
Patched Version: 1.13.4
Recommended Action: Update to version 1.13.4, or a newer patched version
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Missing Authorization to Forged Vendor Profile Deletion Email Sending
Patched Version: 4.2.5
Recommended Action: Update to version 4.2.5, or a newer patched version
Plugin: WP-Members Membership Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpmem_loginout Shortcode
Patched Version: 3.4.9.6
Recommended Action: Update to version 3.4.9.6, or a newer patched version
Plugin: WordPress Post Grid Layouts with Pagination – Sogrid
Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PriPre
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 4.0.1.7
Recommended Action: Update to version 4.0.1.7, or a newer patched version
Plugin: WooCommerce UPS Shipping – Live Rates and Access Points
Vulnerability: Missing Authorization to Plugin API key reset
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: AMP for WP – Accelerated Mobile Pages
Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 1.0.99.2
Recommended Action: Update to version 1.0.99.2, or a newer patched version
Plugin: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.42
Recommended Action: Update to version 2.3.42, or a newer patched version
Plugin: WP Crowdfunding
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpcf_donate Shortcode
Patched Version: 2.1.12
Recommended Action: Update to version 2.1.12, or a newer patched version
Plugin: Simple News
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via news Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce
Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Post Publication
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version
Plugin: Crypto Tool
Vulnerability: Authentication Bypass via register
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image Map Pro – Drag-and-drop Builder for Interactive Images
Vulnerability: Missing Authorization to Authenticated (Contributor+) Map Project Add/Update/Delete
Patched Version: 6.0.21
Recommended Action: Update to version 6.0.21, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Button Widget
Patched Version: 2.8.4.3
Recommended Action: Update to version 2.8.4.3, or a newer patched version
Plugin: Shoutcast Icecast HTML5 Radio Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: affiliate-toolkit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via atkp_product Shortcode
Patched Version: 3.6.6
Recommended Action: Update to version 3.6.6, or a newer patched version
Plugin: User Toolkit
Vulnerability: Authenticated (Subscriber+) Authentication Bypass
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Awesome buttons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via btn2 Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forms for Mailchimp by Optin Cat – Grow Your MailChimp List
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPS Telegram Chat
Vulnerability: Missing Authorization to Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Editorial Assistant by Sovrn
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Attachment Upload and Set Post Featured Image
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Vulnerability: Authenticated (Administrator+) SQL Injection via Order_by Parameter
Patched Version: 5.4.7
Recommended Action: Update to version 5.4.7, or a newer patched version
Plugin: SEUR Oficial
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version
Plugin: Post Status Notifier
Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: 1.11.7
Recommended Action: Update to version 1.11.7, or a newer patched version
Plugin: Newsletters
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via newsletters_video Shortcode
Patched Version: 4.9.9.5
Recommended Action: Update to version 4.9.9.5, or a newer patched version
Plugin: Arconix Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via box Shortcode
Patched Version: 2.1.14
Recommended Action: Update to version 2.1.14, or a newer patched version
Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Poll Settings
Patched Version: 5.4.7
Recommended Action: Update to version 5.4.7, or a newer patched version
Plugin: Editor Custom Color Palette
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wp Social Login and Register Social Counter
Vulnerability: Authentication Bypass
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: Subscribe to Comments
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Comments – wpDiscuz
Vulnerability: Authentication Bypass
Patched Version: 7.6.25
Recommended Action: Update to version 7.6.25, or a newer patched version
Plugin: Mapster WP Maps
Vulnerability: Incorrect Authorization to Authenticated (Contributor+) Arbitrary Options Update
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Cross-Site Request Forgery to Vendor Updates
Patched Version: 4.2.5
Recommended Action: Update to version 4.2.5, or a newer patched version
Plugin: Compact WP Audio Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sc_embed_player Shortcode
Patched Version: 1.9.14
Recommended Action: Update to version 1.9.14, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.0.4.8
Recommended Action: Update to version 4.0.4.8, or a newer patched version
Plugin: 10Web Social Post Feed
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Missing Authorization to Authenticated (Contributor+) Form Update and Creation
Patched Version: 1.36.0
Recommended Action: Update to version 1.36.0, or a newer patched version
Plugin: Order Notification for Telegram
Vulnerability: Missing Authorization to Unauthenticated Send Telegram Test Message
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wux Blog Editor
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Monkee-Boy Essentials
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Video Box Widget
Patched Version: 4.10.61
Recommended Action: Update to version 4.10.61, or a newer patched version
Plugin: WPS Telegram Chat
Vulnerability: Authenticated (Subscriber+) Unauthorized Access to Telegram Bot API
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SMS Alert Order Notifications – WooCommerce
Vulnerability: WooCommerce <= 3.7.5
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version
Plugin: Extensions by HocWP Team
Vulnerability: Authentication Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Baidu Map
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Crypto Tool
Vulnerability: Cross-Site Request Forgery to Authentication Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All-in-One WP Migration and Backup
Vulnerability: Authenticated (Administrator+) Arbitrary PHP Code Injection
Patched Version: 7.87
Recommended Action: Update to version 7.87, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version
Plugin: Clever Addons for Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Crypto Tool
Vulnerability: Authentication Bypass via log_in
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FormFacade – WordPress plugin for Google Forms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Move Addons for Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: Enable Shortcodes inside Widgets,Comments and Experts
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Download Monitor
Vulnerability: Missing Authorization to API Key Manipulation
Patched Version: 5.0.13
Recommended Action: Update to version 5.0.13, or a newer patched version
Plugin: Contact Form 7 + Telegram
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Subscription Approve/Pause/Refuse
Patched Version: 0.8.6
Recommended Action: Update to version 0.8.6, or a newer patched version
Plugin: FileOrganizer – Manage WordPress and Website Files
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Terms descriptions
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version