Watch Out Wednesday – November 6, 2024

Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Custom Gallery Widget
Patched Version: 5.10.2
Recommended Action: Update to version 5.10.2, or a newer patched version

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.1.17
Recommended Action: Update to version 1.1.17, or a newer patched version

Plugin: SIP Reviews Shortcode for WooCommerce

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy SVG Upload

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Get Quote For Woocommerce – Request A Quote For Woocommerce

Vulnerability: Missing Authorization to Unauthenticated Quote PDF and CSV Download
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ReCaptcha Integration for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Multiple Page Generator Plugin – MPG

Vulnerability: Missing Authorization
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Age Gate
Patched Version: 5.10.2
Recommended Action: Update to version 5.10.2, or a newer patched version

Plugin: Shortcodes Blocks Creator Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
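Three entries in this digest (Gift Cards, Easy SVG Upload, Otter Blocks) describe the same pattern: an Author-level account uploads an SVG that carries script, and it runs in the browser of whoever opens the file. For the two plugins with no patch, the practical check is to find SVGs already in the uploads directory that contain active content. The scanner below is an added example written for this page; it is not code from Wordfence or from any of the listed plugins. It is plain Python with no dependencies so it can be run on the web host directly; the `wp-content/uploads` default path and the sample SVGs are assumptions and constructed test data, not real uploads.

```python
"""Flag SVG files that carry active content (script elements, event-handler
attributes, javascript:/data: URIs, embedded HTML) so they can be reviewed
or quarantined.

Added example, not part of the advisory or of any listed plugin. The
wp-content/uploads path is the WordPress default and is an assumption.
"""
import gzip
import os
import re
import sys
import xml.etree.ElementTree as ET

# Elements that execute script or embed arbitrary HTML inside an SVG.
DANGEROUS_ELEMENTS = {"script", "foreignobject"}
# URI schemes that execute code or smuggle a second document when used in
# href/xlink:href or in SMIL <set>/<animate> target values.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")

_WS = re.compile(r"[\s\x00-\x1f]+")


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1].lower()


def _risky_uri(value: str) -> bool:
    # Browsers ignore whitespace and control characters inside a URL scheme,
    # so "java\tscript:" must be matched as "javascript:".
    compact = _WS.sub("", value).lower()
    return compact.startswith(DANGEROUS_SCHEMES)


def scan_svg(data: bytes) -> list:
    """Return (kind, element, detail) findings for one SVG document.

    The file is parsed rather than regex-searched so entity-encoded payloads
    such as &#106;avascript: are seen the way a browser sees them. xml.etree
    is the stdlib parser; for untrusted input in production prefer defusedxml,
    which this dependency-free example does not use.
    """
    if data[:2] == b"\x1f\x8b":          # .svgz is just gzip-compressed SVG
        data = gzip.decompress(data)
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Browsers refuse malformed XML, but an unparseable upload still
        # deserves a human look rather than a silent pass.
        return [("parse-error", None, str(exc))]

    findings = []
    for elem in root.iter():
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag in DANGEROUS_ELEMENTS:
            findings.append(("element", tag, (elem.text or "").strip()[:80]))
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):                      # onload, onclick, ...
                findings.append(("event-handler", tag, f"{name}={value[:80]}"))
            elif _risky_uri(value):
                findings.append(("risky-uri", tag, f"{name}={value[:80]}"))
    return findings


def is_active_svg(data: bytes) -> bool:
    """True when the SVG should not be served inline without review."""
    return bool(scan_svg(data))


def scan_directory(root_dir: str) -> dict:
    """Walk root_dir and return {path: findings} for every flagged .svg/.svgz."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if not fname.lower().endswith((".svg", ".svgz")):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                hits = scan_svg(fh.read())
            if hits:
                flagged[path] = hits
    return flagged


# Constructed samples for demonstration; not taken from any real upload.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="#09f"/></svg>')
MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                 b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                 b'<script>alert(document.cookie)</script>'
                 b'<circle r="4" onload="fetch(\'/wp-admin/\')"/>'
                 b'<a xlink:href="&#106;ava\tscript:alert(1)"><text>x</text></a>'
                 b'</svg>')

if __name__ == "__main__":
    # Assumed default WordPress upload directory; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    for path, hits in scan_directory(target).items():
        for kind, tag, detail in hits:
            print(f"{path}: {kind} in <{tag}>: {detail}")
```

Run it from the WordPress root (or pass the uploads path) and review every hit before deleting; legitimate icon sets occasionally use `<style>` but have no reason to carry `<script>`, `on*` handlers or `javascript:` links. Scanning only finds what is already there: until the unpatched plugins are removed, also stop accepting SVG from Author-level accounts, or serve the uploads directory with `Content-Disposition: attachment` so a stored SVG is downloaded rather than rendered in the site's origin.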

Plugin: BBP Core – Expand bbPress powered forums with useful features

Vulnerability: Reflected Cross-Site Scripting via add_query_arg Parameter
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Woo Manage Fraud Orders

Vulnerability: Unauthenticated Information Exposure via Log Files
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SIP Reviews Shortcode for WooCommerce

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Group Chat & Video Chat by AtomChat

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via atomchat Shortcode
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: AI Power: Complete AI Pack

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.8.90
Recommended Action: Update to version 1.8.90, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Widget
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: WP Simple Anchors Links

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpanchor Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPGlobus Translate Options

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Insecure Direct Object Reference to Submission Manipulation
Patched Version: 1.36.1
Recommended Action: Update to version 1.36.1, or a newer patched version