Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. Addressing these vulnerabilities promptly, by updating to the patched version or removing a plugin that has no patch, reduces the risk to your WordPress site and its data.
Plugin: Shariff Wrapper
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6.11
Recommended Action: Update to version 4.6.11, or a newer patched version
Plugin: Orbit Fox by ThemeIsle
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Registration Form Widget
Patched Version: 2.10.33
Recommended Action: Update to version 2.10.33, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Cross-Site Request Forgery to Plugin Deactivation and Data Erase
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: Video Conferencing with Zoom
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Archive Title Widget
Patched Version: 3.10.4
Recommended Action: Update to version 3.10.4, or a newer patched version
Plugin: Themify – WooCommerce Product Filter
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: Auto Affiliate Links
Vulnerability: Missing Authorization via aalAddLink
Patched Version: 6.4.3.1
Recommended Action: Update to version 6.4.3.1, or a newer patched version
Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Rubix Widget
Patched Version: 3.13.4
Recommended Action: Update to version 3.13.4, or a newer patched version
Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
Vulnerability: Cross-Site Request Forgery via ladiflow_save_hook()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smart App Banner
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Vulnerability: Cross-Site Request Forgery to Plugin Data Reset
Patched Version: 1.6.6.24
Recommended Action: Update to version 1.6.6.24, or a newer patched version
Plugin: HT Easy GA4 – Google Analytics WordPress Plugin
Vulnerability: Missing Authorization to Unauthenticated GA4 Email Update
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Pz-LinkCard
Vulnerability: Server-Side Request Forgery
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Event Calendar
Patched Version: 5.9.10
Recommended Action: Update to version 5.9.10, or a newer patched version
Plugin: Colibri Page Builder
Vulnerability: Missing Authorization
Patched Version: 1.0.263
Recommended Action: Update to version 1.0.263, or a newer patched version
Plugin: Wallet for WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Email Export
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version
Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Vulnerability: Missing Authorization
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
Vulnerability: Cross-Site Request Forgery via init_endpoint
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stock Quotes List
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.9.12
Recommended Action: Update to version 2.9.12, or a newer patched version
Plugin: CBX Map for Google Map & OpenStreetMap
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.12
Recommended Action: Update to version 1.1.12, or a newer patched version
Plugin: WP Go Maps (formerly WP Google Maps)
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.0.33
Recommended Action: Update to version 9.0.33, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Link Wrapper
Patched Version: 4.0.18
Recommended Action: Update to version 4.0.18, or a newer patched version
Plugin: Premium Addons Pro for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Premium Magic Scroll Module
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version
Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.5.5
Recommended Action: Update to version 6.5.5, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Basic Information Exposure via REST route
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version
Plugin: Themify – WooCommerce Product Filter
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: WPKoi Templates for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Heading Widget
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version
Plugin: Premium Addons Pro for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Global Badge Module
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Missing Authorization to Arbitrary Post Overwrite
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: Mollie Forms
Vulnerability: Missing Authorization
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: WooCommerce Add to Cart Custom Redirect
Vulnerability: Authenticated (Contributor+) Missing Authorization to Limited Arbitrary Options Update
Patched Version: 1.2.14
Recommended Action: Update to version 1.2.14, or a newer patched version
Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Vulnerability: Missing Authorization to Unauthenticated Media Deletion
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.15.3
Recommended Action: Update to version 4.15.3, or a newer patched version
Plugin: Mollie Forms
Vulnerability: Missing Authorization to Arbitrary Post Duplication
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: Backup Bolt
Vulnerability: Sensitive Information Exposure
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
Vulnerability: Missing Authorization via ladiflow_save_hook()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Wistia Block
Patched Version: 3.9.11
Recommended Action: Update to version 3.9.11, or a newer patched version
Plugin: Premium Addons Pro for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Link
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version
Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon
Vulnerability: Missing Authorization via atkp_import_product
Patched Version: 3.5.5
Recommended Action: Update to version 3.5.5, or a newer patched version
Plugin: Mang Board WP
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version
Plugin: PDF Invoices and Packing Slips For WooCommerce
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Database for CF7
Vulnerability: Missing Authorization via wpcf7db_delete AJAX action
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Bulgarisation for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.15
Recommended Action: Update to version 3.0.15, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.1.8
Recommended Action: Update to version 7.1.8, or a newer patched version
Plugin: WP Lightbox 2
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 3.0.6.6
Recommended Action: Update to version 3.0.6.6, or a newer patched version
Plugin: SMTP Mail
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.21
Recommended Action: Update to version 1.3.21, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via EmbedPress PDF Widget
Patched Version: 3.9.11
Recommended Action: Update to version 3.9.11, or a newer patched version
Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile
Vulnerability: Unauthenticated Stored Self-Based Cross-Site Scripting
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version
Plugin: WP-Members Membership Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.4.9.2
Recommended Action: Update to version 3.4.9.2, or a newer patched version
Plugin: Simple Restrict
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: WP Go Maps (formerly WP Google Maps)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.0.33
Recommended Action: Update to version 9.0.33, or a newer patched version
Plugin: Grid Plus – Unlimited grid layout
Vulnerability: Reflected Cross-Site Scripting via grid_id
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Vulnerability: Missing Authorization to Unauthenticated Media Upload
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
Vulnerability: Missing Authorization on publish_lp()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Premium Addons Pro for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Messenger Chat Widget
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version
Plugin: Responsive Pricing Table
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 5.1.11
Recommended Action: Update to version 5.1.11, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Unauthenticated Booking Payment Bypass
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: Newsletter2Go
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via style
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Otter Blocks PRO – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Vulnerability: Unauthenticated Stored Cross-Site Scripting via SVG Upload
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: f(x) Private Site
Vulnerability: Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Password Protected Store for WooCommerce
Vulnerability: Information Exposure via REST API
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Page Builder Gutenberg Blocks – CoBlocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version
Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Mercury Widget
Patched Version: 3.13.3
Recommended Action: Update to version 3.13.3, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Data Table
Patched Version: 5.9.10
Recommended Action: Update to version 5.9.10, or a newer patched version
Plugin: Site Reviews
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via display name
Patched Version: 6.11.7
Recommended Action: Update to version 6.11.7, or a newer patched version
Plugin: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.25
Recommended Action: Update to version 1.6.25, or a newer patched version
Plugin: Premium Addons Pro for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Mouse Cursor Module
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: Digits: WordPress Mobile Number Signup and Login
Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 8.4.2
Recommended Action: Update to version 8.4.2, or a newer patched version
Plugin: Shariff Wrapper
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6.10
Recommended Action: Update to version 4.6.10, or a newer patched version
Plugin: WP Chat App
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Logo Widget
Patched Version: 1.3.92
Recommended Action: Update to version 1.3.92, or a newer patched version
Plugin: Easy Accordion – Responsive Accordion FAQ Builder and Product FAQ
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via titleTag
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: Otter Blocks PRO – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via File Field CSS
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version
Plugin: SoundCloud Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: Pz-LinkCard
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Carousel Widget
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
Plugin: Themify – WooCommerce Product Filter
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: CBX Map for Google Map & OpenStreetMap
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.1.12
Recommended Action: Update to version 1.1.12, or a newer patched version
Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.5.5
Recommended Action: Update to version 6.5.5, or a newer patched version
Plugin: Hubbub Lite – Fast, Reliable Social Sharing Buttons
Vulnerability: Unauthenticated Information Exposure
Patched Version: 1.33.1
Recommended Action: Update to version 1.33.1, or a newer patched version
Plugin: News Announcement Scroll
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 9.1.0
Recommended Action: Update to version 9.1.0, or a newer patched version
Plugin: JM Twitter Cards
Vulnerability: Information Exposure via Meta Description
Patched Version: 14.1.0
Recommended Action: Update to version 14.1.0, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Author Meta Widget
Patched Version: 3.10.4
Recommended Action: Update to version 3.10.4, or a newer patched version
Plugin: Team Circle Image Slider With Lightbox
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: LogDash Activity Log
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.5.5
Recommended Action: Update to version 6.5.5, or a newer patched version
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Header/Footer code
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Fiestar Widget
Patched Version: 3.13.2
Recommended Action: Update to version 3.13.2, or a newer patched version
Plugin: Social Sharing Plugin – Sassy Social Share
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.59
Recommended Action: Update to version 3.3.59, or a newer patched version
Plugin: Bulgarisation for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 3.0.15
Recommended Action: Update to version 3.0.15, or a newer patched version
Plugin: Add to Cart Text Changer and Customize Button, Add Custom Icon
Vulnerability: Cross-Site Request Forgery via wactc_text_form
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Database for Contact Form 7, WPforms, Elementor forms
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version
Plugin: Booster Elite for WooCommerce
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 7.1.8
Recommended Action: Update to version 7.1.8, or a newer patched version
Plugin: Shariff Wrapper
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.6.10
Recommended Action: Update to version 4.6.10, or a newer patched version
Plugin: Envo's Elementor Templates & Widgets for WooCommerce
Vulnerability: Cross-Site Request Forgery via ajax_plugin_activation
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Header Meta Content Widget
Patched Version: 5.4.1
Recommended Action: Update to version 5.4.1, or a newer patched version
Plugin: Restaurant Reservations
Vulnerability: Directory Traversal to Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Wrapper Link URL
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via heading tag
Patched Version: 2.7.4.5
Recommended Action: Update to version 2.7.4.5, or a newer patched version
Plugin: Anti-Malware Security and Brute-Force Firewall
Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 4.23.56
Recommended Action: Update to version 4.23.56, or a newer patched version
Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
Vulnerability: Missing Authorization via save_config()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CWW Companion
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: MakeStories (for Google Web Stories)
Vulnerability: Cross-Site Request Forgery via ‘ms_set_options’
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: Schema Pro
Vulnerability: Authenticated (Contributor+) Custom Field Access
Patched Version: 2.7.16
Recommended Action: Update to version 2.7.16, or a newer patched version
Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
Vulnerability: Cross-Site Request Forgery via publish_lp()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pz-LinkCard
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version
Plugin: Coming Soon Page & Maintenance Mode
Vulnerability: Maintenance Mode Bypass
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 14.5.1
Recommended Action: Update to version 14.5.1, or a newer patched version
Plugin: Mang Board WP
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version
Plugin: Hustle – Email Marketing, Lead Generation, Optins, Popups
Vulnerability: Sensitive Information Exposure via Exposed Hubspot API Keys
Patched Version: 7.8.4
Recommended Action: Update to version 7.8.4, or a newer patched version
Plugin: 1 click disable all
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon
Vulnerability: Missing Authorization via atkp_create_list
Patched Version: 3.5.5
Recommended Action: Update to version 3.5.5, or a newer patched version
Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
Vulnerability: Cross-Site Request Forgery via save_config()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Bootstrap Elements for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: Premium Addons Pro for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multi Scroll Widget
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version
Plugin: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Referer
Patched Version: 1.6.22
Recommended Action: Update to version 1.6.22, or a newer patched version
Plugin: Visitor Traffic Real Time Statistics
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 7.3
Recommended Action: Update to version 7.3, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: Burst Statistics – Privacy-Friendly Analytics for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via burst_total_pageviews_count
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: Post Grid and Gutenberg Blocks – ComboBlocks
Vulnerability: Information Exposure via get_posts API Endpoint
Patched Version: 2.2.69
Recommended Action: Update to version 2.2.69, or a newer patched version
Plugin: Awesome Support – WordPress HelpDesk & Support Plugin
Vulnerability: Insufficient Authorization via wpas_can_delete_attachments()
Patched Version: 6.1.7
Recommended Action: Update to version 6.1.7, or a newer patched version
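Every "Recommended Action" above reduces to one check: is the installed version older than the patched version, and, when a plugin is listed more than once (Shariff Wrapper appears with 4.6.10 and 4.6.11, Pagelayer with 1.8.0 and 1.8.4), older than the highest patched version listed? The script below is an added example, not part of this post or of any plugin. It assumes the JSON that WP-CLI's `wp plugin list --fields=title,version --format=json` emits (the field names are an assumption), compares versions numerically so that 1.4.10 correctly ranks above 1.4.4, collapses repeated entries to the highest patched version, and flags plugins with no patched version for removal. ROUNDUP is a hand-copied subset of the entries above; the sample plugin list at the bottom is constructed, not captured from a real site.

```python
"""Check installed WordPress plugins against the roundup above.

Added example, not part of the original post. It assumes the JSON that
`wp plugin list --fields=title,version --format=json` emits (assumed field
names); the sample output at the bottom is constructed, not captured.
"""
import json
import re

# Hand-copied subset of the roundup: (plugin title, patched version).
# None means the roundup lists no patched version for that plugin.
# A plugin listed more than once keeps every entry on purpose.
ROUNDUP = [
    ("Shariff Wrapper", "4.6.10"),
    ("Shariff Wrapper", "4.6.11"),
    ("Tutor LMS – eLearning and online course solution", "2.6.2"),
    ("Pz-LinkCard", "2.5.3"),
    ("Themify – WooCommerce Product Filter", "1.4.4"),
    ("Page Builder: Pagelayer – Drag and Drop website builder", "1.8.0"),
    ("Page Builder: Pagelayer – Drag and Drop website builder", "1.8.4"),
    ("LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…", None),
    ("Newsletter2Go", None),
]


def parse_version(version):
    """Turn '1.4.10' into (1, 4, 10). Plain string comparison would rank
    '1.4.10' below '1.4.4'; numeric components fix that. Non-numeric
    suffixes such as '-beta' are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_older(installed, patched):
    """True when installed < patched. Missing trailing components count as
    zero so that 1.4 and 1.4.0 compare equal."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def required_versions(roundup):
    """Collapse the roundup to one requirement per plugin: the highest
    patched version listed, or None if any entry has no patch at all
    (an unpatched issue remains even if the other issues were fixed)."""
    required = {}
    for title, patched in roundup:
        key = title.casefold()
        if patched is None:
            required[key] = None
        elif key not in required:
            required[key] = patched
        elif required[key] is not None and is_older(required[key], patched):
            required[key] = patched
    return required


def check_site(plugin_list_json, roundup=ROUNDUP):
    """Return {title: (installed_version, action)} for each installed plugin
    that is still affected. Plugins absent from the roundup are skipped."""
    required = required_versions(roundup)
    findings = {}
    for plugin in json.loads(plugin_list_json):
        key = plugin["title"].casefold()
        if key not in required:
            continue
        patched = required[key]
        if patched is None:
            findings[plugin["title"]] = (
                plugin["version"], "no patched version; consider removing it")
        elif is_older(plugin["version"], patched):
            findings[plugin["title"]] = (
                plugin["version"], f"update to {patched} or newer")
    return findings


# Constructed sample of `wp plugin list` output, not captured from a site.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"title": "Shariff Wrapper", "version": "4.6.10"},
    {"title": "Pz-LinkCard", "version": "2.5.3"},
    {"title": "Themify – WooCommerce Product Filter", "version": "1.4.10"},
    {"title": "Page Builder: Pagelayer – Drag and Drop website builder",
     "version": "1.8.2"},
    {"title": "Newsletter2Go", "version": "4.0.0"},
    {"title": "Some Unlisted Plugin", "version": "1.0"},
])

if __name__ == "__main__":
    for title, (installed, action) in check_site(SAMPLE_PLUGIN_LIST).items():
        print(f"{title}: installed {installed}; {action}")
```

On the sample data this reports Shariff Wrapper (4.6.10, update to 4.6.11), Pagelayer (1.8.2 is above the first listed fix but below the second) and Newsletter2Go (no patch), and stays quiet about Themify at 1.4.10, which a string comparison would have wrongly flagged. Matching on the plugin title is a convenience for this list; if you automate this against a vulnerability feed, key on the plugin slug instead, since titles change between releases.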
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.