Watch Out Wednesday – July 17, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Waitlist Woocommerce ( Back in stock notifier )

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Tabs For WPBakery Page Builder (formerly Visual Composer)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Animated Text Widget
Patched Version: 4.10.37
Recommended Action: Update to version 4.10.37, or a newer patched version

Plugin: Appmaker – Convert WooCommerce to Android & iOS Native Mobile Apps

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘events’ Shortcode
Patched Version: 3.1.44
Recommended Action: Update to version 3.1.44, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 4.7.4
Recommended Action: Update to version 4.7.4, or a newer patched version

Plugin: SKT Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: Bradmax Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.28
Recommended Action: Update to version 1.1.28, or a newer patched version

Plugin: WordPress Multisite Content Copier/Updater

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Search & Replace

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: WooCommerce Customers Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 30.2
Recommended Action: Update to version 30.2, or a newer patched version

Plugin: Ocean Extra

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Branda – White Label & Branding, Custom Login Page Customizer

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 3.4.19
Recommended Action: Update to version 3.4.19, or a newer patched version

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 9.7.8
Recommended Action: Update to version 9.7.8, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Unauthenticated Information Exposure
Patched Version: 3.3.100
Recommended Action: Update to version 3.3.100, or a newer patched version

Plugin: WP Cookie Law Info

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms

Vulnerability: Missing Authorization
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version

Plugin: Goftino

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Arkhe Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.23.0
Recommended Action: Update to version 2.23.0, or a newer patched version

Plugin: WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.2
Recommended Action: Update to version 5.9.2, or a newer patched version

Plugin: Typebot | Create advanced chat experiences without coding

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Caxton – Create Pro page layouts in Gutenberg

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version

Plugin: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

Vulnerability: Missing Authorization
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Elementor Addons, Widgets and Enhancements – Stax

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin

Vulnerability: Missing Authorization to Authenticated (Contributor+) Event Data Import
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: Event post

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 5.9.6
Recommended Action: Update to version 5.9.6, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Authentication Bypass
Patched Version: 4.15.0
Recommended Action: Update to version 4.15.0, or a newer patched version

Plugin: Animated Typed JS Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Wp EMember

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 10.7.0
Recommended Action: Update to version 10.7.0, or a newer patched version

Plugin: ElementInvader Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction

Vulnerability: Information Exposure via Log Files
Patched Version: 2.5.14
Recommended Action: Update to version 2.5.14, or a newer patched version

Plugin: Ultimate Classified Listings

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Team Manager – WordPress Showcase Team Members

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.1.13
Recommended Action: Update to version 2.1.13, or a newer patched version

Plugin: Light Poll

Vulnerability: Cross-Site Request Forgery to Poll Answers Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UX Flat

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: codoc

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.52
Recommended Action: Update to version 0.9.52, or a newer patched version

Plugin: Create by Mediavine

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version

Plugin: EleForms – All In One Form Integration including DB for Elementor

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Feeds for YouTube (YouTube video, channel, and gallery plugin)

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Image Optimizer, Resizer and CDN – Sirv

Vulnerability: Authenticated (Subscriber+) Missing Authorization to Plugin Settings Update
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version

Plugin: WPFavicon

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ExS Widgets

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 0.3.2
Recommended Action: Update to version 0.3.2, or a newer patched version

Plugin: HelloAsso

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: ShopBuilder – Elementor WooCommerce Builder Addons

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.1.13
Recommended Action: Update to version 2.1.13, or a newer patched version

Plugin: Seraphinite Post .DOCX Source

Vulnerability: Missing Authorization
Patched Version: 2.16.10
Recommended Action: Update to version 2.16.10, or a newer patched version

Plugin: FormDeck: Simple Form Builder with WhatsApp Floating Forms

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.12.2
Recommended Action: Update to version 2.12.2, or a newer patched version

Plugin: Comment Reply Email

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.1.14
Recommended Action: Update to version 1.1.14, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Template Part Block
Patched Version: 5.9.10
Recommended Action: Update to one of the following versions, or a newer patched version: 5.9.10, 6.0.9, 6.1.7, 6.2.6, 6.3.5, 6.4.5, 6.5.5

Plugin: Ditty – Responsive News Tickers, Sliders, and Lists

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.45
Recommended Action: Update to version 3.1.45, or a newer patched version

Plugin: WP Links Page

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Image Update
Patched Version: 4.9.6
Recommended Action: Update to version 4.9.6, or a newer patched version

Plugin: Advanced Contact form 7 DB

Vulnerability: Missing Authorization to Unauthenticated Information Disclosure
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Authentication Bypass
Patched Version: 3.11.9
Recommended Action: Update to version 3.11.9, or a newer patched version

Plugin: Ultimate Classified Listings

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation
Patched Version: 5.9.0
Recommended Action: Update to version 5.9.0, or a newer patched version

Plugin: FULL – Cliente

Vulnerability: Unauthenticated Stored Cross-Site Scripting via License Plan Parameter
Patched Version: 3.1.13
Recommended Action: Update to version 3.1.13, or a newer patched version

Plugin: Save as PDF Plugin by Pdfcrowd

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: WooCommerce Report

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.24.8
Recommended Action: Update to version 4.24.8, or a newer patched version

Plugin: WP GoToWebinar

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 15.8
Recommended Action: Update to version 15.8, or a newer patched version

Plugin: Predictive Search for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.1.0
Recommended Action: Update to version 6.1.0, or a newer patched version

Plugin: Easy!Appointments

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion via ‘disconnect’
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Easy Table of Contents

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.0.68
Recommended Action: Update to version 2.0.68, or a newer patched version

Plugin: BSK PDF Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Authenticated (Contributor+) Directory Traversal
Patched Version: 4.24.8
Recommended Action: Update to version 4.24.8, or a newer patched version

Plugin: WP Total Branding – Complete branding solution for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via title Parameter
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: WP To Do

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Master Popups

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gravity Forms: Multiple Form Instances

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.0.8.7
Recommended Action: Update to version 2.0.8.7, or a newer patched version

Plugin: ReDi Restaurant Reservation

Vulnerability: Missing Authorization
Patched Version: 24.0712
Recommended Action: Update to version 24.0712, or a newer patched version

Plugin: WP Scraper

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 5.8.1
Recommended Action: Update to version 5.8.1, or a newer patched version

Plugin: Testimonials Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chatbot for WordPress by Collect.chat ⚡️

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Google Drive Client Secret Exposure
Patched Version: 0.9.92
Recommended Action: Update to version 0.9.92, or a newer patched version

Plugin: ConeBlog – Elementor Blog Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: WANotifier – Send Message Notifications Using Cloud API

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Seraphinite Post .DOCX Source

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 2.16.10
Recommended Action: Update to version 2.16.10, or a newer patched version

Plugin: SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 3.10.9
Recommended Action: Update to version 3.10.9, or a newer patched version

Plugin: Send Users Email – Email Subscribers, Email Marketing Newsletter

Vulnerability: Unauthenticated Information Exposure
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: WP User Switch

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 1.1.42
Recommended Action: Update to version 1.1.42, or a newer patched version

Plugin: MakeStories (for Google Web Stories)

Vulnerability: Authenticated (Subscriber+) Arbitrary File Download and Server-Side Request Forgery
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: Featured Image Generator

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Images Upload
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Metorik – Reports & Email Automation for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: WP Popups – WordPress Popup builder

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 2.2.0.2
Recommended Action: Update to version 2.2.0.2, or a newer patched version

Plugin: BerqWP – Automated All-In-One PageSpeed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: WP Hotel Booking

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Glossary

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 2.2.27
Recommended Action: Update to version 2.2.27, or a newer patched version

Plugin: WP Font Awesome

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Simple Popup Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version

Plugin: Simple Responsive Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HitPay Payment Gateway for WooCommerce

Vulnerability: Information Exposure via Log Files
Patched Version: 4.1.4
Recommended Action: Update to version 4.1.4, or a newer patched version

Plugin: Image Hover Effects – Elementor Addon

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via eihe_link Parameter
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: DirectoryPress – Business Directory And Classified Ad Listing

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 3.6.11
Recommended Action: Update to version 3.6.11, or a newer patched version

Plugin: Team Members

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3.4
Recommended Action: Update to version 5.3.4, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Tutor Instructor+) Stored Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: REVIEWS.io for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Ajax Search Lite – Live Search & Filter

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.12.1
Recommended Action: Update to version 4.12.1, or a newer patched version

Plugin: Image Hover Effects for Elementor with Lightbox and Flipbox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via _id, oxi_addons_f_title_tag, and content_description_tag Parameters
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Swift Performance Lite

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.6.21
Recommended Action: Update to version 2.3.6.21, or a newer patched version

Plugin: AForms — Form Builder for Price Calculator & Cost Estimation

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Product Delivery Date for WooCommerce – Lite

Vulnerability: Missing Authorization
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: MBE eShip

Vulnerability: Information Exposure
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: WP Photo Album Plus

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 8.8.02.003
Recommended Action: Update to version 8.8.02.003, or a newer patched version

Plugin: PowerPress Podcasting plugin by Blubrry

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via media_url Parameter
Patched Version: 11.9.11
Recommended Action: Update to version 11.9.11, or a newer patched version

Plugin: Web and WooCommerce Addons for WPBakery Builder

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: Uncanny Automator Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.0.1
Recommended Action: Update to version 5.3.0.1, or a newer patched version

Plugin: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.42
Recommended Action: Update to version 1.1.42, or a newer patched version

Plugin: Laposta

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Amazing Hover Effects

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Directory Kit

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 6.0.5
Recommended Action: Update to version 6.0.5, or a newer patched version

Plugin: Olive One Click Demo Import

Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Calendar.online / Kalender.digital – Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: AdPush

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Happy WooCommerce FAQs & AI FAQ Generator (Formerly XPlainer)

Vulnerability: WooCommerce Product FAQ <= 1.6.3
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: WP GoToWebinar

Vulnerability: Missing Authorization
Patched Version: 15.7
Recommended Action: Update to version 15.7, or a newer patched version

Plugin: Advanced post slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Import Spreadsheets from Microsoft Excel

Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: 10.1.5
Recommended Action: Update to version 10.1.5, or a newer patched version

Plugin: Make Paths Relative

Vulnerability: Cross-Site Request Forgery via ‘admin/class-make-paths-relative-admin.php’
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Magical Posts Display – Elementor Advanced Posts widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.39
Recommended Action: Update to version 1.2.39, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 5.9.0
Recommended Action: Update to version 5.9.0, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.9.12
Recommended Action: Update to version 4.9.12, or a newer patched version

Plugin: Featured Image from URL (FIFU)

Vulnerability: Missing Authorization
Patched Version: 4.8.3
Recommended Action: Update to version 4.8.3, or a newer patched version

Plugin: Job Board Manager

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.1.59
Recommended Action: Update to version 2.1.59, or a newer patched version

Plugin: Plum: Spin Wheel & Email Pop-up

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SKT Skill Bar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Feed State Update
Patched Version: 4.23.12
Recommended Action: Update to version 4.23.12, or a newer patched version

Plugin: CopySafe Web Protection

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.15
Recommended Action: Update to version 3.15, or a newer patched version

Plugin: WooCommerce Customers Manager

Vulnerability: Cross-Site Request Forgery to Customer Deletion via ‘Delete’
Patched Version: 30.1
Recommended Action: Update to version 30.1, or a newer patched version

Plugin: FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

Plugin: GutSlider – All in One Block Slider for Gutenberg

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: Ultimate Classified Listings

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Fusion Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.2.28
Recommended Action: Update to version 2.2.28, or a newer patched version

Plugin: InstaWP Connect – 1-click WP Staging & Migration

Vulnerability: Authentication Bypass to Admin
Patched Version: 0.1.0.45
Recommended Action: Update to version 0.1.0.45, or a newer patched version

Plugin: Event post

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Classifieds & Directory Pro

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Meks Smart Author Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Get Better Reviews for WooCommerce

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress File Upload

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.24.8
Recommended Action: Update to version 4.24.8, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 4.10.37
Recommended Action: Update to version 4.10.37, or a newer patched version

Plugin: Link Library

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.7.2
Recommended Action: Update to version 7.7.2, or a newer patched version

Plugin: Contact Form 7 To PDF Viewer

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Payflex Payment Gateway

Vulnerability: Missing Authorization to Order Status Update
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: bbPress Notify (No-Spam)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.18.4
Recommended Action: Update to version 2.18.4, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Authenticated (Contributor+) JSON File Directory Traversal
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version

Plugin: Houzez CRM

Vulnerability: Authenticated (Seller+) SQL Injection
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: Form Vibes – Database Manager for Forms

Vulnerability: Authenticated (Subscriber+) SQL Injection via fv_export_data
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version

Plugin: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: ReCaptcha Integration for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Power BI Embedded for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JSON API User

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 3.9.4
Recommended Action: Update to version 3.9.4, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Authenticated (Subscriber+) Privilege Escalation via User Meta Update
Patched Version: 3.3.99
Recommended Action: Update to version 3.3.99, or a newer patched version

Plugin: Church Admin

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version

Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Event Tickets and Registration

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.11.0.5
Recommended Action: Update to version 5.11.0.5, or a newer patched version

Plugin: FileBird Document Library

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

Vulnerability: Missing Authorization via save_block_css
Patched Version: 7.7.5
Recommended Action: Update to version 7.7.5, or a newer patched version

Plugin: Shortcodes Ultimate Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version

Plugin: Easy Bet

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VK All in One Expansion Unit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.99.2.0
Recommended Action: Update to version 9.99.2.0, or a newer patched version

Plugin: Easy Google Adsense and Banner Ads Manager – AdsforWP

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.29
Recommended Action: Update to version 1.9.29, or a newer patched version

Plugin: Plum: Spin Wheel & Email Pop-up

Vulnerability: Missing Authorization to Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Featured Image (Auto Post Thumbnail)

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more

Vulnerability: Exposure of Sensitive Information via the UI
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Simple Social Share

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MBE eShip

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Portfolio Features for Phlox theme

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘Grid Portfolios’
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: WooCommerce – Social Login

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: GD Rating System

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Download Button for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Logo Manager For Enamad

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.7.1
Recommended Action: Update to version 0.7.1, or a newer patched version

Plugin: Dynamic Word Spinner: CSS3 Animated Rotation

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.2.0.4
Recommended Action: Update to version 1.2.0.4, or a newer patched version

Plugin: Post Layouts for Gutenberg

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Backup and Staging by WP Time Capsule

Vulnerability: Authentication Bypass to Account Takeover
Patched Version: 1.22.21
Recommended Action: Update to version 1.22.21, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Missing Authorization to Authenticated (Contributor+) Post Modification
Patched Version: 2.4.45
Recommended Action: Update to version 2.4.45, or a newer patched version

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Missing Authorization to Unauthorized Donation
Patched Version: 1.8.1.8
Recommended Action: Update to version 1.8.1.8, or a newer patched version

Plugin: Meks Video Importer

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Calendar for Google

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Name Parameter
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version

Plugin: Seraphinite Accelerator Pro

Vulnerability: Cross-Site Request Forgery to Arbitrary File Deletion
Patched Version: 2.21.13.1
Recommended Action: Update to version 2.21.13.1, or a newer patched version

Plugin: WP Fast Total Search – The Power of Indexed Search

Vulnerability: Missing Authorization
Patched Version: 1.69.234
Recommended Action: Update to version 1.69.234, or a newer patched version

Plugin: SpiderContacts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Activity Log Pro

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode

Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.0.6.3
Recommended Action: Update to version 2.0.6.3, or a newer patched version

Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sonaar_audioplayer Shortcode
Patched Version: 5.6
Recommended Action: Update to version 5.6, or a newer patched version

Plugin: Ditty – Responsive News Tickers, Sliders, and Lists

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.1.43
Recommended Action: Update to version 3.1.43, or a newer patched version

Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

Vulnerability: Missing Authorization via AJAX
Patched Version: 7.7.5
Recommended Action: Update to version 7.7.5, or a newer patched version

Plugin: CodePen Embedded Pens Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: JetThemeCore for Elementor

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Bookster – WordPress Appointment Booking Plugin

Vulnerability: Unauthenticated Appointment Manipulation
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 3.8.5
Recommended Action: Update to version 3.8.5, or a newer patched version

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: WP Announcement | Dynamic Announcement, Banner, & Countdown Timer for Effective Promotions

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Advanced Contact form 7 DB

Vulnerability: Sensitive Information Exposure
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Admin Dashboard RSS Feed

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Notification Bar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Blocks – Gutenberg Blocks for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.28
Recommended Action: Update to version 2.1.28, or a newer patched version

Plugin: Zoho CRM Lead Magnet

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.8.9
Recommended Action: Update to version 1.7.8.9, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.6.1
Recommended Action: Update to version 8.6.1, or a newer patched version

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: YITH WooCommerce Ajax Product Filter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: Advanced File Manager

Vulnerability: Authenticated (Administrator+) Arbitrary File and Folder Access
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: Authenticated (Subscriber+) Arbitrary File Read to Arbitrary File Creation
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: HTML Forms – Simple WordPress Forms Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.34
Recommended Action: Update to version 1.3.34, or a newer patched version

Plugin: iPanorama 360 – Advanced Virtual Tour Builder

Vulnerability: Missing Authorization
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Full Path Disclosure
Patched Version: 1.5.10
Recommended Action: Update to version 1.5.10, or a newer patched version

Plugin: PDF.js Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.14
Recommended Action: Update to version 1.1.14, or a newer patched version

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Missing Authorization via ajax_license_check()
Patched Version: 1.8.1.8
Recommended Action: Update to version 1.8.1.8, or a newer patched version

Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Vulnerability: Unauthenticated Information Disclosure via Unprotected Directories
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version

Plugin: Get Use APIs – JSON Content Importer

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: The Events Calendar

Vulnerability: Cross-Site Request Forgery via action_restore_events
Patched Version: 6.5.1.5
Recommended Action: Update to version 6.5.1.5, or a newer patched version

Plugin: Floating Social Media Links

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Customers Manager

Vulnerability: Cross-Site Request Forgery to Customer Deletion
Patched Version: 30.1
Recommended Action: Update to version 30.1, or a newer patched version

Plugin: MBE eShip

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Authenticated (Accounting Manager+) SQL Injection via vendor_id
Patched Version: 1.13.1
Recommended Action: Update to version 1.13.1, or a newer patched version

Plugin: Realtyna Organic IDX plugin + WPL Real Estate

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 4.14.14
Recommended Action: Update to version 4.14.14, or a newer patched version

Plugin: MakeCommerce for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: Community Events

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: CC & BCC for Woocommerce Order Emails

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Type Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Light Poll

Vulnerability: Cross-Site Request Forgery to Poll Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Missing Authorization via generate_ai_content
Patched Version: 2.13.8
Recommended Action: Update to version 2.13.8, or a newer patched version

Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Not described in this listing; affects Products Filter Professional for WooCommerce <= 1.3.6
Patched Version: 1.3.6.1
Recommended Action: Update to version 1.3.6.1, or a newer patched version

Plugin: Titan Anti-spam & Security

Vulnerability: Missing Authorization
Patched Version: 7.3.8
Recommended Action: Update to version 7.3.8, or a newer patched version

Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

Vulnerability: Missing Authorization via REST API
Patched Version: 7.7.5
Recommended Action: Update to version 7.7.5, or a newer patched version

Plugin: Packlink PRO shipping module

Vulnerability: Missing Authorization
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: Internal Link Juicer: SEO Auto Linker for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.24.4
Recommended Action: Update to version 2.24.4, or a newer patched version

Plugin: Qi Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Login Logo Editor

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Attachments

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0.12
Recommended Action: Update to version 5.0.12, or a newer patched version

Plugin: House Manager – Easy Renter Management System for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Missing Authorization
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: Zoho Campaigns

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Change From Email

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wallet for WooCommerce

Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘search[value]’
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Slider by 10Web – Responsive Image Slider

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.57
Recommended Action: Update to version 1.2.57, or a newer patched version

Plugin: SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 5.1.4
Recommended Action: Update to version 5.1.4, or a newer patched version

Plugin: Moloni

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.8.0
Recommended Action: Update to version 4.8.0, or a newer patched version

Plugin: Matomo Analytics – Ethical Stats. Powerful Insights.

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin

Vulnerability: Missing Authorization
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.1.0
Recommended Action: Update to version 9.1.0, or a newer patched version

Plugin: Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More

Vulnerability: Missing Authorization
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.9.9.4.8
Recommended Action: Update to version 2.9.9.4.8, or a newer patched version
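Every entry above reduces to the same check: is the installed version below the patched version, or is there no patched version at all? The following script is an added example, not part of the original post and not code from any of the plugins listed. It parses entries in this page's own "Plugin / Vulnerability / Patched Version" format, compares them against an installed-plugin inventory, and does the comparison with PHP's version_compare() semantics rather than a generic semver library, because that is what WordPress itself uses to decide whether an update is due (so "9.99.2" counts as older than "9.99.2.0", and "1.0rc1" as older than "1.0"). The advisory excerpt and the inventory are constructed sample data; the inventory uses the field names that `wp plugin list --format=json --fields=name,title,status,version` emits. It assumes the plugin name in an advisory matches the title WordPress reports for the plugin, which is not guaranteed for every entry, so unmatched names still need a manual look.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed excerpt in the page's own entry format (three of the entries above).
ADVISORY_TEXT = """
Plugin: Spiffy Calendar
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.9.12
Recommended Action: Update to version 4.9.12, or a newer patched version

Plugin: VK All in One Expansion Unit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.99.2.0
Recommended Action: Update to version 9.99.2.0, or a newer patched version

Plugin: Advanced post slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available.
"""

# Constructed inventory shaped like `wp plugin list --format=json --fields=name,title,status,version`.
INSTALLED_JSON = """[
 {"name": "spiffy-calendar", "title": "Spiffy Calendar", "status": "active", "version": "4.9.11"},
 {"name": "vk-all-in-one-expansion-unit", "title": "VK All in One Expansion Unit", "status": "active", "version": "9.99.2"},
 {"name": "advanced-post-slider", "title": "Advanced post slider", "status": "inactive", "version": "1.0"},
 {"name": "akismet", "title": "Akismet Anti-spam", "status": "active", "version": "5.3.2"}
]"""


def parse_advisories(text: str) -> List[Dict[str, Optional[str]]]:
    """Read 'Plugin:/Vulnerability:/Patched Version:' blocks; patched=None means no fix exists."""
    entries: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Plugin:"):
            entries.append({"plugin": line.split(":", 1)[1].strip(), "vulnerability": "", "patched": None})
        elif line.startswith("Vulnerability:") and entries:
            entries[-1]["vulnerability"] = line.split(":", 1)[1].strip()
        elif line.startswith("Patched Version:") and entries:
            value = line.split(":", 1)[1].strip()
            entries[-1]["patched"] = None if value.lower().startswith("no patched") else value
    return entries


# Ordering of the special forms in PHP's version_compare(); prefix match, first hit wins.
_SPECIAL = [("dev", 0), ("alpha", 1), ("a", 1), ("beta", 2), ("b", 2),
            ("RC", 3), ("rc", 3), ("#", 4), ("pl", 5), ("p", 5)]


def _rank(form: str) -> int:
    for name, order in _SPECIAL:
        if form.startswith(name):
            return order
    return -1  # unknown strings sort below "dev", as in PHP


def _canonicalize(version: str) -> List[str]:
    """Split as PHP does: '-', '_', '+' become '.', and a '.' is inserted at digit/letter boundaries."""
    v = re.sub(r"[-_+]", ".", version)
    v = re.sub(r"(\d)([^.\d])", r"\1.\2", v)
    v = re.sub(r"([^.\d])(\d)", r"\1.\2", v)
    return [part for part in v.split(".") if part]


def _cmp(u, v) -> int:
    return (u > v) - (u < v)


def php_version_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the semantics of PHP's version_compare(), which WordPress uses."""
    pa, pb = _canonicalize(a), _canonicalize(b)
    for i in range(max(len(pa), len(pb))):
        x = pa[i] if i < len(pa) else None
        y = pb[i] if i < len(pb) else None
        if x is None:  # b has an extra component: numeric means b is newer, else rank it against "#"
            c = -1 if y.isdigit() else _cmp(_rank("#"), _rank(y))
        elif y is None:
            c = 1 if x.isdigit() else _cmp(_rank(x), _rank("#"))
        elif x.isdigit() and y.isdigit():
            c = _cmp(int(x), int(y))
        else:  # a number compared with a special form is treated as "#"
            c = _cmp(_rank("#") if x.isdigit() else _rank(x), _rank("#") if y.isdigit() else _rank(y))
        if c:
            return c
    return 0


def _norm(name: str) -> str:
    return re.sub(r"\s+", " ", name).strip().casefold()


def vulnerable_plugins(installed: List[dict], advisories: List[dict]) -> List[dict]:
    """Report every installed plugin an advisory still applies to.

    Entries with no patched version are always reported, since the only remediation is a
    mitigation or removal. Inactive plugins are reported as well: their files stay on disk,
    and issues in directly requestable files can remain reachable after deactivation.
    """
    by_name: Dict[str, List[dict]] = {}
    for adv in advisories:
        by_name.setdefault(_norm(adv["plugin"]), []).append(adv)
    findings = []
    for plugin in installed:
        for adv in by_name.get(_norm(plugin.get("title", plugin["name"])), []):
            patched = adv["patched"]
            if patched is None:
                action = "no patch available: mitigate or remove"
            elif php_version_compare(plugin["version"], patched) < 0:
                action = f"update to {patched} or newer"
            else:
                continue  # installed version is at or above the patched version
            findings.append({"plugin": plugin["name"], "installed": plugin["version"], "patched": patched,
                             "vulnerability": adv["vulnerability"], "action": action})
    return findings


def report(advisory_text: str = ADVISORY_TEXT, installed_json: str = INSTALLED_JSON) -> List[dict]:
    return vulnerable_plugins(json.loads(installed_json), parse_advisories(advisory_text))


if __name__ == "__main__":
    for f in report():
        print(f"{f['plugin']} {f['installed']}: {f['action']} ({f['vulnerability']})")
```

To run it against a real site, replace INSTALLED_JSON with the output of the wp-cli command named above and ADVISORY_TEXT with the full list from this page. The comparison deliberately does not short-circuit on equal prefixes: "9.99.2" is reported as below "9.99.2.0" because WordPress would offer that update too, and silently treating the two as equal would hide a missing patch.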

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
