Watch Out Wednesday – January 18, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: WidgetShortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Booklet

Vulnerability: Authenticated (Subscriber+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Wordfence Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version

Plugin: MainWP Maintenance Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: WP Super Popup

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: jQuery T(-) Countdown Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.24
Recommended Action: Update to version 2.3.24, or a newer patched version

Plugin: Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages

Vulnerability: Information Disclosure
Patched Version: 1.9.4.1
Recommended Action: Update to version 1.9.4.1, or a newer patched version

Plugin: MainWP Buddy Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: YaMaps for WordPress Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.6.26
Recommended Action: Update to version 0.6.26, or a newer patched version

Plugin: alfred24 Click & Collect

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Google Analytics Extension

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 115
Recommended Action: Update to version 115, or a newer patched version

Plugin: Widget Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom 404 Pro

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Rich Table of Contents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: MagicForm

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Crayon Syntax Highlighter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dashicons + Custom Post Types

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kraken.io Image Optimizer

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

Plugin: Extra Block Design, Style, CSS for ANY Gutenberg Blocks

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.2.7
Recommended Action: Update to version 0.2.7, or a newer patched version

Plugin: Advanced Custom Fields: Image Crop Add-on

Vulnerability: Improper Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP FullCalendar

Vulnerability: Missing Authorization to Information Disclosure
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Security Optimizer – The All-In-One Protection Plugin

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.12.1
Recommended Action: Update to version 8.12.1, or a newer patched version

Plugin: ResponsiveVoice Text To Speech

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: Hover Image

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Post Plus Extension

Vulnerability: Missing Authorization to Arbitrary Page/Post Deletion
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Login with phone number

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Enable Media Replace

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Hide My WP – Amazing Security Plugin for WordPress!

Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.2.9
Recommended Action: Update to version 6.2.9, or a newer patched version

Plugin: MainWP File Uploader Extension

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Simple Tooltips

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: MainWP Wordfence Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version

Plugin: WP Show Posts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: MainWP White Label Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: MainWP Post Dripper Extension

Vulnerability: Missing Authorization to Arbitrary Page/Post Deletion
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: WP Blog and Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: ipBlockList

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP UpdraftPlus Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: MainWP Matomo Extension

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: MainWP Clone Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: WP-CommentNavi

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.12.2
Recommended Action: Update to version 1.12.2, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: SQL Injection
Patched Version: 3.1.0.4
Recommended Action: Update to version 3.1.0.4, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Map Multi Marker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Widgets on Pages

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Annual Archive

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: MainWP Rocket Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: Stream

Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: teachPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 8.1.9
Recommended Action: Update to version 8.1.9, or a newer patched version

Plugin: WP Visitor Statistics (Real Time Traffic)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version

Plugin: Naver Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Membership WP user Import

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: OOPSpam Anti-Spam

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.36
Recommended Action: Update to version 1.1.36, or a newer patched version

Plugin: Form builder to get in touch with visitors and grow your email list — Happyforms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Blocks
Patched Version: 1.22.0
Recommended Action: Update to version 1.22.0, or a newer patched version

Plugin: GamiPress – Vimeo integration

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Universal Star Rating

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: TemplatesNext ToolKit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: WordPrezi

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.9
Recommended Action: Update to version 0.9, or a newer patched version

Plugin: MainWP Page Speed Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Judge.me Product Reviews for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.21
Recommended Action: Update to version 1.3.21, or a newer patched version

Plugin: My YouTube Channel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.23.0
Recommended Action: Update to version 3.23.0, or a newer patched version

Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 115
Recommended Action: Update to version 115, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.9.8
Recommended Action: Update to version 2.9.8, or a newer patched version

Plugin: Survey Maker

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Send PDF for Contact Form 7

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.9.9.2
Recommended Action: Update to version 0.9.9.2, or a newer patched version

Plugin: Gallery Factory Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Vimeo Video Autoplay Automute

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.11.3
Recommended Action: Update to version 1.11.3, or a newer patched version

Plugin: MainWP Google Analytics Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.12.7
Recommended Action: Update to version 3.12.7, or a newer patched version

Plugin: MainWP iThemes Security Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: MainWP Rocket Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: WP Customer Area

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.1.4
Recommended Action: Update to version 8.1.4, or a newer patched version

Plugin: Mediamatic – Media Library Folders

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cloak Front End Email

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version

Plugin: No API Amazon Affiliate

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: PDF Generator for WordPress – Create & Customize PDF for Posts, Pages and WooCommerce Products

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: MainWP Broken Link Checker

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Meks Flexible Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Launchpad – Coming Soon & Maintenance Mode Plugin

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Better Emails

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Private Content Plus

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version

Plugin: Easy Accept Payments via PayPal

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.9.10
Recommended Action: Update to version 4.9.10, or a newer patched version

Plugin: EAN Barcode Generator for WooCommerce: UPC, ISBN & GTIN Inventory

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: uTubeVideo Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Quick Event Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.7.5
Recommended Action: Update to version 9.7.5, or a newer patched version

Plugin: MainWP Boilerplate Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: HTML5 Audio Player- Best WordPress Audio Player Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.12
Recommended Action: Update to version 2.1.12, or a newer patched version

Plugin: WP-OliveCart

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Online Exam Software : eExamhall

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Materialis Companion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.40
Recommended Action: Update to version 1.3.40, or a newer patched version

Plugin: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 7.12.1
Recommended Action: Update to version 7.12.1, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Missing Authorization Checks leading to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: DNUI

Vulnerability: Cross-Site Request Forgery leading to Unused Image Deletion and Database Image Access
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: Responsive Gallery Grid

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via ‘yrc_lang[Videos]’
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: TemplatesNext ToolKit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 8.2.7
Recommended Action: Update to version 8.2.7, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version

Plugin: Breadcrumb

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.33
Recommended Action: Update to version 1.5.33, or a newer patched version

Plugin: GamiPress – Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Flexible Captcha

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 10Web Map Builder for Google Maps

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.0.73
Recommended Action: Update to version 1.0.73, or a newer patched version

Plugin: MainWP Code Snippets Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: MainWP WordPress SEO Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: MainWP Staging Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: Superior FAQ

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.