Watch Out Wednesday – January 25, 2023

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. Addressing these vulnerabilities promptly helps protect the safety and integrity of your WordPress site and its data.

Plugin: Bubble Menu – Sticky Navigation with Floating Button Menu Solution

Vulnerability: Cross Site Request Forgery
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: ChatBot Conversational Forms

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: WordPress Social Comments Plugin for Vkontakte Comments and Disqus Comments

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: WP Airbnb Review Slider

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: VikRentCar Car Rental Management System

Vulnerability: Authenticated (Admin+) Cross Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: MainWP Broken Link Checker

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPMobile.App — Android and iOS Mobile Application

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 11.14
Recommended Action: Update to version 11.14, or a newer patched version

Plugin: Image and Video Lightbox, Image PopUp

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: Lightweight Accordion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.15
Recommended Action: Update to version 1.5.15, or a newer patched version

Plugin: Location Weather – Hourly, Daily Weather Forecast Widget and Weather Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Contact Us Page – Contact People

Vulnerability: Cross Site Request Forgery
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: WP Font Awesome

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.6
Recommended Action: Update to version 3.8.6, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 9.0.16
Recommended Action: Update to version 9.0.16, or a newer patched version

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: MainWP Maintenance Extension

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: Material Design Icons for Page Builders

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: WPFrom Email

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Authenticated (Administrator+) Stored Cross Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Oi Yandex.Maps for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Maintenance Mode by Supsystic

Vulnerability: Cross Site Request Forgery
Patched Version: 1.7.11
Recommended Action: Update to version 1.7.11, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 9.4.3.1
Recommended Action: Update to version 9.4.3.1, or a newer patched version

Plugin: MainWP Article Uploader Extension

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: My Tickets – Accessible Event Ticketing

Vulnerability: Authorization Bypass
Patched Version: 1.9.12
Recommended Action: Update to version 1.9.12, or a newer patched version

Plugin: WP Client Reports

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.0.17
Recommended Action: Update to version 1.0.17, or a newer patched version

Plugin: URL Shortener by MyThemeShop

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Code Snippets Extension

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Watu Quiz

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.8.2
Recommended Action: Update to version 3.3.8.2, or a newer patched version

Plugin: WP Flipclock

Vulnerability: Authenticated (Contributor+) Stored Cross Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: TemplatesNext ToolKit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version

Plugin: YouTube Embed, Playlist and Popup by WpDevArt

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Easy PayPal & Stripe Buy Now Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: Product Slider for WooCommerce by PickPlugins

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.42
Recommended Action: Update to version 1.13.42, or a newer patched version

Plugin: Timed Content

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.73
Recommended Action: Update to version 2.73, or a newer patched version

Plugin: Participants Database

Vulnerability: Cross Site Request Forgery
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: WP Time Slots Booking Form

Vulnerability: Improper Authorization Checks
Patched Version: 1.1.83
Recommended Action: Update to version 1.1.83, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Cross-Site Request Forgery to WPForm/Blocks Import
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: WP Helper Premium

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: Quiz Maker

Vulnerability: Content Spoofing
Patched Version: 6.3.9.5
Recommended Action: Update to version 6.3.9.5, or a newer patched version

Plugin: Quick Event Manager

Vulnerability: Missing Authorization Checks
Patched Version: 9.7.5
Recommended Action: Update to version 9.7.5, or a newer patched version

Plugin: Reviews and Rating – Google Reviews

Vulnerability: Missing Authorization
Patched Version: 4.15
Recommended Action: Update to version 4.15, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Missing Authorization to Captcha Setting Update
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: CTT Expresso para WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.12
Recommended Action: Update to version 3.2.12, or a newer patched version

Plugin: Simple Staff List

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: M Chart

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version

Plugin: AI Power: Complete AI Pack

Vulnerability: Missing Authorization
Patched Version: 1.4.38
Recommended Action: Update to version 1.4.38, or a newer patched version

Plugin: WP TripAdvisor Review Slider

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 10.8
Recommended Action: Update to version 10.8, or a newer patched version

Plugin: Admin Log

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Addons for Beaver Builder – Lite

Vulnerability: Lite <= 1.5.5
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Zoho Forms – Drag & Drop Form Builder for Websites – Contact Forms, Payment Forms, Order Forms & More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Mapwiz

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Favorites Extension

Vulnerability: Authenticated (Subscriber+) Arbitrary Plugin Installation
Patched Version: 4.0.11
Recommended Action: Update to version 4.0.11, or a newer patched version

Plugin: Camera slideshow

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP File Uploader Extension

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: WP Time Slots Booking Form

Vulnerability: Authenticated (Admin+) Stored Cross Site Scripting
Patched Version: 1.1.82
Recommended Action: Update to version 1.1.82, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: HTML Injection in Emails
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: Better Font Awesome

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Spotlight Social Feeds – Block, Shortcode, and Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: WP-TopBar

Vulnerability: Cross Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Google Review Slider

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 11.8
Recommended Action: Update to version 11.8, or a newer patched version

Plugin: Easy Affiliate Links

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Settings
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.15.0
Recommended Action: Update to version 1.15.0, or a newer patched version

Plugin: Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin

Vulnerability: Authenticated (Admin+) Cross Site Scripting
Patched Version: 1.2.54.1
Recommended Action: Update to version 1.2.54.1, or a newer patched version

Plugin: Ultimate Addons for Beaver Builder – Lite

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Quick Event Manager

Vulnerability: Unauthenticated Stored Cross Site Scripting
Patched Version: 9.7.5
Recommended Action: Update to version 9.7.5, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.24
Recommended Action: Update to version 2.24, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.24
Recommended Action: Update to version 2.24, or a newer patched version

Plugin: Live Composer – Free WordPress Website Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.23
Recommended Action: Update to version 1.5.23, or a newer patched version

Plugin: Category Specific RSS feed Subscription

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Very Simple Google Maps

Vulnerability: Authenticated (Contributor+) Stored Cross Site Scripting
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version

Plugin: Amazon JS

Vulnerability: Authenticated (Contributor+) Stored Cross Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Hover Effects For WPBakery Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: JetWidgets For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Intuitive Custom Post Order

Vulnerability: Missing Authorization to Authenticated Settings Change
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: MainWP UpdraftPlus Extension

Vulnerability: Missing Authorization
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: Page Loading Effects

Vulnerability: Authenticated (Admin+) Stored Cross Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Watu Quiz

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.3.8.3
Recommended Action: Update to version 3.3.8.3, or a newer patched version

Plugin: Custom 404 Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: WP Tabs Slides

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Links Manager Extension

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Code Snippets Extension

Vulnerability: Authenticated (Subscriber+) PHP Code Injection
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Twenty20 Image Before-After

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: WP Review Slider

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 12.2
Recommended Action: Update to version 12.2, or a newer patched version

Plugin: Social Like Box and Page by WpDevArt

Vulnerability: Authenticated (Admin+) Stored Cross Site Scripting
Patched Version: 0.8.40
Recommended Action: Update to version 0.8.40, or a newer patched version

Plugin: Stripe Payments For WooCommerce by Checkout Plugins

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version

Plugin: Social Like Box and Page by WpDevArt

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.8.41
Recommended Action: Update to version 0.8.41, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Missing Access Control leading to Authenticated (Subscriber+) Sensitive Information Disclosure
Patched Version: 3.4.11
Recommended Action: Update to version 3.4.11, or a newer patched version

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.9.9.2.9
Recommended Action: Update to version 2.9.9.2.9, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version

Plugin: Mercado Pago payments for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.7.0
Recommended Action: Update to version 6.7.0, or a newer patched version

Plugin: WP-TopBar

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Addons for Beaver Builder – Lite

Vulnerability: Missing Authorization
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: MainWP Comments Extension

Vulnerability: Missing Authorization
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress

Vulnerability: Cross Site Request Forgery
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: WP Airbnb Review Slider

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: WP eBay Product Feeds

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Extensive VC Addons for WPBakery page builder

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Shortcode for Font Awesome

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: MainWP Wordfence Extension

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version

Plugin: WP Popups – WordPress Popup builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.4.9
Recommended Action: Update to version 2.1.4.9, or a newer patched version

Plugin: WP Helper Premium

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: Nice PayPal Button Lite

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Meta Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quick Event Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 9.7.5
Recommended Action: Update to version 9.7.5, or a newer patched version

Plugin: Intuitive Custom Post Order

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Themify Portfolio Post

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Media Library Categories

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: MainWP Article Uploader Extension

Vulnerability: Missing Authorization to Arbitrary Page/Post Deletion
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Modal Dialog

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.5.10
Recommended Action: Update to version 3.5.10, or a newer patched version

Plugin: Customer Reviews for WooCommerce

Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: 5.16.0
Recommended Action: Update to version 5.16.0, or a newer patched version

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.11
Recommended Action: Update to version 2.9.11, or a newer patched version

Plugin: Theme Blvd Responsive Google Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: amr shortcode any widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YARPP – Yet Another Related Posts Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.30.3
Recommended Action: Update to version 5.30.3, or a newer patched version

Plugin: Responsive Vertical Icon Menu

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Email Spoofing
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Autopost for X (formerly Autoshare for Twitter)

Vulnerability: Denial of Service
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: WP Smart Preloader

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.15.1
Recommended Action: Update to version 1.15.1, or a newer patched version

Plugin: Participants Database

Vulnerability: Cross Site Request Forgery
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: FL3R FeelBox

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Captcha Bypass
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Name Directory

Vulnerability: Cross Site Request Forgery
Patched Version: 1.27.2
Recommended Action: Update to version 1.27.2, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.6.36
Recommended Action: Update to version 1.6.36, or a newer patched version

Plugin: Customer Reviews for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.17.0
Recommended Action: Update to version 5.17.0, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: Parsi Date

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Interactive Polish Map

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: SRS Simple Hits Counter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Markup (JSON-LD) structured in schema.org

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PixelYourSite – Your smart PIXEL (TAG) & API Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 9.3.1
Recommended Action: Update to version 9.3.1, or a newer patched version

Plugin: Contact Form 7 – Dynamic Text Extension

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Youtube shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Terms Popup – Terms and Conditions and Privacy Policy WordPress Popups

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: WP Yelp Review Slider

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 7.1
Recommended Action: Update to version 7.1, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Missing Authorization to Unauthenticated Content Injection
Patched Version: 5.1.9.3
Recommended Action: Update to version 5.1.9.3, or a newer patched version

Plugin: Responsive Vertical Icon Menu

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Improper Authorization to Price Change
Patched Version: 5.1.9.3
Recommended Action: Update to version 5.1.9.3, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
