Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Arigato Autoresponder and Newsletter
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.7.1.1
Recommended Action: Update to version 2.7.1.1, or a newer patched version
Plugin: EZP Coming Soon Page
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.74
Recommended Action: Update to version 1.0.74, or a newer patched version
Plugin: Booking Calendar Contact Form
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Feedback Form Submission
Patched Version: 1.2.35
Recommended Action: Update to version 1.2.35, or a newer patched version
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Two-factor authentication (formerly IP Vault)
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Cross-Site Request Forgery via ajax_add_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Gallery – Image and Video Gallery with Thumbnails
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Booking Calendar Contact Form
Vulnerability: Cross-Site Request Forgery via cpdexbccf_feedback
Patched Version: 1.2.35
Recommended Action: Update to version 1.2.35, or a newer patched version
Plugin: Shortcodes by Angie Makes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wicked Folders
Vulnerability: Missing Authorization on ajax_move_object
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Custom Add User
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Auto Featured Image (Auto Post Thumbnail)
Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 3.9.16
Recommended Action: Update to version 3.9.16, or a newer patched version
Plugin: Image Hover Effects for Elementor with Lightbox and Flipbox, Caption Hover with Carousel (affected versions <= 2.8)
Vulnerability: Not specified in this entry
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Flexible Elementor Panel
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Cross-Site Request Forgery via ajax_save_state
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Missing Authorization on ajax_add_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: WP Tabs – Responsive Tabs and Custom Product Tabs
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Missing Authorization via ajax_unassign_folders
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Marketing Performance
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wicked Folders
Vulnerability: Missing Authorization on ajax_save_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Multi-column Tag Map
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 17.0.25
Recommended Action: Update to version 17.0.25, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Missing Authorization via ajax_delete_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: WP htpasswd
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wicked Folders
Vulnerability: Missing Authorization on ajax_edit_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: 0mk Shortener
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wicked Folders
Vulnerability: Cross-Site Request Forgery via ajax_save_folder_order
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Cross-Site Request Forgery on ajax_save_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery
Vulnerability: Cross-Site Request Forgery via getPluginStatus
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version
Plugin: A2 Optimized WP – Turbocharge and secure your WordPress site
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: Album and Image Gallery plus Lightbox
Vulnerability: Missing Authorization
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: eCommerce Product Catalog Plugin for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version
Plugin: Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.14.3
Recommended Action: Update to version 2.14.3, or a newer patched version
Plugin: WordPress Comments Import & Export
Vulnerability: CSV Injection
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Cross-Site Request Forgery via ajax_edit_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Redirection for Contact Form 7
Vulnerability: Authenticated (Editor+) Privilege Escalation
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version
Plugin: WP Booking System – Booking Calendar
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.18.1
Recommended Action: Update to version 2.0.18.1, or a newer patched version
Plugin: FV Flowplayer Video Player
Vulnerability: Cross-Site Request Forgery
Patched Version: 7.5.31.7212
Recommended Action: Update to version 7.5.31.7212, or a newer patched version
Plugin: Gutenberg Forms – WordPress Form Builder Plugin
Vulnerability: Authenticated (Subscriber+) Sensitive Information Disclosure
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version
Plugin: User Activity
Vulnerability: IP Address Spoofing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ajax Search Lite – Live Search & Filter
Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Sensitive Information Disclosure
Patched Version: 4.11
Recommended Action: Update to version 4.11, or a newer patched version
Plugin: Ocean Extra
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Cross-Site Request Forgery via ajax_delete_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: 1003 Mortgage Application
Vulnerability: Unauthenticated CSV Injection
Patched Version: 1.80
Recommended Action: Update to version 1.80, or a newer patched version
Plugin: Side Cart Woocommerce | Woocommerce Cart
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.2.6
Recommended Action: Update to version 1.3.2.6, or a newer patched version
Plugin: avalex – Automatisch sichere Rechtstexte
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version
Plugin: Slider by Supsystic
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version
Plugin: Posts and Users Stats
Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Wufoo Shortcode
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcodes
Patched Version: 1.52
Recommended Action: Update to version 1.52, or a newer patched version
Plugin: GS Insever Portfolio
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Print Invoice & Delivery Notes for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version
Plugin: Arigato Autoresponder and Newsletter
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.1.1
Recommended Action: Update to version 2.7.1.1, or a newer patched version
Plugin: Auto Affiliate Links
Vulnerability: Authenticated (Subscriber+) Plugin Settings Change
Patched Version: 6.2.1.6
Recommended Action: Update to version 6.2.1.6, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Cross-Site Request Forgery via ajax_clone_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Watu Quiz
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.3.8.1
Recommended Action: Update to version 3.3.8.1, or a newer patched version
Plugin: We’re Open!
Vulnerability: Missing Authorization
Patched Version: 1.45
Recommended Action: Update to version 1.45, or a newer patched version
Plugin: Yellow Yard Searchbar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8.12
Recommended Action: Update to version 2.8.12, or a newer patched version
Plugin: Responsive Pricing Table
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.7
Recommended Action: Update to version 5.1.7, or a newer patched version
Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction
Vulnerability: Open Redirect
Patched Version: 3.8.2.3
Recommended Action: Update to version 3.8.2.3, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Missing Authorization on ajax_save_folder_order
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Simple History – Track, Log, and Audit WordPress Changes
Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Quick Contact Form
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.0.4
Recommended Action: Update to version 8.0.4, or a newer patched version
Plugin: Icegram Collect – Easy Form, Lead Collection and Subscription plugin
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: Real Media Library: Media Library Folder & File Manager
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.18.29
Recommended Action: Update to version 4.18.29, or a newer patched version
Plugin: MapGeo – Interactive Geo Maps
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.5.11
Recommended Action: Update to version 1.5.11, or a newer patched version
Plugin: Cost of Goods: Product Cost & Profit Calculator for WooCommerce
Vulnerability: Missing Authorization in save_costs
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: Qubely – Advanced Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘className’ Block Option
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version
Plugin: Usersnap
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.17
Recommended Action: Update to version 4.17, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Missing Authorization on ajax_save_sort_order
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Google Maps CP
Vulnerability: Cross-Site Request Forgery via feedback_action
Patched Version: 1.0.44
Recommended Action: Update to version 1.0.44, or a newer patched version
Plugin: PHP Execution
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Unauthenticated CSV Injection
Patched Version: 5.5.3
Recommended Action: Update to version 5.5.3, or a newer patched version
Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version
Plugin: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Cross-Site Request Forgery via ajax_save_sort_order
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Arigato Autoresponder and Newsletter
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.7.1.1
Recommended Action: Update to version 2.7.1.1, or a newer patched version
Plugin: PayPal Brasil para WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.5.7
Recommended Action: Update to version 5.5.7, or a newer patched version
Plugin: Quick Contact Form
Vulnerability: Cross-Site Request Forgery to Sensitive Information Disclosure
Patched Version: 8.0.4
Recommended Action: Update to version 8.0.4, or a newer patched version
Plugin: Google Maps CP
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Feedback Form Submission
Patched Version: 1.0.44
Recommended Action: Update to version 1.0.44, or a newer patched version
Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.9.9.2.9
Recommended Action: Update to version 2.9.9.2.9, or a newer patched version
Plugin: VK All in One Expansion Unit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.86.0.0
Recommended Action: Update to version 9.86.0.0, or a newer patched version
Plugin: We’re Open!
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.46
Recommended Action: Update to version 1.46, or a newer patched version
Plugin: WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.12
Recommended Action: Update to version 3.2.12, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Missing Authorization on ajax_clone_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 8.x
Vulnerability: Missing Authorization to Currency Exchange Retrieval
Patched Version: 2.1.26
Recommended Action: Update to version 2.1.26, or a newer patched version
Plugin: GigPress
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.3.29
Recommended Action: Update to version 2.3.29, or a newer patched version
Plugin: Mercado Pago payments for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version
Plugin: Opening Hours
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Multi Rating
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Missing Authorization via ajax_save_state
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Visualizer: Tables and Charts Manager for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version
Plugin: Podlove Podcast Publisher
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version
Plugin: 1003 Mortgage Application
Vulnerability: Authenticated (Subscriber+) Arbitrary File Download
Patched Version: 1.80
Recommended Action: Update to version 1.80, or a newer patched version
Plugin: Donation Block For PayPal
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Cross-Site Request Forgery to Post Updates
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Cross-Site Request Forgery on ajax_move_object
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: 0mk Shortener
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Album and Image Gallery plus Lightbox
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Cross-Site Request Forgery via ajax_unassign_folders
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Jobs for WordPress
Vulnerability: Authenticated (Author+) Cross-Site Scripting
Patched Version: 2.5.11
Recommended Action: Update to version 2.5.11, or a newer patched version
Plugin: Cost of Goods: Product Cost & Profit Calculator for WooCommerce
Vulnerability: Cross-Site Request Forgery in save_costs
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: Auto Affiliate Links
Vulnerability: Cross-Site Request Forgery via aalDeleteLink function
Patched Version: 6.3.0.1
Recommended Action: Update to version 6.3.0.1, or a newer patched version
Plugin: Kraken.io Image Optimizer
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CC Custom Taxonomy
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Commenter Emails
Vulnerability: Unauthenticated CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Similar Posts – Best Related Posts Plugin for WordPress
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Auto YouTube Importer
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.