Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. Each entry gives the affected plugin, the vulnerability class and the privilege level needed to exploit it, the patched version where one exists, and the recommended action. Compare the list against the plugins installed on your site and update the affected ones; where no patch exists, mitigate or remove the plugin according to your organization's risk tolerance. Note that a plugin that is installed but deactivated still leaves its files on disk, so it should be removed rather than merely disabled.
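The comparison described above, as an added example that is not code from the original page: it parses the four-line record format used in this listing, compares each installed plugin's version with the patched version numerically (plain string comparison gets "4.9" vs "4.12" and "1.6" vs "1.60" wrong), and flags entries with no patched version for removal. The advisory text is an excerpt of the entries below; the inventory is a constructed stand-in for `wp plugin list --fields=name,title,status,version --format=json`, and matching on the plugin's display title is an assumption, since the listing gives display names rather than directory slugs.

```python
"""Compare a site's installed plugins against a weekly advisory listing.

Added example, not code from the original page. ADVISORY_TEXT is an excerpt in
the listing's own four-line format; INVENTORY_JSON is a constructed stand-in for
`wp plugin list --fields=name,title,status,version --format=json` output.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

ADVISORY_TEXT = """\
Plugin: Custom 404 Pro
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.7.3
Recommended Action: Update to version 3.7.3, or a newer patched version
Plugin: Inactive User Deleter
Vulnerability: Cross-Site Request Forgery via Multiple Functions
Patched Version: 1.60
Recommended Action: Update to version 1.60, or a newer patched version
Plugin: Accessibility Suite by Ability, Inc
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.12
Recommended Action: Update to version 4.12, or a newer patched version
Plugin: Tippy
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via tippy shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability's details in depth.
"""

# Constructed inventory (not real output from any site); versions chosen to exercise the comparison.
INVENTORY_JSON = """[
  {"name": "custom-404-pro", "title": "Custom 404 Pro", "status": "active", "version": "3.7.2"},
  {"name": "inactive-user-deleter", "title": "Inactive User Deleter", "status": "active", "version": "1.6"},
  {"name": "accessibility-suite", "title": "Accessibility Suite by Ability, Inc", "status": "active", "version": "4.9"},
  {"name": "tippy", "title": "Tippy", "status": "inactive", "version": "6.2.1"},
  {"name": "akismet", "title": "Akismet Anti-spam", "status": "active", "version": "5.3"}
]"""


@dataclass
class Advisory:
    plugin: str
    vulnerability: str
    patched: Optional[str]  # None when the listing says no patched version exists


def parse_advisories(text: str) -> List[Advisory]:
    """Parse 'Plugin / Vulnerability / Patched Version / Recommended Action' records."""
    advisories: List[Advisory] = []
    current: dict = {}
    for line in text.splitlines():
        # Split on the first colon only, so titles such as "Shield: Blocks Bots" keep theirs.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Plugin":
            current = {"plugin": value}
        elif key == "Vulnerability":
            current["vulnerability"] = value
        elif key == "Patched Version":
            patched = None if value.lower().startswith("no patched") else value
            advisories.append(Advisory(current["plugin"], current["vulnerability"], patched))
    return advisories


def version_tuple(version: str) -> List[int]:
    """Numeric components of a version string; non-numeric suffixes are ignored."""
    return [int(p) for p in re.findall(r"\d+", version)]


def version_lt(installed: str, patched: str) -> bool:
    """True when `installed` is older than `patched`, compared numerically per component.

    Missing trailing components count as zero, so 1.5 and 1.5.0 are equal.
    """
    a, b = version_tuple(installed), version_tuple(patched)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a < b


def assess(advisories: List[Advisory], inventory: List[dict]) -> List[dict]:
    """Return one finding per installed plugin that an advisory still applies to."""
    by_title = {p["title"].casefold(): p for p in inventory}
    findings = []
    for adv in advisories:
        plugin = by_title.get(adv.plugin.casefold())
        if plugin is None:
            continue  # not installed on this site
        if adv.patched is None:
            action = "no fix available: remove the plugin or mitigate per your risk tolerance"
        elif version_lt(plugin["version"], adv.patched):
            action = f"update to {adv.patched} or newer"
        else:
            continue  # already at or above the patched version
        # Inactive plugins are reported too: their files stay on disk and may be reachable directly.
        findings.append({"plugin": adv.plugin, "installed": plugin["version"],
                         "status": plugin["status"], "vulnerability": adv.vulnerability,
                         "action": action})
    return findings


def run_check() -> List[dict]:
    """Run the comparison on the embedded advisory excerpt and constructed inventory."""
    return assess(parse_advisories(ADVISORY_TEXT), json.loads(INVENTORY_JSON))


if __name__ == "__main__":
    for f in run_check():
        print(f"{f['plugin']} {f['installed']} ({f['status']}): {f['vulnerability']} -> {f['action']}")
```

To run this against a real site, replace INVENTORY_JSON with the output of the `wp plugin list` command named in the docstring and ADVISORY_TEXT with the full listing; the title-based matching will miss plugins whose header title differs from the name used in the advisory, so review unmatched entries by hand.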
Plugin: Updraft
Vulnerability: Reflected Cross-Site Scripting via ‘backup_timestamp’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Live Chat by Formilla – Real-time Chat & Chatbots Plugin
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaID’
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Dave's WordPress Live Search
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP BrowserUpdate
Vulnerability: Cross-Site Request Forgery via wpbu_administration
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: GDPR Compliance & Cookie Consent
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version
Plugin: Yatra – Tour and Travel Booking Solution
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version
Plugin: CRM Memberships
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ebook Store
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.78
Recommended Action: Update to version 5.78, or a newer patched version
Plugin: Image Optimizer by 10web – Image Optimizer and Compression plugin
Vulnerability: Directory Traversal to Information Exposure
Patched Version: 1.0.26
Recommended Action: Update to version 1.0.26, or a newer patched version
Plugin: Motors – Car Dealer, Classifieds & Listing
Vulnerability: Cross-Site Request Forgery via Multiple Functions
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: Album Gallery – WordPress Gallery
Vulnerability: Cross-Site Request Forgery via album-gallery-column-settings.php
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: The School Management – Education & Learning Management
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Plugin: vSlider Multi Image Slider for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Slider
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via esrcpt_slider_allow_iframes_filter
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 17.0.18
Recommended Action: Update to version 17.0.18, or a newer patched version
Plugin: XML for Google Merchant Center
Vulnerability: Reflected Cross-Site Scripting via page parameter
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: CMS Tree Page View
Vulnerability: Reflected Cross-Site Scripting via ‘post_type’
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version
Plugin: Layer Slider
Vulnerability: Cross-Site Request Forgery via save_slide_ajax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ad Inserter – Ad Manager & AdSense Ads
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 2.7.26
Recommended Action: Update to version 2.7.26, or a newer patched version
Plugin: Uji Popup
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via uji_popup_code shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LIQUID SPEECH BALLOON
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Unauthenticated Information Disclosure
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version
Plugin: Update Image Tag Alt Attribute
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: WP Original Media Path
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: WPJAM Basic
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.2.1.1
Recommended Action: Update to version 6.2.1.1, or a newer patched version
Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.0.11
Recommended Action: Update to version 1.7.0.11, or a newer patched version
Plugin: Inactive User Deleter
Vulnerability: Cross-Site Request Forgery via Multiple Functions
Patched Version: 1.60
Recommended Action: Update to version 1.60, or a newer patched version
Plugin: Verified Reviews (Avis Vérifiés)
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.15
Recommended Action: Update to version 2.3.15, or a newer patched version
Plugin: Ninja Tables – Easy Data Table Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.3.5
Recommended Action: Update to version 4.3.5, or a newer patched version
Plugin: Thumbnail Slider With Lightbox
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.18
Recommended Action: Update to version 1.0.18, or a newer patched version
Plugin: WCP Contact Form
Vulnerability: Reflected Cross-Site Scripting via tab parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shortcode IMDB
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tiempo.com
Vulnerability: Cross-Site Request Forgery to Shortcode Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Page Numbers
Vulnerability: Cross-Site Request Forgery via wp_page_numbers_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Google Analytics Top Content Widget
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: BSK Forms Blacklist
Vulnerability: Authenticated (Administrator+) SQL Injection via ‘order’ and ‘orderby’
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version
Plugin: WP Docs
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version
Plugin: ActiveCampaign – Forms, Site Tracking, Live Chat
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.1.12
Recommended Action: Update to version 8.1.12, or a newer patched version
Plugin: Custom Login Page Styler
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.2.5
Recommended Action: Update to version 6.2.5, or a newer patched version
Plugin: Dynamically Register Sidebars
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Email posts to subscribers
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RapidExpCart
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rating-Widget: Star Review System
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcodes
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Forms Ada – Form Builder
Vulnerability: Reflected Cross-Site Scripting via ‘p’ parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mail Subscribe List
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via smlsubform shortcode
Patched Version: 2.1.10
Recommended Action: Update to version 2.1.10, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Cross-Site Request Forgery
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version
Plugin: Chronosly Events Calendar
Vulnerability: Cross-Site Request Forgery via plugin_settings_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Formilla Edge Targeted Messaging Platform for Sales and Marketing
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaPluginID’
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: Advanced Youtube Channel Pagination
Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Addons for Contact Form 7
Vulnerability: Authenticated (Subscriber+) SQL Injection via id
Patched Version: 3.1.24
Recommended Action: Update to version 3.1.24, or a newer patched version
Plugin: Kiwiz – Certification de facturation – Woocommerce
Vulnerability: Unspecified (the vulnerability type is not given in the source listing)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Header Builder Plugin – Pearl
Vulnerability: Cross-Site Request Forgery via stm_save_hb_settings
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Tiempo.com
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Order Status Change Notifier
Vulnerability: Authenticated (Subscriber+) Arbitrary Order Status Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Subscribers – Free Web Push Notifications
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Vulnerability: Missing Authorization
Patched Version: 17.0.18
Recommended Action: Update to version 17.0.18, or a newer patched version
Plugin: WP Cerber Security, Anti-spam & Malware Scan
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 9.2
Recommended Action: Update to version 9.2, or a newer patched version
Plugin: Woocommerce Products Designer by ORION – online product customizer for t-shirts, print cards, phone cases Lettering & Decals
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NS Coupon To Become Customer
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Accessibility Suite by Ability, Inc
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.12
Recommended Action: Update to version 4.12, or a newer patched version
Plugin: Google Authenticator – WordPress 2FA, OTP SMS and Email
Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 5.6.6
Recommended Action: Update to version 5.6.6, or a newer patched version
Plugin: Flyzoo Chat
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Arconix Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: Robokassa payment gateway for Woocommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: Kodex Posts likes
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: Reservation.Studio widget
Vulnerability: Cross-Site Request Forgery via plugin settings
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version
Plugin: Progress Bar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wppb shortcode
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Tiempo.com
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.46.1
Recommended Action: Update to version 2.46.1, or a newer patched version
Plugin: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: White Label Branding for Elementor Page Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Extensions for Leaflet Map
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: HTTP Headers
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.18.9
Recommended Action: Update to version 1.18.9, or a newer patched version
Plugin: Help Desk WP
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Youtube Channel Pagination
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Share Boost
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ssboost shortcode
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: REST API TO MiniProgram
Vulnerability: Authenticated (Subscriber+) Media Attachment Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution
Vulnerability: Cross-Site Request Forgery via get_product
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version
Plugin: URL Params
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Modal Dialog
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.15
Recommended Action: Update to version 3.5.15, or a newer patched version
Plugin: Category Specific RSS feed Subscription
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Booking calendar, Appointment Booking System
Vulnerability: Authenticated (Administrator+) SQL Injection via *_selected
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version
Plugin: Video XML Sitemap Generator
Vulnerability: Cross-Site Request Forgery via video_sitemap_generate
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woocommerce Tip/Donation
Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Links Page
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.9.2
Recommended Action: Update to version 4.9.2, or a newer patched version
Plugin: Gallery Metabox
Vulnerability: Cross-Site Request Forgery via gallery_remove
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Customer Support Software, Live Chat, & Marketing Automation
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaToolsID’
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Authenticated (Administrator+) SQL Injection via ‘replace_urls’
Patched Version: 3.12.2
Recommended Action: Update to version 3.12.2, or a newer patched version
Plugin: Ko-fi Button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: SparkPost
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version
Plugin: Woocommerce Email Report
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EZP Maintenance Mode
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Redirect After Login
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stock Sync for WooCommerce
Vulnerability: Reflected Cross-Site Scripting via page parameter
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Stock Exporter for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: YARPP – Yet Another Related Posts Plugin
Vulnerability: Unspecified (the vulnerability type is not given in the source listing; affects versions <= 5.30.2)
Patched Version: 5.30.3
Recommended Action: Update to version 5.30.3, or a newer patched version
Plugin: File Gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via file_gallery_shortcode
Patched Version: 1.8.5.4
Recommended Action: Update to version 1.8.5.4, or a newer patched version
Plugin: SiteAlert – Uptime, Speed, and Security Monitoring for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Query Wrangler
Vulnerability: Reflected Cross-Site Scripting via page parameter
Patched Version: 1.5.52
Recommended Action: Update to version 1.5.52, or a newer patched version
Plugin: wordpress vertical image slider plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version
Plugin: Gps Plotter
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Form Block
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: RapidExpCart
Vulnerability: Authenticated (Level 8/Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: I Recommend This
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.9.0
Recommended Action: Update to version 3.9.0, or a newer patched version
Plugin: WP-dTree
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Display custom fields in the frontend – Post and User Profile Fields
Vulnerability: Missing Authorization via vg_display_data shortcode
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: FormCraft – Form Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via fcb shortcode
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Reflected Cross-Site Scripting via ‘title’
Patched Version: 3.6.22
Recommended Action: Update to version 3.6.22, or a newer patched version
Plugin: Autoptimize
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Critical CSS Rules
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version
Plugin: Custom 404 Pro
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.7.3
Recommended Action: Update to version 3.7.3, or a newer patched version
Plugin: Decon WP SMS
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ebook Store
Vulnerability: Missing Authorization via ebook_store_export_orders
Patched Version: 5.78
Recommended Action: Update to version 5.78, or a newer patched version
Plugin: Stream
Vulnerability: Missing Authorization via load_alerts_settings
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version
Plugin: Continuous announcement scroller
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Tooltips
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Customizer Export/Import
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 0.9.6
Recommended Action: Update to version 0.9.6, or a newer patched version
Plugin: Recipe Cards For Your Food Blog from Zip Recipes
Vulnerability: Reflected Cross-Site Scripting via ‘s’ parameter
Patched Version: 8.0.7
Recommended Action: Update to version 8.0.7, or a newer patched version
Plugin: Cab Grid
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Advanced Category Template
Vulnerability: Stored Cross-Site Scripting via Cross-Site Request Forgery in _form.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Share Buttons Adder
Vulnerability: Cross-Site Request Forgery
Patched Version: 8.4.7
Recommended Action: Update to version 8.4.7, or a newer patched version
Plugin: Image Optimizer by 10web – Image Optimizer and Compression plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.27
Recommended Action: Update to version 1.0.27, or a newer patched version
Plugin: Tippy
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via tippy shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Property Hive
Vulnerability: Reflected Cross-Site Scripting via date_post_id
Patched Version: 1.5.49
Recommended Action: Update to version 1.5.49, or a newer patched version
Plugin: Custom 404 Pro
Vulnerability: Unauthenticated SQL Injection via ‘s’
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version
Plugin: BizLibrary
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Push Notifications for WordPress by PushAssist
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Ad Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Visitor Statistics (Real Time Traffic)
Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.9
Recommended Action: Update to version 6.9, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: Unauthenticated Arbitrary File Upload to Remote Code Execution
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: eRocket
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Ninja Tables – Easy Data Table Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 4.3.5
Recommended Action: Update to version 4.3.5, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version
Plugin: WP Responsive Tabs horizontal vertical and accordion Tabs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.