Watch Out Wednesday – December 18, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Comfino Payment Gateway

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.18
Recommended Action: Update to version 3.8.18, or a newer patched version

Plugin: WooCommerce – PDF Vouchers

Vulnerability: Authentication Bypass
Patched Version: 4.9.9
Recommended Action: Update to version 4.9.9, or a newer patched version

Plugin: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: Unlimited Elements For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.127
Recommended Action: Update to version 1.5.127, or a newer patched version

Plugin: Posti Shipping

Vulnerability: Full Path Disclosure
Patched Version: 3.10.3
Recommended Action: Update to version 3.10.3, or a newer patched version

Plugin: Go Animate

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SIP Calculator

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Email Log – PostBox

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Log Export
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: EELV Newsletter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Metrika

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPC Shop as a Customer for WooCommerce

Vulnerability: Authentication Bypass Due to Insufficiently Unique Key
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Pie Register Premium

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.8.3.3
Recommended Action: Update to version 3.8.3.3, or a newer patched version

Plugin: Horizontal scroll image slideshow

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Collapsing Categories

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: WPC Order Notes for WooCommerce

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Greenshift – animation and page builder blocks

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 9.9.9.4
Recommended Action: Update to version 9.9.9.4, or a newer patched version

Plugin: Blizzard Quotes

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: kvCORE IDX

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple File List

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.1.13
Recommended Action: Update to version 6.1.13, or a newer patched version

Plugin: bodi0`s Easy cache

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.9
Recommended Action: Update to version 0.9, or a newer patched version

Plugin: Nias course | دوره ساز نیاس

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FloristPress – Customize your Woo store for your Florist

Vulnerability: Missing Authorization to Sensitive Data Exposure
Patched Version: 7.4.0
Recommended Action: Update to version 7.4.0, or a newer patched version

Plugin: Order Delivery & Pickup Location Date Time ( Free Version )

Vulnerability: Missing Authorization to Unauthenticated Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Library Management System – Manage e-Digital Books Library

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 3DPrint Lite

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: WPCargo Track & Trace

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ECT Social Share

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Philantro – Donations and Donor Management

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version

Plugin: Sticky Social Icons

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: glomex oEmbed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ARforms

Vulnerability: Directory Traversal to Authenticated (Subscriber+) Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Members – Membership & User Role Editor Plugin

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version

Plugin: FAQ And Answers – Create Frequently Asked Questions Area on WP Sites

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 6.14.1
Recommended Action: Update to version 6.14.1, or a newer patched version

Plugin: WP GeoNames

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: ForumWP – Forum & Discussion Board

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Ajax Search Lite – Live Search & Filter

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.12.4
Recommended Action: Update to version 4.12.4, or a newer patched version

Plugin: Perfect Font Awesome Integration

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Increase Sociability

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tour Master – Tour Booking, Travel, Hotel

Vulnerability: Tour Booking, Travel, Hotel < 5.3.4
Patched Version: 5.3.4
Recommended Action: Update to version 5.3.4, or a newer patched version

Plugin: 360 Javascript Viewer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.30
Recommended Action: Update to version 1.7.30, or a newer patched version

Plugin: Namaste! LMS

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Biagiotti Membership

Vulnerability: Authentication Bypass via biagiotti_membership_check_facebook_user
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: All in One Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GeoFlickr

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Prodigy Commerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: Posti Shipping

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.10.4
Recommended Action: Update to version 3.10.4, or a newer patched version

Plugin: Quran Phrases About Most People Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Posts Date Ranges

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FloristPress – Customize your Woo store for your Florist

Vulnerability: Missing Authorization to Arbitrary Content Deletion
Patched Version: 7.4.0
Recommended Action: Update to version 7.4.0, or a newer patched version

Plugin: Advanced Custom Fields Pro

Vulnerability: Missing Authorization
Patched Version: 6.3.2
Recommended Action: Update to version 6.3.2, or a newer patched version

Plugin: My IDX Home Search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Notibar – Notification Bar for WordPress

Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution via njt_nofi_text
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: Dr Affiliate

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quietly Insights

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.5.3
Recommended Action: Update to version 2.8.5.3, or a newer patched version

Plugin: Portfolio – Filterable Masonry Portfolio Gallery for Professionals

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Memberful – Membership Plugin

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 1.74.0
Recommended Action: Update to version 1.74.0, or a newer patched version

Plugin: SeedProd Pro

Vulnerability: Authenticated (Editor+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Animation Addons for Elementor

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Content Slider and Tabs Widget Elementor Template
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Smart Agenda – Prise de rendez-vous en ligne

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version

Plugin: Gutensee

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All Bootstrap Blocks

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.3.20
Recommended Action: Update to version 1.3.20, or a newer patched version

Plugin: Jet Footer Code

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Carousel Slider & Grid Ultimate for WooCommerce

Vulnerability: Authenticated (Contributor+) Local File Inclusion via ‘theme’
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version

Plugin: Custom Skins Contact Form 7

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Update and Skin Creation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Flaming Forms

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TagGator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wp NssUser Register

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Primary Addon for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Calculated Fields Form

Vulnerability: Denial of Service
Patched Version: 5.2.64
Recommended Action: Update to version 5.2.64, or a newer patched version

Plugin: System Dashboard

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.8.15
Recommended Action: Update to version 2.8.15, or a newer patched version

Plugin: CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online

Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Addon for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: SQL Chart Builder

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: adBuddy+ (AdBlocker Detection) by NetfunkDesign

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wot Elementor Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paloma Widget

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: jQuery Manager for WordPress

Vulnerability: Running Vulnerable Dependency
Patched Version: 1.10.5
Recommended Action: Update to version 1.10.5, or a newer patched version

Plugin: Companion Portfolio – Responsive Portfolio Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Minimum and Maximum Quantity for WooCommerce

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NewsmanApp

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version

Plugin: Spreadr Woocommerce Plugin – Amazon Importer for Dropshipping and Affiliate

Vulnerability: Missing Authorization
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Youtube Video Grid | Youmax

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Utech World Time

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Service

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HostFact bestelformulier integratie

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Library Bookshelves

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: Block Controller

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ONLYOFFICE DocSpace

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Grid Plus – Unlimited grid layout

Vulnerability: Unauthenticated Arbitrary Shortcode Execution via grid_plus_load_by_category
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Payment

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: Post to Pdf

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: ScanCircle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version

Plugin: Product Designer

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.0.37
Recommended Action: Update to version 1.0.37, or a newer patched version

Plugin: Tabs Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Themify Store Locator

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: WPBookit

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AIKCT Engine Chatbot, ChatGPT, Gemini, GPT-4o Best AI Chatbot

Vulnerability: Cross-Site Request Forgery via update_integration_option
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Tutor LMS Elementor Addons

Vulnerability: Missing Authorization
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: Alphabetical List

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ListApp Mobile Manager

Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CM Table Of Contents – WordPress TOC Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Arabic Webfonts

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CRUDLab Google Plus Button

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification and SQL Injection
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: LeaderBoard Plugin

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stop Registration Spam

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.24
Recommended Action: Update to version 1.24, or a newer patched version

Plugin: Tickera – WordPress Event Ticketing

Vulnerability: Unauthenticated Customer Data Exposure
Patched Version: 3.5.4.9
Recommended Action: Update to version 3.5.4.9, or a newer patched version

Plugin: IMS Countdown

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HQ Rental Software

Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add infos to The Events Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Uix Shortcodes

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Tabs Shortcode

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Insertify – Ad,HTML,CSS,JS,PHP,PDF,Header & Footer

Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mollie for Contact Form 7

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress

Vulnerability: Insecure Direct Object Reference
Patched Version: 20.8.1
Recommended Action: Update to version 20.8.1, or a newer patched version

Plugin: Gutenium Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: jLayer Parallax Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: SMS for WooCommerce

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 2.8.1.1
Recommended Action: Update to version 2.8.1.1, or a newer patched version

Plugin: Nabz Image Gallery

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ni WooCommerce Order Export

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Google Maps | by imbaa

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: WP Cookies Enabler

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce Product Design

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-HideThat

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Locator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: WP Datepicker

Vulnerability: Missing Authorization
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Products Stock Manager with Excel for WooCommerce Inventory

Vulnerability: XXE Injection
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Bet sport Free

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add image to Post

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stripe Donation

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Cross-Site Request Forgery via pagelayer_load_plugin
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: WP Pipes

Vulnerability: Reflected Cross-Site Scripting via x1 Parameter
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: WPMobile.App — Android and iOS Mobile Application

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 11.53
Recommended Action: Update to version 11.53, or a newer patched version

Plugin: TCBD Popover

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SVG Shortcode

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jobs for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: Ultimate Coming Soon & Maintenance

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Template Name Update
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: jwp-a11y

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Geoportail Shortcode

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TS Poll – Survey, Versus Poll, Image Poll, Video Poll

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: AIO Contact

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bukza

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Kredeum NFTs, the easiest way to sell your NFTs directly on your WordPress site

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spreadr Woocommerce Plugin – Amazon Importer for Dropshipping and Affiliate

Vulnerability: Missing Authorization to Arbitrary Content Deletion
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Futurio Extra

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via header_size tag
Patched Version: 2.0.15
Recommended Action: Update to version 2.0.15, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.54
Recommended Action: Update to version 3.2.54, or a newer patched version

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Missing Authorization to Limited Privilege Escalation
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure
Patched Version: 241216
Recommended Action: Update to version 241216, or a newer patched version

Plugin: Featured Posts Scroll

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Share Buttons – Social Media

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Form Subject
Patched Version: 5.2.7
Recommended Action: Update to version 5.2.7, or a newer patched version

Plugin: Hack-Info

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.18
Recommended Action: Update to version 3.18, or a newer patched version

Plugin: Newsletter, Email Marketing, Email Subscriber – Mail Picker

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.0.15
Recommended Action: Update to version 1.0.15, or a newer patched version

Plugin: SOPA Blackout

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Zita Site Builder – Elementor, WordPress & Gutenberg Website Builder

Vulnerability: Missing Authorization to Arbitrary Plugin Installation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mark New Posts

Vulnerability: Missing Authorization via save_options
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: Disable Admin Notices individually

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Fiddle

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UNIVERSAM

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.59
Recommended Action: Update to version 8.59, or a newer patched version

Plugin: Simple Side Tab

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: PowerFormBuilder – Contact Form Database Manager for WordPress

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version

Plugin: AR for WooCommerce

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version

Plugin: Schema App Structured Data

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Comments On Feed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visualmodo Elements

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Catch Popup

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wp Login with Ajax

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Post Carousel & Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Authenticated (Admin+) SQL Injection via wpjobportal_deactivate()
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Snippet Shortcodes

Vulnerability: Authenticated (Subscriber+) Shortcode Deletion
Patched Version: 4.1.7
Recommended Action: Update to version 4.1.7, or a newer patched version

Plugin: WP Admin UI Customize

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.14
Recommended Action: Update to version 1.5.14, or a newer patched version

Plugin: Currency Converter Widget ⚡ PRO

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Advanced Element Bucket Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Country Blocker

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Revy

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Authenticated (Admin+) SQL Injection via getFieldsForVisibleCombobox()
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: PowerPack Lite for Beaver Builder

Vulnerability: Reflected Cross-Site Scripting via Navigate Parameter
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: 活动链接推广插件

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: TSB Occasion Editor

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: vBSSO-lite

Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce Blocks – Woolook

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smaily for WP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Filestack Official

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Asset CleanUp: Page Speed Booster

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 1.3.9.9
Recommended Action: Update to version 1.3.9.9, or a newer patched version

Plugin: LionScripts: Site Maintenance & Noindex Nofollow Plugin

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tithe.ly Giving Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DX Dark Site

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: XPD Reduce Image Filesize

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ECT Product Carousel

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Maspik – Advanced Spam Protection

Vulnerability: Cross-Site Request Forgery to Plugin Settings Change
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: WP Travel – Ultimate Travel Booking System, Tour Management Engine

Vulnerability: Missing Authorization
Patched Version: 9.7.0
Recommended Action: Update to version 9.7.0, or a newer patched version

Plugin: Audio Record

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.20.3
Recommended Action: Update to version 1.20.3, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.10.3
Recommended Action: Update to version 5.10.3, or a newer patched version

Plugin: Opt-In Downloads

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gutenberg Blocks and Page Layouts – Attire Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP微信机器人

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPCasa

Vulnerability: Insecure Direct Object Reference
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Feedpress Generator – External RSS Frontend Customizer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcodes for Elementor

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: WordPress Filter

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.3.5
Recommended Action: Update to version 4.3.5, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 8.7.9
Recommended Action: Update to version 8.7.9, or a newer patched version

Plugin: WP Mailster

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.18.0
Recommended Action: Update to version 1.8.18.0, or a newer patched version

Plugin: DS.DownloadList

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart Marketing SMS and Newsletters Forms

Vulnerability: Missing Authorization
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Surbma | SalesAutopilot Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kundgenerator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Invoice Payment for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Templately – Elementor & Gutenberg Template Library: 5000+ Free & Pro Ready Templates & Cloud!

Vulnerability: Missing Authorization
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Revive Adserver

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Blog Post Block

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Top and footer bars for announcements, notifications, advertisements, promotions – YooBar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advance Menu Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: Taeggie Feed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.1.10
Recommended Action: Update to version 0.1.10, or a newer patched version

Plugin: Coupon Affiliates – Affiliate Plugin for WooCommerce

Vulnerability: Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting
Patched Version: 5.16.7.2
Recommended Action: Update to version 5.16.7.2, or a newer patched version

Plugin: Leader

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Job Board Manager

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Plezi

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Revy

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ABCBiz Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.2.7.2
Recommended Action: Update to version 4.2.7.2, or a newer patched version

Plugin: WP Mailster

Vulnerability: Missing Authorization
Patched Version: 1.8.17.0
Recommended Action: Update to version 1.8.17.0, or a newer patched version

Plugin: Connexion Logs

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Frontend Admin by DynamiApps

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.25.1
Recommended Action: Update to version 3.25.1, or a newer patched version

Plugin: System Dashboard

Vulnerability: Authenticated (Admin+) Arbitrary File Read
Patched Version: 2.8.15
Recommended Action: Update to version 2.8.15, or a newer patched version

Plugin: eTemplates

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Arena.IM – Live Blogging for real-time events

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: New User Approve

Vulnerability: Missing Authorization
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: WordPress Auction Plugin

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Data Table For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Mega Menu

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Analytics Cat – Google Analytics Made Easy

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: WordPress Portfolio Plugin – A Plugin for Making Filterable Portfolio Grid, Portfolio Slider and more

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: ArCa Payment Gateway

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: User Role Editor

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 4.64.4
Recommended Action: Update to version 4.64.4, or a newer patched version

Plugin: Gaxx Keywords

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘Cookie Consent’
Patched Version: 5.10.3
Recommended Action: Update to version 5.10.3, or a newer patched version

Plugin: Arena.IM – Live Blogging for real-time events

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via arena_embed_amp Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bold Page Builder

Vulnerability: Authenticated (Editor+) Path Traversal
Patched Version: 5.1.6
Recommended Action: Update to version 5.1.6, or a newer patched version

Plugin: Gou Manage My Account Menu – User Roles

Vulnerability: Missing Authorization
Patched Version: 1.0.1.9
Recommended Action: Update to version 1.0.1.9, or a newer patched version

Plugin: Post Hits Counter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Restaurant & Cafe Addon for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Beautiful taxonomy filters

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary User Meta Update
Patched Version: 3.2.22
Recommended Action: Update to version 3.2.22, or a newer patched version

Plugin: Hurrakify

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 8.0.1
Recommended Action: Update to version 8.0.1, or a newer patched version

Plugin: Slope Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.2.13
Recommended Action: Update to version 4.2.13, or a newer patched version

Plugin: Bootstrap Buttons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin Customization

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.4.4
Recommended Action: Update to version 2.8.4.4, or a newer patched version

Plugin: Radius Blocks – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multiple Admin Emails

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Super Backup & Clone – Migrate for WordPress

Vulnerability: Not stated in this listing (affects versions <= 2.3.3)
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: FormFacade – WordPress plugin for Google Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Name not recoverable from the source (a Subversion repository banner appears where the plugin name should be)

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appsplate

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CK and SyntaxHighlighter

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Message Filter for Contact Form 7

Vulnerability: Missing Authorization to Authenticated (Subscriber+) New Filter Creation
Patched Version: 1.6.3.1
Recommended Action: Update to version 1.6.3.1, or a newer patched version

Plugin: Woocommerce Product Design

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease!

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.4.2
Recommended Action: Update to version 3.0.4.2, or a newer patched version

Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms

Vulnerability: HTML Injection
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Print Science Designer

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.3.153
Recommended Action: Update to version 1.3.153, or a newer patched version

Plugin: Minify HTML

Vulnerability: Regular Expression Denial of Service (ReDoS)
Patched Version: 2.1.11
Recommended Action: Update to version 2.1.11, or a newer patched version

Plugin: User Toolkit

Vulnerability: Authenticated (Subscriber+) Authentication Bypass
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: CRM WordPress Plugin – RepairBuddy

Vulnerability: Missing Authorization to Account Takeover/Privilege Escalation
Patched Version: 3.8122
Recommended Action: Update to version 3.8122, or a newer patched version

Plugin: Cognito Forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Smoove connector for Elementor forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Display Future Posts

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Persian WooCommerce SMS (افزونه پیامک ووکامرس, "WooCommerce SMS plugin")

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.0.6
Recommended Action: Update to version 7.0.6, or a newer patched version

Plugin: WooCommerce Cart Count Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: News Ticker for Elementor

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ForumWP – Forum & Discussion Board

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: LaunchPage.app Importer

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booking System Trafft

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Hello In All Languages

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Notibar – Notification Bar for WordPress

Vulnerability: Missing Authorization via ajax_install_plugin
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: phZoom Plugin for WordPress

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Firebase OTP Authentication

Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AutoWP – AI Content Writer & Rewriter

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: FloristPress – Customize your Woo store for your Florist

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version

Plugin: WordPress Page Builder – Zion Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Like in Vk.com

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better WP Login Page

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Connatix Video Embed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Vimeography: Vimeo Video Gallery WordPress Plugin

Vulnerability: Sensitive Information Exposure
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: WP Flipkart Importer

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accept Stripe Payments Using Contact Form 7

Vulnerability: Unauthenticated Information Exposure
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Authors List

Vulnerability: Unauthenticated Arbitrary Shortcode Execution via update_authors_list_ajax
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: AR for WordPress

Vulnerability: Missing Authorization to Unauthenticated Limited File Upload
Patched Version: 7.4
Recommended Action: Update to version 7.4, or a newer patched version

Plugin: Staggs – Product Configurator Toolkit

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Wr Age Verification

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GEO my WP

Vulnerability: Missing Authorization via get_field_options_ajax
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version

Plugin: Planaday API

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.5
Recommended Action: Update to version 11.5, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via “Labels”
Patched Version: 4.15.15
Recommended Action: Update to version 4.15.15, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 6.5.2
Recommended Action: Update to version 6.5.2, or a newer patched version

Plugin: MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites

Vulnerability: Missing Authorization to Unauthenticated Privilege Escalation
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version

Plugin: LDD Directory Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Booking – Widget

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Church Admin

Vulnerability: Missing Authorization
Patched Version: 5.0.9
Recommended Action: Update to version 5.0.9, or a newer patched version

Plugin: WP GeoNames

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Media Downloader

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.4.7.5
Recommended Action: Update to version 0.4.7.5, or a newer patched version

Plugin: Social Media Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: WP Crowdfunding

Vulnerability: Missing Authorization to Authenticated (Subscriber+) WooCommerce Installation
Patched Version: 2.1.13
Recommended Action: Update to version 2.1.13, or a newer patched version

Plugin: Responsive Filterable Portfolio

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Integrate Firebase

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.10.0
Recommended Action: Update to version 0.10.0, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.1.16
Recommended Action: Update to version 4.1.16, or a newer patched version

Plugin: XML Multilanguage Sitemap Generator

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Themesflat Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: J&T Express Malaysia

Vulnerability: Reflected Cross-Site Scripting (the affected parameter is not named in this listing)
Patched Version: 2.0.15
Recommended Action: Update to version 2.0.15, or a newer patched version

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Password for WP

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FileBird – WordPress Media Library Folders & File Manager

Vulnerability: Missing Authorization
Patched Version: 6.3.4
Recommended Action: Update to version 6.3.4, or a newer patched version

Plugin: Navayan CSV Export

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Mailster

Vulnerability: Authenticated (Contributor+) SQL Injection via orderby
Patched Version: 1.8.17.0
Recommended Action: Update to version 1.8.17.0, or a newer patched version

Plugin: Video & Photo Gallery for Ultimate Member

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: WordPress Auction Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Taskbuilder – WordPress Project & Task Management plugin

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Lifetime free Drag & Drop Contact Form Builder for WordPress VForm

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Login Widget With Shortcode

Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Country Blocker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Real WP Shop Lite Ajax eCommerce Shopping Cart

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Ticket Category and Ticket Type Name
Patched Version: 4.0.6.0
Recommended Action: Update to version 4.0.6.0, or a newer patched version

Plugin: Agency Toolkit

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Options Update
Patched Version: 1.0.24
Recommended Action: Update to version 1.0.24, or a newer patched version

Plugin: I Plant A Tree

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: CRM Perks – WordPress HelpDesk Integration – Zendesk, Freshdesk, HelpScout

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Mandrill WP – Email Form Under Post

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ElementsReady Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.4.8
Recommended Action: Update to version 6.4.8, or a newer patched version

Plugin: Termin-Kalender

Vulnerability: Missing Authorization to Authenticated (Subscriber+)
Patched Version: 1.00.04
Recommended Action: Update to version 1.00.04, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Missing Authorization
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Ultimate Coming Soon & Maintenance

Vulnerability: Missing Authorization to Unauthenticated Template Activation
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via “Product Files”
Patched Version: 4.15.15
Recommended Action: Update to version 4.15.15, or a newer patched version

Plugin: Amazon Product Price

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Posts and Products Views for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: de:branding

Vulnerability: Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Ad Guru – Banner ad, Responsive popup, Popup maker, Ad rotator & More

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Presenter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Z-Downloads

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.11.8
Recommended Action: Update to version 1.11.8, or a newer patched version

Plugin: WordPress Post Grid Layouts with Pagination – Sogrid

Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: MDC Comment Toolbar

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Primer MyData for Woocommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version

Plugin: Banner System

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Push Monkey Pro – Web Push Notifications and WooCommerce Abandoned Cart

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Currency Exchange Rates

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Poll, Poll Forms – WordPress Poll plugin by Poll Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Authenticated (Subscriber+) HTML File Upload (Stored Cross-Site Scripting)
Patched Version: 4.16.5
Recommended Action: Update to version 4.16.5, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.16
Recommended Action: Update to version 4.1.16, or a newer patched version

Plugin: Animated Counters

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart PopUp Blaster

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sign In With Google

Vulnerability: Authentication Bypass in authenticate_user
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FAT Services Booking

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Ban-User

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SeedProd Pro

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Additional Fees On Checkout (Free)

Vulnerability: Reflected Cross-Site Scripting via 'number'
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: ElementsReady Addons for Elementor

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: 6.4.9
Recommended Action: Update to version 6.4.9, or a newer patched version

Plugin: WP Crowdfunding

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.13
Recommended Action: Update to version 2.1.13, or a newer patched version

Plugin: WP Controller

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.8.31
Recommended Action: Update to version 1.8.31, or a newer patched version

Plugin: Falcon – WordPress Optimizations & Tweaks

Vulnerability: Missing Authorization
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: Awesome Shortcodes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Book Plugin for Displaying Books in Grid, Flip, Slider, Popup Layout and more

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Advanced Fancybox

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Missing Authorization
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version

Plugin: Wp-ImageZoom

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress HelpDesk & Support Ticket System Plugin – Octrace Support

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Charity Addon for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Video & Photo Gallery for Ultimate Member

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Simple Link Directory

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 8.4.1
Recommended Action: Update to version 8.4.1, or a newer patched version

Plugin: Video Share VOD – Turnkey Video Site Builder Script

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.31
Recommended Action: Update to version 2.6.31, or a newer patched version

Plugin: FAT Services Booking

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fancy Roller Scroller

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Wovax IDX

Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Floating Video Player

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Payment Gateway Per Product for WooCommerce

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ui Slider Filter By Price

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hash Form – Drag & Drop Form Builder

Vulnerability: Missing Authorization to Authenticated (Contributor+) Form Style Creation
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Planning Center Online Giving

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mimoos

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Seraphinite Bulk Discounts for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: PixProof – Easy Photo Proofing for Photographers

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: States Map US

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Full Screen (Page) Background Image Slideshow

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: dejure.org Vernetzungsfunktion

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.98.0
Recommended Action: Update to version 1.98.0, or a newer patched version

Plugin: Learning Management System, eLearning, Course Builder, WordPress LMS Plugin – Sikshya LMS

Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched Version: 0.0.22
Recommended Action: Update to version 0.0.22, or a newer patched version

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Authenticated (Project Manager+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Countdown and CountUp, WooCommerce Sales Timer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Minterpress

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TPG Get Posts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SV100 Companion

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Revi.io – Customer & Products Reviews

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version

Plugin: Get Post Content Shortcode

Vulnerability: Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via post_content Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LabelGrid Tools

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.59
Recommended Action: Update to version 1.3.59, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Form Calculations
Patched Version: 3.8.20
Recommended Action: Update to version 3.8.20, or a newer patched version

Plugin: Web3 Crypto Payments by DePay for WooCommerce

Vulnerability: Missing Authorization to Information Exposure
Patched Version: 2.12.18
Recommended Action: Update to version 2.12.18, or a newer patched version

Plugin: Axeptio – Cookie Banner – GDPR Consent & Compliance with a friendly touch

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Post Grid Layouts with Pagination – Sogrid

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: Hello Event Widgets For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: PowerBI Embed Reports

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Out of the Block: OpenStreetMap

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ootb_query Shortcode
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Category of Posts

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contests by Rewards Fuel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.66
Recommended Action: Update to version 2.0.66, or a newer patched version

Plugin: addWeather

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GeoDataSource Country Region DropDown

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Marketing Automation by AZEXO

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rate My Post – Star Rating Plugin by FeedbackWP

Vulnerability: Unauthenticated Voting On Scheduled Posts
Patched Version: 4.2.5
Recommended Action: Update to version 4.2.5, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.2.1
Recommended Action: Update to version 5.2.1, or a newer patched version

Plugin: Onlywire Multi Autosubmitter

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AppMaps

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Koalendar – Events & Appointments Booking Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via height Parameter
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: RSS Feed Widget

Vulnerability: Reflected Cross-Site Scripting via $_SERVER['REQUEST_URI']
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: ForumWP – Forum & Discussion Board

Vulnerability: Reflected Cross-Site Scripting via url Parameter
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: FULL – Cliente

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.1.26
Recommended Action: Update to version 3.1.26, or a newer patched version

Plugin: RRAddons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ElementInvader Addons for Elementor

Vulnerability: Missing Authorization to Arbitrary Options Read
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: KH Easy User Settings

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Permalinker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: My IDX Home Search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Saksh Escrow System

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SeedProd Pro

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: 3.3.4
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: AI Content Writer, RSS Feed to Post, Autoblogging SEO Help

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.1.4
Recommended Action: Update to version 6.1.4, or a newer patched version

Plugin: ARforms

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Flash News / Post (Responsive)

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI-powered Booking System for Event Scheduling & Appointment Booking – WP Timetics

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary User Deletion
Patched Version: 1.0.28
Recommended Action: Update to version 1.0.28, or a newer patched version

Plugin: MyParcel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.24.2
Recommended Action: Update to version 4.24.2, or a newer patched version

Plugin: Logo Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.5.0
Recommended Action: Update to version 4.5.0, or a newer patched version

Plugin: jCarousel for WordPress

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wr Age Verification

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Evernote Sync

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Caldera SMTP Mailer

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Custom Fields Pro

Vulnerability: Missing Authorization
Patched Version: 6.3.2
Recommended Action: Update to version 6.3.2, or a newer patched version

Plugin: Projectopia – WordPress Project Management

Vulnerability: Missing Authorization to Privilege Escalation via pto_reset_password()
Patched Version: 5.1.8
Recommended Action: Update to version 5.1.8, or a newer patched version

Plugin: PPWP – Password Protect Pages

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version

Plugin: Cricket Live Score

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-NERD Toolkit

Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RSS Feed Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: BP Email Assign Templates

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Easy Site Importer

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SMSify

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.1.0
Recommended Action: Update to version 6.1.0, or a newer patched version

Plugin: Last Viewed Posts by WPBeginner

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: GitSync

Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Themify Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.6.6
Recommended Action: Update to version 7.6.6, or a newer patched version

Plugin: Buk for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CE21 Suite

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Child Theme Creator by Orbisius

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Cloud Snippet Update/Delete
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: AIcomments – комментарии и отзывы ChatGPT

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Cryptocurrency Price Widget

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Social Media Sharing

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Car Dealer (Dealership) and Vehicle sales

Vulnerability: Missing Authorization
Patched Version: 4.48
Recommended Action: Update to version 4.48, or a newer patched version

Plugin: OAuth Single Sign On – SSO (OAuth Client)

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: IDer Login for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Restrict – membership, site, content and user access restrictions for WordPress

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.00
Recommended Action: Update to version 3.3.00, or a newer patched version

Plugin: News Kit Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CarDealerPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.7.2411.00
Recommended Action: Update to version 6.7.2411.00, or a newer patched version

Plugin: Captivate Sync

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.0.26
Recommended Action: Update to version 2.0.26, or a newer patched version

Plugin: Web Stories

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.38.0
Recommended Action: Update to version 1.38.0, or a newer patched version

Plugin: Simple User Registration

Vulnerability: Missing Authorization to User Deletion
Patched Version: 6.0
Recommended Action: Update to version 6.0, or a newer patched version

Plugin: YDS Support Ticket System

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 畅言评论系统

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Code Generator Pro

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CSV to html

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 2.13.5
Recommended Action: Update to version 2.13.5, or a newer patched version

Plugin: Eveeno

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version

Plugin: WP Mailster

Vulnerability: Unauthenticated Information Exposure
Patched Version: 1.8.17.0
Recommended Action: Update to version 1.8.17.0, or a newer patched version

Plugin: Movie Database

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Crafthemes Demo Import

Vulnerability: Authenticated (Admin+) Arbitrary File Upload in process_uploaded_files
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Mailster

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.17.0
Recommended Action: Update to version 1.8.17.0, or a newer patched version

Plugin: AIO Contact

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Waymark

Vulnerability: Reflected Cross-Site Scripting via ‘content’
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Bulk Change Role

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CleverNode Related Content

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Ksher

Vulnerability: Missing Authorization
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: GEO my WP

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: WP Simple Pay Lite Manager

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Whitelist Script
Patched Version: 3.6.6
Recommended Action: Update to version 3.6.6, or a newer patched version

Plugin: Frontend Admin by DynamiApps

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 3.25.1
Recommended Action: Update to version 3.25.1, or a newer patched version

Plugin: WP All Import Pro

Vulnerability: Authenticated (Administrator+) Server-Side Request Forgery via File Import
Patched Version: 4.9.4
Recommended Action: Update to version 4.9.4, or a newer patched version

Plugin: Website Toolbox Community

Vulnerability: Reflected Cross-Site Scripting via websitetoolbox_username
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: ImmoToolBox Connect

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Pie Register Premium

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 3.8.3.3
Recommended Action: Update to version 3.8.3.3, or a newer patched version

Plugin: WP BASE Booking of Appointments, Services and Events

Vulnerability: Reflected Cross-Site Scripting via status Parameter
Patched Version: 4.9.2
Recommended Action: Update to version 4.9.2, or a newer patched version

Plugin: ICDSoft Reseller Store

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Resume Download
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: WP Quick Shop

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Simple Page Access Restriction

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 1.0.30
Recommended Action: Update to version 1.0.30, or a newer patched version

Plugin: WooCommerce Basic Ordernumbers

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Connexion Logs

Vulnerability: Cross-Site Request Forgery to Log Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced What should we write next about

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ganohrs Toggle Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.2.5
Recommended Action: Update to version 0.2.5, or a newer patched version

Plugin: AI Post Generator | AutoWriter

Vulnerability: Missing Authorization to Authenticated (Contributor+) Post/Page Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Registrations for the Events Calendar – Event Registration Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.12.4
Recommended Action: Update to version 2.12.4, or a newer patched version

Plugin: EduAdmin Booking

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: Aphorismus

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Endpoints With Rest Api

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cryptocurrency Widgets For Elementor

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: WP Service Payment Form With Authorize.net

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 3D Avatar User Profile

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Property Hive Stamp Duty Calculator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.23
Recommended Action: Update to version 1.0.23, or a newer patched version

Plugin: Device Detector

Vulnerability: Reflected Cross-Site Scripting via id
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: Events Addon for Elementor

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Safe SVG

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.9.9.5.2
Recommended Action: Update to version 2.9.9.5.2, or a newer patched version

Plugin: Newspack

Vulnerability: Missing Authorization
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 10.6.5
Recommended Action: Update to version 10.6.5, or a newer patched version

Plugin: Import Eventbrite Events

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: Arena.IM – Live Blogging for real-time events

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wp photo text slider 50

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Logo Slider

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.5.0
Recommended Action: Update to version 4.5.0, or a newer patched version

Plugin: Essential Real Estate

Vulnerability: Missing Authorization to Authenticated (Contributor+) Information Exposure
Patched Version: 5.1.7
Recommended Action: Update to version 5.1.7, or a newer patched version

Plugin: Arkhe Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via block attributes
Patched Version: 2.27.1
Recommended Action: Update to version 2.27.1, or a newer patched version

Plugin: DTC Documents

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Check Pincode For Woocommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Newsletter Subscriptions

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Labels For Woocommerce (Sale Badges)

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Role Includer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NiceJob

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: Instant Appointment

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP donimedia carousel

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visual Recent Posts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
