Watch Out Wednesday – January 22, 2025

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Ni CRM Lead

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LH Email

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chess Tempo Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Widgetize Pages Light

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Top Flash Embed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gravity Forms

Vulnerability: Unauthenticated Stored Cross-Site Scripting via ‘alt’ parameter
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: Team 118GROUP Agent

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Content Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: QuoteMedia Tools

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Google Map Professional (Map In Your Language)

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Enquiry for WooCommerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: XML for Google Merchant Center

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.12
Recommended Action: Update to version 3.0.12, or a newer patched version

Plugin: WP-BibTeX

Vulnerability: Cross-Site Request Forgery to Stored and Reflected Cross-Site Scripting
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: root Cookie

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy EU Cookie law

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Survey Maker

Vulnerability: Missing Authorization
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress

Vulnerability: Missing Authorization
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Philantro – Donations and Donor Management

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version

Plugin: Standard Box Sizes – for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 1.6.14
Recommended Action: Update to version 1.6.14, or a newer patched version

Plugin: glomex oEmbed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.9.2
Recommended Action: Update to version 0.9.2, or a newer patched version

Plugin: Better Protected Pages

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google Org Chart

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Metaphor Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Picture Gallery – Frontend Image Uploads, AJAX Photo List

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.20
Recommended Action: Update to version 1.5.20, or a newer patched version

Plugin: WPBot Pro WordPress Chatbot

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 13.5.6
Recommended Action: Update to version 13.5.6, or a newer patched version

Plugin: Rio Photo Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GravatarLocalCache

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FAT Event Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Power: Complete AI Pack

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 1.8.97
Recommended Action: Update to version 1.8.97, or a newer patched version

Plugin: String locator

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: MeinTurnierplan.de Widget Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rezgo Online Booking

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Realty Workstation

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unique UX

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart Custom Fields

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PDF.js Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: user files

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Import Users to MailChimp

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery: Hybrid – Advanced Visual Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Marmoset Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.19.0
Recommended Action: Update to version 3.19.0, or a newer patched version

Plugin: Hack me if you can

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Custom Fields Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.3.2
Recommended Action: Update to version 6.3.2, or a newer patched version

Plugin: iSpring Embedder

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin Menu Organizer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Tokens Wallet

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.9.30
Recommended Action: Update to version 2.9.30, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: 2.3.3
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin

Vulnerability: 5.2.13
Patched Version: 5.2.14
Recommended Action: Update to version 5.2.14, or a newer patched version

Plugin: WooCommerce Order Search

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Property Hive

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: UpDownUpDown

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Options Update
Patched Version: 1.17.6
Recommended Action: Update to version 1.17.6, or a newer patched version

Plugin: Secure CAPTCHA

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add RSS

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online

Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GTPayment Donations

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Form Settings
Patched Version: 5.7.45
Recommended Action: Update to version 5.7.45, or a newer patched version

Plugin: pootle button

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mark Posts

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Payment Button for PayPal

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.3.36
Recommended Action: Update to version 1.2.3.36, or a newer patched version

Plugin: Bit.ly linker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: jQuery Manager for WordPress

Vulnerability: No subtitle
Patched Version: 1.10.5
Recommended Action: Update to version 1.10.5, or a newer patched version

Plugin: Altima Lookbook Free for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPBITS Addons For Elementor Page Builder

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Category D3 Tree

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hash Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Giveaways and Contests by PromoSimple

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Debt Calculator

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MHR-Custom-Anti-Copy

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcode in Comment

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Tynt

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Photo Sphere

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Distance Based Shipping Calculator

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auphonic Importer

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tock Widget

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: My auctions allegro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.19
Recommended Action: Update to version 3.6.19, or a newer patched version

Plugin: Rename Author Slug

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cf7Save Extension

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Nite Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SMSA Shipping (official)

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solidres – Hotel booking plugin for WordPress

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booking for Appointments and Events Calendar – Amelia Premium

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Eyewear prescription form

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Options Update
Patched Version: 4.0.19
Recommended Action: Update to version 4.0.19, or a newer patched version

Plugin: GMAPS for WPBakery Page Builder Free

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stop Registration Spam

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.24
Recommended Action: Update to version 1.24, or a newer patched version

Plugin: Tickera – WordPress Event Ticketing

Vulnerability: Unauthenticated Customer Data Exposure
Patched Version: 3.5.4.9
Recommended Action: Update to version 3.5.4.9, or a newer patched version

Plugin: EmailShroud

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Contact Forms by Cimatti

Vulnerability: Missing Authorization
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: LocalGrid

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LH Login Page

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FP RSS Category Excluder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI for SEO – Bulk Generate Metadata, Alt Text, Image Titles, Captions, Descriptions

Vulnerability: Missing Authorization
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version

Plugin: Slides & Presentations

Vulnerability: Missing Authorization to Content Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Opencart Product in WP

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Missing Authorization
Patched Version: 5.5.7
Recommended Action: Update to version 5.5.7, or a newer patched version

Plugin: Quick Count

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bible Embed

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: Unauthenticated File Export Download
Patched Version: 1.1.23
Recommended Action: Update to version 1.1.23, or a newer patched version

Plugin: TS Comfort DB

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Portfolio

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mindmeister Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Course Migration for LearnDash

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chatter

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Products Stock Manager with Excel for WooCommerce Inventory

Vulnerability: XXE Injection
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: WP-Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.22
Recommended Action: Update to version 3.2.22, or a newer patched version

Plugin: Podlove Podcast Publisher

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Feed Name
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: WP Responsive Tabs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: WPSyncSheets Lite For Elementor – Elementor Pro Form Google Spreadsheet Addon

Vulnerability: Running Vulnerable Dependencies
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: DF Draggable

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email on Publish

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP2LEADS | WordPress und KlickTipp einfach verbinden – WooCommerce und KlickTipp einfach verbinden

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: Torod – The smart shipping and delivery portal for e-shops and retailers

Vulnerability: Missing Authorization to Unauthenticated Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Menu Image

Vulnerability: Missing Authorization to Unauthenticated Menu Image Deletion
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Webcamconsult

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Real Seguro Viagem

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Responsive Gallery Album

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Send to Twitter

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Glofox Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Incredible Font Awesome

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SendGrid for WordPress

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sandbox

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MyBookTable Bookstore by Stormhill Media

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version

Plugin: LeadBoxer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Auction Plugin

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wp_amaps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Related Post Shortcode

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Preloader Quotes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multi Uploader for Gravity Forms

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Annie

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP FullCalendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ni WooCommerce Bulk Product Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hotspots Analytics

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Annie

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Gallery Box by CRUDLab

Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Horizontal Line Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Taskbuilder – WordPress Project & Task Management plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Distance Based Shipping Calculator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.22
Recommended Action: Update to version 2.0.22, or a newer patched version

Plugin: Customizable Captcha and Contact us

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Free MailClient FMC

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto FTP

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: quote-posttype-plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shiptimize for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GMap Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Coming Soon Landing Page and Maintenance Mode WordPress Plugin

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SSL Wireless SMS Notification

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Post & Page Notes

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Content Security Policy Pro

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CNZZ&51LA for WordPress

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer

Vulnerability: Unauthenticated Limited SQL Injection via ‘SuperSocializerKey’
Patched Version: 7.14.1
Recommended Action: Update to version 7.14.1, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Workflow Settings
Patched Version: 5.7.45
Recommended Action: Update to version 5.7.45, or a newer patched version

Plugin: Media Category Library

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Information Exposure
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: Menus Plus+

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Button Plus

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Modal Popup
Patched Version: 1.14
Recommended Action: Update to version 1.14, or a newer patched version

Plugin: My Tickets – Accessible Event Ticketing

Vulnerability: Missing Authorization
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version

Plugin: ShipWorks Connector for Woocommerce

Vulnerability: Cross-Site Request Forgery to Service Password/Username Update
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version

Plugin: MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Authenticated (Shop Manager+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Smallerik File Browser

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Wand – AI Writer, AI Content Generator & AI Assistant by ChatGPT, OpenAI | Generate SEO Friendly AI Blog Post & Article with 20X Speed

Vulnerability: Missing Authorization
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: TemplatesNext ToolKit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OrangeBox

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chamber Dashboard Business Directory

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.10
Recommended Action: Update to version 3.3.10, or a newer patched version

Plugin: Easy Shortcode Buttons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Post

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Daily Proverb

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CJ Custom Content

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Loginplus

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Links/Problem Reporter

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sandbox

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Sandbox Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Instant Appointment

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FireCask Like & Share Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: HTTP to HTTPS link changer by Eyga.net

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Power: Complete AI Pack

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 1.8.97
Recommended Action: Update to version 1.8.97, or a newer patched version

Plugin: Food Store – Online Food Delivery & Pickup

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: kk Star Ratings – Rate Post & Collect User Feedbacks

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 5.4.10.2
Recommended Action: Update to version 5.4.10.2, or a newer patched version

Plugin: WP Hotel Booking

Vulnerability: Missing Authorization
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: WP Lyrics

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Switcher

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Piotnet Addons For Elementor

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 2.4.33
Recommended Action: Update to version 2.4.33, or a newer patched version

Plugin: DD Roles

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Post Type Lockdown WordPress

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Limit Login Attempts (Spam Protection)

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.6
Recommended Action: Update to version 5.6, or a newer patched version

Plugin: MG Parallax Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Greek Namedays Widget From Eortologio.Net

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kopa Nictitate Toolkit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VikAppointments Services Booking Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version

Plugin: AI Power: Complete AI Pack

Vulnerability: Authenticated (Admin+) PHP Object Injection via wpaicg_export_prompts
Patched Version: 1.8.97
Recommended Action: Update to version 1.8.97, or a newer patched version

Plugin: Contact Form, Survey & Form Builder – MightyForms

Vulnerability: Missing Authorization
Patched Version: 1.3.10
Recommended Action: Update to version 1.3.10, or a newer patched version

Plugin: Post-to-Post Links

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LSD Google Maps Embedder

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy FAQs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ni WooCommerce Cost Of Goods

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JB Horizontal Scroller News Ticker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Themify Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.6
Recommended Action: Update to version 7.6.6, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 5.7.44
Recommended Action: Update to version 5.7.44, or a newer patched version

Plugin: Mass Custom Fields Manager

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Capture & Lead Generation

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page and Post Restriction

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Car Demon

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ajax WP Query Search Filter

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NebulaX Theme

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: Hunk Companion

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: WP VTiger Synchronization

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Custom Google Search

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Compare Ninja: Create Professional Comparison Tables and Easily Add Them to Your Website

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Copy Move Posts

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Meetup

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Auction Plugin

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Verge3D Publishing and E-Commerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.8.1
Recommended Action: Update to version 4.8.1, or a newer patched version

Plugin: Backlink Monitoring Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CubeWP Forms – All-in-One Form Builder

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jet Skinner for BuddyPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Magic Google Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chat Support for Viber – Chat Bubble and Chat Button for Gutenberg, Elementor and Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: Category Custom Fields

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.1.32
Recommended Action: Update to version 3.1.32, or a newer patched version

Plugin: WP Abstracts

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: WP Load Gallery

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Powie's pLinks PagePeeker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Radius Blocks – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Apply with LinkedIn buttons

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stars SMTP Mailer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Project Page/File Deletion
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: WP Inventory Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: Kapost

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PDF for WPForms + Drag and Drop Template Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via yeepdf_dotab Shortcode
Patched Version: 4.8.0
Recommended Action: Update to version 4.8.0, or a newer patched version

Plugin: MyAnime Widget

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-tagMaker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Code Snippets

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MemeOne

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Serious Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: LuckyWP Table of Contents

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Moving Users

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version

Plugin: Admin Cleanup

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Twigify

Vulnerability: Running Vulnerable Twig Package
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin and Customer Messages After Order for WooCommerce: OrderConvo

Vulnerability: Authenticated (Subscriber+) Limited File Upload to Cross-Site Scripting
Patched Version: 13.3
Recommended Action: Update to version 13.3, or a newer patched version

Plugin: WordPress File Search

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PayPal Marketing Solutions

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CSV to HTML

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 3.27
Recommended Action: Update to version 3.27, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.7.45
Recommended Action: Update to version 5.7.45, or a newer patched version

Plugin: Cookie Consent & Autoblock for GDPR/CCPA

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FontAwesome.io ShortCodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woo Tuner

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Yet Another Countdown Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Tweet Embed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DirectoryPress – Business Directory And Classified Ad Listing

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 3.6.20
Recommended Action: Update to version 3.6.20, or a newer patched version

Plugin: Web Testimonials

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Gallery Plugin

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO Bulk Editor

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MD Custom content after or before of post

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Transient Update
Patched Version: 1.17.6
Recommended Action: Update to version 1.17.6, or a newer patched version

Plugin: Captchelfie – Captcha by Selfie

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Passwords Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Add Password + Update Encryption Key
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: WordPress Data Guard [Website Security]

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Enhanced YouTube Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Build App Online

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Thim Elementor Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Table for WooCommerce by CodeAstrology (wooproducttable.com)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: QR Code Generator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: imaGenius

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Title
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Shockingly Big IE6 Warning

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Floatbox Plus

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Broken Link Checker

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: JSM Screenshot Machine Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: WPBot Pro WordPress Chatbot

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Simple Text Response Creation
Patched Version: 13.5.6
Recommended Action: Update to version 13.5.6, or a newer patched version

Plugin: WP Mailster

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.8.18.0
Recommended Action: Update to version 1.8.18.0, or a newer patched version

Plugin: LDD Directory Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 301 SEO REDIRECTION | COUNTRY BASED REDIRECTION [ REDIRECTION PLUS ]

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Events Calendar

Vulnerability: Missing Authorization to Unauthenticated Password Protected Event Disclosure
Patched Version: 6.8.2.1
Recommended Action: Update to version 6.8.2.1, or a newer patched version

Plugin: User Sync ActiveCampaign

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: More Link Modifier

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: My WP Customize Admin/Frontend

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.24.1
Recommended Action: Update to version 1.24.1, or a newer patched version

Plugin: Progress Tracker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: Rollover Tab

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Advanced Bulk Edit Products, Orders, Coupons, Any WordPress Post Type – Smart Manager

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 8.53.0
Recommended Action: Update to version 8.53.0, or a newer patched version

Plugin: EZPlayer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Strx Magic Floating Sidebar Maker

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Scroll Top Advanced – Scroll to ID or Class

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: bonjour-bar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.54
Recommended Action: Update to version 3.2.54, or a newer patched version

Plugin: Social Analytics

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unlimited Elements For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 1.5.136
Recommended Action: Update to version 1.5.136, or a newer patched version

Plugin: PixelYourSite – Your smart PIXEL (TAG) & API Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 10.0.2
Recommended Action: Update to version 10.0.2, or a newer patched version

Plugin: FAT Event Lite

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Aklamator INfeed

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Book a Place

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Text Block
Patched Version: 5.7.45
Recommended Action: Update to version 5.7.45, or a newer patched version

Plugin: Password for WP

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: WCS QR Code Generator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RSV GMaps

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stripe and PayPal Payment Forms for WordPress – PayForm

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BizLibrary

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form 7 Redirect & Thank You Page

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Translation.Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Twitter Shortcode

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form 7 Anti Spambot

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Explara Membership

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Picture Gallery – Frontend Image Uploads, AJAX Photo List

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via videowhisper_picture_upload_guest Shortcode
Patched Version: 1.5.23
Recommended Action: Update to version 1.5.23, or a newer patched version

Plugin: EditionGuard for WooCommerce – eBook Sales with DRM

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NV Slider

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Widget Classes

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comment-Emailer

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Find Your Reps

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ni CRM Lead

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pastebin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Revive Adserver

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: aDirectory – WordPress Directory Listing Plugin

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Universal Analytics Injector

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OZ Canonical

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dominion – Domain Checker for WPBakery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Genki Announcement

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Debug Tool

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Posts and Products Views for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Flexible PDF Coupons – Gift Cards & Vouchers for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.10.3
Recommended Action: Update to version 1.10.3, or a newer patched version

Plugin: Web Push

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Blogger Image Import

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post Deletion
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Mass Messaging in BuddyPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Board Election

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elite Notification – Sales Popup, Social Proof, FOMO & WooCommerce Notification

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Custom post type custom field

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Logging Service

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 8.7.16
Recommended Action: Update to version 8.7.16, or a newer patched version

Plugin: The Ultimate WordPress Toolkit – WP Extended

Vulnerability: Unauthenticated SQL Injection via Login Attempts Module
Patched Version: 3.0.13
Recommended Action: Update to version 3.0.13, or a newer patched version

Plugin: WP-Announcements

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bookalet

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Winning Portfolio

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Asgard Security Scanner

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Link Whisper Free

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FAQs

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Word Freshener

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery Images Ape

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.2.7.2
Recommended Action: Update to version 4.2.7.2, or a newer patched version

Plugin: Eventer – WordPress Event & Booking Manager Plugin

Vulnerability: Authenticated (Subscriber+) Arbitrary File Read
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version

Plugin: Marquee Style RSS News Ticker

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Not specified in this listing (affects version 14.0)
Patched Version: 14.1
Recommended Action: Update to version 14.1, or a newer patched version

Plugin: dForms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Call me Now

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Not specified in this listing (affects Backup/Restore functionality in versions <= 1.24.12)
Patched Version: 1.25.1
Recommended Action: Update to version 1.25.1, or a newer patched version

Plugin: eewee admin custom

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.15.31
Recommended Action: Update to version 1.15.31, or a newer patched version

Plugin: WP User Profile Avatar

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: PostLists

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Error Notification

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smoothness Slider Shortcode

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Opentracker Analytics

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MyBookProgress by Stormhill Media

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via book Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form 7 Round Robin Lead Distribution

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ViewMedica 9

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-BlackCheck

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Proofreading

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Typing Text

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Vertical Timeline

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Piotnet Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.32
Recommended Action: Update to version 2.4.32, or a newer patched version

Plugin: Cache Sniper for Nginx

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Multi Store Locator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Extra Options – Favicons

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SOCIAL.NINJA

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Weaver Themes Shortcode Compatibility

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Free Google Maps

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GDReseller

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Geotagged Media

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Power: Complete AI Pack

Vulnerability: Authenticated (Admin+) PHP Object Injection via wpaicg_export_ai_forms
Patched Version: 1.8.97
Recommended Action: Update to version 1.8.97, or a newer patched version

Plugin: Perfect Portal Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: Order Audit Log for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stackable – Page Builder Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.13.12
Recommended Action: Update to version 3.13.12, or a newer patched version

Plugin: Goldstar

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BU Section Editing

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UserHeat Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version

Plugin: Post Carousel Slider for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 8.0.7
Recommended Action: Update to version 8.0.7, or a newer patched version

Plugin: Easy Blocks pro

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: mybb Last Topics

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Checkout for PayPal

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.33
Recommended Action: Update to version 1.0.33, or a newer patched version

Plugin: Image Source Control Lite – Show Image Credits and Captions

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.28.1
Recommended Action: Update to version 2.28.1, or a newer patched version

Plugin: Advanced Options Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: “Visit Site” Link enhanced – WordPress PlugIn

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Source Control Lite – Show Image Credits and Captions

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.29.1
Recommended Action: Update to version 2.29.1, or a newer patched version

Plugin: WP Visitor Statistics (Real Time Traffic)

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Awesome Responsive Photo Gallery – Image & Video Lightbox Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: XLSXviewer

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stop Comment Spam

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.5.4
Recommended Action: Update to version 0.5.4, or a newer patched version

Plugin: Style Admin

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: add custom google tag manager

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Passwords Manager

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Simple:Press Forum

Vulnerability: Reflected Cross-Site Scripting via msearch
Patched Version: 6.10.11
Recommended Action: Update to version 6.10.11, or a newer patched version

Plugin: Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale)

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: 1003 Mortgage Application

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom CSS Addons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Engine

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Kubio AI Page Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Charity-thermometer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP krpano

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Enabled SVG

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Board Document Manager from CHUHPL

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RSS News Scroller

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Switcher

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slider for Writers

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sidebar-Content from Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: amr personalise

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Custom Sidebar

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Background animation blocks

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Len Slider

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MFPlugin

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.8.1
Recommended Action: Update to version 3.2.8.1, or a newer patched version

Plugin: WordPress Graphs & Charts – Easy Interactive HTML5 Charts Plugin

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Exhibit to WP Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AlT Report

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wp-greet

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version

Plugin: MACME

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MDC YouTube Downloader

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chamber Dashboard Business Directory

Vulnerability: Missing Authorization
Patched Version: 3.3.11
Recommended Action: Update to version 3.3.11, or a newer patched version

Plugin: Animator – Scroll Triggered Animations

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Twitter Post

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ad Blocking Detector

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Theme My Ontraport Smartform

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ResAds

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Service Payment Form With Authorize.net

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shabbos and Yom Tov

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Passwords Manager

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: JetElements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: WP Table Manager

Vulnerability: Missing Authorization
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: Sur.ly

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Cookies Alert

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Control Manager for WordPress by ItalyStrap

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Countdown Timer Plugin by TechMix

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Widget Options – The #1 WordPress Widget & Block Control Plugin

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: Contact Form 7 – CCAvenue Add-on

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Anonymize Links

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Smart TV

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: CSV to HTML

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.15
Recommended Action: Update to version 3.15, or a newer patched version

Plugin: ApplyOnline – Application Form Builder and Manager

Vulnerability: Missing Authorization
Patched Version: 2.6.7.2
Recommended Action: Update to version 2.6.7.2, or a newer patched version

Plugin: SEOReseller Partner Plugin

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Countdown Timer for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: DELUCKS SEO

Vulnerability: Authenticated (Subscriber+) Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Field For WP Job Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: Password Protect Plugin for WordPress

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WpF Ultimate Carousel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Copyright Safeguard Footer Notice

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wp-Scribd-List

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PayGreen Payment Gateway

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.27
Recommended Action: Update to version 1.0.27, or a newer patched version

Plugin: FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Shortcode Export
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version

Plugin: WM Options Import Export

Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WH Cache & Security

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CC Circle Progress Bar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPDB to Sql

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Registration Calendar By vcita

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Online Payments – Get Paid with PayPal, Square & Stripe

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ECT Add to Cart Button

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Project Manager

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Spiderpowa Embed PDF

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: W3SPEEDSTER

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Flying Twitter Birds

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SpeakOut! Email Petitions

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.5.0
Recommended Action: Update to version 4.5.0, or a newer patched version

Plugin: 3DVieweronline

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Options Editor

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Background Tile

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Surveys & Polls for WordPress (Mare.io)

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Link Library

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.7.3
Recommended Action: Update to version 7.7.3, or a newer patched version

Plugin: Multi Step Form

Vulnerability: Missing Authorization to Unauthenticated Limited File Upload
Patched Version: 1.7.24
Recommended Action: Update to version 1.7.24, or a newer patched version

Plugin: Aklamator INfeed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JetEngine

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via list_tag Parameter
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Salvador – AI Image Generator

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Xola

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: my-related-posts

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom List Table Example

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MercadoLibre Integration

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wp-publications

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Feedburner Optin Form

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: go Social

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SRS Simple Hits Counter

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Blog Summary

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gravity Forms

Vulnerability: 2.9.1.3
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: Video Share VOD – Turnkey Video Site Builder Script

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.32
Recommended Action: Update to version 2.6.32, or a newer patched version

Plugin: Backup and Restore WordPress – Backup Plugin

Vulnerability: Cross-Site Request Forgery to Backup Trigger
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GDPR Personal Data Reports

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Connect Contact Form 7 to Constant Contact V3

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: RSS Icon Widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Adifier System

Vulnerability: Unauthenticated Arbitrary Password Reset
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Plugin: Auto iFrame

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Motors – Car Dealer, Classifieds & Listing

Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution via Custom Title
Patched Version: 1.4.44
Recommended Action: Update to version 1.4.44, or a newer patched version

Plugin: Role Includer

Vulnerability: Reflected Cross-Site Scripting via user_id Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Apply with LinkedIn buttons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP PT-Viewer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Utilities for MTG

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI WP Writer – automatic content creator, ChatGPT, GPT-4, Dalle 3, FLUX

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.4.5
Recommended Action: Update to version 3.8.4.5, or a newer patched version

Plugin: Social proof testimonials and reviews by Repuso

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.21
Recommended Action: Update to version 5.21, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
