Watch Out Wednesday – February 19, 2025

Home » Watch Out Wednesday – February 19, 2025

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: EELV Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WizShop

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ready to use Gutenberg and Elementor Templates – Munk Sites

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Timeline Block – Timeline block plugin for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: WP Vehicle Manager

Plugin: Improved Sale Badges – Free Version

Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: magayo Lottery Results

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Related Posts

Plugin: FLX Dashboard Groups

Plugin: Export All Posts, Products, Orders, Refunds & Users

Vulnerability: Information Disclosure Through Unprotected Directory
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version

Plugin: Paytm Payment Donation

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Status Updater

Plugin: Zigaform – Price Calculator & Cost Estimation Form Builder Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pop Up

Plugin: s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 250214
Recommended Action: Update to version 250214, or a newer patched version

Plugin: Rezdy Reloaded

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All push notification for WP

Plugin: Customer Email Verification for WooCommerce

Vulnerability: Authentication Bypass via Shortcode
Patched Version: 2.9.6
Recommended Action: Update to version 2.9.6, or a newer patched version

Plugin: Smart DoFollow

Plugin: Quote Comments

Plugin: WP SPID Italia

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.12
Recommended Action: Update to version 2.12, or a newer patched version

Plugin: Custom Comment Notifications

Plugin: CalendApp

Plugin: Embed RSS

Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Charts

Plugin: WP Pricing Table

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Woocommerce osCommerce Sync

Plugin: My Favorite Car

Plugin: WP Table Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Directory Traversal to Folder/File Name Disclosure
Patched Version: 4.1.4
Recommended Action: Update to version 4.1.4, or a newer patched version

Plugin: The Ultimate WordPress Toolkit – WP Extended

Vulnerability: Missing Authorization to Unauthenticated Post Order Manipulation
Patched Version: 3.0.14
Recommended Action: Update to version 3.0.14, or a newer patched version

Plugin: InLocation

Plugin: SpeedSize Image & Video AI-Optimizer

Vulnerability: Cross-Site Request Forgery to Clear Cache
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Embed Google Map

Plugin: Notification Bar – Top Bar – Easy Sticky Notification Bar | FM Notification Bar

Plugin: Plestar Directory Listing

Plugin: BigBuy Dropshipping Connector for WooCommerce

Vulnerability: Unauthenticated Full Path Disclosute
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Auto Tag

Plugin: Visualizer: Tables and Charts Manager for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Import Data From File
Patched Version: 3.11.9
Recommended Action: Update to version 3.11.9, or a newer patched version

Plugin: Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger, Live Chat Support Chat Button – Bit Assist

Vulnerability: Path Traversal to Authenticated (Administrator+) Arbitrary File Read via downloadResponseFile Function
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: LTL Freight Quotes – Unishippers Edition

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form 7 Round Robin Lead Distribution

Plugin: Mortgage Calculator / Loan Calculator

Plugin: Waymark

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Eventer – WordPress Event & Booking Manager Plugin

Vulnerability: Missing Authorization to Unauthenticated Event Ticket Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EU DSGVO Helper

Plugin: DethemeKit for Elementor

Vulnerability: Authenticated (Contributor+) Protected Post Disclosure
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Simple shortcode buttons

Plugin: Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later

Vulnerability: Cross-Site Request Forgery to Wishlist Creation/Modification
Patched Version: 1.2.27
Recommended Action: Update to version 1.2.27, or a newer patched version

Plugin: LTL Freight Quotes – Worldwide Express Edition

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.0.22
Recommended Action: Update to version 5.0.22, or a newer patched version

Plugin: WP-BibTeX

Plugin: Related Posts Line-up-Exactly by Milliard

Plugin: Super Testimonials

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: ContentOptin Lite – WP Content Upgrade Plugin

Plugin: WPMovieLibrary

Plugin: Reset

Vulnerability: Cross-Site Request Forgery to Database Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP SimpleWeather

Plugin: LTL Freight Quotes – TForce Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: WP Html Page Sitemap

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Rank Math API
Patched Version: 1.0.236
Recommended Action: Update to version 1.0.236, or a newer patched version

Plugin: WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Awesome Event Booking

Vulnerability: Missing Authorization
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: Naver Syndication V2

Plugin: WP-FormAssembly

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Signup Form

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spiritual Gifts Survey (and optional S.H.A.P.E survey)

Plugin: Distance Based Shipping Calculator

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TinyMCE Advanced qTranslate fix editor problems

Plugin: Affiliate Links: WordPress Plugin for Link Cloaking and Link Management

Vulnerability: Missing Authorization to Unauthenticated Import/Export and PHP Object Injection
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Fami Sales Popup

Plugin: Ultimate Subscribe

Plugin: WP-Asambleas

Plugin: Eventer – WordPress Event & Booking Manager Plugin

Plugin: AIO Performance Profiler, Monitor, Optimize, Compress & Debug

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Child Themes Helper

Vulnerability: Cross-Site Request Forgery to Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pollin

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Us By Lord Linus

Plugin: Call To Action Popup

Plugin: History timeline

Plugin: Rise Blocks – A Complete Gutenberg Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via TitleTag Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Brizy – Page Builder

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload via storeUploads
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Events Planner

Plugin: WP Frontend Submit

Plugin: Ovic Importer

Vulnerability: Authenticated (Subscriber+) Arbitrary File Download
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Mortgage Lead Capture System

Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Documentation

Plugin: GeoDigs

Plugin: Post Sync

Plugin: Multiple Carousel

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DethemeKit for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: DirectoryPress Frontend

Vulnerability: Cross-Site Request Forgery to Listing Status Update
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: WOOEXIM – WooCommerce Export Import Plugin

Plugin: YouTube Gallery – YouTube Channel

Plugin: Brizy – Page Builder

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: On Page SEO + Social Live Chat (Formerly OPS)

Plugin: External “Video for Everybody”

Plugin: LTL Freight Quotes – Old Dominion Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.2.11
Recommended Action: Update to version 4.2.11, or a newer patched version

Plugin: Events, Calendars & Tickets – Event Kikfyre

Plugin: WpDevTool

Plugin: Blog, Posts and Category Filter for Elementor

Plugin: Payment Forms for Paystack

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Open Hours – Easy Opening Hours

Plugin: Nature FlipBook WordPress Plugin

Plugin: WP Airbnb Review Slider

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: WooODT Lite – Delivery & pickup date time location for WooCommerce

Vulnerability: Unauthenticated Full Path Dsiclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Private Files – File Upload & Download Manager with Secure File Sharing

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: All-Images.ai – IA Image Bank and Custom Image creation

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Plugin: Easy Chart Builder for WordPress

Plugin: Download, Downloads – WordPress Download plugin By Edmon

Plugin: Discover the Best Woocommerce Product Brands Plugin for WordPress – Woocommerce Brands Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Social Pug: Author Box

Plugin: WP Find Your Nearest

Plugin: Team – Team Members Showcase Plugin

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: Eventer – WordPress Event & Booking Manager Plugin

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Bookings Export
Patched Version: 3.9.9.1
Recommended Action: Update to version 3.9.9.1, or a newer patched version

Plugin: EAN Barcode Generator for WooCommerce: UPC, ISBN & GTIN Inventory

Vulnerability: Missing Authorization
Patched Version: 5.4.0
Recommended Action: Update to version 5.4.0, or a newer patched version

Plugin: Font Awesome WP

Plugin: Global Gallery – WordPress Responsive Gallery

Vulnerability: WordPress Responsive Gallery <= 9.1.5
Patched Version: 9.1.6
Recommended Action: Update to version 9.1.6, or a newer patched version

Plugin: Tagesteller / Mittagsmenü Plugin

Plugin: Simple Responsive Menu

Plugin: CATS Job Listings

Plugin: Prezi Embedder

Plugin: Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets

Vulnerability: Missing Authorization
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: pushBIZ – Push Notification

Plugin: LTL Freight Quotes – Worldwide Express Edition

Vulnerability: Worldwide Express Edition <= 5.0.20
Patched Version: 5.0.21
Recommended Action: Update to version 5.0.21, or a newer patched version

Plugin: LikeBot – Decentralized like-system

Plugin: Indeed API

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.4.5
Recommended Action: Update to version 1.1.4.5, or a newer patched version

Plugin: Formatted post

Plugin: Social2Blog

Plugin: Option Editor

Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: aThemes Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Ebook Downloader

Plugin: ReverbNation Widgets

Plugin: Front End Users

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via forgot-password Shortcode
Patched Version: 3.2.31
Recommended Action: Update to version 3.2.31, or a newer patched version

Plugin: Safe Ai Malware Protection for WP

Vulnerability: Missing Authorization to Unauthenticated Database Export
Patched Version: 1.0.18
Recommended Action: Update to version 1.0.18, or a newer patched version

Plugin: Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce

Plugin: AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K)

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.10.45
Recommended Action: Update to version 2.10.45, or a newer patched version

Plugin: WordPress Activity-o-meter

Plugin: My Login Logout Plugin

Plugin: Block Collection for You – WP Block Pack

Plugin: WooCommerce Cart Count Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Music Sheet Viewer

Vulnerability: Unauthenticated Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DethemeKit for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via De Gallery Widget
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: WordPress Local SEO

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Links/Problem Reporter

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Schema Deletion
Patched Version: 1.0.236
Recommended Action: Update to version 1.0.236, or a newer patched version

Plugin: Mapbox for WP Advanced

Plugin: ConvertPlus

Vulnerability: ConvertPlus <= 3.5.30
Patched Version: 3.5.31
Recommended Action: Update to version 3.5.31, or a newer patched version

Plugin: Qubely – Advanced Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘align’ and ‘UniqueID’
Patched Version: 1.8.13
Recommended Action: Update to version 1.8.13, or a newer patched version

Plugin: Blrt WP Embed

Plugin: Simplebooklet PDF Viewer and Embedder

Plugin: ECPay Ecommerce for WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Log Deletion
Patched Version: 1.1.2502030
Recommended Action: Update to version 1.1.2502030, or a newer patched version

Plugin: ElementsKit Elementor addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Accordion Widget
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Tag Groups is the Advanced Way to Display Your Taxonomy Terms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Private Messages for UserPro

Plugin: Vignette Ads

Plugin: Zarinpal Paid Download

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin and Site Enhancements (ASE)

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 7.6.3
Recommended Action: Update to version 7.6.3, or a newer patched version

Plugin: TTT Crop

Plugin: AForms Eats

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Lime Developer Login

Plugin: Link to URL / Post

Plugin: Awesome Event Booking

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features

Vulnerability: Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Patched Version: 4.4.6
Recommended Action: Update to version 4.4.6, or a newer patched version

Plugin: ZMSEO

Plugin: Social Links

Plugin: Flexible Blogtitle

Plugin: WP PHPList

Plugin: Google Drive WP Media

Plugin: Easy MLS Listings Import

Plugin: WP Query Creator

Plugin: s2Member Pro

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 250214
Recommended Action: Update to version 250214, or a newer patched version

Plugin: Read More & Accordion

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary ‘Read More’ Post Deletion
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: Dynamic URL SEO

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: WPOptin – AI-Powered Top Bars, PopUps & Lead Generation

Plugin: Keap Official Opt-in Forms

Vulnerability: Unauthenticated Limited Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google Earth Embed

Plugin: Listings for Appfolio

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: University quizzes online

Plugin: Hero Mega Menu – Responsive WordPress Menu Plugin

Vulnerability: Responsive WordPress Menu Plugin <= 1.16.5
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gumlet Video

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 1.7.1008
Recommended Action: Update to version 1.7.1008, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting via name Parameter
Patched Version: 2.11.10
Recommended Action: Update to version 2.11.10, or a newer patched version

Plugin: DX-auto-publish

Plugin: LTL Freight Quotes – FreightQuote Edition

Plugin: Actionwear products sync

Vulnerability: Unauthenticated Full Patch Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AZ Content Finder

Plugin: RapidLoad AI – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: Media Library Folders

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 8.3.1
Recommended Action: Update to version 8.3.1, or a newer patched version

Plugin: Houzez Property Feed

Vulnerability: Cross-Site Request Forgery to Property Feed Export Deletion
Patched Version: 2.4.22
Recommended Action: Update to version 2.4.22, or a newer patched version

Plugin: OneStore Sites

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Authenticated (Subscriber+) SQL Injection via orderby Parameter
Patched Version: 2.6.18
Recommended Action: Update to version 2.6.18, or a newer patched version

Plugin: Simple Certain Time to Show Content

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Leyka

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.31.9
Recommended Action: Update to version 3.31.9, or a newer patched version

Plugin: R3W InstaFeed

Plugin: Rapid Cache

Vulnerability: Unauthenticated Cache Poisoning
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Table For WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: RSS Filter

Plugin: Smart Countdown FX

Plugin: Zigaform – Form Builder Lite

Plugin: Easy Quiz Maker

Plugin: FlexIDX Home Search

Plugin: FormCraft

Vulnerability: Premium WordPress Form Builder <= 3.9.11
Patched Version: 3.9.12
Recommended Action: Update to version 3.9.12, or a newer patched version

Plugin: Team Builder – Meet the Team

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CtyGrid Hyp3rL0cal Search WordPress Plugin

Plugin: StatPressCN

Plugin: WP Job Board Pro

Vulnerability: Unauthenticated Privilege Escalation via process_register
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NextGen Cooliris Gallery

Plugin: Tour Master – Tour Booking, Travel, Hotel

Vulnerability: Tour Booking, Travel, Hotel <= 5.3.7
Patched Version: 5.3.8
Recommended Action: Update to version 5.3.8, or a newer patched version

Plugin: LTL Freight Quotes – Unishippers Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: CMC MIGRATE

Plugin: Easy WP Tiles

Plugin: Slide Banners

Plugin: Photo Contest | Competition | Video Contest

Plugin: Linear

Vulnerability: Cross-Site Request Forgery to Cache Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Reset
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Theme Options Z

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pallet Packaging for WooCommerce

Plugin: a Gateway for Pasargad Bank on WooCommerce

Plugin: Stream

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: XTRA Settings

Plugin: WP Booking Calendar

Vulnerability: Unauthenticated Post-Confirmation Booking Manipulation
Patched Version: 10.10.1
Recommended Action: Update to version 10.10.1, or a newer patched version

Plugin: Easy Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: LTL Freight Quotes – XPO Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.3.8
Recommended Action: Update to version 4.3.8, or a newer patched version

Plugin: Simple Select All Text Box

Plugin: LTL Freight Quotes – Worldwide Express Edition

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Content Deletion
Patched Version: 5.0.21
Recommended Action: Update to version 5.0.21, or a newer patched version

Plugin: Bootstrap collapse

Plugin: Good Old Gallery

Plugin: Glance That

Plugin: Links in Captions

Plugin: BookPress – For Book Authors

Plugin: Image Rotator

Plugin: WP Extra Fields

Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.10.14
Recommended Action: Update to version 1.10.14, or a newer patched version

Plugin: Print PDF Generator and Publisher

Plugin: WP Activity Log

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: User Roles

Plugin: WP Spell Check

Plugin: Avada (Fusion) Builder

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 3.11.14
Recommended Action: Update to version 3.11.14, or a newer patched version

Plugin: Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more

Vulnerability: Missing Authorization to Unauthenticated Coupon Creation
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version

Plugin: WP doodlez

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Subscriber+) Limited Server-Side Request Forgery
Patched Version: 5.9.4.3
Recommended Action: Update to version 5.9.4.3, or a newer patched version

Plugin: Show notice or message on admin area

Plugin: MemorialDay

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Gallerio

Plugin: WP Social Broadcast

Plugin: Read More Copy Link

Plugin: Aparat Responsive

Plugin: Easy Filtering

Plugin: Easy Amazon Product Information

Plugin: WP Ghost (Hide My WP Ghost) – Security & Firewall

Vulnerability: Unauthenticated Login Page Disclosure
Patched Version: 5.4.01
Recommended Action: Update to version 5.4.01, or a newer patched version

Plugin: WP Front-end login and register

Plugin: Reaction Buttons

Plugin: File Uploads Addon for WooCommerce

Vulnerability: Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Security & Malware scan by CleanTalk

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.150
Recommended Action: Update to version 2.150, or a newer patched version

Plugin: LTL Freight Quotes – ABF Freight Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.3.8
Recommended Action: Update to version 3.3.8, or a newer patched version

Plugin: Legal +

Plugin: Visitor Details

Plugin: IE CSS3 Support

Plugin: SexBundle

Plugin: Calendi

Plugin: HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Campaign Name
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version

Plugin: Include Mastodon Feed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.10
Recommended Action: Update to version 1.9.10, or a newer patched version

Plugin: Customer Email Verification for WooCommerce

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: FuseDesk

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.7
Recommended Action: Update to version 6.7, or a newer patched version

Plugin: Delete Comments By Status

Plugin: Social Links

Plugin: LTL Freight Quotes – For Customers of FedEx Freight

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Job Board Manager

Plugin: Online Payments – Get Paid with PayPal, Square & Stripe

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.30.0
Recommended Action: Update to version 3.30.0, or a newer patched version

Plugin: Theasys

Plugin: Implied Cookie Consent

Plugin: aBlocks – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Custom Links On Admin Dashboard Toolbar

Plugin: Survey Maker

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.1.3.6
Recommended Action: Update to version 5.1.3.6, or a newer patched version

Plugin: 1 Click WordPress Migration Plugin – 100% FREE for a limited time

Vulnerability: Cross-Site Request Forgery to Backup Process Cancellation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LTL Freight Quotes – R+L Carriers Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: Shopwarden – Automated WooCommerce monitoring & testing

Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version

Plugin: Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.

Vulnerability: Authenticated (Contributor+) Blind Server-Side Request Forgery via remote_request
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: RSS in Page

Plugin: Album Reviewer

Plugin: Cyber Slider

Plugin: Content Mirror

Plugin: BookPress – For Book Authors

Plugin: Simple catalogue

Plugin: Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger, Live Chat Support Chat Button – Bit Assist

Vulnerability: Authenticated (Subscriber+) SQL Injection via id Parameter
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: GetBookingsWP – Appointments Booking Calendar Plugin For WordPress

Vulnerability: Appointments & Bookings Plugin Basic Version <= 1.1.27
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CWD – Stealth Links

Plugin: LTL Freight Quotes – Estes Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.3.8
Recommended Action: Update to version 3.3.8, or a newer patched version

Plugin: ReadMe Creator

Plugin: Mind3doM RyeBread Widgets

Plugin: StaffList

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Fast Tube

Plugin: Youtube Video Grid | Youmax

Plugin: WP Multistore Locator — WP Store Locator Plugin: Effortless Integration With Snazzy Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Small Package Quotes – For Customers of FedEx

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version

Plugin: GlobalQuran

Plugin: Blue Wrench Video Widget

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
Patched Version: 2.6.18
Recommended Action: Update to version 2.6.18, or a newer patched version

Plugin: Admire Extra

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Oliver POS – A WooCommerce Point of Sale (POS)

Vulnerability: Sensitive Information Exposure to Privilege Escalation
Patched Version: 2.4.2.4
Recommended Action: Update to version 2.4.2.4, or a newer patched version

Plugin: Book a Room

Plugin: Uncode Core

Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution in uncode_get_medias
Patched Version: 2.9.1.7
Recommended Action: Update to version 2.9.1.7, or a newer patched version

Plugin: yCyclista

Plugin: Graceful Email Obfuscation

Plugin: Breaking News Ticker

Plugin: CAMOO SMS

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Insecure Direct Object Reference to Authenticated (Subscriber+) Private Messages Disclosure
Patched Version: 5.9.4.3
Recommended Action: Update to version 5.9.4.3, or a newer patched version

Plugin: WP Keyword Monitor

Plugin: Like dislike plus counter | Like Dislike Buttons

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: URL-Preview-Box

Plugin: Kona Gallery Block

Plugin: Appointment Buddy Widget By Accrete

Plugin: Simple Map No Api

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Liveticker (by stklcode)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin

Vulnerability: Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Small Package Quotes – UPS Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.5.17
Recommended Action: Update to version 4.5.17, or a newer patched version

Plugin: Ultimate Events

Plugin: Library Bookshelves

Plugin: LTL Freight Quotes – FreightQuote Edition

Plugin: HyperComments

Plugin: Style Tweaker

Plugin: GatorMail SmartForms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: aDirectory – WordPress Directory Listing Plugin

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: Uix Shortcodes

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Spotlight Social Feeds – Block, Shortcode, and Widget

Vulnerability: Unauthenticated Sensitive Information Disclosure
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Super Store Finder

Vulnerability: Unauthenticated SQL Injection to Stored Cross-Site Scripting
Patched Version: 7.1
Recommended Action: Update to version 7.1, or a newer patched version

Plugin: Infusionsoft Analytics for WordPress

Plugin: what3words Address Field

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 4.0.16
Recommended Action: Update to version 4.0.16, or a newer patched version

Plugin: Wibiya Toolbar

Plugin: 1 Click WordPress Migration Plugin – 100% FREE for a limited time

Vulnerability: Unauthenticated Sensitive Information Exposure via Database Backup in class-ocm-backup.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: seekXL Snapr

Plugin: Disable Elementor Editor Translation

Vulnerability: Missing Authorization
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Auto SEO

Plugin: Plugin A/B Image Optimizer

Vulnerability: Authenticated (Subscriber+) Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LTL Freight Quotes – SAIA Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.2.11
Recommended Action: Update to version 2.2.11, or a newer patched version

Plugin: Group category creator

Plugin: Fyrebox Quizzes

Plugin: Login-box

Plugin: NGG Smart Image Search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Simple Pricing Tables For WPBakery Page Builder(Formerly Visual Composer)

Plugin: Video & Photo Gallery for Ultimate Member

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 4.4.6
Recommended Action: Update to version 4.4.6, or a newer patched version

Plugin: Alert Box Block – Display notice/alerts in the front end.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Tab My Content

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Missing Authorization
Patched Version: 5.5.1
Recommended Action: Update to version 5.5.1, or a newer patched version

Plugin: Themesflat Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Apus Framework

Vulnerability: Authenticated (Subscriber+) Arbitrary Options Update in import_page_options
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Thumbs

Plugin: Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger, Live Chat Support Chat Button – Bit Assist

Vulnerability: Path Traversal to Authenticated (Subscriber+) Arbitrary File Read via fileID Parameter
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Rocket Media Library Mime Type

Plugin: Responsivity

Plugin: Starter Templates by FancyWP

Plugin: Content Planner

Plugin: Small Package Quotes – USPS Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: SendPulse Email Marketing Newsletter

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: Vertex Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: WP2APP

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Unauthenticated HTML Injection
Patched Version: 5.5.5
Recommended Action: Update to version 5.5.5, or a newer patched version

Plugin: Page/Post Specific Social Share Buttons

Plugin: Simple User Profile

Plugin: LTL Freight Quotes – Unishippers Edition

Vulnerability: Missing Authorization
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: Threepress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version

Plugin: Podčlánková inzerce

Plugin: Accessibility Task Manager

Plugin: WP Directorybox Manager

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Content Snippet Manager

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Custom Block Builder – Lazy Blocks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: WP Admin Custom Page

Plugin: Product Blocks for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Keep Backup Daily

Vulnerability: Authenticated (Admin+) Arbitrary File Download
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Songkick Concerts and Festivals

Plugin: Database Sync

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Abstracts

Vulnerability: Cross-Site Request Forgery to Arbitrary Account Deletion
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version

Plugin: Dynamic Conditions

Plugin: ARPrice – WordPress Pricing Table Plugin

Vulnerability: WordPress Pricing Table Plugin <= 4.0.3
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart

Vulnerability: Cross-Site Request Forgery to Send Deactivation Message
Patched Version: 6.12.28
Recommended Action: Update to version 6.12.28, or a newer patched version

Plugin: FWD Slider

Plugin: Stylish Google Sheet Reader 4.0 – Seamlessly Embed Google Sheets as Responsive Data Tables

Plugin: SC Simple Zazzle

Plugin: DL Leadback

Plugin: REAL WordPress Sidebar

Plugin: VR-Frases (collect & share quotes)

Plugin: Automate Hub Free by Sperse.IO

Vulnerability: Cross-Site Request Forgery to Activation Status Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kumihimo

Plugin: FormCraft

Vulnerability: Missing Authorization to Plugin Data Export in formcraft-main.php
Patched Version: 3.9.12
Recommended Action: Update to version 3.9.12, or a newer patched version

Plugin: Staging CDN

Plugin: Music Press Pro

Plugin: Active Products Tables for WooCommerce. Use constructor to create tables

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.6.7
Recommended Action: Update to version 1.0.6.7, or a newer patched version

Plugin: Toocheke Companion

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.167
Recommended Action: Update to version 1.167, or a newer patched version

Plugin: InFunding – Plugin for Charity & Crowdfunding Website

Plugin: WP IMAP Auth

Plugin: gallery

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: WP Custom Post RSS Feed

Plugin: WP Social Stream

Plugin: Spiritual Gifts Survey (and optional S.H.A.P.E survey)

Plugin: Sports Rankings and Lists

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Global Meta Keyword & Description

Plugin: Distance Based Shipping Calculator

Vulnerability: Missing Authorization
Patched Version: 2.0.23
Recommended Action: Update to version 2.0.23, or a newer patched version

Plugin: Snippy

Plugin: Facilita Form Tracker

Plugin: sidebarTabs

Plugin: Web Stories Enhancer – Level Up Your Web Stories

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Optimate Ads – Advance Ad Inserter AdSense & Ad Manager

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Download Codes

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.

About the Author

Odell Duppins Jr

Well qualified professional with plenty of hands on experience with various technologies. Excellent analytical and troubleshooting skills with a keen ability of developing and/or simplifying processes by finding and developing new innovative solutions.