Watch Out Wednesday – March 5, 2025

Home » Watch Out Wednesday – March 5, 2025

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: My Quota

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Theme File Duplicator

Vulnerability: Authenticated (Subscriber+) Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Sharing Plugin – Social Warfare

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Om Stripe

Plugin: ViperBar

Plugin: s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 250214
Recommended Action: Update to version 250214, or a newer patched version

Plugin: Local Search SEO Contact Page

Plugin: WP2LEADS | WordPress und KlickTipp einfach verbinden – WooCommerce und KlickTipp einfach verbinden

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: NoFollow Free

Plugin: Restrict Taxonomies

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Unauthenticated User Information Exposure
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: System Dashboard

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 2.8.19
Recommended Action: Update to version 2.8.19, or a newer patched version

Plugin: URL Shortener | Conversion Tracking | AB Testing | WooCommerce

Plugin: Internal Links Generator

Plugin: WPPizza – A Restaurant Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.19.5
Recommended Action: Update to version 3.19.5, or a newer patched version

Plugin: Recipe Card Blocks for Gutenberg & Elementor – Best WordPress Recipe Plugin

Vulnerability: Insecure Direct Object Reference to Authenticated (Contributor+) Post Disclosure
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: Autoship Cloud for WooCommerce Subscription Products

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: WooCommerce Checkout & Funnel Builder by FunnelKit

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version

Plugin: Variable Inspector

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: Assistant – Every Day Productivity Apps

Vulnerability: Authenticated (Editor+) PHP Object Injection
Patched Version: 1.5.1.1
Recommended Action: Update to version 1.5.1.1, or a newer patched version

Plugin: Icon List Block

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Auto Tag Links

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google Maps for WordPress

Plugin: Master Slider – Responsive Touch Slider

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.39.3
Recommended Action: Update to version 1.39.3, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Missing Authorization
Patched Version: 6.6.4.2
Recommended Action: Update to version 6.6.4.2, or a newer patched version

Plugin: Blighty Explorer

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NHR Options Table Manager

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Zigaform – Price Calculator & Cost Estimation Form Builder Lite

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 7.4.3
Recommended Action: Update to version 7.4.3, or a newer patched version

Plugin: Hero Mega Menu – Responsive WordPress Menu Plugin

Vulnerability: Responsive WordPress Menu Plugin <= 1.16.5
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: .htaccess Login block

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 5.9.4.4
Recommended Action: Update to version 5.9.4.4, or a newer patched version

Plugin: Fluent Support – Helpdesk & Customer Support Ticket System

Vulnerability: Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: Affiliate Coupons – The #1 Coupon Display Plugin for Affiliate Marketers

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: Hero Mega Menu – Responsive WordPress Menu Plugin

Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)

Vulnerability: Missing Authorization to Unauthenticated Price, Date, and Note Updates
Patched Version: 4.5.0
Recommended Action: Update to version 4.5.0, or a newer patched version

Plugin: Önceki Yazı Link

Plugin: Download HTML TinyMCE Button

Plugin: WooCommerce Pricing – Product Pricing

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Residential Address Detection

Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version

Plugin: Erima Zarinpal Donate

Plugin: Rebuild Permalinks

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 26.0.1
Recommended Action: Update to version 26.0.1, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.15.33
Recommended Action: Update to version 1.15.33, or a newer patched version

Plugin: Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.6.0
Recommended Action: Update to version 4.6.0, or a newer patched version

Plugin: Eventer – WordPress Event & Booking Manager Plugin

Vulnerability: Missing Authorization to Unauthenticated Event Ticket Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clicface Trombi

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via nom Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Protected wp-login

Plugin: WP Video Posts

Plugin: Intro Tour Tutorial DeepPresentation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.5.3
Recommended Action: Update to version 6.5.3, or a newer patched version

Plugin: Simple Email Subscriber

Plugin: Podamibe Twilio Private Call

Plugin: Ad Inserter Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: Library Instruction Recorder

Plugin: Jeg Elementor Kit

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Countdown and Off-Canvas
Patched Version: 2.6.12
Recommended Action: Update to version 2.6.12, or a newer patched version

Plugin: Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid

Vulnerability: Authenticated (Administrator+) Server-Side Request Forgery
Patched Version: 1.16.9
Recommended Action: Update to version 1.16.9, or a newer patched version

Plugin: K Elements

Vulnerability: Authentication Bypass
Patched Version: 5.4.0
Recommended Action: Update to version 5.4.0, or a newer patched version

Plugin: Reset

Vulnerability: Cross-Site Request Forgery to Database Reset
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: F12-Profiler

Plugin: MK Google Directions

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: Hash Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Countdown Timer

Plugin: Custom Widget Creator

Plugin: Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site

Vulnerability: Authenticated (Administrator+) DOM-Based Stored Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Private Content

Vulnerability: Unauthenticated Privilege Escalation via Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Theme File Duplicator

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Video Posts

Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP24 Domain Check

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10.15
Recommended Action: Update to version 1.10.15, or a newer patched version

Plugin: Eventer – WordPress Event & Booking Manager Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Subscriptions & Memberships for PayPal

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: MemberSpace – Membership Plugin and Paid Subscriptions

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.14
Recommended Action: Update to version 2.1.14, or a newer patched version

Plugin: Tribulant Gallery Voting

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: WPYog Documents

Plugin: The Ark | WordPress Theme made for Freelancers

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: bbPress

Vulnerability: Cross-Site Request Forgery to Limited Privilege Escalation
Patched Version: 2.6.12
Recommended Action: Update to version 2.6.12, or a newer patched version

Plugin: Rise Blocks – A Complete Gutenberg Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via TitleTag Parameter
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Settings Update
Patched Version: 3.4.25
Recommended Action: Update to version 3.4.25, or a newer patched version

Plugin: Business Card Block – Show your business card on the web.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Frontend Admin by DynamiApps

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.25.18
Recommended Action: Update to version 3.25.18, or a newer patched version

Plugin: Currency Switcher for WooCommerce

Plugin: DefendWP Firewall

Vulnerability: Missing Authorization
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: NewsTicker

Plugin: WooCommerce Recargo de Equivalencia

Plugin: Sticky Header On Scroll

Plugin: Doctor Appointment Booking

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bulk Menu Edit

Vulnerability: Missing Authorization
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: WordPress Portfolio Builder – Portfolio Gallery

Plugin: URL Shortener | Conversion Tracking | AB Testing | WooCommerce

Plugin: Doctor Appointment Booking

Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Greenshift – animation and page builder blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 10.9
Recommended Action: Update to version 10.9, or a newer patched version

Plugin: File Icons

Plugin: Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Counters Block – Display Number as an animated counter.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: WP BASE Booking of Appointments, Services and Events

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: Easy Filter

Plugin: wp-flickr-press

Plugin: WooCommerce HTML5 Video

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.59.9
Recommended Action: Update to version 3.59.9, or a newer patched version

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Plugin: Phee's LinkPreview

Plugin: Element Pack Pro – Addon for Elementor Page Builder WordPress Plugin

Vulnerability: Authenticated (Contributor+) Arbitrary File Read and PHAR Deserialization
Patched Version: 7.19.3
Recommended Action: Update to version 7.19.3, or a newer patched version

Plugin: Booking Calendar and Notification

Vulnerability: Missing Authorization via wpcb_all_bookings, wpcb_update_booking_post, and wpcb_delete_posts Functions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WOW Entrance Effects (WEE!)

Plugin: Buddyboss Platform

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via ‘link_title’
Patched Version: 2.8.00
Recommended Action: Update to version 2.8.00, or a newer patched version

Plugin: Multilevel Referral Affiliate Plugin for WooCommerce

Plugin: Flexmls® IDX Plugin

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.14.28
Recommended Action: Update to version 3.14.28, or a newer patched version

Plugin: Simple:Press Forum

Vulnerability: Cross-Site Request Forgery to Unauthorized Post Editing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Lightbox & Gallery

Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Featherlight.js JavaScript Library
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: Sensei LMS – Online Courses, Quizzes, & Learning

Vulnerability: Unauthenticated Information Exposure
Patched Version: 4.24.4
Recommended Action: Update to version 4.24.4, or a newer patched version

Plugin: Archive Page

Plugin: Auto Ad Inserter – Increase Google Adsense and Ad Manager Revenue

Vulnerability: Missing Authorization to Authenticated (Editor+) Settings Update
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Ultra Addons Lite for Elementor

Vulnerability: Authenticated (Contributor+) Restricted Post Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post/Page Copying Tool to Export and Import post/page for Cross site Migration

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Small Package Quotes – Unishippers Edition

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.10
Recommended Action: Update to version 2.4.10, or a newer patched version

Plugin: Forex Calculators

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: ImageMeta

Plugin: Elementor Website Builder – More Than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.25.11
Recommended Action: Update to version 3.25.11, or a newer patched version

Plugin: Limit Bio

Plugin: Wishlist

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.0.42
Recommended Action: Update to version 1.0.42, or a newer patched version

Plugin: A1POST.BG Shipping for WooCommerce

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Adsmonetizer

Plugin: QMean – WordPress Did You Mean and Search Suggestion Like Google

Plugin: GenerateBlocks

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via ‘get_image_description’
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: PiwigoPress

Plugin: WP Multistore Locator — WP Store Locator Plugin: Effortless Integration With Snazzy Maps

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: All-In-One Cufon

Plugin: Pricing Table by PickPlugins

Plugin: Ninja Pages

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Terms Dictionary

Plugin: Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version

Plugin: Simple Video Management System

Plugin: 无觅相关文章插件

Plugin: Reactive Mortgage Calculator

Plugin: WordPress Local SEO

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SecuPress Free — WordPress Security

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via secupress_check_ban_ips_form Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Direct Checkout Button for WooCommerce

Plugin: WP About Author

Plugin: Simple Google Sitemap

Plugin: Info Cards – Gutenberg block for creating Beautiful Cards

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Plugin: Web Accessibility By accessiBe

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Hero Mega Menu – Responsive WordPress Menu Plugin

Plugin: Splash Sync

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 6.3.6
Recommended Action: Update to version 6.3.6, or a newer patched version

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Unauthenticated Insecure Direct Object Reference
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version

Plugin: NextMove Lite – Thank You Page for WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Deactivation Reason Submission
Patched Version: 2.20.0
Recommended Action: Update to version 2.20.0, or a newer patched version

Plugin: Flashfader

Plugin: Themes Coder – Create Android & iOS Apps For Your Woocommerce Site

Plugin: WHMpress – WHMCS WordPress Integration Plugin

Vulnerability: Unauthenticated Local File Inclusion to Arbitrary Options Update
Patched Version: 6.3-revision-1
Recommended Action: Update to version 6.3-revision-1, or a newer patched version

Plugin: Easy Quotes

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Paid Videochat Turnkey Site – HTML5 PPV Live Webcams

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version

Plugin: Alloggio Membership

Vulnerability: Authentication Bypass via Social Login Account Takeover
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Booknetic

Plugin: WOO Codice Fiscale

Plugin: DB Tables Import/Export

Plugin: Affiliate Links Manager

Plugin: WP e-Customers Beta

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.6.6
Recommended Action: Update to version 5.6.6, or a newer patched version

Plugin: ThemeMakers PayPal Express Checkout

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Chaty Pro

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: Hover Image Button

Plugin: Quiz Organizer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Table of Contents Block

Plugin: Ajax Search Lite – Live Search & Filter

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.12.5
Recommended Action: Update to version 4.12.5, or a newer patched version

Plugin: Wp Social Login and Register Social Counter

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: Countdown Timer block – Display the event's date into a timer.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: WP Yelp Review Slider

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version

Plugin: Carousel, Slider, Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery, Video Slider, Post Carousel & Post Grid, Product Carousel & Product Grid

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version

Plugin: School Management System – SakolaWP

Vulnerability: Cross-Site Request Forgery to Exam Setting Manipulation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Plug your WooCommerce into the largest catalog of customized print products from Helloprint

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Analytics Cat – Google Analytics Made Easy

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: REST API TO MiniProgram

Plugin: WooCommerce Ultimate Gift Card

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.0.21
Recommended Action: Update to version 4.0.21, or a newer patched version

Plugin: Card Elements for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Profile Card Widget
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Stray Random Quotes

Plugin: Secure Copy Content Protection and Content Locking

Vulnerability: Missing Authorization to Unauthenticated User Email Retrieval via ays_sccp_reports_user_search Function
Patched Version: 4.4.8
Recommended Action: Update to version 4.4.8, or a newer patched version

Plugin: Bravo Search & Replace

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Calculator Builder – Create an Online Calculator

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: EZ SQL Reports Shortcode Widget and DB Backup

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.25.08
Recommended Action: Update to version 5.25.08, or a newer patched version

Plugin: URL Shortener | Conversion Tracking | AB Testing | WooCommerce

Plugin: Plug your WooCommerce into the largest catalog of customized print products from Helloprint

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Charts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: SS Quiz

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Login Attempt Log

Plugin: TemplatesNext ToolKit

Plugin: Wallet System for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: PlayerJS

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.24
Recommended Action: Update to version 2.24, or a newer patched version

Plugin: Tabs for WooCommerce

Vulnerability: Authentiated (Shop Manager+) PHP Object Injection in product_has_custom_tabs
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-PManager

Plugin: Find Content IDs

Plugin: Contact Form 7 Star Rating

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shipmozo Courier Tracking

Plugin: WoWPth

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Project Page/File Deletion
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: Order Attachments for WooCommerce

Vulnerability: Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Place Order Without Payment for WooCommerce

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

Plugin: WP Responsive Auto Fit Text

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.3
Recommended Action: Update to version 0.3, or a newer patched version

Plugin: WP Posts Carousel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via auto_play_timeout Parameter
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Table of Contents Plus

Vulnerability: Cross-Site Request Forgery
Patched Version: 2411
Recommended Action: Update to version 2411, or a newer patched version

Plugin: Maps Plugin using Google Maps for WordPress – WP Google Map

Vulnerability: Maps Plugin using Google Maps for WordPress – WP Google Map <= 1.9.3
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version

Plugin: Fast Flow

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.18
Recommended Action: Update to version 1.2.18, or a newer patched version

Plugin: Responsive Flickr Slideshow

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Woo Store Mode

Plugin: Minimum Password Strength

Plugin: Edd Google Sheet Connector Pro

Vulnerability: Cross-Site Request Forgery to Access Code Update
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: All In Menu – Header menu creator

Plugin: Pallet Packaging for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version

Plugin: Smart Maintenance & Countdown

Plugin: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings

Vulnerability: Privilege Escalation and Account Takeover via Weak OTP
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version

Plugin: MyTicket Events

Vulnerability: Unauthenticated Limited File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pathomation

Plugin: Just Variables

Plugin: Market Exporter

Vulnerability: Missing Authorization
Patched Version: 2.0.22
Recommended Action: Update to version 2.0.22, or a newer patched version

Plugin: Search with Typesense

Vulnerability: Authenticated (Admin+) Path Traversal
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Woocommerce – Loi Hamon

Plugin: Singsys -Awesome Gallery

Plugin: Exertio Framework

Vulnerability: Unauthenticated Arbitrary User Password Update
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Front End Users

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.31
Recommended Action: Update to version 3.2.31, or a newer patched version

Plugin: WooCommerce Display Products by Tags

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.20.0
Recommended Action: Update to version 3.20.0, or a newer patched version

Plugin: Structured Content (JSON-LD) #wpsc

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sc_fs_local_business Shortcode
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: WP Social SEO Booster – Knowledge Graph Social Signals SEO

Plugin: Photo Gallery ( Responsive )

Plugin: Templines Elementor Helper Core

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: URL Shortener | Conversion Tracking | AB Testing | WooCommerce

Plugin: wpForo Forum

Vulnerability: Authenticated (Subscriber+) Arbitrary File Read in update
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Image Photo Gallery Final Tiles Grid

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Admin Menu Manager

Plugin: Academist Membership

Vulnerability: Authentication Bypass via Account Takeover
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Order Limit for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Vulnerability: Authenticated (Editor+) PHP Object Injection
Patched Version: 3.95.0
Recommended Action: Update to version 3.95.0, or a newer patched version

Plugin: Ibtana – WordPress Website Builder

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Missing Authorization
Patched Version: 4.8.4
Recommended Action: Update to version 4.8.4, or a newer patched version

Plugin: Advanced AJAX Product Filters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.8.2
Recommended Action: Update to version 1.6.8.2, or a newer patched version

Plugin: Page and Post Lister

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Namaste! LMS

Plugin: Services Section block – Showcase services in a professional way.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Vulnerability: Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: WP-PostRatings Cheater

Plugin: Team Section block – Showcase team members in various layouts and designs.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Pie Register Premium

Vulnerability: Missing Authorization
Patched Version: 3.8.3.3
Recommended Action: Update to version 3.8.3.3, or a newer patched version

Plugin: Estatik Mortgage Calculator

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Google Maps GPX Viewer

Plugin: Live Streaming Video Player – by SRS Player

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘icon’
Patched Version: 3.4.10
Recommended Action: Update to version 3.4.10, or a newer patched version

Plugin: Table of Contents Plus

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2411.1
Recommended Action: Update to version 2411.1, or a newer patched version

Plugin: 17TRACK for WooCommerce

Plugin: WP Ghost (Hide My WP Ghost) – Security & Firewall

Vulnerability: Unauthenticated Login Page Disclosure
Patched Version: 5.4.01
Recommended Action: Update to version 5.4.01, or a newer patched version

Plugin: Eventer – WordPress Event & Booking Manager Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version

Plugin: WP Templata – WordPress Template Library for Elementor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: mEintopf

Plugin: Easy Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: AcuGIS Leaflet Maps

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Asambleas

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AdsMiddle

Plugin: WP Sitemap

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hero Slider – WordPress Slider Plugin

Vulnerability: WordPress Slider Plugin <= 1.3.5
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Alphabetic Pagination

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 3.3.6
Recommended Action: Update to version 3.3.6, or a newer patched version

Plugin: Wired Impact Volunteer Management

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Marketing Automation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.6.9
Recommended Action: Update to version 1.2.6.9, or a newer patched version

Plugin: URL Media Uploader

Vulnerability: Authenticated (Author+) Server-Side Request Forgery via DNS Rebinding
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Strong Testimonials

Vulnerability: Missing Authorization
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Ultimate WordPress Auction Plugin

Vulnerability: Missing Authorization to Arbitrary Post Deletion
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: User List

Plugin: SeedProd Pro

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 6.18.13
Recommended Action: Update to version 6.18.13, or a newer patched version

Plugin: FileBird – WordPress Media Library Folders & File Manager

Vulnerability: Authenticated (Author+) Insecure Direct Object Reference
Patched Version: 6.4.6
Recommended Action: Update to version 6.4.6, or a newer patched version

Plugin: RateMyAgent Official

Vulnerability: Cross-Site Request Forgery to API Key Update
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Vulnerability: Unauthenticated Limited Server-Side Request Forgery in nice_links
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: Flagged Content

Plugin: SMS Alert Order Notifications – WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.9
Recommended Action: Update to version 3.7.9, or a newer patched version

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 2.0.7.3
Recommended Action: Update to version 2.0.7.3, or a newer patched version

Plugin: ADFO – Custom data in admin dashboard

Plugin: Limit Bio

Plugin: EZ InLinkz linkup

Plugin: Add Linked Images To Gallery

Plugin: GPX Viewer

Vulnerability: Authenticated (Editor+) Path Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: IP2Location Redirection

Vulnerability: Missing Authorization to Unauthenticated Settings Export
Patched Version: 1.33.4
Recommended Action: Update to version 1.33.4, or a newer patched version

Plugin: Form To Online Booking

Plugin: Wallet System for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: Post Timeline

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.10
Recommended Action: Update to version 2.3.10, or a newer patched version

Plugin: flickr-slideshow-wrapper

Plugin: ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: Zigaform – Form Builder Lite

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 7.4.3
Recommended Action: Update to version 7.4.3, or a newer patched version

Plugin: Events Calendar for GeoDirectory

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 2.3.15
Recommended Action: Update to version 2.3.15, or a newer patched version

Plugin: Sticky Content – Stick any content on pages

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Contact Form 7 Star Rating with font Awesome

Plugin: SetSail Membership

Vulnerability: Authentication Bypass via Account Takeover
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: SpotBot

Plugin: Product Catalog Simple

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via show_products Shortcode
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Video.js HLS Player

Plugin: Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP

Vulnerability: Unauthenticated Arbitrary File Read
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version

Plugin: Database Backup and check Tables Automated With Scheduler 2024

Vulnerability: Authenticated (Administrator+) Sensitive Information Exposure
Patched Version: 2.36
Recommended Action: Update to version 2.36, or a newer patched version

Plugin: Fresh Framework

Plugin: List Related Attachments

Plugin: Store Locator Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2025r2
Recommended Action: Update to version 2025r2, or a newer patched version

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Patched Version: 2.0.7.2
Recommended Action: Update to version 2.0.7.2, or a newer patched version

Plugin: Profile Widget Ninja

Plugin: WHMCS Client Area for WordPress by WHMpress

Vulnerability: WHMCS Client Area <= 4.3-revision-3- Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Database Backup and check Tables Automated With Scheduler 2024

Vulnerability: Authenticated (Administrator+) Arbitrary File Deletion
Patched Version: 2.37
Recommended Action: Update to version 2.37, or a newer patched version

Plugin: Site Mailer – SMTP Replacement, Email API Deliverability & Email Log

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: teachPress

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 9.0.8
Recommended Action: Update to version 9.0.8, or a newer patched version

Plugin: Contact Form Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.27
Recommended Action: Update to version 1.1.27, or a newer patched version

Plugin: Album Gallery – WordPress Gallery

Vulnerability: Authenticated (Editor+) PHP Object Injection via Gallery Meta
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: CHATLIVE – Support online chat

Plugin: FULL – Cliente

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.1.26
Recommended Action: Update to version 3.1.26, or a newer patched version

Plugin: WP Activity Log

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 5.3.3
Recommended Action: Update to version 5.3.3, or a newer patched version

Plugin: Email to Download

Plugin: HSS Embed Streaming Video

Plugin: Kush Micro News

Plugin: Monetag Official Plugin

Plugin: Simple:Press Forum

Vulnerability: Reflected Cross-Site Scripting via msearch
Patched Version: 6.10.11
Recommended Action: Update to version 6.10.11, or a newer patched version

Plugin: WP Click Info

Plugin: Better Customer List for WooCommerce

Plugin: QR Code for WooCommerce

Plugin: Simple Download Counter

Vulnerability: Authenticated (Author+) Arbitrary File Read
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Simplified Plugin

Plugin: SeedProd Pro

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: 6.18.13
Recommended Action: Update to version 6.18.13, or a newer patched version

Plugin: Live css

Plugin: Get Posts

Plugin: Popup Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.35
Recommended Action: Update to version 1.1.35, or a newer patched version

Plugin: Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.5.0
Recommended Action: Update to version 4.5.0, or a newer patched version

Plugin: WP Foodbakery

Vulnerability: Unauthenticated Privilege Escalation in foodbakery_registration_validation
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: WP Foodbakery

Vulnerability: Authentication Bypass in foodbakery_parse_request
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WoWPth

Plugin: Quotes llama

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: WordPress Photo Gallery – Image Gallery

Plugin: Fontsampler

Plugin: Newsletters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.9.7
Recommended Action: Update to version 4.9.9.7, or a newer patched version

Plugin: Authors List

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 2.0.6.1
Recommended Action: Update to version 2.0.6.1, or a newer patched version

Plugin: Modal Portfolio

Plugin: Passbeemedia Web Push Notification

Plugin: BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages

Vulnerability: Cross-Site Request Forgery to Limited Settings Update
Patched Version: 3.4.26
Recommended Action: Update to version 3.4.26, or a newer patched version

Plugin: ThemeMakers Stripe Checkout

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Exclusive Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Text and Image Comparison Widgets
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version

Plugin: Envato Affiliater

Plugin: News Kit Elementor Addons

Plugin: Easy Form by AYS – Form Builder Plugin for WordPress

Plugin: Oshine Modules

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.8
Recommended Action: Update to version 3.3.8, or a newer patched version

Plugin: Pure Chat – Live Chat & More!

Vulnerability: Reflected Cross-Site Scripting via purechatWidgetName Parameter
Patched Version: 2.41
Recommended Action: Update to version 2.41, or a newer patched version

Plugin: Page Builder by SiteOrigin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.31.5
Recommended Action: Update to version 2.31.5, or a newer patched version

Plugin: VG PostCarousel

Plugin: Responsive Modal Builder for High Conversion – Easy Popups

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Countdown Timer for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: WP-Clap

Plugin: Cookie Monster

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: List Urls

Plugin: DHVC Form

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Text, Countdown Widget, and Login Form Shortcodes
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Estatik Real Estate Plugin

Plugin: WooMail – WooCommerce Email Customizer

Vulnerability: WooCommerce Email Customizer <= 3.0.34
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Link My Posts

Plugin: SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion via SurveyJS_DeleteFile
Patched Version: 1.12.18
Recommended Action: Update to version 1.12.18, or a newer patched version

Plugin: Magic the Gathering Card Tooltips

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: KiviCare – Clinic & Patient Management System (EHR)

Vulnerability: Authenticated (Doctor+) SQL Injection via ‘u_id’ Parameter
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version

Plugin: Small Package Quotes – Unishippers Edition

Vulnerability: Missing Authorization
Patched Version: 2.4.10
Recommended Action: Update to version 2.4.10, or a newer patched version

Plugin: BuddyHolis TableSearch

Plugin: Bulk Content Creator

Plugin: PixelYourSite – Your smart PIXEL (TAG) & API Manager

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 10.1.1.2
Recommended Action: Update to version 10.1.1.2, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: Small Package Quotes – Worldwide Express Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.2.19
Recommended Action: Update to version 5.2.19, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via src Parameter
Patched Version: 7.3.4
Recommended Action: Update to version 7.3.4, or a newer patched version

Plugin: OneStore Sites

Vulnerability: Unauthenticated Blind Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SureMembers

Vulnerability: Sensitive Information Exposure
Patched Version: 1.10.7
Recommended Action: Update to version 1.10.7, or a newer patched version

Plugin: SKU Generator for WooCommerce

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: AR for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.8
Recommended Action: Update to version 7.8, or a newer patched version

Plugin: Distance Rate Shipping For WooCommerce

Plugin: JPG, PNG Compression and Optimization

Plugin: Social Share And Social Locker – ARSocial

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Animated Text Block

Vulnerability: Missing Authorization
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.5.0
Recommended Action: Update to version 4.5.0, or a newer patched version

Plugin: Saoshyant Slider

Plugin: RAYS Grid

Plugin: Animation Addons for Elementor Pro

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: 1 click passwordless login, temporary login, social login & user switching – Login Me Now

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Maps Plugin using Google Maps for WordPress – WP Google Map

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.

About the Author

Odell Duppins Jr

Well qualified professional with plenty of hands on experience with various technologies. Excellent analytical and troubleshooting skills with a keen ability of developing and/or simplifying processes by finding and developing new innovative solutions.