Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Podlove Podcast Publisher
Vulnerability: Cross-Site Request Forgery via ajax_transcript_delete Function
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version
Plugin: Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.
Vulnerability: Cross-Site Request Forgery to Arbitrary Post Publish
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version
Plugin: WPCOM Member
Vulnerability: Authentication Bypass via ‘user_phone’
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more
Vulnerability: Authenticated (Administrator+) SQL Injection via columns Parameter
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: WooCommerce Recover Abandoned Cart
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Google Calendar Outlook Events Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: cformsII
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RS Survey
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version
Plugin: Random Image Selector
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Print Invoice & Delivery Notes for WooCommerce
Vulnerability: Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version
Plugin: Ni WooCommerce Sales Report Email
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SupportCandy – Helpdesk & Customer Support Ticket System
Vulnerability: Insecure Direct Object Reference
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: Shortcode Cleaner Lite
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Export
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DesignThemes Core Features
Vulnerability: Missing Authorization to Unauthenticated Arbitrary File Read via dt_process_imported_file
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: School Management System for WordPress
Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘mj_smgt_show_event_task’
Patched Version: 93.0.0
Recommended Action: Update to version 93.0.0, or a newer patched version
Plugin: Hero Mega Menu – Responsive WordPress Menu Plugin
Vulnerability: Responsive WordPress Menu Plugin <= 1.16.5
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Authenticated (Subscriber+) SQL Injection via search Parameter
Patched Version: 12.4.06
Recommended Action: Update to version 12.4.06, or a newer patched version
Plugin: Wishlist
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.44
Recommended Action: Update to version 1.0.44, or a newer patched version
Plugin: Flexmls® IDX Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.14.29
Recommended Action: Update to version 3.14.29, or a newer patched version
Plugin: Photo Video Store
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: Authenticated (Contributor+) Private Post Disclosure in pagelayer_builder_posts_shortcode
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version
Plugin: ZoomSounds – WordPress Wave Audio Player with Playlist
Vulnerability: WordPress Wave Audio Player with Playlist <= 6.91
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Vulnerability: Authenticated (Custom+) Stored Cross-Site Scripting via Album Title Size
Patched Version: 2.4.30
Recommended Action: Update to version 2.4.30, or a newer patched version
Plugin: RomethemeKit For Elementor
Vulnerability: Missing Authorization in save_options and reset_widgets
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Multiple Shipping And Billing Address For Woocommerce
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Master Slider – Responsive Touch Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ms_layer Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Traveler Code
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.0.60
Recommended Action: Update to version 2.0.60, or a newer patched version
Plugin: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery via Webhook
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version
Plugin: Attach Gallery Posts
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Event Attendees Export
Patched Version: 4.0.7.4
Recommended Action: Update to version 4.0.7.4, or a newer patched version
Plugin: bbPress
Vulnerability: Cross-Site Request Forgery to Limited Privilege Escalation
Patched Version: 2.6.12
Recommended Action: Update to version 2.6.12, or a newer patched version
Plugin: All-in-One Addons for Elementor – WidgetKit
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Years Since – Timeless Texts
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CS Framework
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 7.1
Recommended Action: Update to version 7.1, or a newer patched version
Plugin: Twitter News Feed
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Browser-Update-Notify
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Currency Switcher for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.16.3
Recommended Action: Update to version 2.16.3, or a newer patched version
Plugin: melascrivi-plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Greek Multi Tool – Ultimate Greek Language Toolkit for WordPress
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: I Am Gloria
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Unauthenticated SQL Injection via search Parameter
Patched Version: 2.10.1
Recommended Action: Update to version 2.10.1, or a newer patched version
Plugin: NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar
Vulnerability: SQL Injection
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version
Plugin: Essay Wizard (wpCRES)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Debug-Bar-Extender
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Recall – Registration, Profile, Commerce & More
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 16.26.12
Recommended Action: Update to version 16.26.12, or a newer patched version
Plugin: salavat counter Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version
Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.30
Recommended Action: Update to version 2.4.30, or a newer patched version
Plugin: Allow PHP Execute
Vulnerability: Authenticated (Editor+) PHP Code Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooODT Lite – Delivery & pickup date time location for WooCommerce
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version
Plugin: Quizzin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.6.8
Recommended Action: Update to version 1.4.6.8, or a newer patched version
Plugin: Google Map on Post/Page
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Lockdown
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Post Disclosure
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: Responsive Lightbox & Gallery
Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Featherlight.js JavaScript Library
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version
Plugin: School Management System for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP SpaceContent
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Killer Theme Options
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: VikRentCar Car Rental Management System
Vulnerability: Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: IP Based Login
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Lightbox slider – Responsive Lightbox Gallery
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Email Keep
Vulnerability: Cross-Site Request Forgery to Email Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP AntiDDOS
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Marekkis Watermark-Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Video Player WordPress & WooCommerce Plugin
Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: Cross-Site Request Forgery (CSRF) To Post Contents Modification
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version
Plugin: Post Meta Data Manager
Vulnerability: Authenticated (Admin+) Multisite Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SecuPress Free — WordPress Security
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via secupress_check_ban_ips_form Shortcode
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CS Framework
Vulnerability: Authenticated (Subscriber+) Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.7.4
Recommended Action: Update to version 4.7.4, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via aux_contact_box and aux_gmaps Shortcodes
Patched Version: 2.17.1
Recommended Action: Update to version 2.17.1, or a newer patched version
Plugin: Code Snippets CPT
Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UiPress lite | Effortless custom dashboards, admin themes and pages
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 3.5.05
Recommended Action: Update to version 3.5.05, or a newer patched version
Plugin: Homey Login Register
Vulnerability: Unauthenticated Privilege Escalation in homey_register
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Flexo Slider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit
Vulnerability: AI Content Writer, Editor, ChatBot & AI Toolkit <= 2.3.6
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version
Plugin: Plug your WooCommerce into the largest catalog of customized print products from Helloprint
Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CURCY – WooCommerce Multi Currency – Currency Switcher
Vulnerability: WooCommerce Multi Currency
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version
Plugin: Curated Search
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AW WooCommerce Kode Pembayaran
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RSVP ME
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ProductDyno
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.25
Recommended Action: Update to version 1.0.25, or a newer patched version
Plugin: WP Online Contract
Vulnerability: Missing Authorization to Unauthenticated Settings Import
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit
Vulnerability: AI Content Writer, Editor, ChatBot & AI Toolkit <= 2.3.8
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version
Plugin: Qubely – Advanced Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via qubely_get_content
Patched Version: 1.8.14
Recommended Action: Update to version 1.8.14, or a newer patched version
Plugin: Plug your WooCommerce into the largest catalog of customized print products from Helloprint
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Staff Widget
Patched Version: 2.17.3
Recommended Action: Update to version 2.17.3, or a newer patched version
Plugin: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 4.7.4
Recommended Action: Update to version 4.7.4, or a newer patched version
Plugin: Workreap
Vulnerability: Unauthenticated Privilege Escalation via Account Takeover
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version
Plugin: WordPress abandoned cart recovery and email marketing for WooCommerce by Recapture
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.0.44
Recommended Action: Update to version 1.0.44, or a newer patched version
Plugin: radSLIDE
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Discord Post
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Javo Core
Vulnerability: Unauthenticated Privilege Escalation in ajax_signup
Patched Version: 3.0.0.266
Recommended Action: Update to version 3.0.0.266, or a newer patched version
Plugin: Pre Order Addon for WooCommerce – Advance Order/Backorder Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Staff Directory Plugin: Company Directory
Vulnerability: Reflected Cross-Site Scripting via add_query_arg Function
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Moving Media Library
Vulnerability: Authenticated (Administrator+) Directory Traversal to Arbitrary File Deletion
Patched Version: 1.23
Recommended Action: Update to version 1.23, or a newer patched version
Plugin: Pit Login Welcome
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TinyMCE Extended Config
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Real Estate Manager
Vulnerability: Authentication Bypass via Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: G Web Pro Store Locator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smooth Dynamic Slider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Solace Extra
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Missing Authorization
Patched Version: 2.17.5
Recommended Action: Update to version 2.17.5, or a newer patched version
Plugin: Download Manager
Vulnerability: Unauthenticated Information Disclosure via Unprotected Directory
Patched Version: 3.3.07
Recommended Action: Update to version 3.3.07, or a newer patched version
Plugin: Heartland Management Terminal
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Hero Maps Premium
Vulnerability: Customizable Google Maps Plugin <= 2.3.9
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DeBounce Email Validator
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wp Svg Upload
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SMS Alert Order Notifications – WooCommerce
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.7.9
Recommended Action: Update to version 3.7.9, or a newer patched version
Plugin: Starter Templates by FancyWP
Vulnerability: Unauthenticated Blind Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Platform.ly for WooCommerce
Vulnerability: Unauthenticated Blind Server-Side Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: GoogleMapper
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Awesome Twitter Feeds
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Notibar – Notification Bar for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: HUSKY – Products Filter Professional for WooCommerce
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.3.6.6
Recommended Action: Update to version 1.3.6.6, or a newer patched version
Plugin: Review Schema – Review & Structure Data Schema Plugin
Vulnerability: Authenticated (Contributor+) Local File Inclusion via Post Meta
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: School Management System for WordPress
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Ticket Category and Ticket Type Name
Patched Version: 4.0.7.4
Recommended Action: Update to version 4.0.7.4, or a newer patched version
Plugin: SMTP by BestWebSoft
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Accessibility Suite by Ability, Inc
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SearchIQ – The Search Solution
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version
Plugin: Vampire Character Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sale with Razorpay
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hero Slider – WordPress Slider Plugin
Vulnerability: WordPress Slider Plugin <= 1.3.5
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: School Management System for WordPress
Vulnerability: Authenticated (Student+) SQL Injection via ‘view-attendance’
Patched Version: 93.0.0
Recommended Action: Update to version 93.0.0, or a newer patched version
Plugin: Razorpay Subscription Button Elementor Plugin
Vulnerability: Reflected Cross-Site Scripting via add_query_arg and remove_query_arg Functions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Course Booking System
Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.0.7
Recommended Action: Update to version 6.0.7, or a newer patched version
Plugin: Product Input Fields for WooCommerce
Vulnerability: Unauthenticated Limited File Upload
Patched Version: 1.12.1
Recommended Action: Update to version 1.12.1, or a newer patched version
Plugin: Google Transliteration
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Recall – Registration, Profile, Commerce & More
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 16.26.12
Recommended Action: Update to version 16.26.12, or a newer patched version
Plugin: Finale Lite – Sales Countdown Timer & Discount for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Countdown Timer
Patched Version: 2.20.0
Recommended Action: Update to version 2.20.0, or a newer patched version
Plugin: WP-Recall – Registration, Profile, Commerce & More
Vulnerability: Unauthenticated SQL Injection
Patched Version: 16.26.12
Recommended Action: Update to version 16.26.12, or a newer patched version
Plugin: Goodlayers Blocks
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Awesome Shortcodes
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version
Plugin: vcOS
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: School Management System for WordPress
Vulnerability: Authenticated (Student+) Account Takeover and Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Traveler Layout Essential For Elementor
Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Bandsintown Events
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: WPCS – WordPress Currency Switcher Professional
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.2.0.5
Recommended Action: Update to version 1.2.0.5, or a newer patched version
Plugin: GPX Viewer
Vulnerability: Authenticated (Editor+) Path Traversal
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version
Plugin: Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More
Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Eventer – WordPress Event & Booking Manager Plugin
Vulnerability: WordPress Event & Booking Manager Plugin <= 3.9.9.2
Patched Version: 3.9.9.3
Recommended Action: Update to version 3.9.9.3, or a newer patched version
Plugin: Appsero Helper
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Wishlist for WooCommerce: Multi Wishlists Per Customer
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting via Wishlist Name
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version
Plugin: ts-tree
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ClickBank Storefront WordPress Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: rng-refresh
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Point Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Recall – Registration, Profile, Commerce & More
Vulnerability: Authenticated (Contributor+) Protected Post Disclosure
Patched Version: 16.26.12
Recommended Action: Update to version 16.26.12, or a newer patched version
Plugin: Library Bookshelves
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.11
Recommended Action: Update to version 5.11, or a newer patched version
Plugin: Traveler Code
Vulnerability: Unauthenticated Arbitrary SQL Injection
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Gallery Styles
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Recently Purchased Products For Woo
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via view Parameter
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: VK Blocks
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.95.0.3
Recommended Action: Update to version 1.95.0.3, or a newer patched version
Plugin: WPGet API – Connect to any external REST API
Vulnerability: Authenticated (Administrator+) Server-Side Request Forgery
Patched Version: 2.25.1
Recommended Action: Update to version 2.25.1, or a newer patched version
Plugin: WP Activity Log
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 5.3.3
Recommended Action: Update to version 5.3.3, or a newer patched version
Plugin: Email Keep
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Survey Submission
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Flash Sale Countdown Module
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version
Plugin: WP FPO
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: InWave Jobs
Vulnerability: Unauthenticated Privilege Escalation via Password Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Countdown Widget
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: WooMail – WooCommerce Email Customizer
Vulnerability: WooCommerce Email Customizer <= 3.0.34
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Notification
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin
Vulnerability: Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version
Plugin: azurecurve Floating Featured Image
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Us By Lord Linus
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Subscriber+) PHP Object Injection via auxin_template_control_importer
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 8.8.2
Recommended Action: Update to version 8.8.2, or a newer patched version
Plugin: Master Slider – Responsive Touch Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ms_slider Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Awesome Import & Export Plugin – Import & Export WordPress Data
Vulnerability: Import & Export WordPress Data <= 4.1.1
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: ntp-header-images
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Vulnerability: Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Post/Page Updates
Patched Version: 2.4.30
Recommended Action: Update to version 2.4.30, or a newer patched version
Plugin: SKU Generator for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: IP Based Login
Vulnerability: Cross-Site Request Forgery to Log Deletion
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Predict When
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon
Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.8.5
Recommended Action: Update to version 1.6.8.5, or a newer patched version
Plugin: Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 6.2.3
Recommended Action: Update to version 6.2.3, or a newer patched version
Plugin: ProductDyno
Vulnerability: Reflected Cross-Site Scripting via ‘res’ Parameter
Patched Version: 1.0.25
Recommended Action: Update to version 1.0.25, or a newer patched version
Plugin: m1.DownloadList
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.20
Recommended Action: Update to version 0.20, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.