Watch Out Wednesday – March 12, 2025

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Podlove Podcast Publisher

Vulnerability: Cross-Site Request Forgery via ajax_transcript_delete Function
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Publish
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: WPCOM Member

Vulnerability: Authentication Bypass via ‘user_phone’
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Authenticated (Administrator+) SQL Injection via columns Parameter
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: WooCommerce Recover Abandoned Cart

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Google Calendar Outlook Events Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: cformsII

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RS Survey

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: Random Image Selector

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Print Invoice & Delivery Notes for WooCommerce

Vulnerability: Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version

Plugin: Ni WooCommerce Sales Report Email

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Insecure Direct Object Reference
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Shortcode Cleaner Lite

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Export
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DesignThemes Core Features

Vulnerability: Missing Authorization to Unauthenticated Arbitrary File Read via dt_process_imported_file
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: School Management System for WordPress

Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘mj_smgt_show_event_task’
Patched Version: 93.0.0
Recommended Action: Update to version 93.0.0, or a newer patched version

Plugin: Hero Mega Menu – Responsive WordPress Menu Plugin

Vulnerability: Responsive WordPress Menu Plugin <= 1.16.5
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Authenticated (Subscriber+) SQL Injection via search Parameter
Patched Version: 12.4.06
Recommended Action: Update to version 12.4.06, or a newer patched version

Plugin: Wishlist

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.44
Recommended Action: Update to version 1.0.44, or a newer patched version

Plugin: Flexmls® IDX Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.14.29
Recommended Action: Update to version 3.14.29, or a newer patched version

Plugin: Photo Video Store

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Authenticated (Contributor+) Private Post Disclosure in pagelayer_builder_posts_shortcode
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version

Plugin: ZoomSounds – WordPress Wave Audio Player with Playlist

Vulnerability: WordPress Wave Audio Player with Playlist <= 6.91
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: Authenticated (Custom+) Stored Cross-Site Scripting via Album Title Size
Patched Version: 2.4.30
Recommended Action: Update to version 2.4.30, or a newer patched version

Plugin: RomethemeKit For Elementor

Vulnerability: Missing Authorization in save_options and reset_widgets
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Multiple Shipping And Billing Address For Woocommerce

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Master Slider – Responsive Touch Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ms_layer Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Traveler Code

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.0.60
Recommended Action: Update to version 2.0.60, or a newer patched version

Plugin: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery via Webhook
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version

Plugin: Attach Gallery Posts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Event Attendees Export
Patched Version: 4.0.7.4
Recommended Action: Update to version 4.0.7.4, or a newer patched version

Plugin: bbPress

Vulnerability: Cross-Site Request Forgery to Limited Privilege Escalation
Patched Version: 2.6.12
Recommended Action: Update to version 2.6.12, or a newer patched version

Plugin: All-in-One Addons for Elementor – WidgetKit

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Years Since – Timeless Texts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CS Framework

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 7.1
Recommended Action: Update to version 7.1, or a newer patched version

Plugin: Twitter News Feed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Browser-Update-Notify

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Currency Switcher for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.16.3
Recommended Action: Update to version 2.16.3, or a newer patched version

Plugin: melascrivi-plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Greek Multi Tool – Ultimate Greek Language Toolkit for WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: I Am Gloria

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Unauthenticated SQL Injection via search Parameter
Patched Version: 2.10.1
Recommended Action: Update to version 2.10.1, or a newer patched version

Plugin: NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar

Vulnerability: SQL Injection
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version

Plugin: Essay Wizard (wpCRES)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Debug-Bar-Extender

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Recall – Registration, Profile, Commerce & More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 16.26.12
Recommended Action: Update to version 16.26.12, or a newer patched version

Plugin: salavat counter Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.30
Recommended Action: Update to version 2.4.30, or a newer patched version

Plugin: Allow PHP Execute

Vulnerability: Authenticated (Editor+) PHP Code Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooODT Lite – Delivery & pickup date time location for WooCommerce

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Quizzin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.6.8
Recommended Action: Update to version 1.4.6.8, or a newer patched version

Plugin: Google Map on Post/Page

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Lockdown

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Post Disclosure
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Responsive Lightbox & Gallery

Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Featherlight.js JavaScript Library
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: School Management System for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP SpaceContent

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Killer Theme Options

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VikRentCar Car Rental Management System

Vulnerability: Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: IP Based Login

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Lightbox slider – Responsive Lightbox Gallery

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Keep

Vulnerability: Cross-Site Request Forgery to Email Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP AntiDDOS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Marekkis Watermark-Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Video Player WordPress & WooCommerce Plugin

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Cross-Site Request Forgery (CSRF) To Post Contents Modification
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version

Plugin: Post Meta Data Manager

Vulnerability: Authenticated (Admin+) Multisite Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SecuPress Free — WordPress Security

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via secupress_check_ban_ips_form Shortcode
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CS Framework

Vulnerability: Authenticated (Subscriber+) Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.7.4
Recommended Action: Update to version 4.7.4, or a newer patched version

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via aux_contact_box and aux_gmaps Shortcodes
Patched Version: 2.17.1
Recommended Action: Update to version 2.17.1, or a newer patched version

Plugin: Code Snippets CPT

Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UiPress lite | Effortless custom dashboards, admin themes and pages

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 3.5.05
Recommended Action: Update to version 3.5.05, or a newer patched version

Plugin: Homey Login Register

Vulnerability: Unauthenticated Privilege Escalation in homey_register
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Flexo Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit

Vulnerability: AI Content Writer, Editor, ChatBot & AI Toolkit <= 2.3.6
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

Plugin: Plug your WooCommerce into the largest catalog of customized print products from Helloprint

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CURCY – WooCommerce Multi Currency – Currency Switcher

Vulnerability: WooCommerce Multi Currency
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: Curated Search

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AW WooCommerce Kode Pembayaran

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RSVP ME

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ProductDyno

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.25
Recommended Action: Update to version 1.0.25, or a newer patched version

Plugin: WP Online Contract

Vulnerability: Missing Authorization to Unauthenticated Settings Import
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit

Vulnerability: AI Content Writer, Editor, ChatBot & AI Toolkit <= 2.3.8
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version

Plugin: Qubely – Advanced Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via qubely_get_content
Patched Version: 1.8.14
Recommended Action: Update to version 1.8.14, or a newer patched version

Plugin: Plug your WooCommerce into the largest catalog of customized print products from Helloprint

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Staff Widget
Patched Version: 2.17.3
Recommended Action: Update to version 2.17.3, or a newer patched version

Plugin: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 4.7.4
Recommended Action: Update to version 4.7.4, or a newer patched version

Plugin: Workreap

Vulnerability: Unauthenticated Privilege Escalation via Account Takeover
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: WordPress abandoned cart recovery and email marketing for WooCommerce by Recapture

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.0.44
Recommended Action: Update to version 1.0.44, or a newer patched version

Plugin: radSLIDE

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Discord Post

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Javo Core

Vulnerability: Unauthenticated Privilege Escalation in ajax_signup
Patched Version: 3.0.0.266
Recommended Action: Update to version 3.0.0.266, or a newer patched version

Plugin: Pre Order Addon for WooCommerce – Advance Order/Backorder Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Staff Directory Plugin: Company Directory

Vulnerability: Reflected Cross-Site Scripting via add_query_arg Function
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Moving Media Library

Vulnerability: Authenticated (Administrator+) Directory Traversal to Arbitrary File Deletion
Patched Version: 1.23
Recommended Action: Update to version 1.23, or a newer patched version

Plugin: Pit Login Welcome

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TinyMCE Extended Config

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Real Estate Manager

Vulnerability: Authentication Bypass via Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: G Web Pro Store Locator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smooth Dynamic Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solace Extra

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Missing Authorization
Patched Version: 2.17.5
Recommended Action: Update to version 2.17.5, or a newer patched version

Plugin: Download Manager

Vulnerability: Unauthenticated Information Disclosure via Unprotected Directory
Patched Version: 3.3.07
Recommended Action: Update to version 3.3.07, or a newer patched version

Plugin: Heartland Management Terminal

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Hero Maps Premium – Customizable Google Maps Plugin

Vulnerability: Not specified in this listing (affected versions: <= 2.3.9)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DeBounce Email Validator

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wp Svg Upload

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SMS Alert Order Notifications – WooCommerce

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.7.9
Recommended Action: Update to version 3.7.9, or a newer patched version

Plugin: Starter Templates by FancyWP

Vulnerability: Unauthenticated Blind Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Platform.ly for WooCommerce

Vulnerability: Unauthenticated Blind Server-Side Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: GoogleMapper

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Awesome Twitter Feeds

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Notibar – Notification Bar for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.3.6.6
Recommended Action: Update to version 1.3.6.6, or a newer patched version

Plugin: Review Schema – Review & Structure Data Schema Plugin

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Post Meta
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: School Management System for WordPress

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Ticket Category and Ticket Type Name
Patched Version: 4.0.7.4
Recommended Action: Update to version 4.0.7.4, or a newer patched version

Plugin: SMTP by BestWebSoft

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Accessibility Suite by Ability, Inc

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SearchIQ – The Search Solution

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: Vampire Character Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sale with Razorpay

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hero Slider – WordPress Slider Plugin

Vulnerability: Not specified in this listing (affected versions: <= 1.3.5)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: School Management System for WordPress

Vulnerability: Authenticated (Student+) SQL Injection via ‘view-attendance’
Patched Version: 93.0.0
Recommended Action: Update to version 93.0.0, or a newer patched version

Plugin: Razorpay Subscription Button Elementor Plugin

Vulnerability: Reflected Cross-Site Scripting via add_query_arg and remove_query_arg Functions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Course Booking System

Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.0.7
Recommended Action: Update to version 6.0.7, or a newer patched version

Plugin: Product Input Fields for WooCommerce

Vulnerability: Unauthenticated Limited File Upload
Patched Version: 1.12.1
Recommended Action: Update to version 1.12.1, or a newer patched version

Plugin: Google Transliteration

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Recall – Registration, Profile, Commerce & More

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 16.26.12
Recommended Action: Update to version 16.26.12, or a newer patched version

Plugin: Finale Lite – Sales Countdown Timer & Discount for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Countdown Timer
Patched Version: 2.20.0
Recommended Action: Update to version 2.20.0, or a newer patched version

Plugin: WP-Recall – Registration, Profile, Commerce & More

Vulnerability: Unauthenticated SQL Injection
Patched Version: 16.26.12
Recommended Action: Update to version 16.26.12, or a newer patched version

Plugin: Goodlayers Blocks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Awesome Shortcodes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: vcOS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: School Management System for WordPress

Vulnerability: Authenticated (Student+) Account Takeover and Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Traveler Layout Essential For Elementor

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Bandsintown Events

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.2.0.5
Recommended Action: Update to version 1.2.0.5, or a newer patched version

Plugin: GPX Viewer

Vulnerability: Authenticated (Editor+) Path Traversal
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version

Plugin: Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Eventer – WordPress Event & Booking Manager Plugin

Vulnerability: Not specified in this listing (affected versions: <= 3.9.9.2)
Patched Version: 3.9.9.3
Recommended Action: Update to version 3.9.9.3, or a newer patched version

Plugin: Appsero Helper

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Wishlist for WooCommerce: Multi Wishlists Per Customer

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting via Wishlist Name
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Plugin: ts-tree

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ClickBank Storefront WordPress Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: rng-refresh

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Point Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Recall – Registration, Profile, Commerce & More

Vulnerability: Authenticated (Contributor+) Protected Post Disclosure
Patched Version: 16.26.12
Recommended Action: Update to version 16.26.12, or a newer patched version

Plugin: Library Bookshelves

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.11
Recommended Action: Update to version 5.11, or a newer patched version

Plugin: Traveler Code

Vulnerability: Unauthenticated Arbitrary SQL Injection
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Gallery Styles

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Recently Purchased Products For Woo

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via view Parameter
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: VK Blocks

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.95.0.3
Recommended Action: Update to version 1.95.0.3, or a newer patched version

Plugin: WPGet API – Connect to any external REST API

Vulnerability: Authenticated (Administrator+) Server-Side Request Forgery
Patched Version: 2.25.1
Recommended Action: Update to version 2.25.1, or a newer patched version

Plugin: WP Activity Log

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 5.3.3
Recommended Action: Update to version 5.3.3, or a newer patched version

Plugin: Email Keep

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Survey Submission
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Flash Sale Countdown Module
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: WP FPO

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: InWave Jobs

Vulnerability: Unauthenticated Privilege Escalation via Password Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Countdown Widget
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: WooMail – WooCommerce Email Customizer

Vulnerability: Not specified in this listing (affected versions: <= 3.0.34)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Notification

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version

Plugin: azurecurve Floating Featured Image

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Us By Lord Linus

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Authenticated (Subscriber+) PHP Object Injection via auxin_template_control_importer
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 8.8.2
Recommended Action: Update to version 8.8.2, or a newer patched version

Plugin: Master Slider – Responsive Touch Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ms_slider Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Awesome Import & Export Plugin – Import & Export WordPress Data

Vulnerability: Not specified in this listing (affected versions: <= 4.1.1)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: ntp-header-images

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Post/Page Updates
Patched Version: 2.4.30
Recommended Action: Update to version 2.4.30, or a newer patched version

Plugin: SKU Generator for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: IP Based Login

Vulnerability: Cross-Site Request Forgery to Log Deletion
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Predict When

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.8.5
Recommended Action: Update to version 1.6.8.5, or a newer patched version

Plugin: Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 6.2.3
Recommended Action: Update to version 6.2.3, or a newer patched version

Plugin: ProductDyno

Vulnerability: Reflected Cross-Site Scripting via ‘res’ Parameter
Patched Version: 1.0.25
Recommended Action: Update to version 1.0.25, or a newer patched version

Plugin: m1.DownloadList

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.20
Recommended Action: Update to version 0.20, or a newer patched version
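
To turn the list above into a check you can run against a site, here is an added example (not part of the original post, and not a tool from the post's author) of a small Python script that compares the plugins installed on a WordPress site, as reported by WP-CLI's `wp plugin list --fields=title,version,status --format=json`, against the patched versions in this listing. The advisory rows embedded in the script are transcribed from four entries above; the sample WP-CLI output is constructed for the example, and matching on plugin title (rather than slug) is an assumption, because this listing gives display names only. The version comparison is a simplified numeric dotted-version compare, so "3.3.07" and "3.3.7" are treated as equal.

```python
import json
import re

# Constructed sample of `wp plugin list --fields=title,version,status --format=json`
# output. Versions and the unrelated plugin are made up for this example.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"title": "HUSKY – Products Filter Professional for WooCommerce", "version": "1.3.6.5", "status": "active"},
    {"title": "Download Manager", "version": "3.3.07", "status": "active"},
    {"title": "WP Activity Log", "version": "5.3.2", "status": "inactive"},
    {"title": "Wp Svg Upload", "version": "1.0", "status": "active"},
    {"title": "Some Unrelated Plugin", "version": "2.4", "status": "active"},
])

# Rows transcribed from the listing above (title -> (vulnerability, patched version)).
# None means the listing gives no patched version. Extend with the remaining entries.
ADVISORY = {
    "HUSKY – Products Filter Professional for WooCommerce": ("Unauthenticated Local File Inclusion", "1.3.6.6"),
    "Download Manager": ("Unauthenticated Information Disclosure via Unprotected Directory", "3.3.07"),
    "WP Activity Log": ("Authenticated (Administrator+) PHP Object Injection", "5.3.3"),
    "Wp Svg Upload": ("Authenticated (Author+) Stored Cross-Site Scripting via SVG", None),
}


def version_key(version):
    """Integer tuple of the numeric components, so "3.3.07" == "3.3.7" and
    "1.3.6.5" < "1.3.6.6". Non-numeric suffixes such as "beta" are ignored;
    this is a simplification of PHP's version_compare, which is enough for
    the plain dotted release numbers used in this listing."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_patched(installed, patched):
    """True when the installed version is at or above the patched version.
    A missing patched version can never be satisfied."""
    if patched is None:
        return False
    a, b = version_key(installed), version_key(patched)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))  # pad so "2.0" compares as 2.0.0
    b += (0,) * (n - len(b))
    return a >= b


def normalise(title):
    # Title matching is an assumption; collapse whitespace and case to be lenient.
    return re.sub(r"\s+", " ", title).strip().casefold()


def audit(plugin_list_json, advisory=ADVISORY):
    """Return one finding per installed plugin that appears in the advisory
    and is below the patched version (or has no patch at all)."""
    index = {normalise(k): (k, v) for k, v in advisory.items()}
    findings = []
    for plugin in json.loads(plugin_list_json):
        hit = index.get(normalise(plugin["title"]))
        if hit is None:
            continue
        name, (vuln, patched) = hit
        if is_patched(plugin["version"], patched):
            continue
        findings.append({
            "plugin": name,
            "installed": plugin["version"],
            "active": plugin.get("status") == "active",
            "vulnerability": vuln,
            "action": f"update to {patched} or newer" if patched else "no patch; mitigate or remove",
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WP_PLUGIN_LIST):
        print(finding)
```

On a real site, replace `SAMPLE_WP_PLUGIN_LIST` with the output of the WP-CLI command and copy the rest of the rows from the listing into `ADVISORY`. Note that an inactive plugin still ships its PHP files, so findings with `active: False` still warrant the update or removal.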

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
