Plugin: AJAX Thumbnail Rebuild
Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Emails & Newsletters with Jackmail
Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP BrowserUpdate
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Directory Kit
Vulnerability: Open Redirect
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Mass Email To users
Vulnerability: Unauthenticated Reflected Cross-Site Scripting via ‘entrant’
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Bit File Manager – 100% free file manager for WordPress
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CM On Demand Search And Replace
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: ClickFunnels
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Woo Search
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.78
Recommended Action: Update to version 2.78, or a newer patched version
Plugin: Orbit Fox by ThemeIsle
Vulnerability: Authenticated (Author+) Server-Side Request Forgery via URL
Patched Version: 2.10.24
Recommended Action: Update to version 2.10.24, or a newer patched version
Plugin: Photo Gallery Slideshow & Masonry Tiled Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version
Plugin: WP Inventory Manager
Vulnerability: Reflected Cross-Site Scripting via ‘message’
Patched Version: 2.1.0.13
Recommended Action: Update to version 2.1.0.13, or a newer patched version
Plugin: Logo Scheduler – Great for holidays, events, and more
Vulnerability: Reflected Cross-Site Scripting via page parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-CORS
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Docs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: SEO ALert
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Digital Downloads – Simple eCommerce for Selling Digital Files
Vulnerability: Unauthenticated Arbitrary Password Reset to Privilege Escalation
Patched Version: 3.1.1.4.2
Recommended Action: Update to version 3.1.1.4.2, or a newer patched version
Plugin: WP Search Analytics
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Zephyr Project Manager
Vulnerability: Open Redirect
Patched Version: 3.3.10
Recommended Action: Update to version 3.3.10, or a newer patched version
Plugin: Integration for Contact Form 7 HubSpot
Vulnerability: Open Redirect via state parameter
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: Maintenance Switch
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Bet
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booking Manager
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 2.0.29
Recommended Action: Update to version 2.0.29, or a newer patched version
Plugin: WooCommerce Multivendor Marketplace – REST API
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Order/Order Note Disclosure, Order Note Addition via REST API
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: User IP and Location
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Thumbs Rating
Vulnerability: Race Condition
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image Optimizer by 10web – Image Optimizer and Compression plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.27
Recommended Action: Update to version 1.0.27, or a newer patched version
Plugin: WP EasyPay – Square for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version
Plugin: Plugins List
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via replace_plugin_list_tags
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Depicter Slider – Responsive Image Slider, Video Slider & Post Slider
Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.