Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CALL ME NOW
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version
Plugin: WP Register Profile With Shortcode
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version
Plugin: Add Posts to Pages
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SoundCloud Is Gold
Vulnerability: Missing Authorization to Soundcloud User Add
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Multiple Page Generator Plugin – MPG
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.3.18
Recommended Action: Update to version 3.3.18, or a newer patched version
Plugin: WP Category Post List Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WCP Contact Form
Vulnerability: Missing Authorization via downloadCsv
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Injection Guard
Vulnerability: Cross-Site Request Forgery to Whitelist Update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: SEO by 10Web
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Contact Form by Supsystic
Vulnerability: Cross-Site Request Forgery via AJAX action
Patched Version: 1.7.25
Recommended Action: Update to version 1.7.25, or a newer patched version
Plugin: iframe popup
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YITH WooCommerce Gift Cards Premium
Vulnerability: Missing Authorization
Patched Version: 3.24.0
Recommended Action: Update to version 3.24.0, or a newer patched version
Plugin: Pinterest RSS Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Featured Image Pro Post Grid
Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: 5.15
Recommended Action: Update to version 5.15, or a newer patched version
Plugin: Post Form – Registration Form – Profile Form for User Profiles and Content Forms for User Submissions
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version
Plugin: Forget About Shortcode Buttons
Vulnerability: Missing Authorization via fasc_buttons
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Simple Calendar – Google Calendar Plugin
Vulnerability: Cross-Site Request Forgery to Transient Cache Clearing
Patched Version: 3.1.43
Recommended Action: Update to version 3.1.43, or a newer patched version
Plugin: Link Whisper Free
Vulnerability: Missing Authorization via init()
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Portfolio Gallery – Responsive Image Gallery
Vulnerability: Missing Authorization to Arbitrary Gallery Deletion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post State Tags
Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Get your number
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ricerca – advanced search
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: eBecas
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Predictive Search
Vulnerability: Missing Authorization
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Product page shipping calculator for WooCommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: 1.3.26
Recommended Action: Update to version 1.3.26, or a newer patched version
Plugin: Waiting: One-click countdowns
Vulnerability: Missing Authorization Checks leading to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version
Plugin: WP-Chatbot for Messenger
Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Injection Guard
Vulnerability: Cross-Site Request Forgery via ig_update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: WP Reactions Lite
Vulnerability: Cross-Site Request Forgery via AJAX action
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: itemprop WP for SERP/SEO Rich snippets
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Online Booking and Scheduling Plugin – Bookly
Vulnerability: Arbitrary File Deletion
Patched Version: 21.8
Recommended Action: Update to version 21.8, or a newer patched version
Plugin: Injection Guard
Vulnerability: Missing Authorization via ig_update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: PixelYourSite Pro – Your smart PIXEL (TAG) Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.6.2
Recommended Action: Update to version 9.6.2, or a newer patched version
Plugin: File Away
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woodmart Core
Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: 1.0.37
Recommended Action: Update to version 1.0.37, or a newer patched version
Plugin: Slimstat Analytics
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version
Plugin: weebotLite
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Order Your Posts Manually
Vulnerability: Authenticated (Administrator+) SQL Injection via ‘sortdata’
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Brands for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version
Plugin: Hyphenator
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Drop Shadow Boxes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.11
Recommended Action: Update to version 1.7.11, or a newer patched version
Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version
Plugin: Simple Page Ordering
Vulnerability: Missing Authorization to Information Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Donations Made Easy – Smart Donations
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woo Custom Emails
Vulnerability: Missing Authorization to Unauthenticated Settings Change
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 2.26.0
Recommended Action: Update to version 2.26.0, or a newer patched version
Plugin: Pricing Table Builder – AP Pricing Tables Lite
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Slimstat Analytics
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Authentication Bypass
Patched Version: 5.2.1.1
Recommended Action: Update to version 5.2.1.1, or a newer patched version
Plugin: Community by PeepSo – Social Network, Membership, Registration, User Profiles
Vulnerability: Cross-Site Request Forgery to Field Duplication
Patched Version: 6.1.0.0
Recommended Action: Update to version 6.1.0.0, or a newer patched version
Plugin: Video Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version
Plugin: Order Your Posts Manually
Vulnerability: Reflected Cross-Site Scripting via ‘_user_request’
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version
Plugin: WP Replicate Post
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version
Plugin: DevBuddy Twitter Feed
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Owl Carousel
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Chinese Conversion
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Field Suite
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: Column-Matic
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version
Plugin: Sunny Search
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Download Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.71
Recommended Action: Update to version 3.2.71, or a newer patched version
Plugin: Don8
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Injection Guard
Vulnerability: Missing Authorization to Whitelist Update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder
Vulnerability: Open Redirect
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: OTP Login Woocommerce & Gravity Forms
Vulnerability: Authentication Bypass to Privilege Escalation
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin
Vulnerability: Missing Authorization via save_fields_settings
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Website Builder
Vulnerability: Missing Authorization to Settings Update
Patched Version: 3.13.2
Recommended Action: Update to version 3.13.2, or a newer patched version
Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
Vulnerability: Reflected Cross-Site Scripting via ‘lang’
Patched Version: 3.1.61
Recommended Action: Update to version 3.1.61, or a newer patched version
Plugin: Announcement & Notification Banner – Bulletin
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version
Plugin: Sunny Search
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Multi Store Locator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hostel
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.5.2
Recommended Action: Update to version 1.1.5.2, or a newer patched version
Plugin: WPCS – WordPress Currency Switcher Professional
Vulnerability: Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Deletion
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: WPCS – WordPress Currency Switcher Professional
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Quick Page/Post Redirect Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Authenticated (Admin+) Insecure Direct Object Reference to Arbitrary User Password Change
Patched Version: 5.2.1.0
Recommended Action: Update to version 5.2.1.0, or a newer patched version
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version
Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.14.1
Recommended Action: Update to version 8.14.1, or a newer patched version
Plugin: Predictive Search
Vulnerability: Missing Authorization
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Frontend Post WordPress Plugin – AccessPress Anonymous Post
Vulnerability: Authenticated (Contributor+) Arbitrary Redirect
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Announcement & Notification Banner – Bulletin
Vulnerability: Missing Authorization Checks
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version
Plugin: Predictive Search
Vulnerability: Missing Authorization
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: LetterPress – E-Mail campaigns, marketing and newsletter Plugin for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPCS – WordPress Currency Switcher Professional
Vulnerability: Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Editing
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Order Your Posts Manually
Vulnerability: Reflected Cross-Site Scripting via ‘cat_id’
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version
Plugin: Dyslexiefont Free
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Multiple Page Generator Plugin – MPG
Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: 3.3.18
Recommended Action: Update to version 3.3.18, or a newer patched version
Plugin: Free WordPress Lead Generation Opt in, Free Popups, Generated Lead Email Popup, Exit-Intent Popup – NotifyVisitors
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 10Web Social Post Feed
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: WPCS – WordPress Currency Switcher Professional
Vulnerability: Missing Authorization to Custom Drop-Down Currency Switcher Creation
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Download Monitor
Vulnerability: Sensitive Information Exposure via REST API
Patched Version: 4.7.70
Recommended Action: Update to version 4.7.70, or a newer patched version
Plugin: WP All Backup
Vulnerability: Cross-Site Request Forgery to Backup Storage Modification
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DBargain
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Locatoraid Store Locator
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.9.19
Recommended Action: Update to version 3.9.19, or a newer patched version
Plugin: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
Vulnerability: Authenticated (Administrator+) Local File Inclusion
Patched Version: 7.5.4
Recommended Action: Update to version 7.5.4, or a newer patched version
Plugin: Custom Base Terms
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘base’
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version
Plugin: video carousel slider with lightbox
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.23
Recommended Action: Update to version 1.0.23, or a newer patched version
Plugin: Essential Addons for Elementor
Vulnerability: Unauthenticated Arbitrary Password Reset to Privilege Escalation
Patched Version: 5.7.2
Recommended Action: Update to version 5.7.2, or a newer patched version
Plugin: Whydonate – FREE Donate button – Crowdfunding – Fundraising
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Google Site Verification plugin using Meta Tag
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woodmart Core
Vulnerability: PHP Object Injection
Patched Version: 1.0.37
Recommended Action: Update to version 1.0.37, or a newer patched version
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version
Plugin: WCP Contact Form
Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.