Plugin: JS Job Manager
Vulnerability: Cross-Site Request Forgery via multiple functions
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
Vulnerability: Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation
Patched Version: 7.5.5
Recommended Action: Update to version 7.5.5, or a newer patched version
Plugin: TS Webfonts for さくらのレンタルサーバ
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Call Now Accessibility Button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: WP Report Post
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ajax Pagination and Infinite Scroll
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CRM and Lead Management by vcita
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Aajoda Testimonials
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: bbPress Toolkit
Vulnerability: Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: VK Blocks
Vulnerability: Authenticated (Contributor+) Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form Builder by vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Floating Action Button
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Missing Authorization
Patched Version: 1.8.16
Recommended Action: Update to version 1.8.16, or a newer patched version
Plugin: Yandex Metrica Counter
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event Registration Calendar By vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Media Share Buttons & Social Sharing Icons
Vulnerability: Missing Authorization via handle_installation
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version
Plugin: Event Registration Calendar By vcita
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form Builder by vcita
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Builder with Image Map by AZEXO
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Conditional shipping & Advanced Flat rate shipping rates / Flexible shipping for WooCommerce shipping
Vulnerability: Cross-Site Request Forgery via enableDisable and deletePost
Patched Version: 1.6.4.6
Recommended Action: Update to version 1.6.4.6, or a newer patched version
Plugin: Page Builder with Image Map by AZEXO
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via azh_save
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Donation Platform for WooCommerce: Fundraising & Donation Management
Vulnerability: Cross-Site Request Forgery to Survey Submission
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version
Plugin: WP Hide Post
Vulnerability: Cross-Site Request Forgery via save_bulk_edit_data
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Missing Authorization to Settings Update and Media Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Box Office
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.51
Recommended Action: Update to version 1.1.51, or a newer patched version
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Missing Authorization on REST-API
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form and Calls To Action by vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Dynamic Visibility for Elementor
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Post Visibility Modification
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version
Plugin: WP Full Auto Tags Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cart2Cart: Magento to WooCommerce Migration
Vulnerability: Missing Authorization via setToken
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive CSS EDITOR
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form Builder by vcita
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPC Smart Wishlist for WooCommerce
Vulnerability: Cross-Site Request Forgery via wishlist_add and wishlist_remove
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Dynamic QR Code Generator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Uncanny Toolkit for LearnDash
Vulnerability: Open Redirect
Patched Version: 3.6.4.4
Recommended Action: Update to version 3.6.4.4, or a newer patched version
Plugin: SpamReferrerBlock
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Improper Authorization via get_remote_templates REST endpoint
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version
Plugin: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
Vulnerability: Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.6.14
Recommended Action: Update to version 1.6.14, or a newer patched version
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Missing Authorization to Account Logout
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LWS Hide Login
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kanban Boards for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.21
Recommended Action: Update to version 2.5.21, or a newer patched version
Plugin: wpForo Forum
Vulnerability: Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: WP Directory Kit
Vulnerability: Reflected Cross-Site Scripting via ‘search’
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Constant Contact Forms
Vulnerability: Missing Authorization via constant_contact_optin_ajax_handler
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Box Office
Vulnerability: Missing Authorization
Patched Version: 1.1.52
Recommended Action: Update to version 1.1.52, or a newer patched version
Plugin: Quick/Bulk Order Form for WooCommerce
Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: bbPress Toolkit
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: premium-addons-pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.25
Recommended Action: Update to version 2.8.25, or a newer patched version
Plugin: WP Inventory Manager
Vulnerability: Cross-Site Request Forgery via delete_item
Patched Version: 2.1.0.14
Recommended Action: Update to version 2.1.0.14, or a newer patched version
Plugin: Page Builder with Image Map by AZEXO
Vulnerability: Cross-Site Request Forgery to Post Creation/Modification/Deletion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Brizy – Page Builder
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: 2.4.19
Recommended Action: Update to version 2.4.19, or a newer patched version
Plugin: B2BKing — Ultimate WooCommerce Wholesale and B2B Solution
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Price Modification
Patched Version: 4.6.20
Recommended Action: Update to version 4.6.20, or a newer patched version
Plugin: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion in listing_task
Patched Version: 7.5.5
Recommended Action: Update to version 7.5.5, or a newer patched version
Plugin: WP Brutal AI
Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Extended Post Status
Vulnerability: Missing Authorization via wp_insert_post_data
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Vulnerability: Insecure Direct Object Reference to Arbitrary Post Deletion
Patched Version: 1.11.12
Recommended Action: Update to version 1.11.12, or a newer patched version
Plugin: VK Blocks
Vulnerability: Authenticated (Contributor+) Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Social Login
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CodeColorer
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.10.1
Recommended Action: Update to version 0.10.1, or a newer patched version
Plugin: Visitor Traffic Real Time Statistics
Vulnerability: Missing Authorization to Information Disclosure
Patched Version: 6.9
Recommended Action: Update to version 6.9, or a newer patched version
Plugin: Uncanny Toolkit for LearnDash
Vulnerability: Missing Authorization via review-banner-visibility REST route
Patched Version: 3.6.4.4
Recommended Action: Update to version 3.6.4.4, or a newer patched version
Plugin: WP Brutal AI
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: B2BKing — Ultimate WooCommerce Wholesale and B2B Solution
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Information Disclosure
Patched Version: 4.6.20
Recommended Action: Update to version 4.6.20, or a newer patched version
Plugin: Change WooCommerce Add To Cart Button Text
Vulnerability: Missing Authorization via rexvs_settings_submit
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Online Booking and Scheduling Plugin – Bookly
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 21.8
Recommended Action: Update to version 21.8, or a newer patched version
Plugin: WP Inventory Manager
Vulnerability: Cross-Site Request Forgery via delete_item
Patched Version: 2.1.0.14
Recommended Action: Update to version 2.1.0.14, or a newer patched version
Plugin: Kebo Twitter Feed
Vulnerability: Cross-Site Request Forgery via kebo_twitter_menu_render
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Catalyst Connect Zoho CRM Client Portal
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: SpamReferrerBlock
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Web Directory Free
Vulnerability: Authenticated (Contributor+) SQL Injection via post_id
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TPG Redirect
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder
Vulnerability: Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version
Plugin: Page Builder with Image Map by AZEXO
Vulnerability: Missing Authorization to Post Creation
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gravity Forms Google Sheet Connector
Vulnerability: Cross-Site Request Forgery via verify_code_integation_new
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: CRM and Lead Management by vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.12.4
Recommended Action: Update to version 1.12.4, or a newer patched version
Plugin: WP User Switch
Vulnerability: Authentication Bypass via Cookie
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: WordPress Social Login
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Cache.com
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version
Plugin: File Manager Advanced Shortcode WordPress
Vulnerability: Unauthenticated Arbitrary File Upload to Remote Code Execution via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Email Verification for WooCommerce
Vulnerability: Authentication Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Cross-Site Request Forgery to Account Logout
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GDPR Cookie Consent Notice Box
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version