Watch Out Wednesday – June 28, 2023

Plugin: Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Reflected Cross-Site Scripting via error message
Patched Version: 4.11.0
Recommended Action: Update to version 4.11.0, or a newer patched version

Plugin: Gravity Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: MStore API

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Quick Post Duplicator

Vulnerability: Authenticated (Contributor+) SQL Injection via post_id
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lana Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Complianz Premium – GDPR/CCPA Cookie Consent

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.4.7
Recommended Action: Update to version 6.4.7, or a newer patched version

Plugin: OOPSpam Anti-Spam

Vulnerability: Cross-Site Request Forgery via empty_ham_entries and empty_spam_entries
Patched Version: 1.1.45
Recommended Action: Update to version 1.1.45, or a newer patched version

Plugin: google-analytics-premium

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.15
Recommended Action: Update to version 8.15, or a newer patched version

Plugin: Membership Plugin – Restrict Content

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: InventoryPress

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lana Text to Image

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Gallery Metabox

Vulnerability: Missing Authorization via refresh_metabox
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Child – Securely Connects Sites to the MainWP WordPress Manager Dashboard

Vulnerability: Information Disclosure via Back-Up Files
Patched Version: 4.4.1.2
Recommended Action: Update to version 4.4.1.2, or a newer patched version

Plugin: teachPress

Vulnerability: Reflected Cross-Site Scripting via meta_field_id and cite_id
Patched Version: 9.0.3
Recommended Action: Update to version 9.0.3, or a newer patched version

Plugin: Customer Service Software & Support Ticket System

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.13
Recommended Action: Update to version 5.13, or a newer patched version

Plugin: About Me 3000 widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Colibri Page Builder

Vulnerability: Authenticated (Administrator+) SQL Injection via post_id
Patched Version: 1.0.229
Recommended Action: Update to version 1.0.229, or a newer patched version

Plugin: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress

Vulnerability: Cross-Site Request Forgery via permalink_setup
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Membership Plugin – Restrict Content

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Mail Queue

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: WP-Members Membership Plugin

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Mail Logging

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.12.0
Recommended Action: Update to version 1.12.0, or a newer patched version

Plugin: Gallery Metabox

Vulnerability: Missing Authorization via gallery_remove
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
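Added example (not part of the original digest): a small Python script that checks a site's installed plugins against the patched versions listed above and reports which ones still need action. It compares version components numerically, so 8.9 is correctly treated as older than 8.15 and 1.2 as equal to 1.2.0, and it flags every installed version of a plugin for which no patch is known. The inventory format (a JSON list of plugin display title plus installed version) and the sample versions are constructed for this example; a real inventory from `wp plugin list --format=json` keys plugins by slug in its `name` field, so map slugs to these display titles before feeding it in.

```python
"""Added example: check a plugin inventory against the patched versions in this digest."""
import json
import re

# Patched versions transcribed from the digest above, keyed by the plugin
# display name exactly as it appears there. None means no known patch.
PATCHED = {
    "Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress": "4.11.0",
    "Gravity Forms": "2.7.5",
    "MStore API": "4.0.2",
    "Quick Post Duplicator": None,
    "Lana Shortcodes": "1.2.0",
    "Complianz Premium – GDPR/CCPA Cookie Consent": "6.4.7",
    "OOPSpam Anti-Spam": "1.1.45",
    "google-analytics-premium": "8.15",
    "Membership Plugin – Restrict Content": "3.2.3",
    "InventoryPress": None,
    "Lana Text to Image": "1.1.0",
    "Gallery Metabox": None,
    "MainWP Child – Securely Connects Sites to the MainWP WordPress Manager Dashboard": "4.4.1.2",
    "teachPress": "9.0.3",
    "Customer Service Software & Support Ticket System": "5.13",
    "About Me 3000 widget": None,
    "Colibri Page Builder": "1.0.229",
    "Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress": "3.3.3",
    "Mail Queue": "1.2",
    "WP-Members Membership Plugin": None,
    "WP Mail Logging": "1.12.0",
}


def parse_version(v):
    """Numeric components of a dotted version string.

    Pre-release suffixes such as '-beta' are ignored, so a pre-release of the
    patched version is treated as patched; tighten this if that matters to you.
    """
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_lt(installed, patched):
    """True if installed < patched, comparing components numerically.

    Numeric comparison matters: 8.9 is older than 8.15, and 1.2 equals 1.2.0,
    neither of which a plain string comparison gets right.
    """
    a, b = parse_version(installed), parse_version(patched)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def assess(title, installed):
    """Classify one installed plugin against the digest."""
    if title not in PATCHED:
        return "not-in-digest"
    patched = PATCHED[title]
    if patched is None:
        return "no-patch"          # every installed version is affected
    return "vulnerable" if version_lt(installed, patched) else "patched"


def check_inventory(inventory_json):
    """Return (title, installed, patched, status) for every plugin needing action.

    inventory_json is a JSON list of {"title": ..., "version": ...} objects;
    that shape is an assumption of this example, not a WordPress or WP-CLI format.
    """
    findings = []
    for plugin in json.loads(inventory_json):
        status = assess(plugin["title"], plugin["version"])
        if status in ("vulnerable", "no-patch"):
            findings.append((plugin["title"], plugin["version"],
                             PATCHED[plugin["title"]], status))
    return findings


# Constructed sample inventory; the version numbers are made up for illustration.
SAMPLE_INVENTORY = json.dumps([
    {"title": "Gravity Forms", "version": "2.7.4"},             # older than 2.7.5
    {"title": "google-analytics-premium", "version": "8.9"},    # 8.9 < 8.15 numerically
    {"title": "MainWP Child – Securely Connects Sites to the MainWP WordPress Manager Dashboard",
     "version": "4.4.1.2"},                                     # exactly the patched release
    {"title": "Mail Queue", "version": "1.2"},                  # equals 1.2.0
    {"title": "Quick Post Duplicator", "version": "2.0"},       # no patch exists
    {"title": "Some Other Plugin", "version": "1.0"},           # not in this digest
])


if __name__ == "__main__":
    for title, installed, patched, status in check_inventory(SAMPLE_INVENTORY):
        action = "update to %s or newer" % patched if patched else "no patch; mitigate or remove"
        print("%-12s %s %s (%s)" % (status, title, installed, action))
```

Run against the constructed sample, the script reports Gravity Forms and google-analytics-premium as vulnerable and Quick Post Duplicator as having no patch, and stays silent on the MainWP Child and Mail Queue entries because they are already at the patched release.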