Plugin: affiliate-toolkit – WordPress Affiliate Plugin
Vulnerability: Open Redirect via atkpout.php
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Slick Contact Forms
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Reflected Cross-Site Scripting via section_id
Patched Version: 5.2.4.2
Recommended Action: Update to version 5.2.4.2, or a newer patched version
Plugin: Urvanov Syntax Highlighter
Vulnerability: Cross-Site Request Forgery via init_ajax
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: IRivYou – Add reviews from AliExpress and Amazon to woocommerce
Vulnerability: Cross-Site Request Forgery via saveOptionsReviewsPlugin
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Geo Controller
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.5.3
Recommended Action: Update to version 8.5.3, or a newer patched version
Plugin: Profile Extra Fields by BestWebSoft
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Smart Cookie Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: Bold Timeline Lite
Vulnerability: Missing Authorization to Admin Notice Dismissal
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Hotjar
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booster for WooCommerce
Vulnerability: Authenticated (Subscriber+) Information Disclosure via Shortcode
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version
Plugin: WordPress Popular Posts
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.3.3
Recommended Action: Update to version 6.3.3, or a newer patched version
Plugin: GEO my WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version
Plugin: Customer Reviews for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 5.36.1
Recommended Action: Update to version 5.36.1, or a newer patched version
Plugin: Customer Reviews for WooCommerce
Vulnerability: Missing Authorization in Reviews Exporter
Patched Version: 5.36.1
Recommended Action: Update to version 5.36.1, or a newer patched version