Plugin: WP Hotel Booking
Vulnerability: Missing Authorization to (Subscriber+) Arbitrary Post Deletion
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: Appointment Calendar
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tab Ultimate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Smart App Banner
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EventON
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Calendar – Google Calendar Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Local Pickup for WooCommerce
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Meta Data Manager
Vulnerability: Missing Authorization to Post, Term, and User Meta Deletion
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Delete Usermetas
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: iPanorama 360 – WordPress Virtual Tour Builder
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Simple Calendar – Google Calendar Plugin
Vulnerability: Cross-Site Request Forgery via duplicate_feed
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Plugin: Comments – wpDiscuz
Vulnerability: Insufficient Authorization to Comment Submission on Deleted Posts
Patched Version: 7.6.11
Recommended Action: Update to version 7.6.11, or a newer patched version
Plugin: TCD Google Maps
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Open Graph Metabox
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Triberr
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WhatsApp Share Button
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Internal Link Building
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Theme Blvd Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BetterLinks – Shorten, Track and Manage any URL
Vulnerability: Improper Authorization to Data Import and Export
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Add Custom Body Class
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AI ChatBot
Vulnerability: Missing Authorization on AJAX actions
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version
Plugin: Headline Analyzer
Vulnerability: Missing Authorization via REST APIs
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AI ChatBot
Vulnerability: Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version
Plugin: Modern Footnotes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.17
Recommended Action: Update to version 1.4.17, or a newer patched version
Plugin: AI ChatBot
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion via qcld_openai_delete_training_file
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version
Plugin: AI ChatBot
Vulnerability: Cross-Site Request Forgery on AJAX actions
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version
Plugin: Team Showcase
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Soisy Pagamento Rateale
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Post Columns
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Internal Link Building
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SALESmanago
Vulnerability: Log Injection via Weak Authentication Token
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Archivist – Custom Archive Templates
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Manager for Icomoon
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Social proof testimonials and reviews by Repuso
Vulnerability: Missing Authorization
Patched Version: 5.00
Recommended Action: Update to version 5.00, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version
Plugin: Popup by Supsystic
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.10.20
Recommended Action: Update to version 1.10.20, or a newer patched version
Plugin: Novo-Map : your WP posts on custom google maps
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CPO Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.