Plugin: Advance Menu Manager
Vulnerability: Missing Authorization
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: Telephone Number Linker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Featured Image Caption
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Affiliate Disclosure
Vulnerability: Cross-Site Request Forgery via check_capability
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Icons Font Loader
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Missing Authorization to Category Update
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Animated Rotating Words (Interchanging Random Words in a Sentence)
Vulnerability: Cross-Site Request Forgery via save_admin_options
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version
Plugin: Drag and Drop Multiple File Upload – Contact Form 7
Vulnerability: (type not given on the page; affected versions <= 1.3.7.3)
Patched Version: 1.3.7.4
Recommended Action: Update to version 1.3.7.4, or a newer patched version
Plugin: iPages Flipbook For WordPress
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Code Snippets
Vulnerability: Cross-Site Request Forgery via load
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: Post Sliders & Post Grids
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bitly's WordPress Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ImageMapper
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Page/Post Deletion via imgmap_delete_area_ajax
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Basic Interactive World Map
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version
Plugin: SEO Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Amazonify
Vulnerability: Cross-Site Request Forgery to Amazon Tracking ID Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Auto Publish for Google My Business
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Missing Authorization to Arbitrary Post Deletion
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.3.23
Recommended Action: Update to version 1.2.3.23, or a newer patched version
Plugin: Amazonify
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Animated Rotating Words (Interchanging Random Words in a Sentence)
Vulnerability: Missing Authorization via save_admin_options
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version
Plugin: Social Feed | All social media in one place
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Apollo13 Framework Extensions
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Gift Up Gift Cards for WordPress and WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.20.2
Recommended Action: Update to version 2.20.2, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Cross-Site Scripting
Patched Version: 2.4.30
Recommended Action: Update to version 2.4.30, or a newer patched version
Plugin: Comments Ratings
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Missing Authorization to Test Email Sending
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Defender Security – Malware Scanner, Login Security & Firewall
Vulnerability: Masked Login Area Security Feature Bypass
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version
Plugin: Interact: Embed A Quiz On Your Site
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: Layer Slider
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Missing Authorization to New Category Creation
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Kadence WooCommerce Email Designer
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.12
Recommended Action: Update to version 1.5.12, or a newer patched version
Plugin: WordPress Backup & Migration
Vulnerability: Missing Authorization to Settings Update
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: Web Push Notifications – Webpushr
Vulnerability: Missing Authorization to Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.35.0
Recommended Action: Update to version 4.35.0, or a newer patched version
Plugin: Top 10 – WordPress Popular posts by WebberZone
Vulnerability: Cross-Site Request Forgery via edit_count_ajax
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version
Plugin: WP MapIt
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Missing Authorization to Post Modification
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Reflected Cross-Site Scripting via add_internal_scripts_to_head
Patched Version: 4.2.5.4
Recommended Action: Update to version 4.2.5.4, or a newer patched version
Plugin: WD WidgetTwitter
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Feed | All social media in one place
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Garden Gnome Package
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version
Plugin: Social Sharing Plugin – Social Warfare
Vulnerability: (type not given on the page; affected versions <= 4.4.3)
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version
Plugin: WordPress Backup & Migration
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Insecure Direct Object Reference
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Missing Authorization to Category Deletion
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: ImageMapper
Vulnerability: Cross-Site Request Forgery to Plugin Settings Change via ajax
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPDBSpringClean
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ImageMapper
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Short URL
Vulnerability: Missing Authorization via multiple AJAX functions
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Membership Plugin – Restrict Content
Vulnerability: Information Exposure via legacy log file
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version
Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Vulnerability: Cross-Site Request Forgery via pms-cross-promotion.php
Patched Version: 3.10.4
Recommended Action: Update to version 3.10.4, or a newer patched version
Plugin: Top 25 Social Icons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ImageMapper
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via imgmap_save_area_title
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: QR Code Tag
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mmm Simple File List
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SendPress Newsletters
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Missing Authorization to Enable/Disable Dark Mode
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Advance Menu Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: Easy PayPal Shopping Cart
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version
Plugin: WP Travel – Best Travel Booking WordPress Plugin, Tour Management Engine
Vulnerability: Missing Authorization via Multiple AJAX Actions
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Cross-Site Request Forgery to Arbitrary Post Duplication
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Digirisk
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.1.0.0
Recommended Action: Update to version 6.1.0.0, or a newer patched version
Plugin: Decorator – WooCommerce Email Customizer
Vulnerability: (type not given on the page; affected versions <= 1.2.7)
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: video carousel slider with lightbox
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: UpdraftPlus: WordPress Backup & Migration Plugin
Vulnerability: Cross-Site Request Forgery to Google Drive Storage Update
Patched Version: 1.23.11
Recommended Action: Update to version 1.23.11, or a newer patched version
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Missing Authorization to Arbitrary Post Duplication
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Product Catalog Mode For Woocommerce
Vulnerability:
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version
Plugin: Custom post types, Custom Fields & more
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version
Plugin: Mmm Simple File List
Vulnerability: Authenticated (Subscriber+) Directory Traversal
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Email Templates Customizer and Designer for WordPress and WooCommerce
Vulnerability: Cross-Site Request Forgery via send_test_email
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Ziteboard Online Whiteboard
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ziteboard Shortcode
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: ShortCodes UI
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Like Page Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: AI ChatBot
Vulnerability: (type not given on the page; affected versions <= 4.9.6)
Patched Version: 4.9.7
Recommended Action: Update to version 4.9.7, or a newer patched version
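The recommended actions above all come down to the same check: for each listed plugin that is installed, is the running version below the patched version, or is there no patch at all? The following script is an added example, not code from the roundup or from any plugin listed on it. It parses records in the page's own four-line format, compares installed versions numerically (a string comparison would rank 1.2.3.9 above 1.2.3.23 and miss the UsersWP update), and flags "n/a" entries as mitigate-or-remove. The roundup excerpt and the installed-plugin inventory in the block are constructed samples; the inventory has the shape you would get from `wp plugin list --format=json`, but the versions are made up.

```python
"""Triage a plugin-vulnerability roundup against an installed-plugin inventory.

Added example; not code from the original roundup or any listed plugin.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: four records copied in the page's own format.
SAMPLE_ROUNDUP = """\
Plugin: Advance Menu Manager
Vulnerability: Missing Authorization
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: Telephone Number Linker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available.
Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.3.23
Recommended Action: Update to version 1.2.3.23, or a newer patched version
Plugin: Code Snippets
Vulnerability: Cross-Site Request Forgery via load
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
"""

# Constructed inventory (plugin display name -> installed version) for a hypothetical site.
SAMPLE_INSTALLED = {
    "Advance Menu Manager": "3.0.6",
    "Telephone Number Linker": "1.0",
    "UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress": "1.2.3.9",
    "Code Snippets": "3.6.0",
}


@dataclass(frozen=True)
class Advisory:
    plugin: str
    vulnerability: str
    patched: Optional[str]  # None when the roundup lists "n/a"


_FIELD = re.compile(r"^(Plugin|Vulnerability|Patched Version|Recommended Action):\s*(.*)$")


def parse_roundup(text: str) -> list:
    """Split the roundup into Advisory records; each 'Plugin:' line starts a new record."""
    records, current = [], {}
    for raw in text.splitlines():
        m = _FIELD.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Plugin" and current:
            records.append(_to_advisory(current))
            current = {}
        current[key] = value
    if current:
        records.append(_to_advisory(current))
    return records


def _to_advisory(rec: dict) -> Advisory:
    patched = rec.get("Patched Version", "n/a").strip()
    return Advisory(
        plugin=rec.get("Plugin", ""),
        vulnerability=rec.get("Vulnerability", ""),
        patched=None if patched.lower() == "n/a" else patched,
    )


def version_lt(installed: str, patched: str) -> bool:
    """Numeric dotted-version comparison: 1.2.3.9 < 1.2.3.23, and 1.2.3 == 1.2.3.0."""
    a = [int(p) for p in re.findall(r"\d+", installed)]
    b = [int(p) for p in re.findall(r"\d+", patched)]
    width = max(len(a), len(b))
    a += [0] * (width - len(a))  # pad so missing trailing components count as 0
    b += [0] * (width - len(b))
    return a < b


def triage(advisories, installed: dict) -> list:
    """Return (plugin, vulnerability, action) for each installed plugin still exposed."""
    findings = []
    for adv in advisories:
        current = installed.get(adv.plugin)
        if current is None:
            continue  # not installed on this site
        if adv.patched is None:
            action = "no patch available: mitigate or remove"
        elif version_lt(current, adv.patched):
            action = f"update {current} -> {adv.patched}"
        else:
            continue  # already at or above the patched version
        findings.append((adv.plugin, adv.vulnerability, action))
    return findings


def run_example() -> list:
    """Triage the constructed roundup against the constructed inventory."""
    return triage(parse_roundup(SAMPLE_ROUNDUP), SAMPLE_INSTALLED)


if __name__ == "__main__":
    for plugin, vuln, action in run_example():
        print(f"{plugin}: {vuln} -> {action}")
```

Matching is done on the plugin display name exactly as the roundup prints it; in practice you would key the inventory on the plugin slug instead, since display names drift between releases. The "n/a" branch is deliberately reported rather than skipped, because a plugin with no patch is the one that needs a human decision.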