Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. Addressing these vulnerabilities promptly, by updating or removing the affected plugin, reduces the risk to your WordPress site and its data.
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 6.5.6
Recommended Action: Update to version 6.5.6, or a newer patched version
Plugin: WooCommerce Easy Duplicate Product
Vulnerability: Missing Authorization via wedp_duplicate_product_action
Patched Version: 0.3.0.8
Recommended Action: Update to version 0.3.0.8, or a newer patched version
Plugin: WooCommerce Warranty Requests
Vulnerability: Missing Authorization
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: WP Mail Log
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: WP 2FA – Two-factor authentication for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: Stylish Price List – Price Table Builder & QR Code Restaurant Menu
Vulnerability: Missing Authorization
Patched Version: 7.0.18
Recommended Action: Update to version 7.0.18, or a newer patched version
Plugin: BERTHA AI. Your AI co-pilot for WordPress and Chrome
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.11.10.8
Recommended Action: Update to version 1.11.10.8, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Command Injection
Patched Version: 4.2.5.8
Recommended Action: Update to version 4.2.5.8, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Insecure Direct Object Reference to Information Disclosure
Patched Version: 4.2.5.8
Recommended Action: Update to version 4.2.5.8, or a newer patched version
Plugin: MapPress Maps for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.88.14
Recommended Action: Update to version 2.88.14, or a newer patched version
Plugin: Rate my Post – WP Rating System
Vulnerability: IP Address Spoofing
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: Customer Reviews for WooCommerce
Vulnerability: Missing Authorization via CR_Manual
Patched Version: 5.38.2
Recommended Action: Update to version 5.38.2, or a newer patched version
Plugin: Piotnet Forms
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
Vulnerability: Missing Authorization to Settings Modification
Patched Version: 6.5.3
Recommended Action: Update to version 6.5.3, or a newer patched version
Plugin: Simple Staff List
Vulnerability: Missing Authorization via ajax_flush_rewrite_rules and staff_member_export
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: WP-Members Membership Plugin
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 3.4.9
Recommended Action: Update to version 3.4.9, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: IP Spoofing
Patched Version: 5.2.5.1
Recommended Action: Update to version 5.2.5.1, or a newer patched version
Plugin: OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.
Vulnerability: Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting
Patched Version: 5.7.10
Recommended Action: Update to version 5.7.10, or a newer patched version
Plugin: MC4WP: Mailchimp for WordPress
Vulnerability: Missing Authorization via listen
Patched Version: 4.9.10
Recommended Action: Update to version 4.9.10, or a newer patched version
Plugin: 3D FlipBook – PDF Flipbook WordPress
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Ready Function
Patched Version: 1.15.3
Recommended Action: Update to version 1.15.3, or a newer patched version
Plugin: Woocommerce Shipping Canada Post
Vulnerability: Missing Authorization
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version
Plugin: Branda – White Label WordPress, Custom Login Page Customizer
Vulnerability: IP Address Spoofing
Patched Version: 3.4.15
Recommended Action: Update to version 3.4.15, or a newer patched version
Plugin: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
Vulnerability: Missing Authorization to Order Export
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: WooCommerce Ship to Multiple Addresses
Vulnerability: Missing Authorization
Patched Version: 3.8.10
Recommended Action: Update to version 3.8.10, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Unauthenticated SQL Injection via order_by
Patched Version: 4.2.5.8
Recommended Action: Update to version 4.2.5.8, or a newer patched version
Plugin: Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder
Vulnerability: Unauthenticated Stored Cross-Site Scripting via arf_http_referrer_url
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version
Plugin: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.3
Recommended Action: Update to version 5.9.3, or a newer patched version
Plugin: FunnelKit Checkout
Vulnerability: Authenticated (Subscriber+) Missing Authorization to Arbitrary Plugin Activation
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version
Plugin: Verge3D Publishing and E-Commerce
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ProfileGrid – User Profiles, Memberships, Groups and Communities
Vulnerability: Missing Authorization
Patched Version: 5.6.7
Recommended Action: Update to version 5.6.7, or a newer patched version
Plugin: POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
Vulnerability: Reflected Cross-Site Scripting via msg
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: Frontend Admin by DynamiApps
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
Vulnerability: Unauthenticated Stored Cross-Site Scripting via device
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Form Submission Limit Bypass
Patched Version: 5.2.5.1
Recommended Action: Update to version 5.2.5.1, or a newer patched version
Plugin: WooCommerce Per Product Shipping
Vulnerability: Missing Authorization
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version
Plugin: BulkGate SMS Plugin for WooCommerce
Vulnerability: Missing Authorization via Multiple AJAX Actions
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
Vulnerability: Cross-Site Request Forgery to Subscriber Deletion
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version
Plugin: FunnelKit Checkout
Vulnerability: Authenticated (Subscriber+) Missing Authorization to Settings Change
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version
Plugin: Booster Elite for WooCommerce
Vulnerability: Authenticated (Subscriber+) Content Injection
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version
Plugin: JVM Gutenberg Rich Text Icons
Vulnerability: Directory Traversal to Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site
Vulnerability: Missing Authorization via save_settings
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Doofinder WP & WooCommerce Search
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
Vulnerability: Authenticated (Admin+) SQL Injection to Reflected Cross-Site Scripting
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version
Plugin: Product Expiry for WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: FunnelKit Checkout
Vulnerability: Unauthenticated Arbitrary Content Deletion
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version
Plugin: JVM Gutenberg Rich Text Icons
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: WP 2FA – Two-factor authentication for WordPress
Vulnerability: Insecure Direct Object Reference to Arbitrary Email Sending
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via meta fields
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version
Plugin: Slider by Soliloquy – Responsive Image Slider for WordPress
Vulnerability: Missing Authorization
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: FooGallery Premium
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: WP Compress – Image Optimizer [All-In-One]
Vulnerability: Unauthenticated Directory Traversal via css
Patched Version: 6.10.34
Recommended Action: Update to version 6.10.34, or a newer patched version
Plugin: Product Vendors
Vulnerability: Missing Authorization
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: Business Directory Plugin – Easy Listing Directories for WordPress
Vulnerability: Missing Authorization via dispatch
Patched Version: 6.3.10
Recommended Action: Update to version 6.3.10, or a newer patched version
Plugin: Piotnet Forms
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Vulnerability: Missing Authorization via export_form_entries
Patched Version: 1.6.19
Recommended Action: Update to version 1.6.19, or a newer patched version
Plugin: Malware Scanner
Vulnerability: IP Spoofing
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version
Plugin: Product Vendors
Vulnerability: Missing Authorization
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.14
Recommended Action: Update to version 2.7.14, or a newer patched version