Plugin: Display custom fields in the frontend – Post and User Profile Fields
Vulnerability: Insecure Direct Object Reference to Authenticated (Contributor+) Post Meta Disclosure
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Order Export & Order Import for WooCommerce
Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload via upload_import_file
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version
Plugin: WP Recipe Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via header_tag
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version
Plugin: WP Recipe Maker
Vulnerability: Reflected Cross-Site Scripting via Referer
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version
Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Vulnerability: Missing Authorization to Plugin Settings Change via wppb_two_factor_authentication_settings_update
Patched Version: 3.10.9
Recommended Action: Update to version 3.10.9, or a newer patched version
Plugin: Voting Record
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Display custom fields in the frontend – Post and User Profile Fields
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via vg_display_data
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image URl
Patched Version: 5.9.5
Recommended Action: Update to version 5.9.5, or a newer patched version
Plugin: WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.4.0
Recommended Action: Update to version 8.4.0, or a newer patched version
Plugin: WP Recipe Maker
Vulnerability: Directory Traversal
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version
Plugin: WP Testimonials
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: Woocommerce Vietnam Checkout
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui
Vulnerability: Information Exposure via ma_debug
Patched Version: 4.7.5
Recommended Action: Update to version 4.7.5, or a newer patched version
Plugin: WP Recipe Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via icon_color
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version
Plugin: Profile Builder Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version
Plugin: InstaWP Connect – 1-click WP Staging & Migration
Vulnerability: Cross-Site Request Forgery via create_file_db_manager
Patched Version: 0.1.0.9
Recommended Action: Update to version 0.1.0.9, or a newer patched version
Plugin: Newsletter – Send awesome emails from WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 8.0.7
Recommended Action: Update to version 8.0.7, or a newer patched version
Plugin: Schema & Structured Data for WP & AMP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version
Plugin: InstaWP Connect – 1-click WP Staging & Migration
Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 0.1.0.9
Recommended Action: Update to version 0.1.0.9, or a newer patched version
Plugin: WP Recipe Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Recipe Notes
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Missing Authorization to Recaptcha API Key Modification
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: FastDup – Fastest WordPress Migration & Duplicator
Vulnerability: Sensitive Information Exposure via Directory Listing
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Information Exposure in Debug Logs
Patched Version: 2.12.7
Recommended Action: Update to version 2.12.7, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.23
Recommended Action: Update to version 4.0.23, or a newer patched version
Plugin: Shortcodes Finder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Woo Search
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.97
Recommended Action: Update to version 2.97, or a newer patched version
Plugin: WP Spell Check
Vulnerability: Cross-Site Request Forgery
Patched Version: 9.18
Recommended Action: Update to version 9.18, or a newer patched version
Plugin: Profile Builder Pro
Vulnerability: Authenticated (Subscriber+) Time-Based One-Time Password Sensitive Information Exposure
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version
Plugin: Contact Form 7 – Dynamic Text Extension
Vulnerability: Insecure Direct Object Reference
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version
Plugin: WordPress Manutenção
Vulnerability: IP Spoofing to Maintenance Mode Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Unlimited Addons for WPBakery Page Builder
Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Recipe Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘tag’
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version
Plugin: Constant Contact Forms by MailMunch
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Plugin for Google Reviews
Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: PDF Invoices & Packing Slips for WooCommerce
Vulnerability: Authenticated (Shop Manager+) SQL Injection
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version
Plugin: Contact Form 7 Connector
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: WPS Hide Login
Vulnerability: Hidden Login Page Location Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scritping
Patched Version: 5.9.5
Recommended Action: Update to version 5.9.5, or a newer patched version
Plugin: Index Now
Vulnerability: Cross-Site Request Forgery via reset_form
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.5.2
Recommended Action: Update to version 6.5.2, or a newer patched version
Plugin: WP Register Profile With Shortcode
Vulnerability: Cross-Site Request Forgery to User Password Reset
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Captcha Bypass
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Products, Order & Customers Export for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Display custom fields in the frontend – Post and User Profile Fields
Vulnerability: Authenticated (Contributor+) Code Injection
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Burst Statistics – Privacy-Friendly Analytics for WordPress
Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Advanced Custom Fields (ACF)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field
Patched Version: 6.2.5
Recommended Action: Update to version 6.2.5, or a newer patched version
Plugin: POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
Vulnerability: Authorization Bypass via type connect-app API
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: WP Recipe Maker
Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version
Plugin: Orbit Fox by ThemeIsle
Vulnerability: Authenticated(Contributor+) Stored Cross-site Scripting via Pricing Table Elementor Widget
Patched Version: 2.10.28
Recommended Action: Update to version 2.10.28, or a newer patched version
Plugin: Profile Builder Pro
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version
Plugin: Voting Record
Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Events Calendar
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 6.2.9
Recommended Action: Update to version 6.2.9, or a newer patched version