Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: 2.8.2
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: Orbit Fox by ThemeIsle
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.10.32
Recommended Action: Update to version 2.10.32, or a newer patched version
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Cross-Site Request Forgery via categorifyAjaxDeleteCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Archivist – Custom Archive Templates
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: Addon Library
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Missing Authorization in categorifyAjaxAddCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Maintenance Page
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Directory Traversal to Local File Inclusion
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: Colibri Page Builder
Vulnerability: Cross-Site Request Forgery via extend_builder
Patched Version: 1.0.260
Recommended Action: Update to version 1.0.260, or a newer patched version
Plugin: Thank You Page Customizer for WooCommerce – Increase Your Sales
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Data Export
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Thank You Page Customizer for WooCommerce – Increase Your Sales
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Dual Button Widget
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.41
Recommended Action: Update to version 2.4.41, or a newer patched version
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Missing Authorization in categorifyAjaxUpdateFolderPosition
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Modal Popup effect
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: BackWPup – WordPress Backup Plugin
Vulnerability: Plaintext Storage of Backup Destination Password
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
Vulnerability: Reflected Cross-Site Scripting via plugin
Patched Version: 3.1.42
Recommended Action: Update to version 3.1.42, or a newer patched version
Plugin: SuperFaktura WooCommerce
Vulnerability: Authenticated (Subscriber+) Blind Server-Side Request Forgery
Patched Version: 1.40.4
Recommended Action: Update to version 1.40.4, or a newer patched version
Plugin: Admin side data storage for Contact Form 7
Vulnerability: Missing Authorization to Unauthenticated Read Status Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via [reg-select-role] Shortcode
Patched Version: 4.15.1
Recommended Action: Update to version 4.15.1, or a newer patched version
Plugin: Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio
Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Brizy – Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.41
Recommended Action: Update to version 2.4.41, or a newer patched version
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Cross-Site Request Forgery via categorifyAjaxRenameCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Maintenance Page
Vulnerability: Security Mechanism Bypass via REST API
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Cross-Site Request Forgery via categorifyAjaxUpdateFolderPosition
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Authenticated (Contributor+) Directory Traversal
Patched Version: 2.4.41
Recommended Action: Update to version 2.4.41, or a newer patched version
Plugin: User Shortcodes Plus
Vulnerability: Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via user_meta Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Cross-Site Request Forgery via categorifyAjaxAddCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Relevanssi – A Better Search
Vulnerability: Missing Authorization to Unauthenticated Query Log Export
Patched Version: 4.22.1
Recommended Action: Update to version 4.22.1, or a newer patched version
Plugin: Admin side data storage for Contact Form 7
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gestpay for WooCommerce
Vulnerability: Cross-Site Request Forgery (CSRF) via ajax_set_default_card
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ArtiBot Free Chat Bot for WordPress WebSites
Vulnerability: Missing Authorization to Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: KODO Qiniu
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Comments Extra Fields For Post,Pages and CPT
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Thumbnail Slider Widget
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: Duitku Payment Gateway
Vulnerability: Missing Authorization via check_duitku_response
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Colibri Page Builder
Vulnerability: Cross-Site Request Forgery via cp_shortcode_refresh
Patched Version: 1.0.260
Recommended Action: Update to version 1.0.260, or a newer patched version
Plugin: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version
Plugin: Event Tickets and Registration
Vulnerability: Missing Authorization
Patched Version: 5.8.2
Recommended Action: Update to version 5.8.2, or a newer patched version
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Missing Authorization in categorifyAjaxClearCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Academy LMS – eLearning and online course solution for WordPress
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.9.20
Recommended Action: Update to version 1.9.20, or a newer patched version
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Cross-Site Request Forgery via categorifyAjaxClearCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Admin side data storage for Contact Form 7
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Orbit Fox by ThemeIsle
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via form widget addr2_width attribute
Patched Version: 2.10.31
Recommended Action: Update to version 2.10.31, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Content Switcher Widget
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: YML for Yandex Market
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.4
Recommended Action: Update to version 4.2.4, or a newer patched version
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Missing Authorization in categorifyAjaxDeleteCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Bulk Edit Post Titles
Vulnerability: Missing Authorization via bulkUpdatePostTitles
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Comments Extra Fields For Post,Pages and CPT
Vulnerability: Missing Authorization
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via profilepress-edit-profile Shortcode
Patched Version: 4.15.1
Recommended Action: Update to version 4.15.1, or a newer patched version
Plugin: Admin side data storage for Contact Form 7
Vulnerability: Missing Authorization to Unauthenticated Bookmark Status Alteration
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Brizy – Page Builder
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 2.4.41
Recommended Action: Update to version 2.4.41, or a newer patched version
Plugin: Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Orbit Fox by ThemeIsle
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.10.31
Recommended Action: Update to version 2.10.31, or a newer patched version
Plugin: NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: SMS Alert Order Notifications – WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version
Plugin: Restrict User Access – Ultimate Membership & Content Protection
Vulnerability: Information Exposure
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Missing Authorization in categorifyAjaxRenameCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.41
Recommended Action: Update to version 2.4.41, or a newer patched version