Plugin: BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.0.88
Recommended Action: Update to version 1.0.88, or a newer patched version
Plugin: Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy)
Vulnerability: Sensitive Information Exposure
Patched Version: 3.2.10
Recommended Action: Update to version 3.2.10, or a newer patched version
Plugin: WP Directory Kit
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Insecure Direct Object Reference
Patched Version: 4.2.6.4
Recommended Action: Update to version 4.2.6.4, or a newer patched version
Plugin: Ultimate Bootstrap Elements for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Widget
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: WordPress Tag and Category Manager – AI Autotagger
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.20.0
Recommended Action: Update to version 3.20.0, or a newer patched version
Plugin: Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via CSV import
Patched Version: 5.7.16
Recommended Action: Update to version 5.7.16, or a newer patched version
Plugin: Elementor Addons, Widgets and Enhancements – Stax
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CGC Maintenance Mode
Vulnerability: Sensitive Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPvivid Backup for MainWP
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.9.34
Recommended Action: Update to version 0.9.34, or a newer patched version
Plugin: Bold Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget URL Attribute
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via WL Universal Product Layout
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version
Plugin: Custom post types, Custom Fields & more
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Directory Traversal via X-FILENAME
Patched Version: 4.0.28
Recommended Action: Update to version 4.0.28, or a newer patched version
Plugin: Image Watermark
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Watermark Modification
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version
Plugin: Beaver Themer
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via shortcode
Patched Version: 1.4.9.1
Recommended Action: Update to version 1.4.9.1, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via title_tag
Patched Version: 3.10.4
Recommended Action: Update to version 3.10.4, or a newer patched version
Plugin: Classified Listing – Classified ads & Business Directory Plugin
Vulnerability: Cross-Site Request Forgery to Account Takeover via rtcl_update_user_account
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Trailer Box Widget
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version
Plugin: FancyBox for WordPress
Vulnerability: not specified in the source (the field gives only the version number 3.3.3)
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: Bannerlid
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MM-email2image
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title HTML Tag
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version
Plugin: WordPress Gallery Plugin – NextGEN Gallery
Vulnerability: Missing Authorization to Unauthenticated Information Disclosure
Patched Version: 3.59.1
Recommended Action: Update to version 3.59.1, or a newer patched version
Plugin: EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.9.15
Recommended Action: Update to version 3.9.15, or a newer patched version
Plugin: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Error Message
Patched Version: 4.3.4
Recommended Action: Update to version 4.3.4, or a newer patched version
Plugin: Passster – Password Protect Pages and Content
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via content_protector Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MM-email2image
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Carousel & Product Grid for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘sp_wp_carousel_shortcode’
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: rehub-framework
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 19.6.2
Recommended Action: Update to version 19.6.2, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via SVG
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version
Plugin: Relevanssi – A Better Search (Pro)
Vulnerability: Unauthenticated Second Order CSV Injection
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version
Plugin: WP-Stateless – Google Cloud Storage
Vulnerability: Missing Authorization to Limited Arbitrary Options Update
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Unauthenticated Local File Inclusion via template
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via YouTube Block
Patched Version: 3.9.15
Recommended Action: Update to version 3.9.15, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘Custom Gallery’ Widget
Patched Version: 5.3.3
Recommended Action: Update to version 5.3.3, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Authenticated (LP Instructor+) Stored Cross-Site Scripting
Patched Version: 4.2.6.4
Recommended Action: Update to version 4.2.6.4, or a newer patched version
Plugin: Watu Quiz
Vulnerability: Sensitive Information Disclosure
Patched Version: 3.4.1.1
Recommended Action: Update to version 3.4.1.1, or a newer patched version
Plugin: Squelch Tabs and Accordions Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via accordions Shortcode
Patched Version: 0.4.4
Recommended Action: Update to version 0.4.4, or a newer patched version
Plugin: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
Vulnerability: Missing Authorization to Unauthenticated Settings Reset
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Incorrect Authorization to Information Exposure
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version
Plugin: Announce from the Dashboard
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: ElementsKit Elementor addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Countdown and CountUp Widget
Patched Version: 3.2.32
Recommended Action: Update to version 3.2.32, or a newer patched version
Plugin: Beaver Themer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.4.9.1
Recommended Action: Update to version 1.4.9.1, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Calendly
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version
Plugin: Watu Quiz
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.4.1.1
Recommended Action: Update to version 3.4.1.1, or a newer patched version
Plugin: CMB2
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version
Plugin: File Manager
Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 7.2.6
Recommended Action: Update to version 7.2.6, or a newer patched version
Plugin: Sydney Toolbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery
Patched Version: 1.29
Recommended Action: Update to version 1.29, or a newer patched version
Plugin: Spectra – WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Custom CSS
Patched Version: 2.10.4
Recommended Action: Update to version 2.10.4, or a newer patched version
Plugin: BoldGrid Easy SEO – Simple and Effective SEO
Vulnerability: Information Exposure
Patched Version: 1.6.15
Recommended Action: Update to version 1.6.15, or a newer patched version
Plugin: Best WordPress Gallery Plugin – FooGallery
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Image Attachment Fields
Patched Version: 2.4.15
Recommended Action: Update to version 2.4.15, or a newer patched version
Plugin: Global Elementor Buttons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via button link
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via QR Code Widget
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version
Plugin: Best WordPress Gallery Plugin – FooGallery
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4.15
Recommended Action: Update to version 2.4.15, or a newer patched version
Plugin: Relevanssi – A Better Search (Pro)
Vulnerability: Missing Authorization to Unauthenticated Count Option Update
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Page Title HTML Tag
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version
Plugin: Bold Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_price_list Shortcode
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version
Plugin: Powerkit – Supercharge your WordPress Site
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Photo Stack Widget
Patched Version: 3.10.4
Recommended Action: Update to version 3.10.4, or a newer patched version
Plugin: Classified Listing – Classified ads & Business Directory Plugin
Vulnerability: Missing Authorization
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: Modal Popup Box – Popup Builder, Show Offers And News in Popup
Vulnerability: Authenticated (Contributor+) PHP Object Injection in awl_modal_popup_box_shortcode
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
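Several plugins appear more than once in this list with different patched versions (Happy Addons for Elementor at 3.10.4 and 3.10.5, LearnPress at 4.0.1 and 4.2.6.4, Element Pack at 5.3.3 and 5.5.4), and some entries have no patch at all. Anyone reconciling a site inventory against the list therefore needs the highest patched version per plugin, and has to treat an n/a entry as something no update can close. The script below is an added example, not Wordfence code: it parses records in the report's own four-line format (the sample text is copied from entries above), collapses them to one requirement per plugin and compares against an installed-version inventory. The INSTALLED dictionary, its plugin versions and the "Some Unlisted Plugin" name are constructed for the demonstration and are not taken from the report.

```python
"""Check an installed-plugin inventory against the advisory list above.
Added example, not Wordfence code; advisory text is copied from the report,
the INSTALLED inventory is a constructed sample."""
import re
from collections import defaultdict

ADVISORIES_TEXT = """\
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via title_tag
Patched Version: 3.10.4
Recommended Action: Update to version 3.10.4, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title HTML Tag
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Insecure Direct Object Reference
Patched Version: 4.2.6.4
Recommended Action: Update to version 4.2.6.4, or a newer patched version
Plugin: Bannerlid
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
"""

# Constructed inventory keyed by the report's display names (`wp plugin list`
# gives slugs, so map slug -> display name before comparing).
INSTALLED = {
    "Happy Addons for Elementor": "3.10.4",
    "LearnPress – WordPress LMS Plugin": "4.2.6.4",
    "Bannerlid": "1.0",
}

def parse_advisories(text):
    """Split the report's four-line records into dicts; 'n/a' patch -> None."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Plugin":
            current = {"plugin": value, "vulnerability": "", "patched": None}
            records.append(current)
        elif current is not None and key == "Vulnerability":
            current["vulnerability"] = value
        elif current is not None and key == "Patched Version":
            current["patched"] = None if value.lower() == "n/a" else value
    return records

def version_key(version):
    """Dotted numeric version -> tuple of ints ("4.2.6.4" -> (4, 2, 6, 4))."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def version_lt(a, b):
    """True if a < b; zero-pads so "3.2" == "3.2.0" (PHP's version_compare()
    would instead rank "3.2" below "3.2.0", so do not mix the two)."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))

def required_updates(advisories):
    """One requirement per plugin: (target, [vulnerabilities]). target is the
    highest patched version across the plugin's entries, or None if any entry
    has no patch, since no update closes that one."""
    by_plugin = defaultdict(list)
    for adv in advisories:
        by_plugin[adv["plugin"]].append(adv)
    result = {}
    for plugin, advs in by_plugin.items():
        patched = [a["patched"] for a in advs]
        target = None if None in patched else max(patched, key=version_key)
        result[plugin] = (target, [a["vulnerability"] for a in advs])
    return result

def assess(advisories, installed):
    """One finding per installed plugin named in the report; status is
    "update" (installed < target), "no-patch", or "ok"."""
    reqs, findings = required_updates(advisories), []
    for plugin, version in installed.items():
        if plugin not in reqs:
            continue
        target, vulns = reqs[plugin]
        if target is None:
            status = "no-patch"
        elif version_lt(version, target):
            status = "update"
        else:
            status = "ok"
        findings.append({"plugin": plugin, "installed": version,
                         "target": target, "status": status, "vulns": vulns})
    return findings

if __name__ == "__main__":
    for f in assess(parse_advisories(ADVISORIES_TEXT), INSTALLED):
        print(f"{f['status']:<8} {f['plugin']}: {f['installed']} -> {f['target']}")
```

Run directly, it prints one line per affected plugin: Happy Addons at 3.10.4 is still flagged because the second entry requires 3.10.5, LearnPress at 4.2.6.4 is clear, and Bannerlid is reported as unpatchable regardless of its version. Feed the full list into ADVISORIES_TEXT and a real inventory into INSTALLED to use it against a site.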