Plugin: 3D FlipBook – PDF Flipbook WordPress
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Bookmark URL
Patched Version: 1.15.5
Recommended Action: Update to version 1.15.5, or a newer patched version
Plugin: ConvertPlug
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
Patched Version: 3.5.26
Recommended Action: Update to version 3.5.26, or a newer patched version
Plugin: Elementor Website Builder Pro
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 3.21.2
Recommended Action: Update to version 3.21.2, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 7.1.9
Recommended Action: Update to version 7.1.9, or a newer patched version
Plugin: Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder
Vulnerability: Authenticated (Contributor+) DOM-Based Cross-Site Scripting
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version
Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms
Vulnerability: Cross-Site Request Forgery (CSRF) via sfs_process
Patched Version: 2024.5
Recommended Action: Update to version 2024.5, or a newer patched version
Plugin: Simple Basic Contact Form
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 20240502
Recommended Action: Update to version 20240502, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Missing Authorization via purchased_new_products
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: BuddyPress
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 12.4.1
Recommended Action: Update to version 12.4.1, or a newer patched version
Plugin: SimpleShop
Vulnerability: Missing Authorization
Patched Version: 2.10.3
Recommended Action: Update to version 2.10.3, or a newer patched version
Plugin: LA-Studio Element Kit for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via LaStudioKit Post Author Widget
Patched Version: 1.3.7.6
Recommended Action: Update to version 1.3.7.6, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via _id
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: Simple Membership
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4.6
Recommended Action: Update to version 4.4.6, or a newer patched version
Plugin: Swift Framework
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form by WPForms – Drag & Drop Form Builder for WordPress
Vulnerability: Unauthenticated Price Manipulation
Patched Version: 1.8.8.2
Recommended Action: Update to version 1.8.8.2, or a newer patched version
Plugin: WP Recipe Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wprm-recipe-roundup-item Shortcode
Patched Version: 9.4.0
Recommended Action: Update to version 9.4.0, or a newer patched version
Plugin: Swift Framework
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Content Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Vulnerability: Authenticated (AccountingManager+) SQL Injection
Patched Version: 1.13.2
Recommended Action: Update to version 1.13.2, or a newer patched version
Plugin: Rank Math SEO with AI Best SEO Tools
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.218
Recommended Action: Update to version 1.0.218, or a newer patched version
Plugin: SimpleShop
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.1
Recommended Action: Update to version 2.10.1, or a newer patched version
Plugin: Last Viewed Posts by WPBeginner
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Sydney Toolbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.31
Recommended Action: Update to version 1.31, or a newer patched version
Plugin: Testimonial Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Import and export users and customers
Vulnerability: Missing Authorization
Patched Version: 1.26.6
Recommended Action: Update to version 1.26.6, or a newer patched version
Plugin: WP Video Lightbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter
Patched Version: 1.9.11
Recommended Action: Update to version 1.9.11, or a newer patched version
Plugin: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via User First Name and Last Name
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: All-in-One Video Gallery
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload via featured image
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Breakdance
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via custom postmeta
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: Follow Us Badges
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpsite_follow_us_badges Shortcode
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version
Plugin: ConvertPlug
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 3.5.26
Recommended Action: Update to version 3.5.26, or a newer patched version