Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: 3D FlipBook – PDF Flipbook WordPress
Vulnerability: Authenticated (Author+) Stored Cross-Site Scritping via Bookmark URL
Patched Version: 1.15.5
Recommended Action: Update to version 1.15.5, or a newer patched version
Plugin: ConvertPlug
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
Patched Version: 3.5.26
Recommended Action: Update to version 3.5.26, or a newer patched version
Plugin: Elementor Website Builder Pro
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 3.21.2
Recommended Action: Update to version 3.21.2, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 7.1.9
Recommended Action: Update to version 7.1.9, or a newer patched version
Plugin: Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder
Vulnerability: Authenticated (Contributor+) DOM-Based Cross-Site Scripting
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version
Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms
Vulnerability: Cross-Site Request Forgery (CSRF) via sfs_process
Patched Version: 2024.5
Recommended Action: Update to version 2024.5, or a newer patched version
Plugin: Simple Basic Contact Form
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 20240502
Recommended Action: Update to version 20240502, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Missing Authorization via purchased_new_products
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: BuddyPress
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 12.4.1
Recommended Action: Update to version 12.4.1, or a newer patched version
Plugin: SimpleShop
Vulnerability: Missing Authorization
Patched Version: 2.10.3
Recommended Action: Update to version 2.10.3, or a newer patched version
Plugin: LA-Studio Element Kit for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via LaStudioKit Post Author Widget
Patched Version: 1.3.7.6
Recommended Action: Update to version 1.3.7.6, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Authenticated (contributor+) Stored Cross-Site Scripting via _id
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: Simple Membership
Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4.6
Recommended Action: Update to version 4.4.6, or a newer patched version
Plugin: Swift Framework
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form by WPForms – Drag & Drop Form Builder for WordPress
Vulnerability: Unauthenticated Price Manipulation
Patched Version: 1.8.8.2
Recommended Action: Update to version 1.8.8.2, or a newer patched version
Plugin: WP Recipe Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wprm-recipe-roundup-item Shortcode
Patched Version: 9.4.0
Recommended Action: Update to version 9.4.0, or a newer patched version
Plugin: Swift Framework
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Content Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Vulnerability: Authenticated (AccountingManager+) SQL Injection
Patched Version: 1.13.2
Recommended Action: Update to version 1.13.2, or a newer patched version
Plugin: Rank Math SEO with AI Best SEO Tools
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.218
Recommended Action: Update to version 1.0.218, or a newer patched version
Plugin: SimpleShop
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.1
Recommended Action: Update to version 2.10.1, or a newer patched version
Plugin: Last Viewed Posts by WPBeginner
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Sydney Toolbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.31
Recommended Action: Update to version 1.31, or a newer patched version
Plugin: Testimonial Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Import and export users and customers
Vulnerability: Missing Authorization
Patched Version: 1.26.6
Recommended Action: Update to version 1.26.6, or a newer patched version
Plugin: WP Video Lightbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter
Patched Version: 1.9.11
Recommended Action: Update to version 1.9.11, or a newer patched version
Plugin: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via User First Name and Last Name
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: All-in-One Video Gallery
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload via featured image
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Breakdance
Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting via custom postmeta
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: Follow Us Badges
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpsite_follow_us_badges Shortcode
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version
Plugin: ConvertPlug
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 3.5.26
Recommended Action: Update to version 3.5.26, or a newer patched version