Watch Out Wednesday – May 15, 2024

Plugin: Breakdance

Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: White Label CMS

Vulnerability: Missing Authorization to Plugin Settings Reset
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version

Plugin: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘Dual Color Header’, ‘Event Calendar’, & ‘Advanced Data Table’
Patched Version: 5.9.20
Recommended Action: Update to version 5.9.20, or a newer patched version

Plugin: Enter Addons – Ultimate Template Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Animation Title widget img tag
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Patched Version: 3.9.17
Recommended Action: Update to version 3.9.17, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Unauthenticated Time-Based SQL Injection
Patched Version: 4.2.6.6
Recommended Action: Update to version 4.2.6.6, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via layout_html Parameter
Patched Version: 4.2.6.6
Recommended Action: Update to version 4.2.6.6, or a newer patched version

Plugin: Gallery Block (Meow Gallery)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.4
Recommended Action: Update to version 5.1.4, or a newer patched version

Plugin: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Several Widgets
Patched Version: 5.9.20
Recommended Action: Update to version 5.9.20, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Admin+) Command Injection
Patched Version: 1.5.103
Recommended Action: Update to version 1.5.103, or a newer patched version

Plugin: Swift Performance Lite

Vulnerability: Incorrect Authorization to Authenticated (Subscriber+) Settings Modification
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pure Chat – Live Chat Plugin & More!

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Enter Addons – Ultimate Template Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Heading widget
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘Interactive Circles’
Patched Version: 5.9.20
Recommended Action: Update to version 5.9.20, or a newer patched version

Plugin: Orders Tracking for WooCommerce

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Pod Form Redirect URL
Patched Version: 3.2.1.1
Recommended Action: Update to version 3.2.1.1, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Link
Patched Version: 3.2.37
Recommended Action: Update to version 3.2.37, or a newer patched version

Plugin: Themify Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via themify_button Shortcode
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Unauthenticated Bypass to User Registration
Patched Version: 4.2.6.6
Recommended Action: Update to version 4.2.6.6, or a newer patched version

Plugin: HTML5 Audio Player – Best WordPress Audio Player Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 2.2.22
Recommended Action: Update to version 2.2.22, or a newer patched version

Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 4.1.7
Recommended Action: Update to version 4.1.7, or a newer patched version

Plugin: Spectra Pro

Vulnerability: Authenticated (Author+) Privilege Escalation
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated (Instructor+) Arbitrary File Upload
Patched Version: 4.2.6.6
Recommended Action: Update to version 4.2.6.6, or a newer patched version

Plugin: Divi Builder

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 4.25.1
Recommended Action: Update to version 4.25.1, or a newer patched version

Plugin: Porto Theme – Functionality

Vulnerability: Functionality <= 3.0.9
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.103
Recommended Action: Update to version 1.5.103, or a newer patched version

Plugin: Porto Theme – Functionality

Vulnerability: Functionality <= 3.1.0
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version