Watch Out Wednesday – May 8, 2024

Plugin: 3D FlipBook – PDF Flipbook WordPress

Vulnerability: Authenticated (Author+) Stored Cross-Site Scritping via Bookmark URL
Patched Version: 1.15.5
Recommended Action: Update to version 1.15.5, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Justify
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Breakdance

Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Custom Field Suite

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version

Plugin: ConvertPlug

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
Patched Version: 3.5.26
Recommended Action: Update to version 3.5.26, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 3.21.2
Recommended Action: Update to version 3.21.2, or a newer patched version

Plugin: Ditty – Responsive News Tickers, Sliders, and Lists

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 3.1.39
Recommended Action: Update to version 3.1.39, or a newer patched version

Plugin: Simple Image Popup

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EAN for WooCommerce

Vulnerability: Authenticated (Shop Manager+) Arbitrary Options Update
Patched Version: 4.9.0
Recommended Action: Update to version 4.9.0, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 7.1.9
Recommended Action: Update to version 7.1.9, or a newer patched version

Plugin: Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder

Vulnerability: Authenticated (Contributor+) DOM-Based Cross-Site Scripting
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Authenticated (Subscriber+) Arbitrary Folder Name Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms

Vulnerability: Cross-Site Request Forgery (CSRF) via sfs_process
Patched Version: 2024.5
Recommended Action: Update to version 2024.5, or a newer patched version

Plugin: Video Gallery – Api Gallery, YouTube and Vimeo, Link Gallery

Vulnerability: Missing Authorization
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Simple Basic Contact Form

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 20240502
Recommended Action: Update to version 20240502, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Missing Authorization via purchased_new_products
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: Login with phone number

Vulnerability: Missing Authorization
Patched Version: 1.7.20
Recommended Action: Update to version 1.7.20, or a newer patched version

Plugin: Social Connect

Vulnerability: Authentication Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Affiliate Links

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: 6.4.4
Recommended Action: Update to version 6.4.4, or a newer patched version

Plugin: Link Library

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via link-library Shortcode
Patched Version: 7.7
Recommended Action: Update to version 7.7, or a newer patched version

Plugin: Web Push Notifications – Webpushr

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.36.0
Recommended Action: Update to version 4.36.0, or a newer patched version

Plugin: BuddyPress

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 12.4.1
Recommended Action: Update to version 12.4.1, or a newer patched version

Plugin: Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Startklar Elementor Addons

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.7.14
Recommended Action: Update to version 1.7.14, or a newer patched version

Plugin: Table Plugin for WordPress with Google Sheets Integration – Sheets to WP Table Live Sync

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: WP Post Author – Enhance Your Posts with the Author Bio, Co-Authors, Guest Authors, and Post Rating System, including User Registration Form Builder

Vulnerability: Missing Authorization to Rating Manipulation
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Hover Effects – Elementor Addon

Vulnerability: Elementor Addon <= 1.4.1
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: SimpleShop

Vulnerability: Missing Authorization
Patched Version: 2.10.3
Recommended Action: Update to version 2.10.3, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 22.6
Recommended Action: Update to version 22.6, or a newer patched version

Plugin: Advanced Ads – Ad Manager & AdSense

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Ad Widget
Patched Version: 1.52.2
Recommended Action: Update to version 1.52.2, or a newer patched version

Plugin: Mesmerize Companion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mesmerize_contact_form Shortcode
Patched Version: 1.6.149
Recommended Action: Update to version 1.6.149, or a newer patched version

Plugin: ElementsReady Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.0
Recommended Action: Update to version 5.9.0, or a newer patched version

Plugin: LA-Studio Element Kit for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via LaStudioKit Post Author Widget
Patched Version: 1.3.7.6
Recommended Action: Update to version 1.3.7.6, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Authenticated (contributor+) Stored Cross-Site Scripting via _id
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: Simple Membership

Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4.6
Recommended Action: Update to version 4.4.6, or a newer patched version

Plugin: Swift Framework

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Latest Posts

Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 5.0.8
Recommended Action: Update to version 5.0.8, or a newer patched version

Plugin: Soccer Engine – Soccer Plugin for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version

Plugin: ClickCease Click Fraud Protection

Vulnerability: Improper Authorization to sensitive information exposure via get_settings
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: Alt Text AI – Automatically generate image alt text for SEO and accessibility

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via pagingType Parameter
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: Contact Form by WPForms – Drag & Drop Form Builder for WordPress

Vulnerability: Unauthenticated Price Manipulation
Patched Version: 1.8.8.2
Recommended Action: Update to version 1.8.8.2, or a newer patched version

Plugin: Edwiser Bridge – WordPress Moodle LMS Integration

Vulnerability: Authentication Bypass due to Missing Empty Value Check
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wprm-recipe-roundup-item Shortcode
Patched Version: 9.4.0
Recommended Action: Update to version 9.4.0, or a newer patched version

Plugin: Hostel

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.5.4
Recommended Action: Update to version 1.1.5.4, or a newer patched version

Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.14.4
Recommended Action: Update to version 3.14.4, or a newer patched version

Plugin: Mihdan: Yandex Turbo Feed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Text Effect Widget
Patched Version: 1.1.38
Recommended Action: Update to version 1.1.38, or a newer patched version

Plugin: Swift Framework

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Content Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: XML Sitemap & Google News

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: ADFO – Custom data in admin dashboard

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Authenticated (AccountingManager+) SQL Injection
Patched Version: 1.13.2
Recommended Action: Update to version 1.13.2, or a newer patched version

Plugin: Shipment Tracking, Tracking, and Order Tracking for WooCommerce – ParcelPanel (Free to install)

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.9.0
Recommended Action: Update to version 3.9.0, or a newer patched version

Plugin: Rank Math SEO with AI Best SEO Tools

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.218
Recommended Action: Update to version 1.0.218, or a newer patched version

Plugin: Shared Counts – Social Media Share Buttons

Vulnerability: Missing Authorization to Arbitrary Email Sending
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: SimpleShop

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.1
Recommended Action: Update to version 2.10.1, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Tooltip & Popover Widget
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.1.2
Recommended Action: Update to version 2.8.1.2, or a newer patched version

Plugin: WordPress Affiliates Plugin — SliceWP Affiliates

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version

Plugin: Visual Footer Credit Remover

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Startklar Elementor Addons

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 1.7.14
Recommended Action: Update to version 1.7.14, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Unauthenticated Information Exposure
Patched Version: 3.2.19
Recommended Action: Update to version 3.2.19, or a newer patched version

Plugin: SEOPress – On-site SEO

Vulnerability: Information Exposure
Patched Version: 7.7
Recommended Action: Update to version 7.7, or a newer patched version

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.3.3.3
Recommended Action: Update to version 1.3.3.3, or a newer patched version

Plugin: GDPR Compliance

Vulnerability: Authenticated (Subscriber+) Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Last Viewed Posts by WPBeginner

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder

Vulnerability: Missing Authorization
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: Mooberry Book Manager

Vulnerability: Unauthenticated Information Exposure via Export Files
Patched Version: 4.15.13
Recommended Action: Update to version 4.15.13, or a newer patched version

Plugin: Joli FAQ SEO – WordPress FAQ Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Sydney Toolbox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.31
Recommended Action: Update to version 1.31, or a newer patched version

Plugin: Testimonial Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Squelch Tabs and Accordions Shortcodes

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.4.8
Recommended Action: Update to version 0.4.8, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Age Gate
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Missing Authorization
Patched Version: 1.26.6
Recommended Action: Update to version 1.26.6, or a newer patched version

Plugin: Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

Plugin: WP Video Lightbox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter
Patched Version: 1.9.11
Recommended Action: Update to version 1.9.11, or a newer patched version

Plugin: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via User First Name and Last Name
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: WP Post Author – Enhance Your Posts with the Author Bio, Co-Authors, Guest Authors, and Post Rating System, including User Registration Form Builder

Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-in-One Video Gallery

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload via featured image
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: ADFO – Custom data in admin dashboard

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Breakdance

Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting via custom postmeta
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: PropertyHive

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: Follow Us Badges

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpsite_follow_us_badges Shortcode
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version

Plugin: ChatBot Conversational Forms

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Advanced Ads – Ad Manager & AdSense

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 1.52.2
Recommended Action: Update to version 1.52.2, or a newer patched version

Plugin: ConvertPlug

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 3.5.26
Recommended Action: Update to version 3.5.26, or a newer patched version

Plugin: Popup Box – Best WordPress Popup Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version