Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Missing Authorization in Multiple AJAX Actions
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version
Plugin: FooEvents for WooCommerce
Vulnerability: Improper Authorization to (Contributor+) Arbitrary File Upload
Patched Version: 1.19.21
Recommended Action: Update to version 1.19.21, or a newer patched version
Plugin: Download Manager
Vulnerability: Improper Authorization via protectMediaLibrary
Patched Version: 3.2.90
Recommended Action: Update to version 3.2.90, or a newer patched version
Plugin: Woody code snippets – Insert Header Footer Code, AdSense Ads
Vulnerability:
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Schema App Structured Data
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP STAGING Pro WordPress Backup Plugin
Vulnerability: Backup Duplicator & Migration <= 5.6.0
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via titleFont Parameter
Patched Version: 3.2.39
Recommended Action: Update to version 3.2.39, or a newer patched version
Plugin: ElementsKit Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Motion Text and Table Widgets
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version
Plugin: WPBakery Visual Composer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via VC Single Image link attribute
Patched Version: 7.7
Recommended Action: Update to version 7.7, or a newer patched version
Plugin: Master Slider – Responsive Touch Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ms_layer Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AI Infographic Maker
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Title Update
Patched Version: 4.7.5
Recommended Action: Update to version 4.7.5, or a newer patched version
Plugin: Restaurant Menu – Food Ordering System – Table Reservation
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: PDF Viewer for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via render
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Scheduling Plugin – Online Booking for WordPress
Vulnerability: Missing Authorization to Unauthenticated Service Disconnection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LatePoint Plugin
Vulnerability: Missing Authorization and Sensitive Information Exposure via IDOR
Patched Version: 4.9.9.1
Recommended Action: Update to version 4.9.9.1, or a newer patched version
Plugin: ElementsKit Pro
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version
Plugin: Where I Was, Where I Will Be
Vulnerability: Unauthenticated Remote File Inclusion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin
Vulnerability: Missing Authorization to Limited Privilege Escalation
Patched Version: 1.0.22
Recommended Action: Update to version 1.0.22, or a newer patched version
Plugin: Stratum – Elementor Widgets
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: Canto
Vulnerability: Unauthenticated Remote File Inclusion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elespare – News, Magazine and Blog Elements & Blog Addons for Elementor with Header Footer Builder. One Click Import: No Coding Required!
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Horizontal Nav Menu Widget
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce – Social Login
Vulnerability: Social Login <= 2.6.2
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: Shariff Wrapper
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.6.14
Recommended Action: Update to version 4.6.14, or a newer patched version
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Missing Authorization and Nonce Exposure
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version
Plugin: MaxGalleria
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via maxgallery_thumb Shortcode
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version
Plugin: Simple Sitemap – Create a Responsive HTML Sitemap
Vulnerability: Cross-Site Request Forgery via admin_notices
Patched Version: 3.5.14
Recommended Action: Update to version 3.5.14, or a newer patched version
Plugin: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP
Vulnerability: Authenticated (Contributor+) Arbitrary File Inclusion via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Custom URL
Patched Version: 2.4.16
Recommended Action: Update to version 2.4.16, or a newer patched version
Plugin: Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin
Vulnerability: Exposure of Sensitive Information via the UI
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Vulnerability: Directory Traversal via handle_folders_file_upload
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: Elementor Header & Footer Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Site Title Widget
Patched Version: 1.6.36
Recommended Action: Update to version 1.6.36, or a newer patched version
Plugin: Jeg Elementor Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via JKit
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version
Plugin: EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via PDF Widget URL
Patched Version: 3.9.11
Recommended Action: Update to version 3.9.11, or a newer patched version
Plugin: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Link Effects Widget
Patched Version: 2.7.21
Recommended Action: Update to version 2.7.21, or a newer patched version
Plugin: Dashboard Widgets Suite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version
Plugin: CoDesigner – The Most Compact and User-Friendly Elementor WooCommerce Builder
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: Collapse-O-Matic
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tickera – WordPress Event Ticketing
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Ticket Deletion
Patched Version: 3.5.2.9
Recommended Action: Update to version 3.5.2.9, or a newer patched version
Plugin: WP Go Maps (formerly WP Google Maps)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.0.39
Recommended Action: Update to version 9.0.39, or a newer patched version
Plugin: Ibtana – WordPress Website Builder
Vulnerability: WordPress Website Builder <= 1.2.3.3
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Business Directory Plugin – Easy Listing Directories for WordPress
Vulnerability: Authenticated (Author+) CSV Injection
Patched Version: 6.4.4
Recommended Action: Update to version 6.4.4, or a newer patched version
Plugin: Folders Pro
Vulnerability: Authenticated (Author+) Arbitrary File Upload via handle_folders_file_upload
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version