Watch Out Wednesday – July 3, 2024

Plugin: Auto Featured Image

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.6
Recommended Action: Update to version 1.13.6, or a newer patched version

Plugin: DethemeKit For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via URL Parameter of the De Gallery Widget
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: Create by Mediavine

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Schema Meta Shortcode
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version

Plugin: Portfolio Gallery – Image Gallery Plugin

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability:
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting in Google Maps Widget
Patched Version: 3.2.43
Recommended Action: Update to version 3.2.43, or a newer patched version