Plugin: Ultimate Blocks – WordPress Blocks Plugin
Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting via Multiple Blocks
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Cost Calculator Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.13
Recommended Action: Update to version 3.2.13, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Missing Authorization to Unauthenticated User Registration Bypass
Patched Version: 4.2.6.8.2
Recommended Action: Update to version 4.2.6.8.2, or a newer patched version
Plugin: Login with phone number
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.36
Recommended Action: Update to version 1.7.36, or a newer patched version
Plugin: Page and Post Clone
Vulnerability: Insecure Direct Object Reference to Authenticated (Author+) Sensitive Information Exposure
Patched Version: 6.1
Recommended Action: Update to version 6.1, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Limited Local File Inclusion via Widgets
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Snippet Shortcodes
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version
Plugin: Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce
Vulnerability: Unauthenticated SQL Injection via unsubscribe
Patched Version: 5.7.26
Recommended Action: Update to version 5.7.26, or a newer patched version
Plugin: Church Admin
Vulnerability: Missing Authorization
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version
Plugin: Elementor Website Builder Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.21.3
Recommended Action: Update to version 3.21.3, or a newer patched version
Plugin: Featured Image from URL (FIFU)
Vulnerability: Missing Authorization
Patched Version: 4.8.2
Recommended Action: Update to version 4.8.2, or a newer patched version
Plugin: Branda – White Label WordPress, Custom Login Page Customizer
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.18
Recommended Action: Update to version 3.4.18, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version
Plugin: Defender Security – Malware Scanner, Login Security & Firewall
Vulnerability: Missing Authorization
Patched Version: 4.7.3
Recommended Action: Update to version 4.7.3, or a newer patched version
Plugin: Stock Ticker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via stock_ticker Shortcode
Patched Version: 3.24.6
Recommended Action: Update to version 3.24.6, or a newer patched version
Plugin: Void Contact Form 7 Widget For Elementor Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via cf7_redirect_page Attribute
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Newspack Blocks
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Uncanny Toolkit Pro for LearnDash
Vulnerability: Missing Authorization to Arbitrary Page/Post Duplication
Patched Version: 4.1.4.1
Recommended Action: Update to version 4.1.4.1, or a newer patched version
Plugin: Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Rife Elementor Extensions & Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Widget
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: LA-Studio Element Kit for Elementor
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: WP Photo Album Plus
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.8.00.003
Recommended Action: Update to version 8.8.00.003, or a newer patched version
Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress
Vulnerability: Unauthenticated SQL Injection via ‘uwp_sort_by’
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version
Plugin: Easy Age Verify
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: All-in-One Addons for Elementor – WidgetKit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via galleryID and className Parameters
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: Ultimate Blocks – WordPress Blocks Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title tag attribute
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Patreon WordPress
Vulnerability: Protection Mechanism Bypass
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Unauthenticated Insecure Direct Object Reference to Order Status Update
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: Easy Google Maps
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.11.16
Recommended Action: Update to version 1.11.16, or a newer patched version
Plugin: WP Job Manager – Resume Manager
Vulnerability: Resume Manager <= 2.1.0
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Auto Featured Image
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Maps – Display Google Maps Perfectly with Ease
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version
Plugin: Newspack Blocks
Vulnerability: Authenticated (Contributor+) Arbitrary Directory Deletion
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Social Rocket – Social Sharing Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.32
Recommended Action: Update to version 3.32, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Marquee Text Widget, Testimonials Widget, and Testimonial Slider Widgets
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Masterstudy Elementor Widgets
Vulnerability: Missing Authorization
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Enter Addons – Ultimate Template Builder for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: E2Pdf – Export To Pdf Tool for WordPress
Vulnerability: Missing Authorization
Patched Version: 1.23.00
Recommended Action: Update to version 1.23.00, or a newer patched version
Plugin: Motors – Car Dealer, Classifieds & Listing
Vulnerability: Missing Authorization
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version
Plugin: Extensions for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter
Patched Version: 2.0.31
Recommended Action: Update to version 2.0.31, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.6
Recommended Action: Update to version 1.13.6, or a newer patched version
Plugin: Mailster – Email Newsletter Plugin for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.10
Recommended Action: Update to version 4.0.10, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Gradient Heading Widget
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version
Plugin: Zita Elementor Site Library
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: PayPlus Payment Gateway
Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.6.9
Recommended Action: Update to version 6.6.9, or a newer patched version
Plugin: Events Manager – Calendar, Bookings, Tickets, and more!
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4.9
Recommended Action: Update to version 6.4.9, or a newer patched version
Plugin: Filter & Grids
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.8.33
Recommended Action: Update to version 2.8.33, or a newer patched version
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version
Plugin: Cards for Beaver Builder
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Various Widgets
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Print My Blog – Print, PDF, & eBook Converter WordPress Plugin
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.27.1
Recommended Action: Update to version 3.27.1, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Unauthenticated Bypass to User Registration
Patched Version: 4.2.6.8.2
Recommended Action: Update to version 4.2.6.8.2, or a newer patched version
Plugin: Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: File Manager
Vulnerability: Missing Authorization
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version
Plugin: PowerPack Lite for Beaver Builder
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.3.0.5
Recommended Action: Update to version 1.3.0.5, or a newer patched version
Plugin: Progress Planner
Vulnerability: Missing Authorization
Patched Version: 0.9.2
Recommended Action: Update to version 0.9.2, or a newer patched version
Plugin: Slider Revolution
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.7.14
Recommended Action: Update to version 6.7.14, or a newer patched version
Plugin: Uncanny Automator Pro
Vulnerability: Missing Authorization to Unauthenticated License Setting Reset
Patched Version: 5.3.0.1
Recommended Action: Update to version 5.3.0.1, or a newer patched version
Plugin: Uncanny Toolkit Pro for LearnDash
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.4.1
Recommended Action: Update to version 4.1.4.1, or a newer patched version
Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Lister Lite for Amazon
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.17
Recommended Action: Update to version 2.6.17, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Grid
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DethemeKit For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via URL Parameter of the De Gallery Widget
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: Create by Mediavine
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Schema Meta Shortcode
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version
Plugin: Advanced File Manager
Vulnerability: Sensitive Information Exposure via Directory Listing
Patched Version: 5.2.5
Recommended Action: Update to version 5.2.5, or a newer patched version
Plugin: Post Meta Data Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 4.10.36
Recommended Action: Update to version 4.10.36, or a newer patched version
Plugin: Photo Gallery by Ays – Responsive Image Gallery
Vulnerability: Authenticated (Administrator+) HTML Injection
Patched Version: 5.7.1
Recommended Action: Update to version 5.7.1, or a newer patched version
Plugin: ElementsKit Elementor addons
Vulnerability: Missing Authorization
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.2.9
Recommended Action: Update to version 1.3.2.9, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.6
Recommended Action: Update to version 1.13.6, or a newer patched version
Plugin: Portfolio Gallery – Image Gallery Plugin
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: PowerPack Lite for Beaver Builder
Vulnerability: Authenticated (Editor+) Local File Inclusion
Patched Version: 1.3.0.4
Recommended Action: Update to version 1.3.0.4, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Ultimate Post Kit Addons For Elementor – (Post Grid, Post Carousel, Post Slider, Category List, Post Tabs, Timeline, Post Ticker, Tag Cloud)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Social Count (Static) Widget
Patched Version: 3.11.8
Recommended Action: Update to version 3.11.8, or a newer patched version
Plugin: Floating Social Buttons
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TrustedLogin Vendor
Vulnerability: Unauthenticated Information Disclosure
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Authenticated (Admin+) Path Traversal
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version
Plugin: Newspack Blocks
Vulnerability: Missing Authorization
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Progress Planner
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 0.9.3
Recommended Action: Update to version 0.9.3, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes
Patched Version: 3.2.46
Recommended Action: Update to version 3.2.46, or a newer patched version
Plugin: PixelYourSite – Your smart PIXEL (TAG) & API Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.6.2
Recommended Action: Update to version 9.6.2, or a newer patched version
Plugin: WP Mobile Menu – The Mobile-Friendly Responsive Menu
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.4.4
Recommended Action: Update to version 2.8.4.4, or a newer patched version
Plugin: Easy Image Collage
Vulnerability: Missing Authorization to Authenticated (Contributor+) Data Clearance
Patched Version: 1.13.6
Recommended Action: Update to version 1.13.6, or a newer patched version
Plugin: Media Library Assistant
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.18
Recommended Action: Update to version 3.18, or a newer patched version
Plugin: Uncanny Automator Pro
Vulnerability: Cross-Site Request Forgery to License Setting Reset
Patched Version: 5.3.0.1
Recommended Action: Update to version 5.3.0.1, or a newer patched version
Plugin: HTML5 Audio Player- Audio Player Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.24
Recommended Action: Update to version 2.2.24, or a newer patched version
Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via read_more_text Parameter
Patched Version: 3.5.6
Recommended Action: Update to version 3.5.6, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: IdeaPush
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 8.61
Recommended Action: Update to version 8.61, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability:
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version
Plugin: Stackable – Page Builder Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 3.13.2
Recommended Action: Update to version 3.13.2, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.3.4
Recommended Action: Update to version 2.4.3.4, or a newer patched version
Plugin: Easy Affiliate Links
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Reset
Patched Version: 3.7.4
Recommended Action: Update to version 3.7.4, or a newer patched version
Plugin: Uncanny Toolkit Pro for LearnDash
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.4.1
Recommended Action: Update to version 4.1.4.1, or a newer patched version
Plugin: WooCommerce
Vulnerability: Authenticated (Shop Manager+) Content Injection
Patched Version: 9.0.0
Recommended Action: Update to version 9.0.0, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Authenticated (Contributor+) Arbitrary SVG Download
Patched Version: 3.22.2
Recommended Action: Update to version 3.22.2, or a newer patched version
Plugin: SEO SIMPLE PACK
Vulnerability: Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Conversios – Google Analytics 4 (GA4), Google Ads, Meta Pixel & more for WooCommerce
Vulnerability: All-in-one Google Analytics, Pixels and Product Feed Manager for WooCommerce <= 7.1.0
Patched Version: 7.1.1
Recommended Action: Update to version 7.1.1, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting in Google Maps Widget
Patched Version: 3.2.43
Recommended Action: Update to version 3.2.43, or a newer patched version
Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting via section title tag
Patched Version: 7.7.2
Recommended Action: Update to version 7.7.2, or a newer patched version
Plugin: Cost Calculator Builder
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Creation
Patched Version: 3.2.13
Recommended Action: Update to version 3.2.13, or a newer patched version
Plugin: WP Lightbox 2
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 3.0.6.7
Recommended Action: Update to version 3.0.6.7, or a newer patched version