Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Updates
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Timeline Event History
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce – Social Login
Vulnerability: Social Login <= 2.7.3
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: Mercado Pago payments for WooCommerce
Vulnerability: 7.6.1
Patched Version: 7.6.2
Recommended Action: Update to version 7.6.2, or a newer patched version
Plugin: Redux Framework
Vulnerability: 4.4.17
Patched Version: 4.4.18
Recommended Action: Update to version 4.4.18, or a newer patched version
Plugin: MaxiBlocks: 2200+ Patterns, 190 Pages, 14.2K Icons & 100 Styles
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version
Plugin: Easy Testimonials
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin
Vulnerability: Authenticated (Admin+) SMTP Password Exposure
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Insecure Direct Object Reference to Authenticated (GiveWP Worker+) Arbitrary Post Actions
Patched Version: 3.14.0
Recommended Action: Update to version 3.14.0, or a newer patched version
Plugin: Post and Page Builder by BoldGrid – Visual Drag and Drop Editor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via File Upload
Patched Version: 1.26.7
Recommended Action: Update to version 1.26.7, or a newer patched version
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version
Plugin: Duplica – Duplicate Posts, Pages, Custom Posts or Users
Vulnerability: Authenticated (Subscriber+) Missing Authorization to Users/Posts Duplicates Creation
Patched Version: 0.7
Recommended Action: Update to version 0.7, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.6.12
Recommended Action: Update to version 5.6.12, or a newer patched version
Plugin: SVG Support
Vulnerability: Authenticated (Author+) Cross-Site Scripting via SVG
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementsKit Elementor addons
Vulnerability: Unauthenticated Information Exposure via ekit_widgetarea_content Function
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Conditional Fields for Contact Form 7
Vulnerability: Cross-Site Request Forgery to Plugin Setting Reset
Patched Version: 2.4.14
Recommended Action: Update to version 2.4.14, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 2.4.45
Recommended Action: Update to version 2.4.45, or a newer patched version
Plugin: RegLevel
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Authenticated (Contributor+) SQL Injection via url Parameter
Patched Version: 12.3.20
Recommended Action: Update to version 12.3.20, or a newer patched version
Plugin: Addonify – Quick View For WooCommerce
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version
Plugin: YITH Essential Kit for WooCommerce #1
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install, Activation, and Deactivation
Patched Version: 2.35.0
Recommended Action: Update to version 2.35.0, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.6.6
Recommended Action: Update to version 5.6.6, or a newer patched version
Plugin: FV Flowplayer Video Player
Vulnerability: Authenticated (Subscriber+) SQL Injection via exclude Parameter
Patched Version: 7.5.47.7212
Recommended Action: Update to version 7.5.47.7212, or a newer patched version
Plugin: Meks Video Importer
Vulnerability: Missing Authorization to Authenticated (Subscriber+) API Keys Modification
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Missing Authentication to MailChimp API key update
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Missing Authorization to Google API key update
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version