August 2024

Plugin: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload via acym_extractArchive FunctionPatched Version: 9.8.0Recommended Action: Update to version 9.8.0, or a newer patched version Plugin: User Private Files – WordPress File Sharing Plugin Vulnerability: Insecure Direct Object Reference to Authenticated (Subscriber+) Private File AccessPatched Version: […]

Plugin: AFI – The Easiest Integration Plugin Vulnerability: Cross-Site Request ForgeryPatched Version: 1.89.6Recommended Action: Update to version 1.89.6, or a newer patched version Plugin: Custom Layouts – Post + Product grids made easy Vulnerability: Authenticated (Contributor+) Stored Cross-Site ScriptingPatched Version: 1.4.12Recommended Action: Update to version 1.4.12, or a newer patched version Plugin: The Ultimate Video

Plugin: ElementsKit Pro Vulnerability: Authenticated (Contributor+) Stored Cross-Site ScriptingPatched Version: 3.6.6Recommended Action: Update to version 3.6.6, or a newer patched version Plugin: WP MultiTasking – WP Utilities Vulnerability: Reflected Cross-Site ScriptingPatched Version: n/aRecommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Currency SettingsPatched Version: 3.3.3Recommended Action: Update to version 3.3.3, or a newer patched version Plugin: Organization chart Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via title_input and node_description ParametersPatched Version: 1.5.1Recommended Action: Update to version 1.5.1, or a

Plugin: Organization chart Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via title_input and node_description ParametersPatched Version: 1.5.1Recommended Action: Update to version 1.5.1, or a newer patched version Plugin: Fuse Social Floating Sidebar Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via File UploadPatched Version: 5.4.11Recommended Action: Update to version 5.4.11, or a newer patched version Plugin: Appointment Booking

Plugin: Forminator – Contact Form, Payment Form & Custom Form Builder Vulnerability: HubSpot Developer API Key Sensitive Information ExposurePatched Version: 1.29.2Recommended Action: Update to version 1.29.2, or a newer patched version Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) Vulnerability: Authenticated (Contributor+) Stored Cross-Site ScriptingPatched Version: n/aRecommended Action:

Plugin: CTT Expresso para WooCommerce Vulnerability: Information Exposure via Unprotected DirectoryPatched Version: 3.2.13Recommended Action: Update to version 3.2.13, or a newer patched version Plugin: Gutenberg Blocks, Page Builder – ComboBlocks Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via redirectURL Parameter of Date Countdown WidgetPatched Version: 2.2.86Recommended Action: Update to version 2.2.86, or a newer patched version