Plugin: Forminator – Contact Form, Payment Form & Custom Form Builder
Vulnerability: HubSpot Developer API Key Sensitive Information Exposure
Patched Version: 1.29.2
Recommended Action: Update to version 1.29.2, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CTT Expresso para WooCommerce
Vulnerability: Information Exposure via Unprotected Directory
Patched Version: 3.2.13
Recommended Action: Update to version 3.2.13, or a newer patched version

Plugin: Gutenberg Blocks, Page Builder – ComboBlocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via redirectURL Parameter of Date Countdown Widget
Patched Version: 2.2.86
Recommended Action: Update to version 2.2.86, or a newer patched version

Plugin: Element Pack Pro – Addon for Elementor Page Builder WordPress Plugin
Vulnerability: Addon for Elementor Page Builder WordPress Plugin <= 7.9.0
Patched Version: 7.9.1
Recommended Action: Update to version 7.9.1, or a newer patched version

Plugin: FundEngine – Donation and Crowdfunding Platform
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: WordPress Menu Plugin — Superfly Responsive Menu
Vulnerability: Cross-Site Request Forgery to Arbitrary File Deletion
Patched Version: 5.0.30
Recommended Action: Update to version 5.0.30, or a newer patched version

Plugin: Spectra Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block IDs
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: AdFoxly – Ad Manager, AdSense Ads & Ads.txt
Vulnerability: Missing Authorization to Unauthenticated Ad Status Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Blog2Social: Social Media Auto Post & Scheduler
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via File Upload
Patched Version: 7.5.5
Recommended Action: Update to version 7.5.5, or a newer patched version

Plugin: Breakdance
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Breakdance
Vulnerability: Missing Authorization
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Ebook Store
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Remote Content Shortcode
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comments – wpDiscuz
Vulnerability: Unauthenticated HTML Injection
Patched Version: 7.6.22
Recommended Action: Update to version 7.6.22, or a newer patched version