Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Currency Settings
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version
Plugin: Organization chart
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via title_input and node_description Parameters
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Linkify Text
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fuse Social Floating Sidebar
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via File Upload
Patched Version: 5.4.11
Recommended Action: Update to version 5.4.11, or a newer patched version
Plugin: Obfuscate Email
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin
Vulnerability: Unauthenticated PHP Code Injection to Remote Code Execution
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: PDF Builder for WPForms
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 1.2.117
Recommended Action: Update to version 1.2.117, or a newer patched version
Plugin: Reveal Template
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Viral Signup – limited opt-in with viral refferal sharing
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Vulnerability: BookingPress <= 1.1.7
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: Viral Signup – limited opt-in with viral refferal sharing
Vulnerability: Unauthenticated SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Authenticated (Contributor+) SQL Injection via order Parameter
Patched Version: 4.2.6.9.4
Recommended Action: Update to version 4.2.6.9.4, or a newer patched version
Plugin: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via no_more_items_text Parameter
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version
Plugin: Slider by 10Web – Responsive Image Slider
Vulnerability: Authenticated (Contributor+) SQL Injection via id Parameter
Patched Version: 1.2.58
Recommended Action: Update to version 1.2.58, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version
Plugin: No Update Nag
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: Paid Memberships Pro – Membership Maps Add On
Vulnerability: Membership Maps Add On < 0.7
Patched Version: 0.7
Recommended Action: Update to version 0.7, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Gallery and Countdown Widgets
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Lightbox & Modal Popup WordPress Plugin – FooBox
Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes
Patched Version: 2.7.32
Recommended Action: Update to version 2.7.32, or a newer patched version
Plugin: Media Library Assistant
Vulnerability: Authenticated (Author+) Arbitrary File Upload via mla-inline-edit-upload-scripts AJAX Action
Patched Version: 3.19
Recommended Action: Update to version 3.19, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Vulnerability: Authenticated (Contributor+) Arbitrary File Read
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Christmasify!
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Content Deletion and Arbitrary Title Update
Patched Version: 4.10.39
Recommended Action: Update to version 4.10.39, or a newer patched version
Plugin: WP Bannerize Pro
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Booking for Appointments and Events Calendar – Amelia
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Falang multilanguage for WordPress
Vulnerability: Missing Authorization to Translation Update and Information Exposure
Patched Version: 1.3.53
Recommended Action: Update to version 1.3.53, or a newer patched version
Plugin: MainWP Child Reports
Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: My Custom CSS PHP & ADS
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Opal Membership
Vulnerability: Authenticated (Subscriber+) Information Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Agreement Text
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version
Plugin: Opal Membership
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce – Social Login
Vulnerability: Social Login <= 2.7.5
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version
Plugin: affiliate-toolkit – WordPress Affiliate Plugin
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
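The entries above share one four-line record shape (Plugin, Vulnerability, Patched Version, Recommended Action), which makes the report easy to check mechanically against what a site actually runs. The script below is an added example, not part of the report or of any plugin listed in it: it parses records in that shape, compares each against an installed-version inventory, flags anything older than the patched version (or anything at all when the patched version is "n/a"), and orders the findings by how little privilege the attacker needs, so unauthenticated issues surface first. The listing excerpt and the inventory table inside the script are constructed for illustration; a real inventory would come from something like `wp plugin list` on each site.

```python
"""Triage a plugin vulnerability listing against installed plugin versions.

Added example; not part of the original report. The listing excerpt and the
installed-version table below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the report's own four-line record format.
SAMPLE_LISTING = """\
Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin
Vulnerability: Unauthenticated PHP Code Injection to Remote Code Execution
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: Linkify Text
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Authenticated (Contributor+) SQL Injection via order Parameter
Patched Version: 4.2.6.9.4
Recommended Action: Update to version 4.2.6.9.4, or a newer patched version
"""

# Constructed inventory: plugin name -> installed version on the site.
SAMPLE_INVENTORY = {
    "JS Help Desk – The Ultimate Help Desk & Support Plugin": "2.8.6",
    "Linkify Text": "1.9",
    "LearnPress – WordPress LMS Plugin": "4.2.6.9.4",
}

# Lower rank = fewer privileges required = higher triage priority.
_PRIV_RANK = {"Unauthenticated": 0, "Subscriber+": 1, "Contributor+": 2,
              "Author+": 3, "Editor+": 4, "Admin+": 5}


@dataclass
class Record:
    plugin: str
    vulnerability: str
    patched: Optional[str]  # None when the report says "n/a"

    def privilege_rank(self) -> int:
        for label, rank in _PRIV_RANK.items():
            if label in self.vulnerability:
                return rank
        return 6  # e.g. a bare "Cross-Site Request Forgery" title: unknown


def _to_record(fields: Dict[str, str]) -> Record:
    patched = fields.get("Patched Version", "n/a").strip()
    return Record(
        plugin=fields["Plugin"],
        vulnerability=fields.get("Vulnerability", ""),
        patched=None if patched.lower() == "n/a" else patched,
    )


def parse_listing(text: str) -> List[Record]:
    """Split the listing into records; a new 'Plugin:' line starts a record."""
    records: List[Record] = []
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Plugin" and fields:
            records.append(_to_record(fields))
            fields = {}
        fields[key] = value
    if fields:
        records.append(_to_record(fields))
    return records


def version_tuple(version: str) -> tuple:
    """'4.2.6.9.4' -> (4, 2, 6, 9, 4); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def is_vulnerable(installed: str, patched: Optional[str]) -> bool:
    if patched is None:
        return True  # no fix exists, so every installed version is affected
    return version_tuple(installed) < version_tuple(patched)


def triage(records: List[Record], inventory: Dict[str, str]) -> List[dict]:
    findings = []
    for rec in records:
        installed = inventory.get(rec.plugin)
        if installed is None or not is_vulnerable(installed, rec.patched):
            continue  # not installed here, or already at/after the fix
        action = (f"update to {rec.patched}" if rec.patched
                  else "no patch: mitigate or remove")
        findings.append({"plugin": rec.plugin, "installed": installed,
                         "vulnerability": rec.vulnerability,
                         "priority": rec.privilege_rank(), "action": action})
    findings.sort(key=lambda f: f["priority"])  # stable: ties keep report order
    return findings


if __name__ == "__main__":
    for f in triage(parse_listing(SAMPLE_LISTING), SAMPLE_INVENTORY):
        print(f"[{f['priority']}] {f['plugin']} {f['installed']}: {f['action']}")
```

Two caveats when using this against real data: the plugin name in the report must match the name your inventory reports exactly (slugs are more reliable than display titles when you have them), and a plugin at or above the patched version is silently skipped, so a mistyped inventory version hides a finding rather than raising it.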