Plugin: Ivory Search – WordPress Search Plugin
Vulnerability: Information Exposure via AJAX Search Form
Patched Version: 5.5.7
Recommended Action: Update to version 5.5.7, or a newer patched version
Plugin: Remember Me Controls
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: HelloAsso
Vulnerability: Missing Authorization to Authenticated (Contributor+) Limited Options Update
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version
Plugin: Big File Uploads – Increase Maximum File Upload Size
Vulnerability: Authenticated (Author+) Full Path Disclosure
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Cab fare calculator
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Newsletters
Vulnerability: Authenticated Privilege Escalation
Patched Version: 4.9.9.3
Recommended Action: Update to version 4.9.9.3, or a newer patched version
Plugin: Geo Controller
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Menu Creation/Deletion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booking for Appointments and Events Calendar – Amelia Premium
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Revision Manager TMC
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending
Patched Version: 2.8.20
Recommended Action: Update to version 2.8.20, or a newer patched version
Plugin: LiteSpeed Cache
Vulnerability: Unauthenticated Sensitive Information Exposure via Log Files
Patched Version: 6.5.0.1
Recommended Action: Update to version 6.5.0.1, or a newer patched version
Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 7.7.6
Recommended Action: Update to version 7.7.6, or a newer patched version
Plugin: Advanced Sermons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: Ninja Forms – File Uploads
Vulnerability: Unauthenticated Stored Cross-Site Scripting via File Upload
Patched Version: 3.3.18
Recommended Action: Update to version 3.3.18, or a newer patched version
Plugin: Geo Controller
Vulnerability: Missing Authorization to Unauthenticated Shortcode Execution
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin
Vulnerability:
Patched Version: 2.9.9.5.1
Recommended Action: Update to version 2.9.9.5.1, or a newer patched version
Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
Vulnerability: 6.5.5
Patched Version: 6.5.6
Recommended Action: Update to version 6.5.6, or a newer patched version
Plugin: Dynamic Featured Image
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via dfiFeatured Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Customizer Export/Import
Vulnerability: Authenticated (Admin+) Arbitrary File Upload via Customization Settings Import
Patched Version: 0.9.7.1
Recommended Action: Update to version 0.9.7.1, or a newer patched version
Plugin: Preloader Plus – WordPress Loading Screen Plugin
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Recall – Registration, Profile, Commerce & More
Vulnerability: Insecure Direct Object Reference to Unauthenticated Arbitrary Password Update
Patched Version: 16.26.9
Recommended Action: Update to version 16.26.9, or a newer patched version
Plugin: RD Station
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.4.0
Recommended Action: Update to version 5.4.0, or a newer patched version
Plugin: Form Vibes – Database Manager for Forms
Vulnerability: Missing Authorization in Multiple Functions
Patched Version: 1.4.13
Recommended Action: Update to version 1.4.13, or a newer patched version
Plugin: WP AdCenter – Ad Manager & Adsense Ads
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ad_alignment Attribute
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version
Plugin: ForumWP – Forum & Discussion Board Plugin
Vulnerability: Insecure Direct Object Reference to Authenticated (Subscriber+) Privilege Escalation via Account Takeover
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Security, Antivirus, Firewall – S.A.F
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Share This Image
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via STI Buttons Shortcode
Patched Version: 2.03
Recommended Action: Update to version 2.03, or a newer patched version
Plugin: Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: WPCOM Member
Vulnerability: Unauthenticated Privilege Escalation via User Meta
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Enter Addons – Ultimate Template Builder for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Events Card Widget
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cost Calculator Builder PRO
Vulnerability: Unauthenticated Price Manipulation
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.