Plugin: YITH Custom Login
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: WP Booking System – Booking Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.19.9
Recommended Action: Update to version 2.0.19.9, or a newer patched version
Plugin: Roles & Capabilities
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 2.8.12
Recommended Action: Update to version 2.8.12, or a newer patched version
Plugin: WordPress Affiliates Plugin — SliceWP Affiliates
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.21
Recommended Action: Update to version 1.1.21, or a newer patched version
Plugin: Classified Listing – Classified ads & Business Directory Plugin
Vulnerability: Missing Authorization
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Unauthorized User Registration
Patched Version: 4.15.4
Recommended Action: Update to version 4.15.4, or a newer patched version
Plugin: amCharts: Charts and Maps
Vulnerability: Reflected Cross-Site Scripting via Cross-Site Request Forgery
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Cron Jobs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Backuply – Backup, Restore, Migrate and Clone
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: WP Test Email
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery Widget
Patched Version: 6.0.4
Recommended Action: Update to version 6.0.4, or a newer patched version
Plugin: Email Obfuscate Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fusion Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via fusion_button Shortcode
Patched Version: 3.11.10
Recommended Action: Update to version 3.11.10, or a newer patched version
Plugin: Simple Spoiler
Vulnerability: 1.3
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Custom Post Limits
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stream
Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: PDF Thumbnail Generator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Waitlist Woocommerce ( Back in stock notifier )
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Unauthenticated SQL Injection via ‘c_fields’
Patched Version: 4.2.7.1
Recommended Action: Update to version 4.2.7.1, or a newer patched version
Plugin: WP Simple Booking Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version
Plugin: WPFactory Helper
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: WooCommerce Multiple Free Gift
Vulnerability: Insufficient Server-Side Validation to Arbitrary Gift Adding
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Lucas String Replace
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Exit Notifier
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Login with phone number
Vulnerability: Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation
Patched Version: 1.7.50
Recommended Action: Update to version 1.7.50, or a newer patched version
Plugin: FOX – Currency Switcher Professional for WooCommerce
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.4.2.2
Recommended Action: Update to version 1.4.2.2, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Unauthenticated SQL Injection via ‘c_only_fields’
Patched Version: 4.2.7.1
Recommended Action: Update to version 4.2.7.1, or a newer patched version
Plugin: WP Editor
Vulnerability: Authenticated (Admin+) PHAR Deserialization
Patched Version: 1.2.9.1
Recommended Action: Update to version 1.2.9.1, or a newer patched version
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Authenticated (Subscriber+) Limited Arbitrary File Upload
Patched Version: 4.15.4
Recommended Action: Update to version 4.15.4, or a newer patched version