Plugin: LiteSpeed Cache
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version
Plugin: Backup Database
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via template_id
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version
Plugin: Premium Packages – Sell Digital Products Securely
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Vulnerability: Insecure Direct Object Reference to Account Takeover and Privilege Escalation
Patched Version: 1.8.1.15
Recommended Action: Update to version 1.8.1.15, or a newer patched version
Plugin: Special Text Boxes
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Themesflat Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Calendar – Google Calendar Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: MC4WP: Mailchimp for WordPress
Vulnerability: 4.9.16
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification
Vulnerability: Missing Authorization to Unauthenticated Database Upgrade
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: Appointment & Event Booking Calendar Plugin – Webba Booking
Vulnerability: Missing Authorization to Authenticated (Subscriber+) CSS Settings Update
Patched Version: 5.0.50
Recommended Action: Update to version 5.0.50, or a newer patched version
Plugin: AnWP Football Leagues
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 0.16.8
Recommended Action: Update to version 0.16.8, or a newer patched version
Plugin: Garden Gnome Package
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: WPZOOM Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via box Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: W3 Total Cache
Vulnerability: Sensitive Credentials Stored in Plaintext
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version
Plugin: Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Beam me up Scotty – Back to Top Button
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.22
Recommended Action: Update to version 1.0.22, or a newer patched version
Plugin: Graphicsly – The ultimate graphics plugin for WordPress website builder ( Gutenberg, Elementor, Beaver Builder, WPBakery )
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form to Any API
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Contact Form
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Nav Archives
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooEvents – Calendar and Event Booking
Vulnerability: Unauthenticated Arbitrary File Overwrite
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version
Plugin: OneElements – Best Elementor Addons
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Prisna GWT – Google Website Translator
Vulnerability: Google Website Translator <= 1.4.11
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version
Plugin: Kodex Posts likes
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute
Patched Version: 2.0.79
Recommended Action: Update to version 2.0.79, or a newer patched version
Plugin: Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.70.4
Recommended Action: Update to version 1.2.70.4, or a newer patched version
Plugin: BA Book Everything
Vulnerability: Unauthenticated Arbitrary User Password Reset
Patched Version: 1.6.21
Recommended Action: Update to version 1.6.21, or a newer patched version
Plugin: Confetti Fall Animation
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via confetti-fall-animation Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy PayPal Events
Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Authenticated (Admin+) PHAR Deserialization
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: Uncanny Groups for LearnDash
Vulnerability: Authenticated (Group Leader+) Privilege Escalation
Patched Version: 6.1.1
Recommended Action: Update to version 6.1.1, or a newer patched version
Plugin: REST API TO MiniProgram
Vulnerability: Unauthenticated SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Revolut Gateway for WooCommerce
Vulnerability: Missing Authorization to Unauthenticated Order Status Update
Patched Version: 4.17.4
Recommended Action: Update to version 4.17.4, or a newer patched version
Plugin: Themesflat Addons For Elementor
Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Vulnerability: Insecure Direct Object Reference to Account Takeover/Privilege Escalation
Patched Version: 6.7.13
Recommended Action: Update to version 6.7.13, or a newer patched version
Plugin: MAS Static Content
Vulnerability: Authenticated (Contributor+) Private Static Content Page Disclosure
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: WP Category Dropdown
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Daily Prayer Time
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 2024.09.14
Recommended Action: Update to version 2024.09.14, or a newer patched version
Plugin: WP GPX Maps
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sgpx Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.3.3.4
Recommended Action: Update to version 1.3.3.4, or a newer patched version
Plugin: Material Design Icons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mdi-icon Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure
Patched Version: 3.12.3
Recommended Action: Update to version 3.12.3, or a newer patched version
Plugin: XT Ajax Add To Cart for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Uncanny Groups for LearnDash
Vulnerability: Missing Authorization to Authenticated (Group Leader+) User Group Add
Patched Version: 6.1.1
Recommended Action: Update to version 6.1.1, or a newer patched version
Plugin: MC4WP: Mailchimp for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.9.17
Recommended Action: Update to version 4.9.17, or a newer patched version
Plugin: Limit Login Attempts Plus – WordPress Limit Login Attempts By Felix
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 2.9.8
Recommended Action: Update to version 2.9.8, or a newer patched version
Plugin: REST API TO MiniProgram
Vulnerability: Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BA Book Everything
Vulnerability: Cross-Site Request Forgery to Email Address Update/Account Takeover
Patched Version: 1.6.21
Recommended Action: Update to version 1.6.21, or a newer patched version
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.3.3.4
Recommended Action: Update to version 1.3.3.4, or a newer patched version
Plugin: Easy Mega Menu Plugin for WordPress – ThemeHunk
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Updates
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: WP Easy Gallery – WordPress Gallery Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Gallery Manipulation
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementsKit Elementor addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Video Widget
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version
Plugin: Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via piechart_settings Parameter
Patched Version: 8.5.1
Recommended Action: Update to version 8.5.1, or a newer patched version
Plugin: WP Easy Gallery – WordPress Gallery Plugin
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HUSKY – Products Filter Professional for WooCommerce
Vulnerability: Insecure Direct Object Reference to Unsubscribe
Patched Version: 1.3.6.2
Recommended Action: Update to version 1.3.6.2, or a newer patched version
Plugin: Koko Analytics
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.13
Recommended Action: Update to version 1.3.13, or a newer patched version
Plugin: PeoplePond
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Custom Fields Search
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpcfs-preset Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GutenGeek Free Gutenberg Blocks for WordPress
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Simple HTML Sitemap
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: The Events Calendar
Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.6.4.1
Recommended Action: Update to version 6.6.4.1, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Reflected Self-Based Cross-Site Scripting via Referer
Patched Version: 3.8.16
Recommended Action: Update to version 3.8.16, or a newer patched version
Plugin: Seriously Simple Stats
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Pixel Cat – Conversion Pixel Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version