Plugin: PWA — easy way to Progressive Web App
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version
Plugin: BerqWP – Automated All-In-One PageSpeed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Wechat Social login 微信QQ钉钉登录插件
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ibtana – WordPress Website Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute
Patched Version: 1.2.4.5
Recommended Action: Update to version 1.2.4.5, or a newer patched version
Plugin: WP MultiTasking – WP Utilities
Vulnerability: WP Utilities <= 0.1.17
Patched Version: 0.1.18
Recommended Action: Update to version 0.1.18, or a newer patched version
Plugin: SVG Complete
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Relogo
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Absolute Reviews
Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Criteria Name
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Button Group Module
Patched Version: 2.8.3.7
Recommended Action: Update to version 2.8.3.7, or a newer patched version
Plugin: PDF Image Generator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wechat Social login 微信QQ钉钉登录插件
Vulnerability: Authentication Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 123.chat – Video Chat
Vulnerability: Video Chat <= 1.3.1
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Popup Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Slider Revolution
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 6.7.19
Recommended Action: Update to version 6.7.19, or a newer patched version
Plugin: WP Search Analytics
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GTM Server Side
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.20
Recommended Action: Update to version 2.1.20, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.15.28
Recommended Action: Update to version 1.15.28, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.3.3
Recommended Action: Update to version 5.9.3.3, or a newer patched version
Plugin: Hello World
Vulnerability: Authenticated (Subscriber+) Arbitrary File Read
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 012 Ps Multi Languages
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elastik Page Builder
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Download Monitor
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Shop Enable
Patched Version: 5.0.10
Recommended Action: Update to version 5.0.10, or a newer patched version
Plugin: Broken Link Checker
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: EU/UK VAT Manager for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.12.14
Recommended Action: Update to version 2.12.14, or a newer patched version
Plugin: Demo Importer Plus
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: king_IE
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Banners
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Authenticated (GiveWP Manager+) SQL Injection via order Parameter
Patched Version: 3.16.2
Recommended Action: Update to version 3.16.2, or a newer patched version
Plugin: Gravity Forms Toolbar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RumbleTalk Live Group Chat – HTML5
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEOPress – On-site SEO
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version
Plugin: Super Testimonials
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via alignment Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: R Animated Icon Plugin
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Loggedin – Limit Active Logins
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced File Manager
Vulnerability: Authenticated (Administrator+) Local JavaScript File Inclusion via fma_locale
Patched Version: 5.2.9
Recommended Action: Update to version 5.2.9, or a newer patched version
Plugin: Guten Post Layout – An Advanced Post Grid Collection for WordPress Gutenberg
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: KB Support – WordPress Help Desk and Knowledge Base
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Multiple Administrator Actions
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: QS Dark Mode Plugin
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Store Hours for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.22
Recommended Action: Update to version 4.3.22, or a newer patched version
Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.12.9
Recommended Action: Update to version 2.12.9, or a newer patched version
Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version
Plugin: Themedy Toolbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version
Plugin: KB Support – WordPress Help Desk and Knowledge Base
Vulnerability: Missing Authorization to Unauthenticated Ticket Reply Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-WebAuthn
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wwa_login_form Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Hotel Booking
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce
Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 5.7.35
Recommended Action: Update to version 5.7.35, or a newer patched version
Plugin: Advanced File Manager
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 5.2.9
Recommended Action: Update to version 5.2.9, or a newer patched version
Plugin: OSM – OpenStreetMap
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via osm_map and osm_map_v3 Shortcodes
Patched Version: 6.1.1
Recommended Action: Update to version 6.1.1, or a newer patched version
Plugin: GF Custom Style
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Geo Mashup
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via geo_mashup_visible_posts_list Shortcode
Patched Version: 1.13.14
Recommended Action: Update to version 1.13.14, or a newer patched version
Plugin: LH Copy Media File
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Enquiry for WooCommerce, WooCommerce product catalog
Vulnerability: Authenticated (Author+) PHP Object Injection in enquiry_detail.php
Patched Version: 2.2.33.34
Recommended Action: Update to version 2.2.33.34, or a newer patched version
Plugin: AVIF Uploader
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: LocateAndFilter
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mapplic Lite
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Easy Gallery – WordPress Gallery Plugin
Vulnerability: Authenticated (Contributor+) SQL Injection via key Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Auto Featured Image from Title
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YML for Yandex Market
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7.3
Recommended Action: Update to version 4.7.3, or a newer patched version
Plugin: Soumettre.fr
Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via stars_testimonials Shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: MC4WP: Mailchimp Top Bar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Easy WordPress Subscribe – Optin Hound
Vulnerability: Reflected Cross-Site Scripting via add_query_arg Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RabbitLoader – Website Speed Optimization for improving Core Web Vital metrics with Cache, Image Optimization, and more
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.21.1
Recommended Action: Update to version 2.21.1, or a newer patched version
Plugin: XO Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Echo RSS Feed Post Generator
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 5.4.7
Recommended Action: Update to version 5.4.7, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.16.2
Recommended Action: Update to version 3.16.2, or a newer patched version
Plugin: EU/UK VAT Manager for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 2.12.14
Recommended Action: Update to version 2.12.14, or a newer patched version
Plugin: WordPress Infinite Scroll – Ajax Load More
Vulnerability: Ajax Load More <= 7.1.2
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version
Plugin: Simple LDAP Login
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Advanced File Manager
Vulnerability: Authenticated (Subscriber+) Limited File Upload
Patched Version: 5.2.9
Recommended Action: Update to version 5.2.9, or a newer patched version
Plugin: Common Tools for Site
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bulk NoIndex & NoFollow Toolkit
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.16
Recommended Action: Update to version 2.16, or a newer patched version
Plugin: DK PDF
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Load More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Media Grid Widget
Patched Version: 4.10.53
Recommended Action: Update to version 4.10.53, or a newer patched version
Plugin: Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.15
Recommended Action: Update to version 1.3.15, or a newer patched version
Plugin: Spice Starter Sites
Vulnerability: Missing Authorization to Unauthenticated Demo Content Import
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress & WooCommerce Affiliate Program
Vulnerability: Authentication Bypass to Account Takeover and Privilege Escalation
Patched Version: 8.5.0
Recommended Action: Update to version 8.5.0, or a newer patched version
Plugin: Jupiter X Core
Vulnerability: Limited Unauthenticated Authentication Bypass to Account Takeover
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version
Plugin: Sight – Professional Image Gallery and Portfolio
Vulnerability: Missing Authorization to Sensitive Information Exposure in handler_post_title
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 5.7.35
Recommended Action: Update to version 5.7.35, or a newer patched version
Plugin: WordPress Visitors
Vulnerability: Unauthenticated Stored Cross-Site Scripting via HTTP Header
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.