Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading and Icon Picker Widgets
Patched Version: 2.16.4
Recommended Action: Update to version 2.16.4, or a newer patched version
Plugin: Clio Grow
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Delivery Date for WooCommerce – Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: WP Booking Calendar
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 10.6.1
Recommended Action: Update to version 10.6.1, or a newer patched version
Plugin: Bridge Core
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version
Plugin: Easy Demo Importer – A Modern One-Click Demo Import Solution
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: WP Cleanup and Basic Functions
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
Vulnerability: Authenticated (Subscriber+) Limited JavaScript File Upload
Patched Version: 6.5.8
Recommended Action: Update to version 6.5.8, or a newer patched version
Plugin: Image Optimizer, Resizer and CDN – Sirv
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version
Plugin: CMSMasters Content Composer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version
Plugin: WooCommerce Multilingual & Multicurrency with WPML
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.8
Recommended Action: Update to version 5.3.8, or a newer patched version
Plugin: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder
Vulnerability: Authenticated (Form Manager+) Stored Cross-Site Scripting
Patched Version: 5.1.20
Recommended Action: Update to version 5.1.20, or a newer patched version
Plugin: Popularis Extra
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Limit Login Attempts (Spam Protection)
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: 5.4
Recommended Action: Update to version 5.4, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Team Member Widget
Patched Version: 1.3.987
Recommended Action: Update to version 1.3.987, or a newer patched version
Plugin: Survey Maker
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.9.6
Recommended Action: Update to version 4.9.6, or a newer patched version
Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Private Gallery Title Disclosure
Patched Version: 3.2.22
Recommended Action: Update to version 3.2.22, or a newer patched version
Plugin: Social Web Suite – Social Media Auto Post, Social Media Auto Publish
Vulnerability: Directory Traversal to Arbitrary File Download
Patched Version: 4.1.12
Recommended Action: Update to version 4.1.12, or a newer patched version
Plugin: WP Blocks Hub
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: Missing Authorization to Unauthenticated User and Term Metadata Insert, Update, and Delete
Patched Version: 1.0.229
Recommended Action: Update to version 1.0.229, or a newer patched version
Plugin: Auto Amazon Links – Amazon Associates Affiliate Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.4.3
Recommended Action: Update to version 5.4.3, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Cross-Site Request Forgery to Membership Status Change
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: Checkout Field Editor (Checkout Manager) for WooCommerce
Vulnerability: Reflected Cross-Site Scripting via render_review_request_notice
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Aggregator Advanced Settings
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Login Logout Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smart Custom 404 Error Page
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.4.8
Recommended Action: Update to version 11.4.8, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: Re:WP
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Themify Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.3
Recommended Action: Update to version 7.6.3, or a newer patched version
Plugin: Code Embed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 1.0.229
Recommended Action: Update to version 1.0.229, or a newer patched version
Plugin: Advanced Custom Fields (ACF)
Vulnerability: Authenticated (Admin+) Limited Arbitrary Function Call
Patched Version: 6.3.6.1
Recommended Action: Update to one of the following versions, or a newer patched version: 6.3.6.1, 6.3.8
Plugin: BuddyPress Docs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Captcha Plugin by Captcha Bank
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Display Medium Posts
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via display_medium_posts Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hash Form – Drag & Drop Form Builder
Vulnerability: Drag & Drop Form Builder <= 1.1.9
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Fish and Ships – Most flexible shipping table rate. A WooCommerce shipping rate
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: ShiftController Employee Shift Scheduling
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.67
Recommended Action: Update to version 4.9.67, or a newer patched version
Plugin: Quantity Dynamic Pricing & Bulk Discounts for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version
Plugin: Memberful – Membership Plugin
Vulnerability: Authenticated (contributor+) Stored Cross-Site Scripting
Patched Version: 1.73.8
Recommended Action: Update to version 1.73.8, or a newer patched version
Plugin: Easy Mega Menu Plugin for WordPress – ThemeHunk
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version