Watch Out Wednesday – October 23, 2024

Plugin: Miniorange OTP Verification with Firebase

Vulnerability: Authentication Bypass
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Fonto – Custom Web Fonts Manager

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: WP Photo Album Plus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.8.07.004
Recommended Action: Update to version 8.8.07.004, or a newer patched version

Plugin: Parallax Image

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via dd-parallax Shortcode
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: SendPulse Free Web Push

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin

Vulnerability: Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover
Patched Version: 1.0.26
Recommended Action: Update to version 1.0.26, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Cross-Site Request Forgery to Draft Custom Form Creation
Patched Version: 1.36.0
Recommended Action: Update to version 1.36.0, or a newer patched version

Plugin: The Ultimate WordPress Toolkit – WP Extended

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.10
Recommended Action: Update to version 3.0.10, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Cross-Site Request Forgery to Draft Quiz Creation
Patched Version: 1.36.0
Recommended Action: Update to version 1.36.0, or a newer patched version

Plugin: Miniorange OTP Verification with Firebase

Vulnerability: Unauthenticated Arbitrary User Password Change
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Flexmls® IDX Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.14.23
Recommended Action: Update to version 3.14.23, or a newer patched version

Plugin: ReDi Restaurant Reservation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 24.1015
Recommended Action: Update to version 24.1015, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Subscriber+) Private Post Disclosure
Patched Version: 1.3.987
Recommended Action: Update to version 1.3.987, or a newer patched version

Plugin: Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors

Vulnerability: Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version

Plugin: Calculated Fields Form

Vulnerability: HTML Injection
Patched Version: 5.2.46
Recommended Action: Update to version 5.2.46, or a newer patched version

Plugin: افزونه پیامک ووکامرس Persian WooCommerce SMS (the Persian part of the title means "WooCommerce SMS Plugin")

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.0.3
Recommended Action: Update to version 7.0.3, or a newer patched version

Plugin: Miniorange OTP Verification with Firebase

Vulnerability: Privilege Escalation via Registration due to Administrator Default User Role Value
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
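Each entry above names a plugin and the first version that carries the fix, so the practical check is whether what a site has installed is older than that version. The following Python is an added example, not code from the original page or from any of the plugin projects: it parses entries written in this page's "Plugin / Vulnerability / Patched Version" layout and flags installed plugins that are below the patched version. The comparison is segment-wise numeric, so 8.8.07.004 and 8.8.7.4 are treated as the same release, 24.0912 sorts below 24.1015, and a pre-release suffix such as 3.6.1-beta sorts below 3.6.1. The inventory dictionary is constructed for illustration; on a real site it would be filled from the plugin titles and versions reported by WP-CLI (e.g. `wp plugin list --fields=title,version --format=json`).

```python
"""Triage installed WordPress plugin versions against an advisory list.

Added example; not part of the original page.  ADVISORY_TEXT is a subset
of the page's own entries, and SAMPLE_INVENTORY is constructed data.
"""
import re
from typing import Dict, List, NamedTuple

# A subset of this page's entries, copied in the page's own layout.
ADVISORY_TEXT = """
Plugin: Miniorange OTP Verification with Firebase

Vulnerability: Authentication Bypass
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: WP Photo Album Plus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.8.07.004
Recommended Action: Update to version 8.8.07.004, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Cross-Site Request Forgery to Draft Custom Form Creation
Patched Version: 1.36.0
Recommended Action: Update to version 1.36.0, or a newer patched version

Plugin: Miniorange OTP Verification with Firebase

Vulnerability: Unauthenticated Arbitrary User Password Change
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: ReDi Restaurant Reservation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 24.1015
Recommended Action: Update to version 24.1015, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Subscriber+) Private Post Disclosure
Patched Version: 1.3.987
Recommended Action: Update to version 1.3.987, or a newer patched version

Plugin: Miniorange OTP Verification with Firebase

Vulnerability: Privilege Escalation via Registration due to Administrator Default User Role Value
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
"""

# Constructed inventory: plugin title -> installed version (hypothetical site).
SAMPLE_INVENTORY: Dict[str, str] = {
    "Miniorange OTP Verification with Firebase": "3.6.0",
    "WP Photo Album Plus": "8.8.7.4",  # same release as 8.8.07.004
    "Forminator Forms – Contact Form, Payment Form & Custom Form Builder": "1.36.0",
    "ReDi Restaurant Reservation": "24.0912",
    "Royal Elementor Addons and Templates": "1.3.986",
    "Hello Dolly": "1.7.2",  # not on the advisory list
}


class Advisory(NamedTuple):
    plugin: str
    vulnerability: str
    patched: str


def parse_advisories(text: str) -> List[Advisory]:
    """A 'Plugin:' line opens an entry; the next 'Vulnerability:' and
    'Patched Version:' lines complete it.  Blank lines are ignored."""
    entries: List[Advisory] = []
    plugin = vuln = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Plugin:"):
            plugin = line[len("Plugin:"):].strip()
        elif line.startswith("Vulnerability:"):
            vuln = line[len("Vulnerability:"):].strip()
        elif line.startswith("Patched Version:"):
            patched = line[len("Patched Version:"):].strip()
            if plugin and vuln and patched:
                entries.append(Advisory(plugin, vuln, patched))
            vuln = ""  # each vulnerability line belongs to one entry only
    return entries


def version_key(version: str) -> List[int]:
    """Split on '.' and '-'; numeric segments become ints (so '07' == '7'),
    non-numeric segments such as 'beta' or 'rc1' become -1 so that a
    pre-release sorts below the final release."""
    parts = [p for p in re.split(r"[.\-]", version.strip().lower()) if p]
    return [int(p) if p.isdigit() else -1 for p in parts]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.
    Shorter keys are padded with 0, so '3.6.1' == '3.6.1.0'."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def triage(advisories: List[Advisory], installed: Dict[str, str]) -> List[dict]:
    """One finding per advisory whose plugin is installed below the patched version."""
    findings = []
    for adv in advisories:
        current = installed.get(adv.plugin)
        if current is not None and compare_versions(current, adv.patched) < 0:
            findings.append({"plugin": adv.plugin, "installed": current,
                             "patched": adv.patched, "vulnerability": adv.vulnerability})
    return findings


if __name__ == "__main__":
    for f in triage(parse_advisories(ADVISORY_TEXT), SAMPLE_INVENTORY):
        print(f"{f['plugin']}: {f['installed']} < {f['patched']}  ({f['vulnerability']})")
```

Matching on the display title is convenient for a list like this one but brittle (titles change between releases and differ between the plugin header and the directory listing); for anything automated, key on the plugin slug instead. The same plugin can appear several times when, as with Miniorange OTP Verification with Firebase here, one release fixes several issues, and the triage deliberately reports each of them.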