Plugin: Miniorange OTP Verification with Firebase
Vulnerability: Authentication Bypass
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: Photo Gallery Slideshow & Masonry Tiled Gallery
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Product Customizer Light
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Easy Post Types
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Suki Sites Import
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EventON Pro
Vulnerability: WordPress Virtual Event Calendar Plugin <= 4.6.8
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version
Plugin: Time Clock Pro
Vulnerability: Unauthenticated (Limited) Remote Code Execution
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Social Share With Floating Bar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fonto – Custom Web Fonts Manager
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Edit WooCommerce Templates
Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Photo Album Plus
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.8.07.004
Recommended Action: Update to version 8.8.07.004, or a newer patched version
Plugin: Infinite-Scroll
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elemenda
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GetResponse Forms by Optin Cat
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Parallax Image
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via dd-parallax Shortcode
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: DPD Baltic Shipping
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SendPulse Free Web Push
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin
Vulnerability: Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover
Patched Version: 1.0.26
Recommended Action: Update to version 1.0.26, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Cross-Site Request Forgery to Draft Custom Form Creation
Patched Version: 1.36.0
Recommended Action: Update to version 1.36.0, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.10
Recommended Action: Update to version 3.0.10, or a newer patched version
Plugin: Branding
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Cross-Site Request Forgery to Draft Quiz Creation
Patched Version: 1.36.0
Recommended Action: Update to version 1.36.0, or a newer patched version
Plugin: Parcel Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementInvader Addons for Elementor
Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Miniorange OTP Verification with Firebase
Vulnerability: Unauthenticated Arbitrary User Password Change
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: Bulk images optimizer: Resize, optimize, convert to webp, rename …
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Debrandify · Remove or Replace WordPress Branding
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Flexmls® IDX Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.14.23
Recommended Action: Update to version 3.14.23, or a newer patched version
Plugin: WordPress Social Share Buttons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.20
Recommended Action: Update to version 1.20, or a newer patched version
Plugin: Click to Chat – WP Support All-in-One Floating Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpsaio_snapchat Shortcode
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: RSS Feed Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via rfw-youtube-videos Shortcode
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: SendGrid for WordPress
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Log Deletion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ReDi Restaurant Reservation
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 24.1015
Recommended Action: Update to version 24.1015, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Subscriber+) Private Post Disclosure
Patched Version: 1.3.987
Recommended Action: Update to version 1.3.987, or a newer patched version
Plugin: WP Easy Post Types
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors
Vulnerability: Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version
Plugin: WP Easy Post Types
Vulnerability: Authenticated (Subscriber+) Missing Authorization via Multiple Functions
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: StreamWeasels Twitch Integration
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sw-twitch-embed Shortcode
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version
Plugin: Gantry 4 Framework
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MAS Companies For WP Job Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version
Plugin: Add Widget After Content
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Calculated Fields Form
Vulnerability: HTML Injection
Patched Version: 5.2.46
Recommended Action: Update to version 5.2.46, or a newer patched version
Plugin: افزونه پیامک ووکامرس Persian WooCommerce SMS
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.0.3
Recommended Action: Update to version 7.0.3, or a newer patched version
Plugin: Flat UI Button
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via flatbtn Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Arconix Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.13
Recommended Action: Update to version 2.1.13, or a newer patched version
Plugin: Miniorange OTP Verification with Firebase
Vulnerability: Privilege Escalation via Registration due to Administrator Default User Role Value
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: Advanced Category and Custom Taxonomy Image
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ad_tax_image Shortcode
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Easy Menu Manager | WPZest
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.