Plugin: ID-SK Toolkit
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementsKit Elementor addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison Widget
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: Contact Form 7 – Repeatable Fields
Vulnerability: Repeatable Fields <= 2.0.1
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: WP Awesome Login
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Recipe Maker
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via ‘tooltip’
Patched Version: 9.7.0
Recommended Action: Update to version 9.7.0, or a newer patched version
Plugin: Extra Product Options Builder for WooCommerce
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.2.134
Recommended Action: Update to version 1.2.134, or a newer patched version
Plugin: App Builder – Create Native Android & iOS Apps On The Flight
Vulnerability: Privilege Escalation and Account Takeover via Weak OTP
Patched Version: 5.3.8
Recommended Action: Update to version 5.3.8, or a newer patched version
Plugin: File Upload Types by WPForms
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Transaction Log
Patched Version: 4.0.4.8
Recommended Action: Update to version 4.0.4.8, or a newer patched version
Plugin: WP show more
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via show_more Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image Map Pro – Drag-and-drop Builder for Interactive Images
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.0.21
Recommended Action: Update to version 6.0.21, or a newer patched version
Plugin: League of Legends Shortcodes
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Uix Shortcodes – Compatible with Gutenberg
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: School Management System – WPSchoolPress
Vulnerability: Insecure Direct Object Reference to Authenticated (Teacher+) Account Takeover/Privilege Escalation
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BuddyPress
Vulnerability: Authenticated (Subscriber+) Directory Traversal
Patched Version: 14.2.1
Recommended Action: Update to version 14.2.1, or a newer patched version
Plugin: League of Legends Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wux Blog Editor
Vulnerability: Authentication Bypass to Administrator
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Beek Widget Extention
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WatchTowerHQ
Vulnerability: Authentication Bypass to Administrator due to Missing Empty Value Check
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bamazoo – Button Generator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via dgs Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Missing Authorization to Forged Vendor Profile Deletion Email Sending
Patched Version: 4.2.5
Recommended Action: Update to version 4.2.5, or a newer patched version
Plugin: WP-Members Membership Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpmem_loginout Shortcode
Patched Version: 3.4.9.6
Recommended Action: Update to version 3.4.9.6, or a newer patched version
Plugin: WordPress Post Grid Layouts with Pagination – Sogrid
Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PriPre
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 4.0.1.7
Recommended Action: Update to version 4.0.1.7, or a newer patched version
Plugin: WooCommerce UPS Shipping – Live Rates and Access Points
Vulnerability: Missing Authorization to Plugin API key reset
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: AMP for WP – Accelerated Mobile Pages
Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 1.0.99.2
Recommended Action: Update to version 1.0.99.2, or a newer patched version
Plugin: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.42
Recommended Action: Update to version 2.3.42, or a newer patched version
Plugin: WP Crowdfunding
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpcf_donate Shortcode
Patched Version: 2.1.12
Recommended Action: Update to version 2.1.12, or a newer patched version
Plugin: Simple News
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via news Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce
Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Post Publication
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version
Plugin: Image Map Pro – Drag-and-drop Builder for Interactive Images
Vulnerability: Missing Authorization to Authenticated (Contributor+) Map Project Add/Update/Delete
Patched Version: 6.0.21
Recommended Action: Update to version 6.0.21, or a newer patched version
Plugin: Shoutcast Icecast HTML5 Radio Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Toolkit
Vulnerability: Authenticated (Subscriber+) Authentication Bypass
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Awesome buttons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via btn2 Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forms for Mailchimp by Optin Cat – Grow Your MailChimp List
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPS Telegram Chat
Vulnerability: Missing Authorization to Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Editorial Assistant by Sovrn
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Attachment Upload and Set Post Featured Image
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Vulnerability: Authenticated (Administrator+) SQL Injection via Order_by Parameter
Patched Version: 5.4.7
Recommended Action: Update to version 5.4.7, or a newer patched version
Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Poll Settings
Patched Version: 5.4.7
Recommended Action: Update to version 5.4.7, or a newer patched version
Plugin: Editor Custom Color Palette
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wp Social Login and Register Social Counter
Vulnerability: Authentication Bypass
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: Comments – wpDiscuz
Vulnerability: Authentication Bypass
Patched Version: 7.6.25
Recommended Action: Update to version 7.6.25, or a newer patched version
Plugin: Mapster WP Maps
Vulnerability: Incorrect Authorization to Authenticated (Contributor+) Arbitrary Options Update
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Cross-Site Request Forgery to Vendor Updates
Patched Version: 4.2.5
Recommended Action: Update to version 4.2.5, or a newer patched version
Plugin: Compact WP Audio Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sc_embed_player Shortcode
Patched Version: 1.9.14
Recommended Action: Update to version 1.9.14, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.0.4.8
Recommended Action: Update to version 4.0.4.8, or a newer patched version
Plugin: 10Web Social Post Feed
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Missing Authorization to Authenticated (Contributor+) Form Update and Creation
Patched Version: 1.36.0
Recommended Action: Update to version 1.36.0, or a newer patched version
Plugin: Order Notification for Telegram
Vulnerability: Missing Authorization to Unauthenticated Send Telegram Test Message
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wux Blog Editor
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Monkee-Boy Essentials
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPS Telegram Chat
Vulnerability: Authenticated (Subscriber+) Unauthorized Access to Telegram Bot API
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Extensions by HocWP Team
Vulnerability: Authentication Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clever Addons for Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FormFacade – WordPress plugin for Google Forms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Download Monitor
Vulnerability: Missing Authorization to API Key Manipulation
Patched Version: 5.0.13
Recommended Action: Update to version 5.0.13, or a newer patched version
Plugin: Terms descriptions
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version