Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Custom Gallery Widget
Patched Version: 5.10.2
Recommended Action: Update to version 5.10.2, or a newer patched version
Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.1.17
Recommended Action: Update to version 1.1.17, or a newer patched version
Plugin: SIP Reviews Shortcode for WooCommerce
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy SVG Upload
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Get Quote For Woocommerce – Request A Quote For Woocommerce
Vulnerability: Missing Authorization to Unauthenticated Quote PDF and CSV Download
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ReCaptcha Integration for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: Multiple Page Generator Plugin – MPG
Vulnerability: Missing Authorization
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Age Gate
Patched Version: 5.10.2
Recommended Action: Update to version 5.10.2, or a newer patched version
Plugin: Shortcodes Blocks Creator Ultimate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: BBP Core – Expand bbPress powered forums with useful features
Vulnerability: Reflected Cross-Site Scripting via add_query_arg Parameter
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: Woo Manage Fraud Orders
Vulnerability: Unauthenticated Information Exposure via Log Files
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SIP Reviews Shortcode for WooCommerce
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Group Chat & Video Chat by AtomChat
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via atomchat Shortcode
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: AI Power: Complete AI Pack
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.8.90
Recommended Action: Update to version 1.8.90, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Widget
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: WP Simple Anchors Links
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpanchor Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPGlobus Translate Options
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Insecure Direct Object Reference to Submission Manipulation
Patched Version: 1.36.1
Recommended Action: Update to version 1.36.1, or a newer patched version