Plugin: Envo Extra
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version
Plugin: Algori PDF Viewer
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: SysBasics Customize My Account for WooCommerce
Vulnerability: Reflected Cross-Site Scripting via tab Parameter
Patched Version: 2.7.30
Recommended Action: Update to version 2.7.30, or a newer patched version
Plugin: Code Embed
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Reflected Cross-Site Scripting via add_query_arg Parameter
Patched Version: 1.15.31
Recommended Action: Update to version 1.15.31, or a newer patched version
Plugin: WooCommerce Support Ticket System
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 17.8
Recommended Action: Update to version 17.8, or a newer patched version
Plugin: Debug Tool
Vulnerability: Missing Authorization to Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_link Shortcode
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version
Plugin: Countdown Timer block – Display the event's date into a timer.
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Lenxel Core for Lenxel(LNX) LMS
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Shortcode for Google Maps
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Category Ajax Filter
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: CE21 Suite
Vulnerability: Authentication Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form 7 – PayPal & Stripe Add-on
Vulnerability: PayPal & Stripe Add-on <= 2.3.1
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: User Meta – User Profile Builder and User management plugin
Vulnerability: Insecure Direct Object Reference to Sensitive Information Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Photo Album Plus
Vulnerability: Unauthenticated Arbitrary Shortcode Execution via getshortcodedrenderedfenodelay
Patched Version: 8.9.01.001
Recommended Action: Update to version 8.9.01.001, or a newer patched version
Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Vulnerability: Authenticated (Administrator+) Time-Based SQL Injection
Patched Version: 5.4.7
Recommended Action: Update to version 5.4.7, or a newer patched version
Plugin: Debug Tool
Vulnerability: Unauthenticated Arbitrary File Creation
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy SVG Support
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version
Plugin: CE21 Suite
Vulnerability: JWT Token Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Membership
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.3.1
Recommended Action: Update to version 1.8.3.1, or a newer patched version
Plugin: WordPress User Extra Fields
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 16.6
Recommended Action: Update to version 16.6, or a newer patched version
Plugin: Elementor Header & Footer Builder
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.6.46
Recommended Action: Update to version 1.6.46, or a newer patched version
Plugin: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: SKT Addons for Elementor
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: Attesa Extra
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Quform – WordPress Form Builder
Vulnerability: WordPress Form Builder <= 2.20.0
Patched Version: 2.21.0
Recommended Action: Update to version 2.21.0, or a newer patched version
Plugin: Leopard – WordPress Offload Media
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Content Slider Block
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version
Plugin: RegistrationMagic – User Registration Plugin with Custom Registration Forms
Vulnerability: Unauthenticated Privilege Escalation via Password Recovery
Patched Version: 6.0.2.7
Recommended Action: Update to version 6.0.2.7, or a newer patched version
Plugin: CE21 Suite
Vulnerability: Missing Authorization to Unauthenticated Plugin Settings Change
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FOX – Currency Switcher Professional for WooCommerce
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 1.4.2.3
Recommended Action: Update to version 1.4.2.3, or a newer patched version
Plugin: WooCommerce Support Ticket System
Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 17.8
Recommended Action: Update to version 17.8, or a newer patched version
Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 2.13.1
Recommended Action: Update to version 2.13.1, or a newer patched version
Plugin: Cowidgets – Elementor Addons
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Support Ticket System
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 17.8
Recommended Action: Update to version 17.8, or a newer patched version
Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)
Vulnerability: Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) <= 3.15.18
Patched Version: 3.15.19
Recommended Action: Update to version 3.15.19, or a newer patched version
Plugin: Cowidgets – Elementor Addons
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.