Plugin: SimpleForm – Contact form made simple
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP AdCenter – Ad Manager & Adsense Ads
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpadcenter_ad Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Blogger 301 Redirect
Vulnerability: Unauthenticated SQL Injection via br
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elfsight Telegram Chat CC
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX
Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 4.1.17
Recommended Action: Update to version 4.1.17, or a newer patched version
Plugin: SimpleForm Contact Form Submissions
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popularis Extra
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Music Player for Elementor – Audio Player & Podcast Player
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Template Import
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder
Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Login using WordPress Users ( WP as SAML IDP )
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.15.7
Recommended Action: Update to version 1.15.7, or a newer patched version
Plugin: WP Chat App
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Filebird Plugin Installation
Patched Version: 3.6.9
Recommended Action: Update to version 3.6.9, or a newer patched version
Plugin: PJW Mime Config
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Video Robot – The Ultimate Video Importer
Vulnerability: Authenticated (Subscriber+) Privilege Escalation via User Meta Update
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Yotpo: Product & Photo Reviews for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.10
Recommended Action: Update to version 1.7.10, or a newer patched version
Plugin: Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Author+) Sensitive Information Exposure to Privilege Escalation
Patched Version: 6.0.10
Recommended Action: Update to version 6.0.10, or a newer patched version
Plugin: PDF Generator Addon for Elementor Page Builder
Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Form File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mapster WP Maps
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Simple Pricing Table
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Activity Log
Vulnerability: Unauthenticated Stored Cross-Site Scripting via User_id Parameter
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version
Plugin: Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.0.8
Recommended Action: Update to version 6.0.8, or a newer patched version
Plugin: 404 Error Monitor
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update via updatePluginSettings Function
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gallery Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Google for WooCommerce
Vulnerability: Information Disclosure via Publicly Accessible PHP Info File
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: SVGPlus
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SVG Block
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.1.25
Recommended Action: Update to version 1.1.25, or a newer patched version
Plugin: Exclusive Divi – Divi Preloader, Modules for Divi & Extra Theme
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Really Simple Security Pro multisite
Vulnerability: 9.1.1.1
Patched Version: 9.1.2
Recommended Action: Update to version 9.1.2, or a newer patched version
Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sonaar_audioplayer Shortcode
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version
Plugin: Tutor LMS Elementor Addons
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 0.9.108
Recommended Action: Update to version 0.9.108, or a newer patched version
Plugin: WordPress GDPR
Vulnerability: Missing Authorization to Unauthenticated Arbitrary User Deletion
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: Steel
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via btn Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure
Patched Version: 6.0.10
Recommended Action: Update to version 6.0.10, or a newer patched version
Plugin: GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress
Vulnerability: Unauthenticated Arbitrary Shortcode Execution via gamipress_get_user_earnings
Patched Version: 7.1.6
Recommended Action: Update to version 7.1.6, or a newer patched version
Plugin: BulkPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress GDPR
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: ConvertCalculator for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id and type Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EleForms – All In One Form Integration including DB for Elementor
Vulnerability: Cross-Site Request Forgery
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Vulnerability: Missing Authorization to Unauthenticated Limited Options Update
Patched Version: 4.9.8
Recommended Action: Update to version 4.9.8, or a newer patched version
Plugin: Hide My WP Ghost – Security & Firewall
Vulnerability: Reflected Cross-Site Scripting via URL
Patched Version: 5.3.02
Recommended Action: Update to version 5.3.02, or a newer patched version
Plugin: LearnPress Export Import – WordPress extension for LearnPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version
Plugin: Bounce Handler MailPoet 3
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: External Database Based Actions
Vulnerability: Authenticated (Subscriber+) Authentication Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chartify – WordPress Chart Plugin
Vulnerability: Unauthenticated Local File Inclusion via source
Patched Version: 2.9.6
Recommended Action: Update to version 2.9.6, or a newer patched version
Plugin: 404 Solution
Vulnerability: Missing Authentication to Sensitive Information Exposure
Patched Version: 2.35.18
Recommended Action: Update to version 2.35.18, or a newer patched version
Plugin: SVG Case Study
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PeproDev WooCommerce Receipt Uploader
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Local Avatars
Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Cache Clearing
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version
Plugin: Customer Reviews for WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Import Cancellation
Patched Version: 5.62.0
Recommended Action: Update to version 5.62.0, or a newer patched version
Plugin: WP Log Viewer
Vulnerability: Missing Authorization
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Uix Slideshow
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Email Subscription Popup
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via print_email_subscribe_form Shortcode
Patched Version: 1.2.23
Recommended Action: Update to version 1.2.23, or a newer patched version
Plugin: Drop Shadow Boxes
Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Backup and Staging by WP Time Capsule
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.22.22
Recommended Action: Update to version 1.22.22, or a newer patched version
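The entries above all reduce to one triage rule: if a patched version is listed, compare it against what is installed and update when the installed version is older; if the patched version is "n/a", no update will fix it and the plugin has to be mitigated or removed. The script below is an added example (not part of the original roundup) that applies that rule to a plugin inventory. It assumes plugins are matched by their display title, in the shape of `wp plugin list --fields=title,version --format=json`; the inventory it runs on is constructed sample data, not output from a real site, and only a handful of the entries above are carried into the advisory table.

```python
"""Triage a WordPress plugin inventory against a vulnerability roundup.

Added example, not the roundup author's own tooling. Each installed plugin
that appears in the roundup is classified as:
  UPDATE   - a patched version is listed and the installed one is older
  OK       - the installed version is at or above the patched version
  NO_PATCH - the roundup lists "n/a", so only mitigation or removal remains
Assumption: plugins are matched by display title, as returned by
`wp plugin list --fields=title,version --format=json`.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Subset of the roundup above: title -> patched version (None means "n/a").
ADVISORIES: Dict[str, Optional[str]] = {
    "Hide My WP Ghost – Security & Firewall": "5.3.02",
    "WP Activity Log": "5.2.2",
    "MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar": "5.9",
    "Backup and Staging by WP Time Capsule": "1.22.22",
    "SimpleForm – Contact form made simple": None,
    "Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder": None,
}

# Constructed sample inventory (not from a real site), in the JSON shape
# produced by `wp plugin list --fields=title,version --format=json`.
SAMPLE_INVENTORY = json.dumps([
    {"title": "Hide My WP Ghost – Security & Firewall", "version": "5.3.2"},
    {"title": "WP Activity Log", "version": "5.1.9"},
    {"title": "MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar",
     "version": "5.9.0"},
    {"title": "Backup and Staging by WP Time Capsule", "version": "1.22.21"},
    {"title": "SimpleForm – Contact form made simple", "version": "2.1.0"},
    {"title": "Unrelated Plugin (not in roundup)", "version": "3.0.1"},
])


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple of integers.

    Trailing zero components are dropped so that "5.9" and "5.9.0" compare
    equal, and leading zeros are ignored so that "5.3.02" equals "5.3.2"
    (the roundup above lists the patch as 5.3.02). Pre-release suffixes such
    as "-beta" are not understood and are simply ignored.
    """
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def classify(installed: str, patched: Optional[str]) -> str:
    """Apply the roundup's recommended-action rule to one plugin."""
    if patched is None:
        return "NO_PATCH"
    return "OK" if parse_version(installed) >= parse_version(patched) else "UPDATE"


def triage(inventory_json: str,
           advisories: Dict[str, Optional[str]] = ADVISORIES) -> List[dict]:
    """Return one finding per installed plugin that appears in the roundup."""
    findings = []
    for plugin in json.loads(inventory_json):
        title = plugin["title"]
        if title not in advisories:
            continue  # not covered by this roundup; nothing to report
        patched = advisories[title]
        findings.append({
            "title": title,
            "installed": plugin["version"],
            "patched": patched if patched is not None else "n/a",
            "status": classify(plugin["version"], patched),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['status']:8} {f['title']}  "
              f"installed={f['installed']} patched={f['patched']}")
```

Matching on display title is fragile (titles change between releases and differ from the plugin slug), so on a real site key the table by slug instead; the version comparison and the "n/a" handling stay the same.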