Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Announcement & Notification Banner – Bulletin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LSX Tour Operator
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stratum – Elementor Widgets
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary User Profile Picture Update
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version
Plugin: Premium Packages – Sell Digital Products Securely
Vulnerability: Sell Digital Products Securely <= 5.9.3
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RecipePress Reloaded
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bard Extra
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Demo Import
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Control horas
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Run Contests, Raffles, and Giveaways with ContestsWP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: StreamWeasels Online Status Bar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.10
Recommended Action: Update to version 2.1.10, or a newer patched version
Plugin: Include Mastodon Feed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Designer
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: Subaccounts for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Friendly Functions for Welcart
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate YouTube Video & Shorts Player With Vimeo
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Playlist/Video Deletion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Content Switcher Widget Elementor Template
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: Lazy load videos and sticky control
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SuevaFree Essential Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: salavat counter Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: Ultimate YouTube Video & Shorts Player With Vimeo
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Setting Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shine PDF Embeder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPAdverts – Classifieds Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)
Vulnerability: Cross-Site Request Forgery to Limited Arbitrary Options Update
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: Lock User Account
Vulnerability: User Lock Bypass
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Theater for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.18.7
Recommended Action: Update to version 0.18.7, or a newer patched version
Plugin: If-So Dynamic Content Personalization
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.9.2.2
Recommended Action: Update to version 1.9.2.2, or a newer patched version
Plugin: Co-marquage service-public.fr
Vulnerability: Reflected Cross-Site Scripting via add_query_arg Parameter
Patched Version: 0.5.77
Recommended Action: Update to version 0.5.77, or a newer patched version
Plugin: UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode)
Vulnerability: Insecure Direct Object Reference to Sensitive Information Exposure via UA_Template Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Parts
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Theme Builder For Elementor
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Activity Log – Monitor & Record User Changes
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Event Context
Patched Version: 2.11.2
Recommended Action: Update to version 2.11.2, or a newer patched version
Plugin: My Contador lesr
Vulnerability: Missing Authorization to Unauthenticated User Registration CSV Export
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.2.4.3
Recommended Action: Update to version 3.2.4.3, or a newer patched version
Plugin: Anonymous Restricted Content
Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version
Plugin: Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.6
Recommended Action: Update to version 3.5.6, or a newer patched version
Plugin: Button Block – Get fully customizable & multi-functional buttons
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Slick Sitemap
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Premium Packages – Sell Digital Products Securely
Vulnerability: Reflected Cross-Site Scripting via add_query_arg
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Grid View Gallery
Vulnerability: Authenticated (Editor+) PHP Object Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Dino Game – Embed Google Chrome Dinosaur Game in WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MailMunch – Grow your Email List
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: F4 Improvements
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Unauthenticated SQL Injection via rating_filter
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: User Registration Setting Bypass to Unauthorized User Registration
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version
Plugin: Pure CSS Circle Progress bar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Membership
Vulnerability: Exposure of Private Personal Information to an Unauthorized Actor
Patched Version: 4.5.6
Recommended Action: Update to version 4.5.6, or a newer patched version
Plugin: WPBakery Visual Composer WHMCS Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via void_wbwhmcse_laouts_search Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form 7 Email Add on
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Twitter Feed – Twitter feeds plugin for WP
Vulnerability: Authenticated (Contributor+) Post Exposure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WIP Incoming Lite
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Crypto and DeFi Widgets – Web3 Cryptocurrency Shortcodes
Vulnerability: Reflected Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Beds24 Online Booking
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via beds24-link Shortcode
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Branda – Branda – White Label & Branding, Custom Login Page Customizer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.22
Recommended Action: Update to version 3.4.22, or a newer patched version
Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: Grey Owl Lightbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.