Plugin: LegalWeb Cloud
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: StreamWeasels YouTube Integration
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: JobSearch WP Job Board
Vulnerability: Authentication Bypass to Account Takeover and Privilege Escalation
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version
Plugin: Posti Shipping
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via generate_notices_html Function
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TI WooCommerce Wishlist
Vulnerability: Missing Authorization to Unauthenticated Plugin Setup Wizard Access
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Unauthenticated Arbitrary Password Reset to Privilege Escalation/Account Takeover
Patched Version: 24.0.8
Recommended Action: Update to version 24.0.8, or a newer patched version
Plugin: Simple Redirection
Vulnerability: Cross-Site Request Forgery to Arbitrary Site Redirect
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘provider_name’
Patched Version: 4.1.4
Recommended Action: Update to version 4.1.4, or a newer patched version
Plugin: Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Intro Tour Tutorial DeepPresentation
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.5.3
Recommended Action: Update to version 6.5.3, or a newer patched version
Plugin: AWeber Forms by Optin Cat
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: Image Alt Text
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Image Alt Text Update
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: File Manager Pro – Filester
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version
Plugin: Additional Custom Order Status for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: LA-Studio Element Kit for Elementor
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: IdeaPush
Vulnerability: Missing Authorization to Board Term Deletion
Patched Version: 8.72
Recommended Action: Update to version 8.72, or a newer patched version
Plugin: Knowledge Base documentation & wiki plugin – BasePress Docs
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Database Update
Patched Version: 2.16.3.4
Recommended Action: Update to version 2.16.3.4, or a newer patched version
Plugin: Social Sharing Plugin – Sassy Social Share
Vulnerability: Reflected Cross-Site Scripting via heateor_mastodon_share Parameter
Patched Version: 3.3.70
Recommended Action: Update to version 3.3.70, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Lightbox Widget
Patched Version: 5.10.6
Recommended Action: Update to version 5.10.6, or a newer patched version
Plugin: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version
Plugin: Pie Register – Social Sites Login (Add on)
Vulnerability: Authentication Bypass
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: BMLT Tabbed Map
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.7.1004
Recommended Action: Update to version 1.7.1004, or a newer patched version
Plugin: Ragic Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: WIP WooCarousel Lite
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: My auctions allegro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.18
Recommended Action: Update to version 3.6.18, or a newer patched version
Plugin: Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version
Plugin: Contact Form Builder by vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via livesite-pay Shortcode
Patched Version: 4.10.5
Recommended Action: Update to version 4.10.5, or a newer patched version
Plugin: Primary Addon for Elementor
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: Form Data Collector
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: jAlbum Bridge
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ar Parameter
Patched Version: 2.0.16
Recommended Action: Update to version 2.0.16, or a newer patched version
Plugin: Charity Addon for Elementor
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quick License Manager – WooCommerce Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.18
Recommended Action: Update to version 2.4.18, or a newer patched version
Plugin: File Manager Pro – Filester
Vulnerability: Authenticated (Administrator+) Local JavaScript File Inclusion
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version
Plugin: CMSMasters Elementor Addon
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 1.15.0
Recommended Action: Update to version 1.15.0, or a newer patched version
Plugin: HLS Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version
Plugin: Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins
Vulnerability: Sensitive Information Exposure
Patched Version: 2.0.59
Recommended Action: Update to version 2.0.59, or a newer patched version
Plugin: SearchIQ – The Search Solution
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version
Plugin: Authors List
Vulnerability: Unauthenticated Arbitrary Shortcode Execution via update_authors_list_ajax
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Email Address Obfuscation
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Widget Options – The #1 WordPress Widget & Block Control Plugin
Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version
Plugin: SG Helper
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Mailster
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.18.0
Recommended Action: Update to version 1.8.18.0, or a newer patched version
Plugin: Flower Delivery by Florist One
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version
Plugin: Campaign Monitor Forms by Optin Cat
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: Classic Addons – WPBakery Page Builder
Vulnerability: Authenticated (Contributor+) Limited Local PHP File Inclusion
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: SEO Landing Page Generator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.66.3
Recommended Action: Update to version 1.66.3, or a newer patched version
Plugin: Listdom – Business Directory and Classified Ads Listings WordPress Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode Parameter
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version
Plugin: Restaurant & Cafe Addon for Elementor
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Kudos Donations – Easy donations and payments with Mollie
Vulnerability: Reflected Cross-Site Scripting via ‘add_query_arg’
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: Accessibility by AllAccessible
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Update
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Tumult Hype Animations
Vulnerability: Authenticated (Author+) Arbitrary File Upload via hypeanimations_panel Function
Patched Version: 1.9.16
Recommended Action: Update to version 1.9.16, or a newer patched version
Plugin: AnyWhere Elementor
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version
Plugin: Spectra – WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Team Widget
Patched Version: 2.16.3
Recommended Action: Update to version 2.16.3, or a newer patched version
Plugin: FAQ Builder AYS
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: Contact Form, Survey & Form Builder – MightyForms
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Job Manager – Company Profiles
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: Pulsating Chat Button
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Login with Vipps and MobilePay
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: BP Profile Shortcodes Extra
Vulnerability: Authenticated (Contributor+) SQL Injection via tab Parameter
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive Lightbox & Gallery
Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version
Plugin: Goodlayers Core
Vulnerability: Reflected Cross-Site Scripting via ‘font-family’
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: B Testimonial – Testimonial plugin for WP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Advanced File Manager
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 5.2.11
Recommended Action: Update to version 5.2.11, or a newer patched version
Plugin: Kudos Donations – Easy donations and payments with Mollie
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: Dollie Hub – Build Your Own WordPress Cloud Platform
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version
Plugin: Accounting for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version
Plugin: Eleblog – Elementor Blog And Magazine Addons
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Deactivation Submission
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive Videos
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: n/a
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPBITS Addons For Elementor Page Builder
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: WP eCards
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.905
Recommended Action: Update to version 1.3.905, or a newer patched version
Plugin: NPS computy
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version
Plugin: Wallet for WooCommerce
Vulnerability: Authenticated (Subscriber+) Incorrect Conversion between Numeric Types
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version