Watch Out Wednesday – April 10, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Auto Poster

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Rights Access Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Falang multilanguage for WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.3.48
Recommended Action: Update to version 1.3.48, or a newer patched version

Plugin: App Builder – Create Native Android & iOS Apps On The Flight

Vulnerability: Open Redirection
Patched Version: 3.8.8
Recommended Action: Update to version 3.8.8, or a newer patched version

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.0.88
Recommended Action: Update to version 1.0.88, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Cross-Site Request Forgery to IP Blocking
Patched Version: 5.2.7
Recommended Action: Update to version 5.2.7, or a newer patched version

Plugin: Popup Cart Lite for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Super Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: Smart Online Order for Clover

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Sensitive Information Exposure
Patched Version: 3.2.10
Recommended Action: Update to version 3.2.10, or a newer patched version

Plugin: Loan Repayment Calculator and Application Form

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Import WP – Export and Import CSV and XML files to WordPress

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 2.13.1
Recommended Action: Update to version 2.13.1, or a newer patched version

Plugin: WP Directory Kit

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Call Now Button – The #1 Click to Call Button for WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Insecure Direct Object Reference
Patched Version: 4.2.6.4
Recommended Action: Update to version 4.2.6.4, or a newer patched version

Plugin: Ultimate Bootstrap Elements for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Widget
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Missing Authorization
Patched Version: 3.9.12
Recommended Action: Update to version 3.9.12, or a newer patched version

Plugin: WholesaleX – WooCommerce Wholesale Plugin (Wholesale Prices, Dynamic Pricing, Tiered Pricing)

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Tracking Code Manager

Vulnerability: Missing Authorization via change_order()
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.20.0
Recommended Action: Update to version 3.20.0, or a newer patched version

Plugin: Customily Product Personalizer

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Wrapper Link Widget
Patched Version: 4.10.17
Recommended Action: Update to version 4.10.17, or a newer patched version

Plugin: CMP – Coming Soon & Maintenance Plugin by NiteoThemes

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 4.1.11
Recommended Action: Update to version 4.1.11, or a newer patched version

Plugin: WordPress Tooltips

Vulnerability: Cross-Site Request Forgery
Patched Version: 9.5.3
Recommended Action: Update to version 9.5.3, or a newer patched version

Plugin: Download Monitor

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 4.9.5
Recommended Action: Update to version 4.9.5, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Missing Authorization
Patched Version: 4.9.11
Recommended Action: Update to version 4.9.11, or a newer patched version

Plugin: Slugs Manager: Delete Old Permalinks from WordPress Database

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Print Page block – Print the entire page or Section.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: HeartThis

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.7.9
Recommended Action: Update to version 5.7.9, or a newer patched version

Plugin: OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Move Addons for Elementor

Vulnerability: Missing Authorization
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Nelio Content – Editorial Calendar & Social Media Scheduling

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via CSV import
Patched Version: 5.7.16
Recommended Action: Update to version 5.7.16, or a newer patched version

Plugin: Calendarista Basic Edition – WordPress appointment booking system

Vulnerability: Missing Authorization
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: Elementor Addons, Widgets and Enhancements – Stax

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: IP Spoofing
Patched Version: 8.2.1
Recommended Action: Update to version 8.2.1, or a newer patched version

Plugin: AppPresser – Mobile App Framework

Vulnerability: Cross-Site Request Forgery via toggle_logging_callback()
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: underConstruction

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.22
Recommended Action: Update to version 1.22, or a newer patched version

Plugin: DX-Watermark

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 4.10.25
Recommended Action: Update to version 4.10.25, or a newer patched version

Plugin: Carousel Anything For WPBakery Page Builder – Touch Slider and Carousel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via forminator_form Shortcode
Patched Version: 1.29.3
Recommended Action: Update to version 1.29.3, or a newer patched version

Plugin: Media Library Folders

Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 8.1.8
Recommended Action: Update to version 8.1.8, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.76
Recommended Action: Update to version 2.2.76, or a newer patched version

Plugin: Hash Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: CGC Maintenance Mode

Vulnerability: IP Spoofing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CGC Maintenance Mode

Vulnerability: Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI WP Writer – automatic content creator, ChatGPT, GPT-4, Dalle 3, FLUX

Vulnerability: Missing Authorization
Patched Version: 3.6.5.6
Recommended Action: Update to version 3.6.5.6, or a newer patched version

Plugin: Broken Images

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Email

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.3.45
Recommended Action: Update to version 1.3.45, or a newer patched version

Plugin: WPC Badge Management for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.6.3
Recommended Action: Update to version 6.6.3, or a newer patched version

Plugin: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

Vulnerability: Missing Authorization in activate_ai_handler and deactivate_ai_handler
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: Contact Form 7 Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Whizzy

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Layouts for Elementor

Vulnerability: Missing Authorization to Unauthenticated Arbitrary File Upload
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: JCH Optimize

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Modification
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: WPvivid Backup for MainWP

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.9.34
Recommended Action: Update to version 0.9.34, or a newer patched version

Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PDF Viewer for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Restricted Email Bypass
Patched Version: 3.11.3
Recommended Action: Update to version 3.11.3, or a newer patched version

Plugin: SellKit – Funnel builder and checkout optimizer for WooCommerce to sell more, faster

Vulnerability: Authenticated (Subscriber+) Arbitrary File Download
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget URL Attribute
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0.2
Recommended Action: Update to version 1.2.0.2, or a newer patched version

Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.5.1
Recommended Action: Update to version 7.5.1, or a newer patched version

Plugin: Add Shortcodes Actions And Filters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Local Pickup for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: pageMash > Page Management

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Social Share Buttons for WordPress

Vulnerability: Missing Authorization
Patched Version: 9.5
Recommended Action: Update to version 9.5, or a newer patched version

Plugin: CRM Perks Forms – WordPress Form Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: LionScripts: IP Blocker Lite

Vulnerability: IP Spoofing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: A WordPress Testimonial Plugin to Showcase Testimonial Slider, Testimonial Grid and More: Solid Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions

Vulnerability: Limited Privilege Escalation
Patched Version: 240325
Recommended Action: Update to version 240325, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via WL Universal Product Layout
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: Social Icons Widget & Block by WPZOOM

Vulnerability: Missing Authorization
Patched Version: 4.2.16
Recommended Action: Update to version 4.2.16, or a newer patched version

Plugin: Zotpress

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 7.3.8
Recommended Action: Update to version 7.3.8, or a newer patched version

Plugin: WP Cost Estimation & Payment Forms Builder

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 10.1.76
Recommended Action: Update to version 10.1.76, or a newer patched version

Plugin: Custom post types, Custom Fields & more

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: Wholesale For WooCommerce

Vulnerability: Unauthenticated Information Exposure
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.7.9
Recommended Action: Update to version 5.7.9, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Directory Traversal via X-FILENAME
Patched Version: 4.0.28
Recommended Action: Update to version 4.0.28, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Author+) Server-Side Request Forgery
Patched Version: 3.2.26
Recommended Action: Update to version 3.2.26, or a newer patched version

Plugin: Post Views Counter

Vulnerability: Cross-Site Request Forgery via save_bulk_post_views()
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Separator Element
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version

Plugin: Post Sliders & Post Grids

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.21
Recommended Action: Update to version 1.0.21, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Missing Authorization
Patched Version: 1.1.4.4
Recommended Action: Update to version 1.1.4.4, or a newer patched version

Plugin: WP Activity Log Premium

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.6.4.1
Recommended Action: Update to version 4.6.4.1, or a newer patched version

Plugin: WP Google Review Slider

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 13.6
Recommended Action: Update to version 13.6, or a newer patched version

Plugin: Image Watermark

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Watermark Modification
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Missing Authorization Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sponsors

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.3.2
Recommended Action: Update to version 1.3.3.2, or a newer patched version

Plugin: Gradient Text Widget for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mighty Classic Pros And Cons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Jeg Elementor Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Box
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.8.45
Recommended Action: Update to version 2.8.45, or a newer patched version

Plugin: Kanban Boards for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart Forms – when you need more than just a contact form

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.96
Recommended Action: Update to version 2.6.96, or a newer patched version

Plugin: bunny.net – WordPress CDN Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Ultimate Maps by Supsystic

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version

Plugin: Benchmark Email Lite

Vulnerability: Cross-Site Request Forgery via page_settings()
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Broken Access Control
Patched Version: 6.8.9
Recommended Action: Update to version 6.8.9, or a newer patched version

Plugin: Post Type Builder

Vulnerability: Missing Authorization to Arbitrary Post/Page Creation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive flipbook wordpress plugin free download

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version

Plugin: Multi Step Form

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.19
Recommended Action: Update to version 1.7.19, or a newer patched version

Plugin: LayerSlider

Vulnerability: 7.10.0
Patched Version: 7.10.1
Recommended Action: Update to version 7.10.1, or a newer patched version

Plugin: WebToffee WP Backup and Migration

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: Chauffeur Taxi Booking System for WordPress

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Memberships Pro – Mailchimp Add On

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: Beaver Themer

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via shortcode
Patched Version: 1.4.9.1
Recommended Action: Update to version 1.4.9.1, or a newer patched version

Plugin: Easy Form Builder – WordPress plugin form builder: contact form, survey form, payment form, and custom form builder

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 3.7.5
Recommended Action: Update to version 3.7.5, or a newer patched version

Plugin: FG Drupal to WordPress

Vulnerability: Sensitive Information Exposure
Patched Version: 3.71.0
Recommended Action: Update to version 3.71.0, or a newer patched version

Plugin: WP Express Checkout (Accept PayPal Payments Easily)

Vulnerability: Unauthenticated Price Manipulation
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: Media Library Folders

Vulnerability: Authenticated (Author+) Directory Traversal
Patched Version: 8.1.9
Recommended Action: Update to version 8.1.9, or a newer patched version

Plugin: Booking Activities

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.20
Recommended Action: Update to version 1.15.20, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Email Settings
Patched Version: 9.6.6
Recommended Action: Update to version 9.6.6, or a newer patched version

Plugin: DELUCKS SEO

Vulnerability: Missing Authorization
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version

Plugin: Klarna for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via title_tag
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version

Plugin: Church Admin

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version

Plugin: Yoo Slider – Image Slider & Video Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lordicon Animated Icons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Radio – Worldwide Online Radio Stations Directory for WordPress

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via Settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Hotel Booking

Vulnerability: Missing Authorization
Patched Version: 2.0.9.3
Recommended Action: Update to version 2.0.9.3, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Better Comments

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.4
Recommended Action: Update to version 4.1.4, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.10
Recommended Action: Update to version 4.9.10, or a newer patched version

Plugin: Special Box for Content

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Builderall Builder for WordPress

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: VS Contact Form

Vulnerability: CAPTCHA Bypass
Patched Version: 14.8
Recommended Action: Update to version 14.8, or a newer patched version

Plugin: WP OAuth Server (OAuth Authentication)

Vulnerability: Open Redirect
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: WordPress Page Builder – Zion Builder

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.6.10
Recommended Action: Update to version 3.6.10, or a newer patched version

Plugin: Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Subscribers and Landing Pages

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Prenotazioni

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ReDi Restaurant Reservation

Vulnerability: Cross-Site Request Forgery via redi_restaurant_admin_options_page()
Patched Version: 24.0303
Recommended Action: Update to version 24.0303, or a newer patched version

Plugin: Olive One Click Demo Import

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload in olive_one_click_demo_import_save_file
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Checkout Field Manager for WooCommerce (My Account, Register)

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Simple Revisions Delete

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Formsite | Embed online forms to collect orders, registrations, leads, and surveys

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Elementor Addons by Livemesh

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via widget _id attribute
Patched Version: 8.3.7
Recommended Action: Update to version 8.3.7, or a newer patched version

Plugin: Classified Listing – Classified ads & Business Directory Plugin

Vulnerability: Cross-Site Request Forgery to Account Takeover via rtcl_update_user_account
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Trailer Box Widget
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version

Plugin: FancyBox for WordPress

Vulnerability: 3.3.3
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Missing Authorization
Patched Version: 4.4.10
Recommended Action: Update to version 4.4.10, or a newer patched version

Plugin: Announcer – Sticky Message Banner, Notification Bar – Add to Top, Bottom of your Website

Vulnerability: Missing Authorization
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version

Plugin: ePoll – Best WordPress Voting Plugin for Poll & Contest

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Mang Board WP

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Chatbot for WordPress by Collect.chat ⚡️

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Booking Package

Vulnerability: Unauthenticated Price Manipulation
Patched Version: 1.6.29
Recommended Action: Update to version 1.6.29, or a newer patched version

Plugin: PeproDev Ultimate Invoice

Vulnerability: Unauthenticated Sensitive Information Exposure via init_plugin
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version

Plugin: Easy Google Maps

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.11.12
Recommended Action: Update to version 1.11.12, or a newer patched version

Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

Vulnerability: Missing Authorization
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Bannerlid

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Author Bio

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Church Admin

Vulnerability: Missing Authorization
Patched Version: 4.1.7
Recommended Action: Update to version 4.1.7, or a newer patched version

Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui

Vulnerability: Authenticated (Author+) Insecure Direct Object Reference
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version

Plugin: Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.12.9
Recommended Action: Update to version 3.12.9, or a newer patched version

Plugin: Post-Plugin Library

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gutenberg

Vulnerability: 18.0.0
Patched Version: 18.01
Recommended Action: Update to version 18.01, or a newer patched version

Plugin: WP Twitter Mega Fan Box Widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via AI Features
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version

Plugin: WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version

Plugin: Announcement & Notification Banner – Bulletin

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.9.0
Recommended Action: Update to version 3.9.0, or a newer patched version

Plugin: SpiderFAQ

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Server Health Stats

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: Custom WooCommerce Checkout Fields Editor

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Elementor Addons by Livemesh

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Display Name
Patched Version: 8.3.7
Recommended Action: Update to version 8.3.7, or a newer patched version

Plugin: WooCommerce Cart Abandonment Recovery

Vulnerability: Cross-Site Request Forgery to Templates/Abandoned Orders Deletion
Patched Version: 1.2.27
Recommended Action: Update to version 1.2.27, or a newer patched version

Plugin: Export and Import Users and Customers

Vulnerability: Authenticated (Shop Manager+) Path Traversal
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: OpenID

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Bookings Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.1.0
Recommended Action: Update to version 7.1.0, or a newer patched version

Plugin: CubeWP – All-in-One Dynamic Content Framework

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.1.13
Recommended Action: Update to version 1.1.13, or a newer patched version

Plugin: SearchIQ – The Search Solution

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

Plugin: Hacklog Down As PDF

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via “Price List” Element
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.1.8
Recommended Action: Update to version 1.4.1.8, or a newer patched version

Plugin: RT Easy Builder – Advanced addons for Elementor

Vulnerability: Missing Authorization
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: Landingi Landing Pages

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Core: WordPress

Vulnerability: Sensitive Information Exposure via redirect_guess_404_permalink
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Missing Authorization
Patched Version: 6.4.7
Recommended Action: Update to version 6.4.7, or a newer patched version

Plugin: User Spam Remover

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Bricksforge

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Email Sending
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Tainacan

Vulnerability: Missing Authorization
Patched Version: 0.20.8
Recommended Action: Update to version 0.20.8, or a newer patched version

Plugin: MM-email2image

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slider by Supsystic

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.11
Recommended Action: Update to version 1.8.11, or a newer patched version

Plugin: Bricksforge

Vulnerability: Missing Authorization to Unauthenticated WordPress Settings Update
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: OSS Aliyun

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title HTML Tag
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Missing Authorization to Unauthenticated Information Disclosure
Patched Version: 3.59.1
Recommended Action: Update to version 3.59.1, or a newer patched version

Plugin: Platinum SEO

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.9.15
Recommended Action: Update to version 3.9.15, or a newer patched version

Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds

Vulnerability: Missing Authorization
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version

Plugin: iFlyChat – WordPress Chat

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better Comments

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to Force HTTPS, Security+

Vulnerability: Sensitive Information Exposure via insufficiently protected files
Patched Version: 7.1.0
Recommended Action: Update to version 7.1.0, or a newer patched version

Plugin: WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into WordPress

Vulnerability: Cross-Site Request Forgery via wpea_deauthorize_user()
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Error Message
Patched Version: 4.3.4
Recommended Action: Update to version 4.3.4, or a newer patched version

Plugin: Ultimate Social Comments – Email Notification & Lazy Load

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wholesale For WooCommerce

Vulnerability: Unauthenticated Arbitrary Post Deletion
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Filter Custom Fields & Taxonomies Light

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Photo Album Plus

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 8.6.03.005
Recommended Action: Update to version 8.6.03.005, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Link
Patched Version: 4.8.1
Recommended Action: Update to version 4.8.1, or a newer patched version

Plugin: Whizzy

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Twitter Feeds (Twitter widget & shortcode)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Responsive Tabs horizontal vertical and accordion Tabs

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.1.18
Recommended Action: Update to version 1.1.18, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HTML Tags
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version

Plugin: Advanced Order Export For WooCommerce

Vulnerability: Authenticated (Shop Manager+) Remote Code Execution
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.5.2
Recommended Action: Update to version 1.3.5.2, or a newer patched version

Plugin: Passster – Password Protect Pages and Content

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via content_protector Shortcode
Patched Version: 4.2.6.5
Recommended Action: Update to version 4.2.6.5, or a newer patched version

Plugin: New Order Notification for Woocommerce

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ENL Newsletter

Vulnerability: Cross-Site Request Forgery to Campaign Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Missing Authorization
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Web Icons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.0.11
Recommended Action: Update to version 1.0.0.11, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 21.3.6
Recommended Action: Update to version 21.3.6, or a newer patched version

Plugin: Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: Church Admin

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Masteriyo LMS – eLearning and Online Course Builder for WordPress

Vulnerability: LMS <= 1.7.2
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Custom Field Bulk Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Missing Authorization
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: MM-email2image

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Social Share Buttons for WordPress

Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: 9.5
Recommended Action: Update to version 9.5, or a newer patched version

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Missing Authorization
Patched Version: 4.1.4
Recommended Action: Update to version 4.1.4, or a newer patched version

Plugin: WordPress Comments Import & Export

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 9.5.1
Recommended Action: Update to version 9.5.1, or a newer patched version

Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms

Vulnerability: Missing Authorization
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Carousel, Slider, Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery, Video Slider, Post Carousel & Post Grid, Product Carousel & Product Grid

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘sp_wp_carousel_shortcode’
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Aesop Story Engine

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: rehub-framework

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 19.6.2
Recommended Action: Update to version 19.6.2, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 5.7.9
Recommended Action: Update to version 5.7.9, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Missing Authorization to Booking Price Manipulation
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: LearnPress Export Import – WordPress extension for LearnPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via SVG
Patched Version: 1.8.22
Recommended Action: Update to version 1.8.22, or a newer patched version

Plugin: Relevanssi – A Better Search (Pro)

Vulnerability: Unauthenticated Second Order CSV Injection
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager

Vulnerability: Missing Authorization
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version

Plugin: Church Admin

Vulnerability: Missing Authorization
Patched Version: 4.1.19
Recommended Action: Update to version 4.1.19, or a newer patched version

Plugin: WP-Stateless – Google Cloud Storage

Vulnerability: Missing Authorization to Limited Arbitrary Options Update
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Unauthenticated Local File Inclusion via template
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: Themify Event Post

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.5.1.8
Recommended Action: Update to version 1.5.1.8, or a newer patched version

Plugin: Change default login logo,url and title

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: B Slider- Gutenberg Slider Block for WP

Vulnerability: Slider for your block editor <= 1.1.12
Patched Version: 1.1.13
Recommended Action: Update to version 1.1.13, or a newer patched version

Plugin: 10Web Map Builder for Google Maps

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.1.9
Recommended Action: Update to version 3.1.9, or a newer patched version

Plugin: Ocean Extra

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Sign-up Sheets

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Youtube Block
Patched Version: 3.9.15
Recommended Action: Update to version 3.9.15, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘Custom Gallery’ Widget
Patched Version: 5.3.3
Recommended Action: Update to version 5.3.3, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure
Patched Version: 4.10.23
Recommended Action: Update to version 4.10.23, or a newer patched version

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: Authenticated (Customer+) Insecure Direct Object Reference
Patched Version: 1.0.82
Recommended Action: Update to version 1.0.82, or a newer patched version

Plugin: Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 0.6.6
Recommended Action: Update to version 0.6.6, or a newer patched version

Plugin: Multiple Page Generator Plugin – MPG

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Spin 360 deg and 3D Model Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated (LP Instructor+) Stored Cross-Site Scripting
Patched Version: 4.2.6.4
Recommended Action: Update to version 4.2.6.4, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.2
Recommended Action: Update to version 1.13.2, or a newer patched version

Plugin: Watu Quiz

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.4.1.1
Recommended Action: Update to version 3.4.1.1, or a newer patched version

Plugin: DD Rating

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Grid Gallery WordPress Plugin

Vulnerability: Unauthenticated Private Post Disclosure
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Responsive Lightbox & Gallery

Vulnerability: Missing Authorization via Information Disclosure
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: Squelch Tabs and Accordions Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via accordions Shortcode
Patched Version: 0.4.4
Recommended Action: Update to version 0.4.4, or a newer patched version

Plugin: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels

Vulnerability: Missing Authorization to Unauthenticated Settings Reset
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: Smart Post Show – Post Grid, Post Carousel, Post Slider, Post Timeline, Post Table, and List Category Posts, Latest Posts, Recent Posts, Popular Posts and More

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.4.28
Recommended Action: Update to version 2.4.28, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Incorrect Authorization to Information Exposure
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery (SSRF)
Patched Version: 3.2.12
Recommended Action: Update to version 3.2.12, or a newer patched version

Plugin: Announce from the Dashboard

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: ElementsKit Elementor addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version

Plugin: MailMunch – Grow your Email List

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: All-in-One Video Gallery

Vulnerability: Missing Authorization
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via CountUp Widget
Patched Version: 3.2.32
Recommended Action: Update to version 3.2.32, or a newer patched version

Plugin: WP Radio – Worldwide Online Radio Stations Directory for WordPress

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All In One Redirection

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Website Pop-up Builder by BDOW! (formerly Sumo): Pop-ups + forms for email opt-ins and lead generation

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.35
Recommended Action: Update to version 1.35, or a newer patched version

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.8.6
Recommended Action: Update to version 6.8.6, or a newer patched version

Plugin: BizCalendar Web

Vulnerability: Reflected Cross-Site Scripting via ‘tab’
Patched Version: 1.1.0.26
Recommended Action: Update to version 1.1.0.26, or a newer patched version

Plugin: Beaver Themer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.4.9.1
Recommended Action: Update to version 1.4.9.1, or a newer patched version

Plugin: WordPress Gallery Exporter – Export your NextGen, Envira and FooGallery galleries to your computer

Vulnerability: Authenticated (Administrator+) Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sticky Anything

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Calendy
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version

Plugin: Easy Login Styler – White Label Admin Login Page for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YITH WooCommerce Account Funds Premium

Vulnerability: Missing Authorization
Patched Version: 1.34.0
Recommended Action: Update to version 1.34.0, or a newer patched version

Plugin: Bricksforge

Vulnerability: Missing Authorization to Unauthenticated WordPress Settings Deletion
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Strong Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.12
Recommended Action: Update to version 3.1.12, or a newer patched version

Plugin: Creative Image Slider – Responsive Slider Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Tax Rate Upload

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Missing Authorization via handle_calendly_data
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version

Plugin: Kattene

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Sliced Invoices – WordPress Invoice Plugin

Vulnerability: Missing Authorization
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: Product Designer

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.0.33
Recommended Action: Update to version 1.0.33, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Incorrect Authorization
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Watu Quiz

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.4.1.1
Recommended Action: Update to version 3.4.1.1, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.95
Recommended Action: Update to version 1.3.95, or a newer patched version

Plugin: CMB2

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version

Plugin: WooCommerce Customers Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 29.8
Recommended Action: Update to version 29.8, or a newer patched version

Plugin: Woocommerce Social Media Share Buttons

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Subscribe To Comments Reloaded

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 240119
Recommended Action: Update to version 240119, or a newer patched version

Plugin: Nudgify Social Proof, Sales Popup & FOMO – Best WordPress Social Proof Plugin

Vulnerability: Cross-Site Request Forgery via sync_orders_manually()
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Form to Chat App ⚡️

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: ELEX WooCommerce Dynamic Pricing and Discounts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: WordPress CRM Plugin – WP-CRM System

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.9.1
Recommended Action: Update to version 3.2.9.1, or a newer patched version

Plugin: Social Sharing Plugin – Sassy Social Share

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.61
Recommended Action: Update to version 3.3.61, or a newer patched version

Plugin: AGCA – Custom Dashboard & Login Page

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.2.2
Recommended Action: Update to version 7.2.2, or a newer patched version

Plugin: LWS Optimize

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Convert Post Types

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Activity Log

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: WordPress Webinar Plugin – WebinarPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.33.10
Recommended Action: Update to version 1.33.10, or a newer patched version

Plugin: ELEX WooCommerce Dynamic Pricing and Discounts

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: File Manager

Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 7.2.6
Recommended Action: Update to version 7.2.6, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button
Patched Version: 4.10.28
Recommended Action: Update to version 4.10.28, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version

Plugin: Build 5 Star Reviews on Google Reviews, Yelp, Facebook… easily and risk-free | RRatingg

Vulnerability: Missing Authorization
Patched Version: 1.3.02
Recommended Action: Update to version 1.3.02, or a newer patched version

Plugin: Mailster WordPress Newsletter Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WP Chat App

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.25
Recommended Action: Update to version 4.10.25, or a newer patched version

Plugin: Sydney Toolbox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery
Patched Version: 1.29
Recommended Action: Update to version 1.29, or a newer patched version

Plugin: Transcoder

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Genesis Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Content
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Import XML and RSS Feeds

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: No-Bot Registration

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: WP Import Export Lite

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 3.9.27
Recommended Action: Update to version 3.9.27, or a newer patched version

Plugin: ENL Newsletter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Missing Authorization
Patched Version: 5.7.14
Recommended Action: Update to version 5.7.14, or a newer patched version

Plugin: Header Image Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Search

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comic Easel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Memberships Pro – Payfast Gateway Add On

Vulnerability: Unauthenticated Information Exposure
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Custom CSS
Patched Version: 2.10.4
Recommended Action: Update to version 2.10.4, or a newer patched version

Plugin: BoldGrid Easy SEO – Simple and Effective SEO

Vulnerability: Information Exposure
Patched Version: 1.6.15
Recommended Action: Update to version 1.6.15, or a newer patched version

Plugin: AIKit – WordPress AI Automatic Writer, Chatbot, Writing Assistant & Content Repurposer / OpenAI GPT

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Image Attachment Fields
Patched Version: 2.4.15
Recommended Action: Update to version 2.4.15, or a newer patched version

Plugin: Carousel, Slider, Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery, Video Slider, Post Carousel & Post Grid, Product Carousel & Product Grid

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Captcha by BestWebSoft – Spam Protection, Security Plugin for WordPress Forms

Vulnerability: Captcha Bypass
Patched Version: 5.2.1
Recommended Action: Update to version 5.2.1, or a newer patched version

Plugin: Generate Child Theme

Vulnerability: Cross-Site Request Forgery via process_create_form()
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Weekly Class Schedule

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slideshow Gallery LITE

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Geo Controller

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.6.5
Recommended Action: Update to version 8.6.5, or a newer patched version

Plugin: Finale Lite – Sales Countdown Timer & Discount for WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation
Patched Version: 2.18.1
Recommended Action: Update to version 2.18.1, or a newer patched version

Plugin: Real Estate Manager – Property Listing and Agent Management

Vulnerability: Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Global Elementor Buttons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via button link
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via QR Code Widget
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version

Plugin: FG PrestaShop to WooCommerce

Vulnerability: Unauthenticated Sensitive Information Disclosure
Patched Version: 4.47.0
Recommended Action: Update to version 4.47.0, or a newer patched version

Plugin: Better Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Missing Authorization
Patched Version: 6.1.8
Recommended Action: Update to version 6.1.8, or a newer patched version

Plugin: Demo My WordPress

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 5.7.7
Recommended Action: Update to version 5.7.7, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 9.6.6
Recommended Action: Update to version 9.6.6, or a newer patched version

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4.15
Recommended Action: Update to version 2.4.15, or a newer patched version

Core: WordPress

Vulnerability: Unauthenticated & Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block
Patched Version: 6.0.8
Recommended Action: Update to one of the following versions, or a newer patched version: 6.0.8, 6.1.6, 6.2.5, 6.3.4, 6.4.4, 6.5.2

Plugin: Genesis Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via postTitleTag
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Edwiser Bridge – WordPress Moodle LMS Integration

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: wp-forecast

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version

Plugin: Relevanssi – A Better Search (Pro)

Vulnerability: Missing Authorization to Unauthenticated Count Option Update
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: WP Sort Order

Vulnerability: Missing Authorization
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Post Type Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: CRM Perks Forms – WordPress Form Builder

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Better Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via widget links
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Thumbs Rating

Vulnerability: Unauthenticated Insecure Direct Object Reference
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Page Title HTML Tag
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version

Plugin: Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version

Plugin: Tumult Hype Animations

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.9.12
Recommended Action: Update to version 1.9.12, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_price_list Shortcode
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version

Plugin: Powerkit – Supercharge your WordPress Site

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: AdsPlace'r – Ad Manager, Inserter, AdSense Ads

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CRM Perks Forms – WordPress Form Builder

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Photo Stack Widget
Patched Version: 3.10.4
Recommended Action: Update to version 3.10.4, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘reg-single-checkbox’
Patched Version: 4.15.6
Recommended Action: Update to version 4.15.6, or a newer patched version

Plugin: Classified Listing – Classified ads & Business Directory Plugin

Vulnerability: Missing Authorization
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Webinar and Video Conference with Jitsi Meet – Create Branded Webinars for WordPress, Meetings & Livestreaming

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 6.7.0
Recommended Action: Update to version 6.7.0, or a newer patched version

Plugin: WP2LEADS | WordPress und KlickTipp einfach verbinden – WooCommerce und KlickTipp einfach verbinden

Vulnerability: Missing Authorization
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: Premmerce Product Filter for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.7.3
Recommended Action: Update to version 3.7.3, or a newer patched version

Plugin: SEO Title Tag

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.6.0
Recommended Action: Update to version 8.6.0, or a newer patched version

Plugin: Real Estate Manager – Property Listing and Agent Management

Vulnerability: Cross-Site Scripting
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version

Plugin: WooCommerce Multilingual & Multicurrency with WPML

Vulnerability: Missing Authorization
Patched Version: 5.3.5
Recommended Action: Update to version 5.3.5, or a newer patched version

Plugin: Modal Popup Box – Popup Builder, Show Offers And News in Popup

Vulnerability: Authenticated (Contributor+) PHP Object Injection in awl_modal_popup_box_shortcode
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.