Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about the risks to your site and take appropriate action to protect it. Addressing these vulnerabilities promptly, by updating or removing the affected plugins, helps preserve the safety and integrity of your WordPress site and its data.
Plugin: Novelist
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions
Vulnerability: Missing Authorization
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version
Plugin: Auto Poster
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Meta SEO
Vulnerability: Information Exposure via Meta Description
Patched Version: 4.5.13
Recommended Action: Update to version 4.5.13, or a newer patched version
Plugin: App Builder – Create Native Android & iOS Apps On The Flight
Vulnerability: Open Redirection
Patched Version: 3.8.8
Recommended Action: Update to version 3.8.8, or a newer patched version
Plugin: CBX Bookmark & Favorite
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.22
Recommended Action: Update to version 1.7.22, or a newer patched version
Plugin: Super Testimonials
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version
Plugin: Smart Online Order for Clover
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: EWWW Image Optimizer
Vulnerability: Cross-Site Request Forgery
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version
Plugin: Church Admin
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.0.28
Recommended Action: Update to version 4.0.28, or a newer patched version
Plugin: EasyEvent
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Loan Repayment Calculator and Application Form
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version
Plugin: Country State City Dropdown CF7
Vulnerability: Missing Authorization
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version
Plugin: Translate WordPress with ConveyThis
Vulnerability: Unauthenticated Stored Cross-Site Scripting via api_key
Patched Version: 224
Recommended Action: Update to version 224, or a newer patched version
Plugin: LearnPress Export Import – WordPress extension for LearnPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version
Plugin: Convert Post Types
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Calendarista Basic Edition – WordPress appointment booking system
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: WP Cost Estimation & Payment Forms Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 10.1.76
Recommended Action: Update to version 10.1.76, or a newer patched version
Plugin: MultiParcels Shipping For WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.16.9
Recommended Action: Update to version 1.16.9, or a newer patched version
Plugin: Newsletters
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Missing Authorization
Patched Version: 3.9.12
Recommended Action: Update to version 3.9.12, or a newer patched version
Plugin: Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.06.0
Recommended Action: Update to version 3.06.0, or a newer patched version
Plugin: Tracking Code Manager
Vulnerability: Missing Authorization via change_order()
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Matterport Shortcode
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS
Patched Version: 2.15.8
Recommended Action: Update to version 2.15.8, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘size’
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: WordPress Tooltips
Vulnerability: Cross-Site Request Forgery
Patched Version: 9.5.3
Recommended Action: Update to version 9.5.3, or a newer patched version
Plugin: BA Book Everything
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: Mailster – Email Newsletter Plugin for WordPress
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 1.1.4.2
Recommended Action: Update to version 1.1.4.2, or a newer patched version
Plugin: Import any XML, CSV or Excel File to WordPress
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 3.7.4
Recommended Action: Update to version 3.7.4, or a newer patched version
Plugin: FileBird – WordPress Media Library Folders & File Manager
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 5.6.4
Recommended Action: Update to version 5.6.4, or a newer patched version
Plugin: AppPresser – Mobile App Framework
Vulnerability: Cross-Site Request Forgery via force_logging_off()
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: Asgaros Forum
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version
Plugin: DirectoryPress – Business Directory And Classified Ad Listing
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: Enhanced Media Library
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.8.10
Recommended Action: Update to version 2.8.10, or a newer patched version
Plugin: AppPresser – Mobile App Framework
Vulnerability: Cross-Site Request Forgery via toggle_logging_callback()
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: Debug Log Manager
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: Responsive Gallery Grid
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.11
Recommended Action: Update to version 2.3.11, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 4.10.25
Recommended Action: Update to version 4.10.25, or a newer patched version
Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.
Vulnerability: Missing Authorization
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Restaurant Menu – Food Ordering System – Table Reservation
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: EZ Form Calculator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via metaslider Shortcode
Patched Version: 3.70.1
Recommended Action: Update to version 3.70.1, or a newer patched version
Plugin: Contact Form Email
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.3.45
Recommended Action: Update to version 1.3.45, or a newer patched version
Plugin: F4 Improvements
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Product Input Fields for WooCommerce
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: DethemeKit For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Vulnerability: Restricted Email Bypass
Patched Version: 3.11.3
Recommended Action: Update to version 3.11.3, or a newer patched version
Plugin: Easy Logo
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Spotlight Social Feeds – Block, Shortcode, and Widget
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.11
Recommended Action: Update to version 1.6.11, or a newer patched version
Plugin: Advanced Local Pickup for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Easy Social Share Buttons for WordPress
Vulnerability: Missing Authorization
Patched Version: 9.5
Recommended Action: Update to version 9.5, or a newer patched version
Plugin: Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version
Plugin: Libsyn Publisher Hub
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ELEX WooCommerce Dynamic Pricing and Discounts
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: GP Unique ID
Vulnerability: Unauthenticated Form Submission Unique ID Modification
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions
Vulnerability: Limited Privilege Escalation
Patched Version: 240325
Recommended Action: Update to version 240325, or a newer patched version
Plugin: All-in-One Addons for Elementor – WidgetKit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Widgets
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MWW Disclaimer Buttons
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: Carousel Slider
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.2.10
Recommended Action: Update to version 2.2.10, or a newer patched version
Plugin: WP Smart Import : Import any XML File to WordPress
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Float menu – awesome floating side menu
Vulnerability: Cross-Site Request Forgery to Menu Deletion
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version
Plugin: WP 404 Auto Redirect to Similar Post
Vulnerability: Reflected Cross-Site Scripting via Debug Mode URI
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: Crony Cronjob Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Libsyn Publisher Hub
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Grid
Patched Version: 2.6.9.3
Recommended Action: Update to version 2.6.9.3, or a newer patched version
Plugin: Post Views Counter
Vulnerability: Cross-Site Request Forgery via save_bulk_post_views()
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Bold Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Separator Element
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version
Plugin: Login with phone number
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.94
Recommended Action: Update to version 1.6.94, or a newer patched version
Plugin: WPML String Translation
Vulnerability: Authenticated (Administrator+) SQL Injection via ‘context’
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version
Plugin: WPBITS Addons For Elementor Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Mega Addons For Elementor
Vulnerability: Missing Authorization
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: WP-Cufon
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Related Posts for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Events Calendar
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version
Plugin: Fixed HTML Toolbar
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: Gradient Text Widget for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Grid Widget
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: WPBakery Visual Composer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title tag attribute
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version
Plugin: FV Flowplayer Video Player
Vulnerability: Authenticated (Contributor+) Arbitrary Redirect
Patched Version: 7.5.45.7212
Recommended Action: Update to version 7.5.45.7212, or a newer patched version
Plugin: Navigation menu as Dropdown Widget
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version
Plugin: Freshdesk (official)
Vulnerability: Open Redirect
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘aux_gmaps’ Shortcode
Patched Version: 2.15.8
Recommended Action: Update to version 2.15.8, or a newer patched version
Plugin: Subscribe2 – Form, Email Subscribers & Newsletters
Vulnerability: Missing Authorization via handle_optin_optout
Patched Version: 10.43
Recommended Action: Update to version 10.43, or a newer patched version
Plugin: WooCommerce Google Feed Manager
Vulnerability: Authenticated (Admin+) SQL Injection to Reflected Cross-Site Scripting
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: Download Manager
Vulnerability: Password Protected File Bypass
Patched Version: 3.2.83
Recommended Action: Update to version 3.2.83, or a newer patched version
Plugin: Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 8.0.0
Recommended Action: Update to version 8.0.0, or a newer patched version
Plugin: Easy CountDowner
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
Vulnerability: Sensitive Information Exposure via element_pack_ajax_search
Patched Version: 5.6.0
Recommended Action: Update to version 5.6.0, or a newer patched version
Plugin: Ultimate Maps by Supsystic
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version
Plugin: Blocksy Companion
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.29
Recommended Action: Update to version 2.0.29, or a newer patched version
Plugin: DSGVO Youtube
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: Post Type Builder
Vulnerability: Missing Authorization to Arbitrary Post/Page Creation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Membership Plugin – Restrict Content
Vulnerability: Missing Authorization
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version
Plugin: RapidLoad – Optimize Web Vitals Automatically
Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version
Plugin: Canva – Design beautiful blog graphics
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Live News – Responsive News Ticker
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.07
Recommended Action: Update to version 1.07, or a newer patched version
Plugin: WebToffee WP Backup and Migration
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version
Plugin: Support Genix – Support Tickets Managing System & Helpdesk Plugin for WordPress and WooCommerce
Vulnerability: Missing Authorization
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Top Bar
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version
Plugin: FG Drupal to WordPress
Vulnerability: Sensitive Information Exposure
Patched Version: 3.71.0
Recommended Action: Update to version 3.71.0, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version
Plugin: Media Library Folders
Vulnerability: Authenticated (Author+) Directory Traversal
Patched Version: 8.1.9
Recommended Action: Update to version 8.1.9, or a newer patched version
Plugin: WPC Smart Quick View for WooCommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: Mega Elements – Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Find Duplicates
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
Vulnerability: Authenticated (Contributor+) Blind Server-Side Request Forgery (SSRF)
Patched Version: 4.4.8
Recommended Action: Update to version 4.4.8, or a newer patched version
Plugin: Side Menu Lite – add sticky fixed buttons
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version
Plugin: Product Feed on WooCommerce for Google, Awin, Shareasale, Bing, and More
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Import Users from CSV
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: WP Radio – Worldwide Online Radio Stations Directory for WordPress
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via Settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Zero Spam for WordPress
Vulnerability: Spam Protection Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ReDi Restaurant Reservation
Vulnerability: Cross-Site Request Forgery via redi_restaurant_admin_options_page()
Patched Version: 24.0303
Recommended Action: Update to version 24.0303, or a newer patched version
Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: Favicon by RealFaviconGenerator
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 1.3.30
Recommended Action: Update to version 1.3.30, or a newer patched version
Plugin: SEO Booster
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.10
Recommended Action: Update to version 3.8.10, or a newer patched version
Plugin: Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post Deletion
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: WP Login and Logout Redirect
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: Aspose.Words – Import and Export word documents
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP OAuth Server (OAuth Authentication)
Vulnerability: Open Redirect
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version
Plugin: Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Subscribers and Landing Pages
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: EnvíaloSimple: Email Marketing y Newsletters
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Short URL
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Google Maps
Vulnerability: Cross-Site Request Forgery via AJAX action
Patched Version: 1.11.8
Recommended Action: Update to version 1.11.8, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.15.5
Recommended Action: Update to version 4.15.5, or a newer patched version
Plugin: Checkout Field Manager for WooCommerce (My Account, Register)
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Formsite | Embed online forms to collect orders, registrations, leads, and surveys
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Social Proof Popups & Real-Time Notifications – Herd Effects
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.7
Recommended Action: Update to version 5.2.7, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Accordion/FAQ
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via widget _id attribute
Patched Version: 8.3.7
Recommended Action: Update to version 8.3.7, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Sensitive Information Exposure via purchased_products
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: Premmerce
Vulnerability: Cross-Site Request Forgery via runAction
Patched Version: 1.3.19
Recommended Action: Update to version 1.3.19, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘title_tag’
Patched Version: 2.15.8
Recommended Action: Update to version 2.15.8, or a newer patched version
Plugin: Newsletter – Send awesome emails from WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 8.0.7
Recommended Action: Update to version 8.0.7, or a newer patched version
Plugin: WP Cost Estimation & Payment Forms Builder
Vulnerability: Missing Authorization
Patched Version: 10.1.77
Recommended Action: Update to version 10.1.77, or a newer patched version
Plugin: E2Pdf – Export Pdf Tool for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.23.00
Recommended Action: Update to version 1.23.00, or a newer patched version
Plugin: Currency per Product for WooCommerce
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 5.6.4
Recommended Action: Update to version 5.6.4, or a newer patched version
Plugin: Announcer – Sticky Message Banner, Notification Bar – Add to Top, Bottom of your Website
Vulnerability: Missing Authorization
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version
Plugin: ePoll – Best WordPress Voting Plugin for Poll & Contest
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: TWIPLA (Visitor Analytics IO) – Privacy-First Website Stats, Session Recordings, Heatmaps, Polls and Surveys
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Simple Post Notes
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.10.0
Recommended Action: Update to version 2.10.0, or a newer patched version
Plugin: Cornerstone
Vulnerability: Reflected Cross-Site Scripting via PHP_SELF
Patched Version: 0.8.1
Recommended Action: Update to version 0.8.1, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Void Elementor WHMCS Elements For Elementor Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: GG Woo Feed for WooCommerce Shopping Feed on Google and Other Channels
Vulnerability: Missing Authorization
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Realtyna Organic IDX plugin + WPL Real Estate
Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.14.8
Recommended Action: Update to version 4.14.8, or a newer patched version
Plugin: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 6.15.21
Recommended Action: Update to version 6.15.21, or a newer patched version
Plugin: WP-FormAssembly
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version
Plugin: eRoom – Zoom Meetings & Webinars
Vulnerability: Missing Authorization to Information Exposure
Patched Version: 1.4.19
Recommended Action: Update to version 1.4.19, or a newer patched version
Plugin: WP-Lister Lite for eBay
Vulnerability: Authenticated (Shop Manager+) Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Missing Authorization
Patched Version: 2.10.0
Recommended Action: Update to version 2.10.0, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: No subtitle
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version
Plugin: Smash Balloon Social Post Feed – Simple Social Feeds for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version
Plugin: Church Admin
Vulnerability: Missing Authorization
Patched Version: 4.1.7
Recommended Action: Update to version 4.1.7, or a newer patched version
Plugin: App Builder – Create Native Android & iOS Apps On The Flight
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.8.9
Recommended Action: Update to version 3.8.9, or a newer patched version
Plugin: Gutenberg
Vulnerability: 18.0.0
Patched Version: 18.01
Recommended Action: Update to version 18.01, or a newer patched version
Plugin: Bold Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via AI Features
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version
Plugin: Code Insert Manager (Q2W3 Inc Manager)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPBakery Visual Composer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Heading tag attribute
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version
Plugin: Citadela Directory
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version
Plugin: Ultimate Product Catalog
Vulnerability: Cross-Site Request Forgery via reset_settings()
Patched Version: 5.2.16
Recommended Action: Update to version 5.2.16, or a newer patched version
Plugin: WP Server Health Stats
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: Bulk Block Converter
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Display Name
Patched Version: 8.3.7
Recommended Action: Update to version 8.3.7, or a newer patched version
Plugin: EleForms – All In One Form Integration including DB for Elementor
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 2.9.9.8
Recommended Action: Update to version 2.9.9.8, or a newer patched version
Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.5.6
Recommended Action: Update to version 6.5.6, or a newer patched version
Plugin: Import Content in WordPress & WooCommerce with Excel
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version
Plugin: WP STAGING WordPress Backup Plugin – Migration Backup Restore
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Envo Extra
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.12
Recommended Action: Update to version 1.8.12, or a newer patched version
Plugin: SearchIQ – The Search Solution
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version
Plugin: Bold Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via “Price List” Element
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version
Plugin: Easy Textillate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Flash Video Player
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: IP2Location Country Blocker
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.34.3
Recommended Action: Update to version 2.34.3, or a newer patched version
Plugin: User Spam Remover
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.0
Recommended Action: Update to version 5.6.0, or a newer patched version
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Cross-Site Request Forgery to User Post Creation
Patched Version: 6.3.1.2
Recommended Action: Update to version 6.3.1.2, or a newer patched version
Plugin: Bricksforge
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Email Sending
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: WordPress Menu Plugin — Superfly Responsive Menu
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PeproDev Ultimate Invoice
Vulnerability: Missing Authorization
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Simple Testimonials Showcase
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Bricksforge
Vulnerability: Missing Authorization to Unauthenticated WordPress Settings Update
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: Popup by Supsystic
Vulnerability: Missing Authorization
Patched Version: 1.10.28
Recommended Action: Update to version 1.10.28, or a newer patched version
Plugin: Sticky Buttons – floating buttons builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: Knight Lab Timeline
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elements Plus!
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.16.4
Recommended Action: Update to version 2.16.4, or a newer patched version
Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds
Vulnerability: Missing Authorization
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version
Plugin: WPBakery Visual Composer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button onclick attribute
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version
Plugin: POEditor
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.9.9
Recommended Action: Update to version 0.9.9, or a newer patched version
Plugin: Zoho Campaigns
Vulnerability: Cross-Site Request Forgery via zcwc_integration_disconnect
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: Advanced Cron Manager – debug & control
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version
Plugin: GEO my WP
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Plugin: MailChimp Forms by MailMunch
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: Kimili Flash Embed
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wholesale For WooCommerce
Vulnerability: Unauthenticated Arbitrary Post Deletion
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Jobs for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version
Plugin: Simple Registration for WooCommerce
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: Forms to Zapier, Integromat, IFTTT, Workato, Automate.io, elastic.io, Built.io, APIANT, Webhook
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gutenverse – Ultimate Block Addons and Page Builder for Site Editor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Advanced iFrame
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2024.3
Recommended Action: Update to version 2024.3, or a newer patched version
Plugin: WP Photo Album Plus
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 8.6.03.005
Recommended Action: Update to version 8.6.03.005, or a newer patched version
Plugin: Speed Optimizer – The All-In-One Performance-Boosting Plugin
Vulnerability: Missing Authorization via purge_on_other_events()
Patched Version: 7.5.0
Recommended Action: Update to version 7.5.0, or a newer patched version
Plugin: Link Whisper Free
Vulnerability: No subtitle
Patched Version: 0.7.0
Recommended Action: Update to version 0.7.0, or a newer patched version
Plugin: WP Compress – Instant Performance & Speed Optimization
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.11.01
Recommended Action: Update to version 6.11.01, or a newer patched version
Plugin: FileBird – WordPress Media Library Folders & File Manager
Vulnerability: Authenticated (Author+) Insecure Direct Object Reference
Patched Version: 5.6.4
Recommended Action: Update to version 5.6.4, or a newer patched version
Plugin: WordPress Tooltips
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 9.4.5
Recommended Action: Update to version 9.4.5, or a newer patched version
Plugin: WP 2FA – Two-factor authentication for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile
Vulnerability: Missing Authorization to Unauthenticated Media Deletion
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Bold Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HTML Tags
Patched Version: 4.8.9
Recommended Action: Update to version 4.8.9, or a newer patched version
Plugin: Advanced Order Export For WooCommerce
Vulnerability: Authenticated (Shop Manager+) Remote Code Execution
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version
Plugin: Popup Like box – Page Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.7.3
Recommended Action: Update to version 3.7.3, or a newer patched version
Plugin: Filter Custom Fields & Taxonomies Light
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Passster – Password Protect Pages and Content
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via content_protector Shortcode
Patched Version: 4.2.6.5
Recommended Action: Update to version 4.2.6.5, or a newer patched version
Plugin: Customer Reviews for WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Coupon Search
Patched Version: 5.47.0
Recommended Action: Update to version 5.47.0, or a newer patched version
Plugin: Button Generator – easily Button Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.15.24
Recommended Action: Update to version 1.15.24, or a newer patched version
Plugin: Login | Login Page | Login Logo | Rename Login Page | Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
Vulnerability: Cross-Site Request Forgery via saveData()
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: Automatic QR Code Generator – QR Code Composer
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: WooCommerce Multilingual & Multicurrency with WPML
Vulnerability: Authenticated (Shop Manager+) SQL Injection
Patched Version: 5.3.4
Recommended Action: Update to version 5.3.4, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.15.8
Recommended Action: Update to version 2.15.8, or a newer patched version
Plugin: ePoll – Best WordPress Voting Plugin for Poll & Contest
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version
Plugin: Church Admin
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: Masteriyo LMS – eLearning and Online Course Builder for WordPress
Vulnerability: LMS <= 1.7.2
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version
Plugin: Ads.txt Admin
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Lightbox Widget
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin
Vulnerability: Missing Authorization
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version
Plugin: Marker.io – Visual Website Feedback
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: Advanced Post Block- Great solution for displaying Posts
Vulnerability: Missing Authorization to Information Disclosure
Patched Version: 1.13.5
Recommended Action: Update to version 1.13.5, or a newer patched version
Plugin: Easy Social Share Buttons for WordPress
Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: 9.5
Recommended Action: Update to version 9.5, or a newer patched version
Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Information Disclosure
Patched Version: 2.0.74
Recommended Action: Update to version 2.0.74, or a newer patched version
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Missing Authorization
Patched Version: 4.1.4
Recommended Action: Update to version 4.1.4, or a newer patched version
Plugin: Modal Window – create popup modal window
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.10
Recommended Action: Update to version 5.3.10, or a newer patched version
Plugin: Citadela Directory
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smart Slider 3
Vulnerability: Missing Authorization to Limited File Upload
Patched Version: 3.5.1.23
Recommended Action: Update to version 3.5.1.23, or a newer patched version
Plugin: Save as PDF Plugin by Pdfcrowd
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: WordPress Comments Import & Export
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version
Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms
Vulnerability: Missing Authorization
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Contact Form Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.25
Recommended Action: Update to version 1.1.25, or a newer patched version
Plugin: Carousel, Slider, Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery, Video Slider, Post Carousel & Post Grid, Product Carousel & Product Grid
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘sp_wp_carousel_shortcode’
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: Open Close WooCommerce Store – Best Business Schedules Manager
Vulnerability: Missing Authorization
Patched Version: 4.9.2
Recommended Action: Update to version 4.9.2, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Missing Authorization to Booking Price Manipulation
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version
Plugin: Login with phone number
Vulnerability: Unauthorized Account Password Change to Privilege Escalation
Patched Version: 1.7.17
Recommended Action: Update to version 1.7.17, or a newer patched version
Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version
Plugin: Ovic Addon Toolkit
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Church Admin
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.28
Recommended Action: Update to version 4.0.28, or a newer patched version
Plugin: LearnPress Export Import – WordPress extension for LearnPress
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version
Plugin: WP Dynamic Keywords Injector
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.22
Recommended Action: Update to version 2.3.22, or a newer patched version
Plugin: WP-Recall – Registration, Profile, Commerce & More
Vulnerability: Insecure Direct Object Reference
Patched Version: 16.26.6
Recommended Action: Update to version 16.26.6, or a newer patched version
Plugin: Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager
Vulnerability: Missing Authorization
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version
Plugin: WordPress Simple HTML Sitemap
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9
Recommended Action: Update to version 2.9, or a newer patched version
Plugin: CBX Bookmark & Favorite
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.7.21
Recommended Action: Update to version 1.7.21, or a newer patched version
Plugin: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Yoga Schedule Momoyoga
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version
Plugin: AffiEasy
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Smart Forms – when you need more than just a contact form
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.94
Recommended Action: Update to version 2.6.94, or a newer patched version
Plugin: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.26
Recommended Action: Update to version 1.0.26, or a newer patched version
Plugin: Zynith SEO
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ovic Responsive WPBakery
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Backend Designer
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Customer Reviews for WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending
Patched Version: 5.47.0
Recommended Action: Update to version 5.47.0, or a newer patched version
Plugin: Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Piotnet Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.26
Recommended Action: Update to version 2.4.26, or a newer patched version
Plugin: WP Dummy Content Generator
Vulnerability: Unauthenticated Code Injection
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: ActiveCampaign – Forms, Site Tracking, Live Chat
Vulnerability: Authenticated (Administrator+) Server-Side Request Forgery
Patched Version: 8.1.15
Recommended Action: Update to version 8.1.15, or a newer patched version
Plugin: Ditty – Responsive News Tickers, Sliders, and Lists
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.1.32
Recommended Action: Update to version 3.1.32, or a newer patched version
Plugin: Sign-up Sheets
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version
Plugin: Netgsm
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Accordion Widget
Patched Version: 2.15.6
Recommended Action: Update to version 2.15.6, or a newer patched version
Plugin: WishSuite – Wishlist for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Vulnerability: Authenticated (Customer+) Insecure Direct Object Reference
Patched Version: 1.0.82
Recommended Action: Update to version 1.0.82, or a newer patched version
Plugin: Crelly Slider
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: Canto
Vulnerability: Remote File Inclusion to Code Execution
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: Multiple Page Generator Plugin – MPG
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Plugin: Finale Lite – Sales Countdown Timer & Discount for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.18.1
Recommended Action: Update to version 2.18.1, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget URL Attribute
Patched Version: 5.9.15
Recommended Action: Update to version 5.9.15, or a newer patched version
Plugin: BWL Advanced FAQ Manager
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Wow Skype Buttons
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version
Plugin: BA Book Everything
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version
Plugin: Responsive Lightbox & Gallery
Vulnerability: Missing Authorization via Information Disclosure
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: Custom Thank You Page Customize For WooCommerce by Binary Carpenter
Vulnerability: Missing Authorization
Patched Version: 1.4.14
Recommended Action: Update to version 1.4.14, or a newer patched version
Plugin: BA Book Everything
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version
Plugin: MailMunch – Grow your Email List
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version
Plugin: Responsive Slider – Sangar Slider
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Disable Comments | WPZest
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All-in-One Video Gallery
Vulnerability: Missing Authorization
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: WP Radio – Worldwide Online Radio Stations Directory for WordPress
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Website Pop-up Builder by BDOW! (formerly Sumo): Pop-ups + forms for email opt-ins and lead generation
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.35
Recommended Action: Update to version 1.35, or a newer patched version
Plugin: WP TradingView
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.10
Recommended Action: Update to version 2.5.10, or a newer patched version
Plugin: Website Article Monetization By MageNet
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version
Plugin: WordPress Gallery Exporter – Export your NextGen, Envira and FooGallery galleries to your computer
Vulnerability: Authenticated (Administrator+) Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NextMove Lite – Thank You Page for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.18.2
Recommended Action: Update to version 2.18.2, or a newer patched version
Plugin: Shopkeeper Extender
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version
Plugin: Easy Login Styler – White Label Admin Login Page for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPC Grouped Product for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version
Plugin: Bricksforge
Vulnerability: Missing Authorization to Unauthenticated WordPress Settings Deletion
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: 2Checkout Payment Gateway for WooCommerce
Vulnerability: Missing Authorization via sniff_ins
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Missing Authorization via handle_calendly_data
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version
Plugin: Intagrate Lite
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Authenticated (Admin+) PHAR Deserialization
Patched Version: 0.9.100
Recommended Action: Update to version 0.9.100, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Missing Authorization
Patched Version: 5.8.4
Recommended Action: Update to version 5.8.4, or a newer patched version
Plugin: Delete Custom Fields
Vulnerability: Cross-Site Request Forgery to Post Meta Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Inline Related Posts
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Sync Post With Other Site
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: Master Slider – Responsive Touch Slider
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version
Plugin: User Activity Log Pro
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Designer
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.0.33
Recommended Action: Update to version 1.0.33, or a newer patched version
Plugin: RestroPress – Online Food Ordering System
Vulnerability: Cross-Site Request Forgery via rpress_orders_list_table_process_bulk_actions
Patched Version: 3.1.2.1
Recommended Action: Update to version 3.1.2.1, or a newer patched version
Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX
Vulnerability: Incorrect Authorization
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: Attesa Extra
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.95
Recommended Action: Update to version 1.3.95, or a newer patched version
Plugin: Live Composer – Free WordPress Website Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.36
Recommended Action: Update to version 1.5.36, or a newer patched version
Plugin: Subscribe To Comments Reloaded
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 240119
Recommended Action: Update to version 240119, or a newer patched version
Plugin: Nudgify Social Proof, Sales Popup & FOMO – Best WordPress Social Proof Plugin
Vulnerability: Cross-Site Request Forgery via sync_orders_manually()
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: MF Gig Calendar
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds
Vulnerability: Sensitive Information Exposure via Log Files
Patched Version: 13.3.2
Recommended Action: Update to version 13.3.2, or a newer patched version
Plugin: Form to Chat App ⚡️
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Podlove Podcast Publisher
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.0.14
Recommended Action: Update to version 4.0.14, or a newer patched version
Plugin: ELEX WooCommerce Dynamic Pricing and Discounts
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: Before And After: Lead Capture Forms For WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: WordPress Webinar Plugin – WebinarPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.33.10
Recommended Action: Update to version 1.33.10, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Referer header
Patched Version: 4.5.13
Recommended Action: Update to version 4.5.13, or a newer patched version
Plugin: WP Google Analytics Events – No-Code Custom Event Tracking for Google Analytics
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version
Plugin: WP File Download Light
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPBakery Visual Composer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Author
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version
Plugin: OneClick Chat to Order
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: Master Slider – Responsive Touch Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version
Plugin: Tagembed: Embed Twitter Feed, Google Reviews, YouTube Videos, TikTok, RSS Feed & More Social Media Feeds
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version
Plugin: Ivory Search – WordPress Search Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Index Creation
Patched Version: 5.5.6
Recommended Action: Update to version 5.5.6, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.25
Recommended Action: Update to version 4.10.25, or a newer patched version
Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: Transcoder
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: WP Client Reports
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.23
Recommended Action: Update to version 1.0.23, or a newer patched version
Plugin: Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘titleTag’
Patched Version: 2.6.10
Recommended Action: Update to version 2.6.10, or a newer patched version
Plugin: Import XML and RSS Feeds
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: EleForms – All In One Form Integration including DB for Elementor
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.9.9.8
Recommended Action: Update to version 2.9.9.8, or a newer patched version
Plugin: Appointment Bookings for Zoom GoogleMeet and more – Wappointment
Vulnerability: Authenticated (Administrator+) Server-Side Request Forgery
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: Mail logging – WP Mail Catcher
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: WP Import Export Lite
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 3.9.27
Recommended Action: Update to version 3.9.27, or a newer patched version
Plugin: Responsive Contact Form Builder & Lead Generation Plugin
Vulnerability: Missing Authorization
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Missing Authorization
Patched Version: 5.7.14
Recommended Action: Update to version 5.7.14, or a newer patched version
Plugin: Access Category Password
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UPS Shipping for WooCommerce – Live Rates and Access Point
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Slider by 10Web – Responsive Image Slider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.55
Recommended Action: Update to version 1.2.55, or a newer patched version
Plugin: Real Media Library: Media Library Folder & File Manager
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.22.12
Recommended Action: Update to version 4.22.12, or a newer patched version
Plugin: AIKit – WordPress AI Automatic Writer, Chatbot, Writing Assistant & Content Repurposer / OpenAI GPT
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Carousel, Slider, Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery, Video Slider, Post Carousel & Post Grid, Product Carousel & Product Grid
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: Captcha by BestWebSoft – Spam Protection, Security Plugin for WordPress Forms
Vulnerability: Captcha Bypass
Patched Version: 5.2.1
Recommended Action: Update to version 5.2.1, or a newer patched version
Plugin: Generate Child Theme
Vulnerability: Cross-Site Request Forgery via process_create_form()
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Extra Product Options Builder for WooCommerce
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 1.2.105
Recommended Action: Update to version 1.2.105, or a newer patched version
Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version
Plugin: Responsive Contact Form Builder & Lead Generation Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version
Plugin: Remove Footer Credit
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version
Plugin: Church Content – Sermons, Events and More
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: What's New Generator
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Export Products, Order & Customers for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Vulnerability: Authenticated (Author+) Limited File Upload to Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version
Plugin: Demo My WordPress
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Zoho Campaigns
Vulnerability: Cross-Site Request Forgery via zcwc_optin_save
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: Podlove Podcast Publisher
Vulnerability: Missing Authorization
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 5.7.7
Recommended Action: Update to version 5.7.7, or a newer patched version
Plugin: MF Gig Calendar
Vulnerability: Cross-Site Request Forgery to Event Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MJ Update History
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Order Statuses for WooCommerce
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Before After Image Slider & Gallery – BEAF
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 4.5.5
Recommended Action: Update to version 4.5.5, or a newer patched version
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.14
Patched Version: 5.7.15
Recommended Action: Update to version 5.7.15, or a newer patched version
Plugin: Responsive Contact Form Builder & Lead Generation Plugin
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Leadinfo
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPZOOM Social Feed Widget & Block
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Instagram Image Deletion
Patched Version: 2.1.14
Recommended Action: Update to version 2.1.14, or a newer patched version
Plugin: Edwiser Bridge – WordPress Moodle LMS Integration
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version
Plugin: Tax Rate Upload
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Theme My Login
Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 7.1.7
Recommended Action: Update to version 7.1.7, or a newer patched version
Plugin: eCommerce Product Catalog Plugin for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.29
Recommended Action: Update to version 3.3.29, or a newer patched version
Plugin: WP Sort Order
Vulnerability: Missing Authorization
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: WP Show Posts
Vulnerability: Improper Authorization to Information Exposure
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: PeproDev CF7 Database
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version
Plugin: LH Add Media From Url
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.23
Recommended Action: Update to version 1.23, or a newer patched version
Plugin: Multi Currency For WooCommerce
Vulnerability: Missing Authorization
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: Account Engagement
Vulnerability: Missing Authorization
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via InfoBox
Patched Version: 2.6.9.3
Recommended Action: Update to version 2.6.9.3, or a newer patched version
Plugin: Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Booking for Appointments and Events Calendar – Amelia
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.96
Recommended Action: Update to version 1.0.96, or a newer patched version
Plugin: Search Keyword Redirect
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Login With Ajax – Fast Logins, 2FA, Redirects
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version
Plugin: BMI Adult & Kid Calculator
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Fancy Product Designer
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via License Field
Patched Version: 6.1.81
Recommended Action: Update to version 6.1.81, or a newer patched version
Plugin: Popup Box: Create Popups Easily
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
Plugin: MihanPanel – User Login , Registration and Dashboard
Vulnerability: Cross-Site Request Forgery
Patched Version: 12.7
Recommended Action: Update to version 12.7, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Subscriber+) PHP Object Injection via auxin_template_control_importer
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Hosting Benchmark tool
Vulnerability: Cross-Site Request Forgery via execute_plugin()
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Vulnerability: Authenticated (Accounting Manager+) SQL Injection via id
Patched Version: 1.13.0
Recommended Action: Update to version 1.13.0, or a newer patched version
Plugin: USPS Shipping for WooCommerce – Live Rates
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘reg-single-checkbox’
Patched Version: 4.15.6
Recommended Action: Update to version 4.15.6, or a newer patched version
Plugin: Email Marketing for WooCommerce by Omnisend
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.14.4
Recommended Action: Update to version 1.14.4, or a newer patched version
Plugin: Mortgage Calculators WP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.60
Recommended Action: Update to version 1.60, or a newer patched version
Plugin: LiveJournal Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: InstaWP Connect – 1-click WP Staging & Migration
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 0.1.0.23
Recommended Action: Update to version 0.1.0.23, or a newer patched version
Plugin: WP2LEADS | WordPress und KlickTipp einfach verbinden – WooCommerce und KlickTipp einfach verbinden
Vulnerability: Missing Authorization
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version
Plugin: WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 8.6.0
Recommended Action: Update to version 8.6.0, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.26
Recommended Action: Update to version 3.2.26, or a newer patched version
Plugin: WP Helper Premium
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6.0
Recommended Action: Update to version 4.6.0, or a newer patched version
Plugin: Save as Image Plugin by Pdfcrowd
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: WP Club Manager – WordPress Sports Club Plugin
Vulnerability: Authenticated (Player+) Stored Cross-Site Scripting
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version
Plugin: Dashboard To-Do List
Vulnerability: Cross-Site Request Forgery via ardtdw_widgetupdate()
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: WP Accessibility Helper (WAH)
Vulnerability: Missing Authorization
Patched Version: 0.6.2.6
Recommended Action: Update to version 0.6.2.6, or a newer patched version
Plugin: WordPress Flipbook by Supsystic
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘aux_timeline’ Shortcode
Patched Version: 2.15.8
Recommended Action: Update to version 2.15.8, or a newer patched version
Plugin: WP Stripe Checkout
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2.42
Recommended Action: Update to version 1.2.2.42, or a newer patched version
Plugin: WP Synchro – WordPress Migration Plugin for Database & Files
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.11.3
Recommended Action: Update to version 1.11.3, or a newer patched version
Plugin: SSL Mixed Content Fix
Vulnerability: Missing Authorization
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version
Plugin: Order Delivery Date for WooCommerce
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 3.21.1
Recommended Action: Update to version 3.21.1, or a newer patched version
Plugin: Siteimprove
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.