Watch Out Wednesday – April 24, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. Each entry below names the plugin, the class of vulnerability, the first patched version, and the recommended action. Compare the versions against what is installed on your site and update promptly; where no patched version exists, treat the plugin as unpatched and mitigate or remove it. Addressing these vulnerabilities reduces the risk to your WordPress site and its data.
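The check that the recommended actions imply is mechanical: list the installed plugins with their versions, look each one up in this week's entries, and flag any that are below the patched version (or that have no patched version at all). The following Python script is an added example written for this page, not code from the advisory source or any plugin; it parses a sample in the shape that `wp plugin list --format=json` prints (the installed versions are constructed), holds four entries copied from the listing, and reports which installed plugins are still affected. The plugin slugs used as keys are assumptions for the example, since wordpress.org slugs do not always match the display names used in the listing, and the version comparison is a numeric simplification of PHP's `version_compare` that WordPress itself uses.

```python
"""Flag installed WordPress plugins that are below the patched version in an advisory list."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape `wp plugin list --format=json` prints.
# The installed versions are made up for this example, not taken from a real site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "asgaros-forum", "status": "active", "update": "available", "version": "2.8.0"},
    {"name": "maintenance-mode", "status": "active", "update": "none", "version": "3.0.2"},
    {"name": "download-manager", "status": "inactive", "update": "none", "version": "3.2.80"},
    {"name": "crony", "status": "active", "update": "none", "version": "0.4.6"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

# Four entries from the listing, keyed by plugin slug. The slugs are assumed for this
# example; the wordpress.org slug does not always match the display name in the listing.
# A patched version of None means the listing reports no patched version.
ADVISORIES: Dict[str, Tuple[str, str, Optional[str]]] = {
    "asgaros-forum": ("Asgaros Forum", "Cross-Site Request Forgery", "2.9.0"),
    "maintenance-mode": ("Maintenance Mode", "Unauthenticated IP Spoofing", "3.0.2"),
    "download-manager": ("Download Manager", "Password Protected File Bypass", "3.2.83"),
    "crony": ("Crony Cronjob Manager", "Cross-Site Request Forgery", None),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers: '1.3.02' -> (1, 3, 2), '3.06.0' -> (3, 6, 0).

    Each component is read up to its first non-digit, so pre-release suffixes are
    ignored. This is a simplification of PHP's version_compare (which WordPress uses)
    that is adequate for the numeric release versions in the listing.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_below_patched(installed: str, patched: Optional[str]) -> bool:
    """True when the installed version is older than the patched one.

    No patched version means every installed version is affected. Shorter versions
    are padded with zeros, so '3.0' equals '3.0.0' and is not flagged against it.
    """
    if patched is None:
        return True
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_site(plugin_list_json: str, advisories=ADVISORIES) -> List[dict]:
    """Cross-reference `wp plugin list --format=json` output with the advisory table.

    Inactive plugins are reported too: their code is still on disk, and the fix is
    the same (update, or remove the plugin when no patch exists).
    """
    findings = []
    for plugin in json.loads(plugin_list_json):
        advisory = advisories.get(plugin["name"])
        if advisory is None:
            continue
        title, vulnerability, patched = advisory
        if not is_below_patched(plugin["version"], patched):
            continue
        findings.append({
            "slug": plugin["name"],
            "title": title,
            "status": plugin["status"],
            "installed": plugin["version"],
            "vulnerability": vulnerability,
            "action": f"update to {patched} or newer" if patched else "no patch: mitigate or remove",
        })
    return sorted(findings, key=lambda f: f["slug"])


if __name__ == "__main__":
    for f in check_site(SAMPLE_WP_PLUGIN_LIST):
        print(f"{f['title']} ({f['slug']} {f['installed']}, {f['status']}): "
              f"{f['vulnerability']}; {f['action']}")
```

On a real site, replace the constructed sample with the output of `wp plugin list --format=json` and extend the table with the rest of this week's entries. Re-run the check after updating, since a plugin whose update failed or was rolled back will still report the old version, and remember that a plugin on the "no patched version" list stays flagged until it is removed.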

Plugin: Novelist

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Max Addons Pro for Bricks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Easy Testimonial Slider and Form

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version

Plugin: WPCal.io – Easy Meeting Scheduler

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.9.5.9
Recommended Action: Update to version 0.9.5.9, or a newer patched version

Plugin: SharkDropship and Affiliate for AliExpress, Temu, eBay, Amazon and Etsy to woocommerce

Vulnerability: Unauthenticated Arbitrary Content Deletion
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Under Construction

Vulnerability: Cross-Site Request Forgery via admin_action_ucp_dismiss_notice
Patched Version: 3.97
Recommended Action: Update to version 3.97, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Missing Authorization via admin notice dismissal
Patched Version: 1.12.7
Recommended Action: Update to version 1.12.7, or a newer patched version

Plugin: MaxGalleria

Vulnerability: Missing Authorization
Patched Version: 6.4.3
Recommended Action: Update to version 6.4.3, or a newer patched version

Plugin: Send PDF for Contact Form 7

Vulnerability: Missing Authorization
Patched Version: 1.0.2.4
Recommended Action: Update to version 1.0.2.4, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Insecure Direct Object Reference
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Missing Authorization
Patched Version: 1.3.3.1
Recommended Action: Update to version 1.3.3.1, or a newer patched version

Plugin: Convert Post Types

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More.

Vulnerability: Missing Authorization via showTemplatePreview()
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN

Vulnerability: Missing Authorization
Patched Version: 3.7.4
Recommended Action: Update to version 3.7.4, or a newer patched version

Plugin: WP LinkedIn Auto Publish

Vulnerability: Missing Authorization
Patched Version: 8.12
Recommended Action: Update to version 8.12, or a newer patched version

Plugin: MultiParcels Shipping For WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.16.9
Recommended Action: Update to version 1.16.9, or a newer patched version

Plugin: Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.06.0
Recommended Action: Update to version 3.06.0, or a newer patched version

Plugin: RomethemeForm For Elementor

Vulnerability: Missing Authorization
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: StreamWeasels Twitch Integration

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: AppPresser – Mobile App Framework

Vulnerability: Missing Authorization
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Bypass Group Members Limit
Patched Version: 5.8.3
Recommended Action: Update to version 5.8.3, or a newer patched version

Plugin: Integrate Google Drive

Vulnerability: Missing Authorization
Patched Version: 1.3.91
Recommended Action: Update to version 1.3.91, or a newer patched version

Plugin: Social Sharing Plugin – Social Warfare

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4.6.2
Recommended Action: Update to version 4.4.6.2, or a newer patched version

Plugin: BA Book Everything

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 1.1.4.2
Recommended Action: Update to version 1.1.4.2, or a newer patched version

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 3.7.4
Recommended Action: Update to version 3.7.4, or a newer patched version

Plugin: Save as PDF Plugin by Pdfcrowd

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: LoginPress Pro

Vulnerability: Missing Authorization to License Status Update
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Asgaros Forum

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version

Plugin: WP Ultimate Review

Vulnerability: Missing Authorization
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Maintenance Mode

Vulnerability: Unauthenticated IP Spoofing
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: EAN Barcode Generator for WooCommerce: UPC, ISBN & GTIN Inventory

Vulnerability: Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version

Plugin: Active Products Tables for WooCommerce. Use constructor to create tables

Vulnerability: Missing Authorization
Patched Version: 1.0.6.3
Recommended Action: Update to version 1.0.6.3, or a newer patched version

Plugin: WP Fusion Lite – Marketing Automation and CRM Integration for WordPress

Vulnerability: Information Exposure
Patched Version: 3.43.0
Recommended Action: Update to version 3.43.0, or a newer patched version

Plugin: Image Optimizer, Resizer and CDN – Sirv

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 7.2.3
Recommended Action: Update to version 7.2.3, or a newer patched version

Plugin: EZ Form Calculator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Data Tables Generator by Supsystic

Vulnerability: Missing Authorization
Patched Version: 1.10.32
Recommended Action: Update to version 1.10.32, or a newer patched version

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Vulnerability: Missing Authorization
Patched Version: 2.4.33
Recommended Action: Update to version 2.4.33, or a newer patched version

Plugin: LetterPress – Elevate Your WordPress Site's E-Mail Campaigns and Marketing

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Exclusive Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Call to Action
Patched Version: 2.6.9.5
Recommended Action: Update to version 2.6.9.5, or a newer patched version

Plugin: Product Input Fields for WooCommerce

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘titleWrapper’
Patched Version: 1.0.217
Recommended Action: Update to version 1.0.217, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.29.3
Recommended Action: Update to version 1.29.3, or a newer patched version

Plugin: Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media

Vulnerability: Missing Authorization
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Unauthenticated Arbitrary File Read and Server-Side Request Forgery
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Missing Authorization to Information Exposure
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: Libsyn Publisher Hub

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Vision – Interactive Image Map Builder

Vulnerability: Missing Authorization
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Advanced Testimonial Carousel for Elementor

Vulnerability: Missing Authorization
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Unauthenticated IP Spoofing
Patched Version: 1.3.95
Recommended Action: Update to version 1.3.95, or a newer patched version

Plugin: HelloAsso

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Add Custom CSS and JS

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MWW Disclaimer Buttons

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: WP Club Manager – WordPress Sports Club Plugin

Vulnerability: Missing Authorization
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version

Plugin: Crony Cronjob Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Embed Google Photos album

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: reCAPTCHA Jetpack

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP GoToWebinar

Vulnerability: Missing Authorization
Patched Version: 15.1
Recommended Action: Update to version 15.1, or a newer patched version

Plugin: InstaWP Connect – 1-click WP Staging & Migration

Vulnerability: Missing Authorization
Patched Version: 0.1.0.25
Recommended Action: Update to version 0.1.0.25, or a newer patched version

Plugin: Libsyn Publisher Hub

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.26
Recommended Action: Update to version 4.10.26, or a newer patched version

Plugin: All-in-one Like Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Price List Widget
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version

Plugin: WP Google Review Slider

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 13.6
Recommended Action: Update to version 13.6, or a newer patched version

Plugin: Exclusive Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget
Patched Version: 2.6.9.4
Recommended Action: Update to version 2.6.9.4, or a newer patched version

Plugin: The Events Calendar

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version

Plugin: rtMedia for WordPress, BuddyPress and bbPress

Vulnerability: Authenticated (Contributor+) SQL Injection via rtmedia_gallery Shortcode
Patched Version: 4.6.19
Recommended Action: Update to version 4.6.19, or a newer patched version

Plugin: Pricing Table by Supsystic

Vulnerability: Authenticated (Admin+) Content Injection
Patched Version: 1.9.13
Recommended Action: Update to version 1.9.13, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Flip Carousel, Flip Box, Post Grid, and Taxonomy List Widget Attributes
Patched Version: 1.3.972
Recommended Action: Update to version 1.3.972, or a newer patched version

Plugin: WebToffee WP Backup and Migration

Vulnerability: Missing Authorization to Directory Traversal
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: WPB Show Core

Vulnerability: Reflected Cross-Site Scripting via ‘file’
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: List Custom Taxonomy Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: Podlove Podcast Publisher

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 4.0.12
Recommended Action: Update to version 4.0.12, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Authenticated (Contributor+) Arbitrary Redirect
Patched Version: 7.5.45.7212
Recommended Action: Update to version 7.5.45.7212, or a newer patched version

Plugin: Jobs for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version

Plugin: Ultimate Blocks – WordPress Blocks Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Heading
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: Download Manager

Vulnerability: Password Protected File Bypass
Patched Version: 3.2.83
Recommended Action: Update to version 3.2.83, or a newer patched version

Plugin: Colibri Page Builder

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.0.264
Recommended Action: Update to version 1.0.264, or a newer patched version

Plugin: WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Vulnerability: Unauthenticated Price Manipulation
Patched Version: 5.8.1
Recommended Action: Update to version 5.8.1, or a newer patched version

Plugin: WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Image Alternative Text
Patched Version: 7.6.16
Recommended Action: Update to version 7.6.16, or a newer patched version

Plugin: Poll | Vote | Contest – Best Poll Plugin for WordPress

Vulnerability: Missing Authorization
Patched Version: 4.10.0
Recommended Action: Update to version 4.10.0, or a newer patched version

Plugin: Export and Import Users and Customers

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: Linker – URL shortener & track outbound link clicks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HTML Tags
Patched Version: 1.3.972
Recommended Action: Update to version 1.3.972, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.29
Recommended Action: Update to version 4.10.29, or a newer patched version

Plugin: TrackShip for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.2.23
Recommended Action: Update to version 2.2.23, or a newer patched version

Plugin: The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 2.0.8.3
Recommended Action: Update to version 2.0.8.3, or a newer patched version

Plugin: WP Datepicker

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: CookieHub – Cookie Consent Banner (DSGVO, CCPA, RGPD and GDPR compliance)

Vulnerability: Missing Authorization
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Build 5 Star Reviews on Google Reviews, Yelp, Facebook… easily and risk-free | RRatingg

Vulnerability: Missing Authorization
Patched Version: 1.3.02
Recommended Action: Update to version 1.3.02, or a newer patched version

Plugin: Find Duplicates

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Feed on WooCommerce for Google, Awin, Shareasale, Bing, and More

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Import Users from CSV

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Favicon by RealFaviconGenerator

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 1.3.30
Recommended Action: Update to version 1.3.30, or a newer patched version

Plugin: SEO Booster

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.10
Recommended Action: Update to version 3.8.10, or a newer patched version

Plugin: Max Addons Pro for Bricks

Vulnerability: Missing Authorization
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: tagDiv Composer

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Attachment Meta
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version

Plugin: Aspose.Words – Import and Export word documents

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Meteor Website Speed Optimization Addon

Vulnerability: Cross-Site Request Forgery via processAjaxNoticeDismiss
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Short URL

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Live Composer – Free WordPress Website Builder

Vulnerability: Missing Authorization
Patched Version: 1.5.39
Recommended Action: Update to version 1.5.39, or a newer patched version

Plugin: MyRewards – Loyalty Points and Rewards for WooCommerce – Reward orders, referrals, product reviews and more

Vulnerability: Missing Authorization
Patched Version: 5.3.1
Recommended Action: Update to version 5.3.1, or a newer patched version

Plugin: Fatal Error Notify

Vulnerability: Missing Authorization to Test Error Email Sending
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin Menu Editor

Vulnerability: Cross-Site Request Forgery via ajax_hide_hint()
Patched Version: 1.12.1
Recommended Action: Update to version 1.12.1, or a newer patched version

Plugin: ChatBot Conversational Forms

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Headline Analyzer

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Shared Files – Frontend File Upload Form & Secure File Sharing

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.7.17
Recommended Action: Update to version 1.7.17, or a newer patched version

Plugin: Currency per Product for WooCommerce

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Advanced Local Pickup for WooCommerce

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

Vulnerability: Unauthenticated IP Spoofing
Patched Version: 1.12.11
Recommended Action: Update to version 1.12.11, or a newer patched version

Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘gd_single_tabs’ Shortcode
Patched Version: 2.3.49
Recommended Action: Update to version 2.3.49, or a newer patched version

Plugin: ActiveDEMAND

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 0.2.42
Recommended Action: Update to version 0.2.42, or a newer patched version

Plugin: Fluid Checkout for WooCommerce – Lite

Vulnerability: Cross-Site Request Forgery via dismiss_notice
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: hCaptcha for WP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via cf7-hcaptcha Shortcode
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Quick Featured Images

Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Thumbnail Deletion/Setting
Patched Version: 13.7.1
Recommended Action: Update to version 13.7.1, or a newer patched version

Plugin: Media Library Folders

Vulnerability: Reflected Cross-Site Scripting via ‘s’
Patched Version: 8.2.1
Recommended Action: Update to version 8.2.1, or a newer patched version

Plugin: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 6.15.21
Recommended Action: Update to version 6.15.21, or a newer patched version

Plugin: Culqi

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 3.0.15
Recommended Action: Update to version 3.0.15, or a newer patched version

Plugin: ElementsKit Elementor addons

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Onepage Scroll Module
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Missing Authorization
Patched Version: 2.10.0
Recommended Action: Update to version 2.10.0, or a newer patched version

Plugin: WordPress Automatic Plugin

Vulnerability: Not specified in the listing
Patched Version: 3.93.0
Recommended Action: Update to version 3.93.0, or a newer patched version

Plugin: 10Web Map Builder for Google Maps

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.0.74
Recommended Action: Update to version 1.0.74, or a newer patched version

Plugin: Regenerate post permalink

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Property Listings

Vulnerability: Missing Authorization via epl_update_listing_coordinates()
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version

Plugin: LoginPress Pro

Vulnerability: Captcha Bypass
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Citadela Directory

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ARforms

Vulnerability: Missing Authorization to Arbitrary File Deletion
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version

Plugin: WP ADA Compliance Check Basic – Most Comprehensive Web Accessibility Solution for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 1.3.5.3
Recommended Action: Update to version 1.3.5.3, or a newer patched version

Plugin: Brevo for WooCommerce

Vulnerability: Authenticated (Editor+) Arbitrary File Download and Deletion
Patched Version: 4.0.18
Recommended Action: Update to version 4.0.18, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Authenticated (Contributor+) DOM-Based Cross-Site Scripting via “Social Icons” Block
Patched Version: 4.5.10
Recommended Action: Update to version 4.5.10, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.1.0
Recommended Action: Update to version 7.1.0, or a newer patched version

Plugin: Reviews Plus

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: IP2Location Country Blocker

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.34.3
Recommended Action: Update to version 2.34.3, or a newer patched version

Plugin: Performance Lab

Vulnerability: Cross-Site Request Forgery via dismiss-wp-pointer
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.0
Recommended Action: Update to version 5.6.0, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Authenticated (Subscriber+) Remote Code Execution
Patched Version: 1.3.5.3
Recommended Action: Update to version 1.3.5.3, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 1.3.972
Recommended Action: Update to version 1.3.972, or a newer patched version

Plugin: Salient Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: WP-Lister Lite for eBay

Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher

Vulnerability: Missing Authorization
Patched Version: 5.0.9
Recommended Action: Update to version 5.0.9, or a newer patched version

Plugin: Icon Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: RomethemeKit For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Widget Post Slider

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Exclusive Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Expired Title
Patched Version: 2.6.9.5
Recommended Action: Update to version 2.6.9.5, or a newer patched version

Plugin: Cooked – Recipe Management

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.15.1
Recommended Action: Update to version 1.7.15.1, or a newer patched version

Plugin: ARforms

Vulnerability: Missing Authorization to Arbitrary Option Deletion
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Insecure Direct Object Reference to Menu Access
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Unauthenticated Limited File Upload
Patched Version: 1.3.95
Recommended Action: Update to version 1.3.95, or a newer patched version

Plugin: Slash Admin

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: POEditor

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.9.9
Recommended Action: Update to version 0.9.9, or a newer patched version

Plugin: Zoho Campaigns

Vulnerability: Cross-Site Request Forgery via zcwc_integration_disconnect
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Ultimate 410 Gone Status Code

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: GEO my WP

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: Kimili Flash Embed

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Panel Slider Widget
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version

Plugin: EleSpare: Elementor Newspaper, Magazine and Blog Addons – 35+ Post Grid, Slider, Carousel, List & Tile, 350+ Templates, Drag & Drop Header/Footer and Page Builder, 1-Click Import – No Coding Hassle!

Vulnerability: Missing Authorization to Subscriber+ Arbitrary Post Creation
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Essential Addons for Elementor Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘title_html_tag’
Patched Version: 5.8.12
Recommended Action: Update to version 5.8.12, or a newer patched version

Plugin: Jobs for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: Forms to Zapier, Integromat, IFTTT, Workato, Automate.io, elastic.io, Built.io, APIANT, Webhook

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Seers | GDPR & CCPA Cookie Consent & Compliance

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.1.1
Recommended Action: Update to version 8.1.1, or a newer patched version

Plugin: Advanced iFrame

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2024.3
Recommended Action: Update to version 2024.3, or a newer patched version

Plugin: WP Ultimate Review

Vulnerability: Unauthenticated Review Restriction Bypass
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: WP-Recall – Registration, Profile, Commerce & More

Vulnerability: Unauthenticated SQL Injection
Patched Version: 16.26.6
Recommended Action: Update to version 16.26.6, or a newer patched version

Plugin: Elementor Timeline Widget

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.8.4
Recommended Action: Update to version 2.0.8.4, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Stack Group, Photo Stack, & Horizontal Timeline
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Accordion Title Tags
Patched Version: 1.3.972
Recommended Action: Update to version 1.3.972, or a newer patched version

Plugin: UnGallery

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 3.13.3
Recommended Action: Update to version 3.13.3, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Improper Authorization via woolentor_template_store
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.7.2
Recommended Action: Update to version 6.4.7.2, or a newer patched version

Plugin: Newsletters

Vulnerability: Information Exposure via Log files
Patched Version: 4.9.6
Recommended Action: Update to version 4.9.6, or a newer patched version

Plugin: tagDiv Composer

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Shortcode
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version

Plugin: Filter Custom Fields & Taxonomies Light

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Custom Auto Excerpt

Vulnerability: Sensitive Information Exposure
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Ads.txt Admin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ShortPixel Critical CSS

Vulnerability: Missing Authorization
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.2.6.5
Recommended Action: Update to version 4.2.6.5, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) Arbitrary File Deletion
Patched Version: 21.3.5
Recommended Action: Update to version 21.3.5, or a newer patched version

Plugin: VK Block Patterns

Vulnerability: Missing Authorization
Patched Version: 1.31.1.1
Recommended Action: Update to version 1.31.1.1, or a newer patched version

Plugin: Jotform Online Forms – Drag & Drop Form Builder, Securely Embed Contact Forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Citadela Directory

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Infographic Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6.8
Recommended Action: Update to version 4.6.8, or a newer patched version

Plugin: Contact Form Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.25
Recommended Action: Update to version 1.1.25, or a newer patched version

Plugin: Language Switcher for Transposh

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Ovic Addon Toolkit

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Church Admin

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.28
Recommended Action: Update to version 4.0.28, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.4
Recommended Action: Update to version 1.15.4, or a newer patched version

Plugin: WP-Recall – Registration, Profile, Commerce & More

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 16.26.6
Recommended Action: Update to version 16.26.6, or a newer patched version

Plugin: Custom Order Numbers for WooCommerce

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Unauthenticated Local File Inclusion via template
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer

Vulnerability: Missing Authorization
Patched Version: 3.10.3
Recommended Action: Update to version 3.10.3, or a newer patched version

Plugin: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Bold Timeline Lite

Vulnerability: Missing Authorization to Admin Notice Dismissal
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: AffiEasy

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: WooCommerce Shipping Label

Vulnerability: Authenticated (Shop Manager+) Stored Cross-Site Scripting
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version

Plugin: USPS Shipping for WooCommerce – Live Rates

Vulnerability: Sensitive Information Exposure
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version

Plugin: Coupon & Discount Code Reveal Button

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.1.9
Recommended Action: Update to version 3.1.9, or a newer patched version

Plugin: Frontend Admin by DynamiApps

Vulnerability: Improper Missing Encryption Exception Handling to Form Manipulation
Patched Version: 3.19.5
Recommended Action: Update to version 3.19.5, or a newer patched version

Plugin: ActiveCampaign – Forms, Site Tracking, Live Chat

Vulnerability: Authenticated (Administrator+) Server-Side Request Forgery
Patched Version: 8.1.15
Recommended Action: Update to version 8.1.15, or a newer patched version

Plugin: Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Insecure Direct Object Reference
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version

Plugin: Simply Static – The WordPress Static Site Generator

Vulnerability: Unauthenticated Information Exposure
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Image Slider

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.1.127
Recommended Action: Update to version 1.1.127, or a newer patched version

Plugin: Advanced Floating Content Lite

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: ElementsKit Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘ekit_btn_id’
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Finale Lite – Sales Countdown Timer & Discount for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.18.1
Recommended Action: Update to version 2.18.1, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget URL Attribute
Patched Version: 5.9.15
Recommended Action: Update to version 5.9.15, or a newer patched version

Plugin: BWL Advanced FAQ Manager

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Product Category Slider and Product Category Showcase for WooCommerce – WooCategory

Vulnerability: Missing Authorization via notice dismissal functionality
Patched Version: 1.4.16
Recommended Action: Update to version 1.4.16, or a newer patched version

Plugin: FG Joomla to WordPress

Vulnerability: Sensitive Information Exposure
Patched Version: 4.21.0
Recommended Action: Update to version 4.21.0, or a newer patched version

Plugin: Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HTML Tags
Patched Version: 3.10.6
Recommended Action: Update to version 3.10.6, or a newer patched version

Plugin: Parallax Slider Block

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: External Links – nofollow, noopener & new window

Vulnerability: Cross-Site Request Forgery via action_admin_action_wpel_dismiss_notice
Patched Version: 2.58
Recommended Action: Update to version 2.58, or a newer patched version

Plugin: Backup Migration

Vulnerability: Information Exposure via Log Files
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Missing Authorization
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: reCAPTCHA Jetpack

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ARforms

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version

Plugin: Colibri Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘colibri_breadcrumb_element’ Shortcode
Patched Version: 1.0.274
Recommended Action: Update to version 1.0.274, or a newer patched version

Plugin: Responsive Slider – Sangar Slider

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Disable Comments | WPZest

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Podlove Podcast Publisher

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.15
Recommended Action: Update to version 4.0.15, or a newer patched version

Plugin: Social Share Buttons, Social Sharing Icons, Click to Tweet — Social Media Plugin by Social Snap

Vulnerability: Missing Authorization
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Accessibility Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: WP Ultimate Review

Vulnerability: Unauthenticated Insecure Direct Object Reference
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.10
Recommended Action: Update to version 2.5.10, or a newer patched version

Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)

Vulnerability: Missing Authorization
Patched Version: 3.13.3
Recommended Action: Update to version 3.13.3, or a newer patched version

Plugin: WP Social Comments

Vulnerability: Missing Authorization via wpfc_allow_comments()
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: Post to Google My Business (Google Business Profile)

Vulnerability: Cross-Site Request Forgery to Dismiss Notification
Patched Version: 3.1.15
Recommended Action: Update to version 3.1.15, or a newer patched version

Plugin: Strong Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.12
Recommended Action: Update to version 3.1.12, or a newer patched version

Plugin: VikRentCar Car Rental Management System

Vulnerability: Information Exposure
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: User Activity Log Pro

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RestroPress – Online Food Ordering System

Vulnerability: Cross-Site Request Forgery via rpress_orders_list_table_process_bulk_actions
Patched Version: 3.1.2.1
Recommended Action: Update to version 3.1.2.1, or a newer patched version

Plugin: WPC Frequently Bought Together for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 7.0.4
Recommended Action: Update to version 7.0.4, or a newer patched version

Plugin: SAML Single Sign On – SSO Login Standard

Vulnerability: Missing Authorization to notice dismissal
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: Customer Reviews for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via ‘s’
Patched Version: 5.48.0
Recommended Action: Update to version 5.48.0, or a newer patched version

Plugin: RSS Feed Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.9.8
Recommended Action: Update to version 2.9.8, or a newer patched version

Plugin: Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.63
Recommended Action: Update to version 3.63, or a newer patched version

Plugin: Login with phone number

Vulnerability: Missing Authorization
Patched Version: 1.6.94
Recommended Action: Update to version 1.6.94, or a newer patched version

Plugin: Appointment Hour Booking – WordPress Booking Plugin

Vulnerability: Captcha Bypass
Patched Version: 1.4.57
Recommended Action: Update to version 1.4.57, or a newer patched version

Plugin: Podlove Podcast Publisher

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.0.14
Recommended Action: Update to version 4.0.14, or a newer patched version

Plugin: Before And After: Lead Capture Forms For WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Google Analytics Events – No-Code Custom Event Tracking for Google Analytics

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Table Rate Shipping Method for WooCommerce by Flexible Shipping

Vulnerability: Missing Authorization
Patched Version: 4.24.16
Recommended Action: Update to version 4.24.16, or a newer patched version

Plugin: WP Media Category Management

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: WP Client Reports

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.23
Recommended Action: Update to version 1.0.23, or a newer patched version

Plugin: ARforms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version

Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 2.11.1
Recommended Action: Update to version 2.11.1, or a newer patched version

Plugin: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

Vulnerability: Missing Authorization
Patched Version: 1.9.17
Recommended Action: Update to version 1.9.17, or a newer patched version

Plugin: Mail logging – WP Mail Catcher

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Salient Shortcodes

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Shortcode
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Order Limit for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Advanced Search

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EAN Barcode Generator for WooCommerce: UPC, ISBN & GTIN Inventory

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via alg_wc_ean_product_meta Shortcode
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version

Plugin: Extra Product Options Builder for WooCommerce

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 1.2.105
Recommended Action: Update to version 1.2.105, or a newer patched version

Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version

Plugin: Remove Footer Credit

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Church Content – Sermons, Events and More

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.33
Recommended Action: Update to version 3.3.33, or a newer patched version

Plugin: Zoho Campaigns

Vulnerability: Cross-Site Request Forgery via zcwc_optin_save
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Podlove Podcast Publisher

Vulnerability: Missing Authorization
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Secure Copy Content Protection and Content Locking

Vulnerability: Missing Authorization
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: Schema & Structured Data for WP & AMP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via How To and FAQ Blocks
Patched Version: 1.30
Recommended Action: Update to version 1.30, or a newer patched version

Plugin: Ultimate Before After Image Slider & Gallery – BEAF

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 4.5.5
Recommended Action: Update to version 4.5.5, or a newer patched version

Plugin: Email Customizer for WooCommerce | Drag and Drop Email Templates Builder

Vulnerability: Information Exposure
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Frontend Dashboard

Vulnerability: No subtitle
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Leadinfo

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FV Flowplayer Video Player

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 7.5.45.7212
Recommended Action: Update to version 7.5.45.7212, or a newer patched version

Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.14.1
Recommended Action: Update to version 3.14.1, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.29
Recommended Action: Update to version 3.3.29, or a newer patched version

Plugin: Zoho Campaigns

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Rate My Post – Star Rating Plugin by FeedbackWP

Vulnerability: Insecure Direct Object Reference
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: SSL Certificate – Free SSL, HTTPS by SSL Zen

Vulnerability: Sensitive Information Exposure
Patched Version: 4.6.0
Recommended Action: Update to version 4.6.0, or a newer patched version

Plugin: Account Engagement

Vulnerability: Missing Authorization
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Collapse-O-Matic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.5.6
Recommended Action: Update to version 1.8.5.6, or a newer patched version

Plugin: Newsletters

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 4.9.6
Recommended Action: Update to version 4.9.6, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Missing Authorization
Patched Version: 4.0.29
Recommended Action: Update to version 4.0.29, or a newer patched version

Plugin: Salient Core

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Shortcode
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Login With Ajax – Fast Logins, 2FA, Redirects

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version

Plugin: Translate WordPress – Google Language Translator

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 6.0.20
Recommended Action: Update to version 6.0.20, or a newer patched version

Plugin: Replyable – Subscribe to Comments and Reply by Email

Vulnerability: Authenticated (Subscriber+) PHP Object Injection via prompt_dismiss_notice
Patched Version: 2.2.10
Recommended Action: Update to version 2.2.10, or a newer patched version

Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin

Vulnerability: Missing Authorization
Patched Version: 3.3.53
Recommended Action: Update to version 3.3.53, or a newer patched version

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Email Marketing for WooCommerce by Omnisend

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.14.4
Recommended Action: Update to version 1.14.4, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 1.26.3
Recommended Action: Update to version 1.26.3, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.29.0
Recommended Action: Update to version 1.29.0, or a newer patched version

Plugin: Colibri Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘colibri-gallery-slideshow’ Shortcode
Patched Version: 1.0.274
Recommended Action: Update to version 1.0.274, or a newer patched version

Plugin: ARforms

Vulnerability: Missing Authorization to Arbitrary Plugin Activation/Deactivation
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 1.1.13
Recommended Action: Update to version 1.1.13, or a newer patched version

Plugin: Jobs for WordPress

Vulnerability: Reflected Cross-Site Scripting via job-search
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: YITH WooCommerce Compare

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.38.0
Recommended Action: Update to version 2.38.0, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 2.2.79
Recommended Action: Update to version 2.2.79, or a newer patched version

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Missing Authorization to Unauthenticated Email Enumeration
Patched Version: 5.1.9
Recommended Action: Update to version 5.1.9, or a newer patched version

Plugin: WordPress Flipbook by Supsystic

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: Click to Chat – HoliThemes

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: WP STAGING WordPress Backup Plugin – Migration Backup Restore

Vulnerability: Sensitive Information Exposure via cache files
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Missing Authorization to Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.1.9
Recommended Action: Update to version 5.1.9, or a newer patched version

Plugin: Link Library

Vulnerability: Cross-Site Request Forgery via action_admin_init
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: Order Delivery Date for WooCommerce

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 3.21.1
Recommended Action: Update to version 3.21.1, or a newer patched version

Plugin: Siteimprove

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: FileOrganizer – Manage WordPress and Website Files

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
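Several entries in this week's list are the same bug class seen from different angles: "Cross-Site Request Forgery to Notice Dismissal" (Ultimate Before After Image Slider, Login With Ajax, Order Delivery Date for WooCommerce), "Missing Authorization to Notice Dismissal" (Translate WordPress – Google Language Translator) and "PHP Object Injection via prompt_dismiss_notice" (Replyable). The following is an added illustration, not code from any plugin named on this page, of how an admin-notice "dismiss" handler ends up with each of these weaknesses and what the fixed handler looks like. The `exmpl_` prefix, hook names, option and meta keys are hypothetical.

```php
<?php
/**
 * Added example of the "notice dismissal" weakness class. The plugin prefix
 * "exmpl_" and every hook, option and meta key below are hypothetical; this is
 * not the code of any plugin listed on this page.
 */

// --- Vulnerable pattern ---------------------------------------------------
// Reachable by any logged-in user via admin-ajax.php, and by any visitor whose
// browser holds a logged-in cookie (CSRF): no nonce, no capability check, and
// attacker-controlled data goes straight into unserialize() (object injection).
add_action( 'wp_ajax_exmpl_dismiss_notice_vuln', function () {
    $state = unserialize( wp_unslash( $_POST['state'] ?? '' ) ); // PHP object injection
    update_option( 'exmpl_dismissed_notices', $state );          // any user rewrites a site option
    wp_send_json_success();
} );

// --- Hardened pattern -----------------------------------------------------
// 1. The admin screen renders the notice with a nonce bound to this action.
//    The accompanying JavaScript (omitted) POSTs action=exmpl_dismiss_notice,
//    nonce=<data-exmpl-nonce> and notice=<data-exmpl-notice> to admin-ajax.php.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( get_user_meta( get_current_user_id(), 'exmpl_notice_dismissed_welcome', true ) ) {
        return;
    }
    printf(
        '<div class="notice notice-info is-dismissible" data-exmpl-nonce="%s" data-exmpl-notice="welcome"><p>%s</p></div>',
        esc_attr( wp_create_nonce( 'exmpl_dismiss_notice' ) ),
        esc_html__( 'Welcome to the example plugin.', 'exmpl' )
    );
} );

// 2. The AJAX handler checks the nonce (CSRF), the capability (authorization)
//    and an allow-list of notice ids; nothing is ever unserialized.
add_action( 'wp_ajax_exmpl_dismiss_notice', 'exmpl_dismiss_notice' );

function exmpl_dismiss_notice() {
    // CSRF fix: dies with HTTP 403 unless $_REQUEST['nonce'] was issued for this action.
    check_ajax_referer( 'exmpl_dismiss_notice', 'nonce' );

    // Missing-authorization fix: a nonce proves intent, not privilege, so the
    // capability check is still required (Subscriber+ accounts can hit admin-ajax.php).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Object-injection fix: accept a known identifier, not serialized state.
    $notice_id = isset( $_POST['notice'] ) ? sanitize_key( wp_unslash( $_POST['notice'] ) ) : '';
    $allowed   = array( 'welcome', 'upgrade' );
    if ( ! in_array( $notice_id, $allowed, true ) ) {
        wp_send_json_error( 'unknown notice', 400 );
    }

    // Per-user dismissal stored as a plain scalar under a derived, allow-listed key.
    update_user_meta( get_current_user_id(), 'exmpl_notice_dismissed_' . $notice_id, 1 );
    wp_send_json_success();
}
```

For handlers hooked on `admin_action_{action}` or `admin_post_{action}` rather than `wp_ajax_`, the same three checks apply; use `check_admin_referer()` in place of `check_ajax_referer()`. When reviewing a plugin for this class, grep for `dismiss` in its `wp_ajax_`, `admin_action_` and `admin_init` callbacks and confirm each one carries both a nonce check and a `current_user_can()` check, and that it never passes request data to `unserialize()`.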

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
