Watch Out Wednesday – April 3, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week we highlight known vulnerabilities in WordPress plugins so you can judge the risk to your site and act on it. Each entry names the plugin, the vulnerability class (for authenticated flaws, the lowest role the attacker needs, e.g. Contributor+), the first patched version, and the recommended action. Updating to the patched version or newer closes the issue; where no patch is available, plan to remove the plugin unless you can mitigate the risk another way.

Plugin: WP-Members Membership Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.4.9.3
Recommended Action: Update to version 3.4.9.3, or a newer patched version

Plugin: User Rights Access Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Falang multilanguage for WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.3.48
Recommended Action: Update to version 1.3.48, or a newer patched version

Plugin: Flo Forms – Easy Drag & Drop Form Builder

Vulnerability: Missing Authorization via flo_send_test_email
Patched Version: 1.0.42
Recommended Action: Update to version 1.0.42, or a newer patched version

Plugin: Alma – Pay in installments or later for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.2.1
Recommended Action: Update to version 5.2.1, or a newer patched version

Plugin: Crypto Converter ⚡ Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: Popup Cart Lite for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Hover Effects – Elementor Addon

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘eihe_align’
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: WPFront User Role Editor

Vulnerability: Limited Information Exposure
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: WP-Lister Lite for Amazon

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress

Vulnerability: Missing Authorization via get_players
Patched Version: 2.0.74
Recommended Action: Update to version 2.0.74, or a newer patched version

Plugin: Tickera – WordPress Event Ticketing

Vulnerability: Insecure Direct Object Reference to Information Exposure
Patched Version: 3.5.2.5
Recommended Action: Update to version 3.5.2.5, or a newer patched version

Plugin: BoldGrid Easy SEO – Simple and Effective SEO

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Meta Description
Patched Version: 1.6.14
Recommended Action: Update to version 1.6.14, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version

Plugin: Sydney Toolbox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via _id
Patched Version: 1.27
Recommended Action: Update to version 1.27, or a newer patched version

Plugin: Co-marquage service-public.fr

Vulnerability: Reflected Cross-Site Scripting via search_term
Patched Version: 0.5.73
Recommended Action: Update to version 0.5.73, or a newer patched version

Plugin: WholesaleX – WooCommerce Wholesale Plugin (Wholesale Prices, Dynamic Pricing, Tiered Pricing)

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widgets
Patched Version: 3.8.6
Recommended Action: Update to version 3.8.6, or a newer patched version

Plugin: WP Smart Import : Import any XML File to WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: CMP – Coming Soon & Maintenance Plugin by NiteoThemes

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 4.1.11
Recommended Action: Update to version 4.1.11, or a newer patched version

Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Tweet Widget
Patched Version: 2.7.19
Recommended Action: Update to version 2.7.19, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Missing Authorization
Patched Version: 4.9.11
Recommended Action: Update to version 4.9.11, or a newer patched version

Plugin: Pz-LinkCard

Vulnerability: Server-Side Request Forgery
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Slugs Manager: Delete Old Permalinks from WordPress Database

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Print Page block – Print the entire page or Section.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: HeartThis

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version

Plugin: Move Addons for Elementor

Vulnerability: Missing Authorization
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Nelio Content – Editorial Calendar & Social Media Scheduling

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Calendarista Basic Edition – WordPress appointment booking system

Vulnerability: Missing Authorization
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.23
Recommended Action: Update to version 1.6.23, or a newer patched version

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: IP Spoofing
Patched Version: 8.2.1
Recommended Action: Update to version 8.2.1, or a newer patched version

Plugin: WPFront Notification Bar

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: underConstruction

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.22
Recommended Action: Update to version 1.22, or a newer patched version

Plugin: Photo Gallery by Supsystic

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.15.17
Recommended Action: Update to version 1.15.17, or a newer patched version

Plugin: DX-Watermark

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.3
Recommended Action: Update to version 1.13.3, or a newer patched version

Plugin: Carousel Anything For WPBakery Page Builder – Touch Slider and Carousel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media Library Folders

Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 8.1.8
Recommended Action: Update to version 8.1.8, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.76
Recommended Action: Update to version 2.2.76, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.29.1
Recommended Action: Update to version 1.29.1, or a newer patched version

Plugin: Hash Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Not specified in this entry
Patched Version: 2.7.31.2, 2.8.23.2, 2.9.19.2, 3.0.10.2 (one per supported release branch)
Recommended Action: Update to the patched version for your release branch (2.7.31.2, 2.8.23.2, 2.9.19.2 or 3.0.10.2), or a newer patched version

Plugin: CGC Maintenance Mode

Vulnerability: IP Spoofing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Great Restaurant Menu WP

Vulnerability: Cross-Site Request Forgery via menu_page
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: AI WP Writer – automatic content creator, ChatGPT, GPT-4, Dalle 3, FLUX

Vulnerability: Missing Authorization
Patched Version: 3.6.5.6
Recommended Action: Update to version 3.6.5.6, or a newer patched version

Plugin: Broken Images

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPC Badge Management for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Inline Related Posts

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.6.3
Recommended Action: Update to version 6.6.3, or a newer patched version

Plugin: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

Vulnerability: Missing Authorization in activate_ai_handler and deactivate_ai_handler
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: Contact Form 7 Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Whizzy

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gratisfaction - Loyalty, Rewards, Referral, Birthday and Giveaway Program

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.5
Recommended Action: Update to version 4.3.5, or a newer patched version

Plugin: Layouts for Elementor

Vulnerability: Missing Authorization to Unauthenticated Arbitrary File Upload
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: WP-Eggdrop

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dropdown multisite selector

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 0.9.2.1
Recommended Action: Update to version 0.9.2.1, or a newer patched version

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PDF Viewer for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.12
Recommended Action: Update to version 1.3.12, or a newer patched version

Plugin: Fancy Comments WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.15
Recommended Action: Update to version 1.2.15, or a newer patched version

Plugin: SellKit – Funnel builder and checkout optimizer for WooCommerce to sell more, faster

Vulnerability: Authenticated (Subscriber+) Arbitrary File Download
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0.2
Recommended Action: Update to version 1.2.0.2, or a newer patched version

Plugin: Simply Static – The WordPress Static Site Generator

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Add Shortcodes Actions And Filters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: pageMash > Page Management

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via *_html_tag*
Patched Version: 2.7.18
Recommended Action: Update to version 2.7.18, or a newer patched version

Plugin: CRM Perks Forms – WordPress Form Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Travelers' Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Unauthenticated Stored Cross-Site Scripting via File Upload
Patched Version: 1.29.1
Recommended Action: Update to version 1.29.1, or a newer patched version

Plugin: LionScripts: IP Blocker Lite

Vulnerability: IP Spoofing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: A WordPress Testimonial Plugin to Showcase Testimonial Slider, Testimonial Grid and More: Solid Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Social Icons Widget & Block by WPZOOM

Vulnerability: Missing Authorization
Patched Version: 4.2.16
Recommended Action: Update to version 4.2.16, or a newer patched version

Plugin: Exchange Rates Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Zotpress

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 7.3.8
Recommended Action: Update to version 7.3.8, or a newer patched version

Plugin: WP Cost Estimation & Payment Forms Builder

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 10.1.76
Recommended Action: Update to version 10.1.76, or a newer patched version

Plugin: Ultimate Addons for Beaver Builder – Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Heading Widget
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: EnvíaloSimple: Email Marketing y Newsletters

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Wholesale For WooCommerce

Vulnerability: Unauthenticated Information Exposure
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.7.9
Recommended Action: Update to version 5.7.9, or a newer patched version

Plugin: Pocket News Generator

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Eggdrop

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Author+) Server-Side Request Forgery
Patched Version: 3.2.26
Recommended Action: Update to version 3.2.26, or a newer patched version

Plugin: WPBakery Page Builder Addons by Livemesh

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Missing Authorization
Patched Version: 1.1.4.4
Recommended Action: Update to version 1.1.4.4, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Team Member Listing
Patched Version: 5.4.2
Recommended Action: Update to version 5.4.2, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sponsors

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.3.2
Recommended Action: Update to version 1.3.3.2, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Authenticated (Customer+) Stored Cross-Site Scripting via ‘sms_prefix’
Patched Version: 9.6.3
Recommended Action: Update to version 9.6.3, or a newer patched version

Plugin: Mighty Classic Pros And Cons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Creative Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Author+) PHP Object Injection via error_resetpassword
Patched Version: 5.9.14
Recommended Action: Update to version 5.9.14, or a newer patched version

Plugin: Jeg Elementor Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Box
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.8.45
Recommended Action: Update to version 2.8.45, or a newer patched version

Plugin: Kanban Boards for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Maintenance Mode

Vulnerability: Information Exposure
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: WP-Lister Lite for Amazon

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.6.12
Recommended Action: Update to version 2.6.12, or a newer patched version

Plugin: News Wall

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Church Admin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via meta-text
Patched Version: 4.1.18
Recommended Action: Update to version 4.1.18, or a newer patched version

Plugin: Favorites

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: WP Chat App

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Image Attribute
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: NextGen Gallery Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version

Plugin: StreamWeasels Twitch Integration

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Responsive flipbook wordpress plugin free download

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media Cloud for Bunny CDN, Amazon S3, Cloudflare R2, Google Cloud Storage, DigitalOcean and more

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.5.25
Recommended Action: Update to version 4.5.25, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Request Forgery to Publicly Accessible Form Submission Export
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version

Plugin: LayerSlider

Vulnerability: Unauthenticated SQL Injection (affects version 7.10.0)
Patched Version: 7.10.1
Recommended Action: Update to version 7.10.1, or a newer patched version

Plugin: ElementsKit Elementor addons

Vulnerability: Authenticated (Contributor+) Local File Inclusion in render_raw
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Slider Hero with Video Background, Animation

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.7.0
Recommended Action: Update to version 8.7.0, or a newer patched version

Plugin: Chauffeur Taxi Booking System for WordPress

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Memberships Pro – Mailchimp Add On

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: WordPress Contact Forms by Cimatti

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Woo Viet – WooCommerce for Vietnam

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: SecuPress Free — WordPress Security

Vulnerability: Cross-Site Request Forgery to Banned IP Address
Patched Version: 2.2.5.2
Recommended Action: Update to version 2.2.5.2, or a newer patched version

Plugin: Easy Form Builder – WordPress plugin form builder: contact form, survey form, payment form, and custom form builder

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 3.7.5
Recommended Action: Update to version 3.7.5, or a newer patched version

Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.6.24
Recommended Action: Update to version 1.6.6.24, or a newer patched version

Plugin: WP Express Checkout (Accept PayPal Payments Easily)

Vulnerability: Unauthenticated Price Manipulation
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: Simple Buttons Creator

Vulnerability: Cross-Site Request Forgery to Arbitrary Button Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bulk NoIndex & NoFollow Toolkit

Vulnerability: Reflected Cross-Site Scripting via tab, order, and orderby
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version

Plugin: Booking Activities

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.20
Recommended Action: Update to version 1.15.20, or a newer patched version

Plugin: DELUCKS SEO

Vulnerability: Missing Authorization
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version

Plugin: Christmas Greetings

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Klarna for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via class
Patched Version: 4.7.7
Recommended Action: Update to version 4.7.7, or a newer patched version

Plugin: Church Admin

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Link
Patched Version: 1.5.97
Recommended Action: Update to version 1.5.97, or a newer patched version

Plugin: Yoo Slider – Image Slider & Video Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lordicon Animated Icons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Hotel Booking

Vulnerability: Missing Authorization
Patched Version: 2.0.9.3
Recommended Action: Update to version 2.0.9.3, or a newer patched version

Plugin: Advanced Sermons

Vulnerability: Reflected Cross-Site Scripting via s
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: NPS computy

Vulnerability: Cross-Site Request Forgery to Results Deletion
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: Sharkdropship Dropshipping & Affiliate for for AliExpress

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post Deletion
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Tilda-publishing

Vulnerability: Missing Authorization
Patched Version: 0.3.24
Recommended Action: Update to version 0.3.24, or a newer patched version

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.4
Recommended Action: Update to version 4.1.4, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.10
Recommended Action: Update to version 4.9.10, or a newer patched version

Plugin: Special Box for Content

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Builderall Builder for WordPress

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: VS Contact Form

Vulnerability: CAPTCHA Bypass
Patched Version: 14.8
Recommended Action: Update to version 14.8, or a newer patched version

Plugin: WordPress Page Builder – Zion Builder

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.6.10
Recommended Action: Update to version 3.6.10, or a newer patched version

Plugin: Post and Page Builder by BoldGrid – Visual Drag and Drop Editor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.26.3
Recommended Action: Update to version 1.26.3, or a newer patched version

Plugin: Prenotazioni

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Revisions Delete

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: CodeMirror Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.20.2
Recommended Action: Update to version 3.20.2, or a newer patched version

Plugin: Lightbox slider – Responsive Lightbox Gallery

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via video_html_tag
Patched Version: 3.20.2
Recommended Action: Update to version 3.20.2, or a newer patched version

Plugin: Ultimate Addons for Beaver Builder – Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Separator Widget
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Missing Authorization
Patched Version: 4.4.10
Recommended Action: Update to version 4.4.10, or a newer patched version

Plugin: ReDi Restaurant Reservation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 24.0303
Recommended Action: Update to version 24.0303, or a newer patched version

Plugin: Shipping with Venipak for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via ‘venipak_labels_link’
Patched Version: 1.19.6
Recommended Action: Update to version 1.19.6, or a newer patched version

Plugin: Custom post types, Custom Fields & more

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Authenticated (Accounting Manager+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better Elementor Addons

Vulnerability: Missing Authorization
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Mang Board WP

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Off-Canvas Sidebars & Menus (Slidebars)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.5.8.2
Recommended Action: Update to version 0.5.8.2, or a newer patched version

Plugin: Chatbot for WordPress by Collect.chat ⚡️

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Booking Package

Vulnerability: Unauthenticated Price Manipulation
Patched Version: 1.6.29
Recommended Action: Update to version 1.6.29, or a newer patched version

Plugin: weForms – Easy Drag & Drop Contact Form Builder For WordPress

Vulnerability: Missing Authorization
Patched Version: 1.6.21
Recommended Action: Update to version 1.6.21, or a newer patched version

Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

Vulnerability: Missing Authorization
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via settings
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version

Plugin: RoyalSlider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: Social Author Bio

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Addons for Beaver Builder – Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Template Kit – Import

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via template upload
Patched Version: 1.0.15
Recommended Action: Update to version 1.0.15, or a newer patched version

Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui

Vulnerability: Authenticated (Author+) Insecure Direct Object Reference
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version

Plugin: Post-Plugin Library

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RevivePress – Keep your Old Content Evergreen

Vulnerability: Missing Authorization
Patched Version: 1.5.6.1
Recommended Action: Update to version 1.5.6.1, or a newer patched version

Plugin: Media Library Assistant

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mla_gallery Shortcode
Patched Version: 3.14
Recommended Action: Update to version 3.14, or a newer patched version

Plugin: WP Twitter Mega Fan Box Widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WholesaleX – WooCommerce Wholesale Plugin (Wholesale Prices, Dynamic Pricing, Tiered Pricing)

Vulnerability: Authenticated (Subscriber+) Missing Authorization via multiple AJAX actions
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version

Plugin: Announcement & Notification Banner – Bulletin

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.9.0
Recommended Action: Update to version 3.9.0, or a newer patched version

Plugin: GetResponse for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SpiderFAQ

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom WooCommerce Checkout Fields Editor

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Authenticated (Administrator+) Local File Inclusion
Patched Version: 1.3.5.3
Recommended Action: Update to version 1.3.5.3, or a newer patched version

Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.5.6
Recommended Action: Update to version 6.5.6, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version

Plugin: Calculated Fields Form

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.55
Recommended Action: Update to version 1.2.55, or a newer patched version

Plugin: Export and Import Users and Customers

Vulnerability: Authenticated (Shop Manager+) Path Traversal
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: OpenID

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Bookings Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.94
Recommended Action: Update to version 1.5.94, or a newer patched version

Plugin: WP STAGING WordPress Backup Plugin – Migration Backup Restore

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: CubeWP – All-in-One Dynamic Content Framework

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.1.13
Recommended Action: Update to version 1.1.13, or a newer patched version

Plugin: Hacklog Down As PDF

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via fb_appid
Patched Version: 6.5.4
Recommended Action: Update to version 6.5.4, or a newer patched version

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.1.8
Recommended Action: Update to version 1.4.1.8, or a newer patched version

Plugin: Coming Soon, Under Construction & Maintenance Mode By Dazzler

Vulnerability: Maintenance Mode Bypass
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: RT Easy Builder – Advanced addons for Elementor

Vulnerability: Missing Authorization
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Landingi Landing Pages

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: WC Builder – WooCommerce Page Builder for WPBakery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Missing Authorization
Patched Version: 6.4.7
Recommended Action: Update to version 6.4.7, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version

Plugin: Tainacan

Vulnerability: Missing Authorization
Patched Version: 0.20.8
Recommended Action: Update to version 0.20.8, or a newer patched version

Plugin: WholesaleX – WooCommerce Wholesale Plugin (Wholesale Prices, Dynamic Pricing, Tiered Pricing)

Vulnerability: Sensitive Information Exposure via export_users
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Slider by Supsystic

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.11
Recommended Action: Update to version 1.8.11, or a newer patched version

Plugin: Verge3D Publishing and E-Commerce

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.9.1
Recommended Action: Update to version 6.9.1, or a newer patched version

Plugin: OSS Aliyun

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version

Plugin: Survey Maker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: Exclusive Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title
Patched Version: 3.13.2
Recommended Action: Update to version 3.13.2, or a newer patched version

Plugin: Platinum SEO

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iFlyChat – WordPress Chat

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 5.9.14
Recommended Action: Update to version 5.9.14, or a newer patched version

Plugin: Easy Social Share Buttons for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.5
Recommended Action: Update to version 9.5, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ni WooCommerce Sales Report

Vulnerability: Missing Authorization via ajax_sales_order
Patched Version: 3.7.4
Recommended Action: Update to version 3.7.4, or a newer patched version

Plugin: Page Builder Gutenberg Blocks – CoBlocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: Ultimate Social Comments – Email Notification & Lazy Load

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Packages – Sell Digital Products Securely

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8.3
Recommended Action: Update to version 5.8.3, or a newer patched version

Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 7.0.8
Recommended Action: Update to version 7.0.8, or a newer patched version

Plugin: Filter Custom Fields & Taxonomies Light

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gutenberg Block Editor Toolkit – EditorsKit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.40.5
Recommended Action: Update to version 1.40.5, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.1.8
Recommended Action: Update to version 7.1.8, or a newer patched version

Plugin: Whizzy

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Twitter Feeds (Twitter widget & shortcode)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.7.2
Recommended Action: Update to version 6.4.7.2, or a newer patched version

Plugin: WP Responsive Tabs horizontal vertical and accordion Tabs

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.1.18
Recommended Action: Update to version 1.1.18, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.20.2
Recommended Action: Update to version 3.20.2, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.5.2
Recommended Action: Update to version 1.3.5.2, or a newer patched version

Plugin: WP Change Email Sender

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: New Order Notification for Woocommerce

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget
Patched Version: 2.0.5.7
Recommended Action: Update to version 2.0.5.7, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.0.30
Recommended Action: Update to version 9.0.30, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Missing Authorization
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: FlatPM – Ad Manager, AdSense and Custom Code

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.05
Recommended Action: Update to version 3.1.05, or a newer patched version

Plugin: Web Icons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.0.11
Recommended Action: Update to version 1.0.0.11, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 21.3.6
Recommended Action: Update to version 21.3.6, or a newer patched version

Plugin: Ultimate Addons for Beaver Builder – Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Info Table Widget
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.69
Recommended Action: Update to version 1.5.69, or a newer patched version

Plugin: Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: PDF Builder for WPForms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.89
Recommended Action: Update to version 1.2.89, or a newer patched version

Plugin: CM Download Manager – Document and File Management

Vulnerability: Cross-Site Request Forgery via editHeader
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: Custom Field Bulk Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Doneren met Mollie

Vulnerability: Unauthenticated Reflected Cross-Site Scripting via search
Patched Version: 2.10.3
Recommended Action: Update to version 2.10.3, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 9.5.1
Recommended Action: Update to version 9.5.1, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via link
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version

Plugin: Aesop Story Engine

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Unauthenticated Privilege Escalation via stm_lms_register AJAX Action
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 5.7.9
Recommended Action: Update to version 5.7.9, or a newer patched version

Plugin: Tutor LMS Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.4.7.2
Recommended Action: Update to version 6.4.7.2, or a newer patched version

Plugin: Site Offline Or Coming Soon Or Maintenance Mode

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: iCalendrier

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.81
Recommended Action: Update to version 1.81, or a newer patched version

Plugin: Portfolio Gallery – Image Gallery Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO Backlink Monitor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Contact Form Message Settings
Patched Version: 3.2.18
Recommended Action: Update to version 3.2.18, or a newer patched version

Plugin: CoCart – Decoupling Made Easy for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.12.0
Recommended Action: Update to version 3.12.0, or a newer patched version

Plugin: Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version

Plugin: Church Admin

Vulnerability: Missing Authorization
Patched Version: 4.1.19
Recommended Action: Update to version 4.1.19, or a newer patched version

Plugin: Themify Event Post

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Missing Authorization
Patched Version: 2.15.8
Recommended Action: Update to version 2.15.8, or a newer patched version

Plugin: Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.5.1.8
Recommended Action: Update to version 1.5.1.8, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Authenticated (Customer+) Stored Cross-Site Scripting
Patched Version: 9.6.3
Recommended Action: Update to version 9.6.3, or a newer patched version

Plugin: Change default login logo,url and title

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: B Slider- Gutenberg Slider Block for WP

Vulnerability: Slider for your block editor <= 1.1.12
Patched Version: 1.1.13
Recommended Action: Update to version 1.1.13, or a newer patched version

Plugin: Stratum – Elementor Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version

Plugin: Easy Appointments

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.11.19
Recommended Action: Update to version 3.11.19, or a newer patched version

Plugin: 10Web Map Builder for Google Maps

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 20240216
Recommended Action: Update to version 20240216, or a newer patched version

Plugin: Meta Tag Manager

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.24.6
Recommended Action: Update to version 4.24.6, or a newer patched version

Plugin: Pocket News Generator

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via force_fit
Patched Version: 2.2.27
Recommended Action: Update to version 2.2.27, or a newer patched version

Plugin: MyBookTable Bookstore by Stormhill Media

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.3.8
Recommended Action: Update to version 3.3.8, or a newer patched version

Plugin: Integrate Google Drive

Vulnerability: Missing Authorization to Unauthenticated Settings Modification and Export
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.5.6
Recommended Action: Update to version 2.0.5.6, or a newer patched version

Plugin: Management App for WooCommerce – Order notifications, Order management, Lead management, Uptime Monitoring

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: PrettyLinks – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin

Vulnerability: Reflected Cross-Site Scripting via post_status
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: List category posts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.89.7
Recommended Action: Update to version 0.89.7, or a newer patched version

Plugin: WP CTA – Call To Action Plugin, Sticky CTA, Floating Buttons, Floating Tab Plugin

Vulnerability: Missing Authorization via Multiple AJAX Actions
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship

Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 2.2.28
Recommended Action: Update to version 2.2.28, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Reflected Cross-Site Scripting via campaign_id
Patched Version: 5.7.12
Recommended Action: Update to version 5.7.12, or a newer patched version

Plugin: Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 0.6.6
Recommended Action: Update to version 0.6.6, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.0.2
Recommended Action: Update to version 7.0.2, or a newer patched version

Plugin: Ultimate Addons for Beaver Builder – Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Icons Widget
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Frontend Dashboard

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Debug

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.11
Recommended Action: Update to version 1.11, or a newer patched version

Plugin: Spin 360 deg and 3D Model Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.2
Recommended Action: Update to version 1.13.2, or a newer patched version

Plugin: MailChimp Forms by MailMunch

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: DD Rating

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Podlove Podcast Publisher

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.10
Recommended Action: Update to version 4.0.10, or a newer patched version

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.3.3.1
Recommended Action: Update to version 1.3.3.1, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version

Plugin: Malware Scanner

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.7.3
Recommended Action: Update to version 4.7.3, or a newer patched version

Plugin: Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: coreActivity: Activity Logging plugin for WordPress

Vulnerability: IP Spoofing
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: WP Directory Kit

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: All In One Redirection

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.8.6
Recommended Action: Update to version 6.8.6, or a newer patched version

Plugin: Exclusive Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.9.1
Recommended Action: Update to version 2.6.9.1, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.1.0
Recommended Action: Update to version 5.3.1.0, or a newer patched version

Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.0.0
Recommended Action: Update to version 7.0.0, or a newer patched version

Plugin: Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More.

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting via process.php
Patched Version: 4.5.6
Recommended Action: Update to version 4.5.6, or a newer patched version

Plugin: Acme Fix Images – Regenerate Thumbnails

Vulnerability: Missing Authorization via acme_fix_images_ajax_callback
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Sticky Anything

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YITH WooCommerce Account Funds Premium

Vulnerability: Missing Authorization
Patched Version: 1.34.0
Recommended Action: Update to version 1.34.0, or a newer patched version

Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Creative Image Slider – Responsive Slider Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Tax Rate Upload

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.7.2
Recommended Action: Update to version 6.4.7.2, or a newer patched version

Plugin: Easy Appointments

Vulnerability: Insufficient Authorization
Patched Version: 3.11.19
Recommended Action: Update to version 3.11.19, or a newer patched version

Plugin: Sliced Invoices – WordPress Invoice Plugin

Vulnerability: Missing Authorization
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: NPS computy

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: The Ultimate Video Player For WordPress – by Presto Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Product Import Export for WooCommerce – Import Export Product CSV Suite

Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Breeze – WordPress Cache Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via breeze_api_token
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Woocommerce Social Media Share Buttons

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Custom Content Types and Fields
Patched Version: 2.7.31.2
Recommended Action: Update to one of the following versions, or a newer patched version: 2.7.31.2, 2.8.23.2, 2.9.19.2, 3.0.10.2

Plugin: WordPress CRM Plugin – WP-CRM System

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.9.1
Recommended Action: Update to version 3.2.9.1, or a newer patched version

Plugin: Co-marquage service-public.fr

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 0.5.72
Recommended Action: Update to version 0.5.72, or a newer patched version

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 12.3.17
Recommended Action: Update to version 12.3.17, or a newer patched version

Plugin: Hot Random Image

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Product Sort and Display for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.5.7
Recommended Action: Update to version 6.5.7, or a newer patched version

Plugin: Colibri Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.270
Recommended Action: Update to version 1.0.270, or a newer patched version

Plugin: LWS Optimize

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Convert Post Types

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Post Disclaimer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Mailster WordPress Newsletter Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Genesis Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Content
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Aparat for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: ElementsKit Elementor addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting <= 1.5.68
Patched Version: 1.5.69
Recommended Action: Update to version 1.5.69, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.2.7
Recommended Action: Update to version 4.2.7, or a newer patched version

Plugin: Header Image Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button
Patched Version: 2.8.0.7
Recommended Action: Update to version 2.8.0.7, or a newer patched version

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Comic Easel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: Hubbub Lite – Fast, Reliable Social Sharing Buttons

Vulnerability: PHP Object Injection
Patched Version: 1.33.2
Recommended Action: Update to version 1.33.2, or a newer patched version

Plugin: Button

Vulnerability: Authenticated (Contributor+) PHP Object Injection in button_shortcode
Patched Version: 1.1.28
Recommended Action: Update to version 1.1.28, or a newer patched version

Plugin: Paid Memberships Pro – Payfast Gateway Add On

Vulnerability: Unauthenticated Information Exposure
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Church Admin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.0.27
Recommended Action: Update to version 4.0.27, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Authenticated (Accounting Manager+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jeg Elementor Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Unauthenticated Local File Inclusion via modal
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Weekly Class Schedule

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Geo Controller

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.6.5
Recommended Action: Update to version 8.6.5, or a newer patched version

Plugin: Finale Lite – Sales Countdown Timer & Discount for WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation
Patched Version: 2.18.1
Recommended Action: Update to version 2.18.1, or a newer patched version

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Custom Content Types and Fields
Patched Version: 2.7.31.2
Recommended Action: Update to one of the following versions, or a newer patched version: 2.7.31.2, 2.8.23.2, 2.9.19.2, 3.0.10.2

Plugin: FG PrestaShop to WooCommerce

Vulnerability: Unauthenticated Sensitive Information Disclosure
Patched Version: 4.47.0
Recommended Action: Update to version 4.47.0, or a newer patched version

Plugin: Stackable – Page Builder Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Block
Patched Version: 3.12.12
Recommended Action: Update to version 3.12.12, or a newer patched version

Plugin: Better Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Missing Authorization
Patched Version: 6.1.8
Recommended Action: Update to version 6.1.8, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Clients Widget
Patched Version: 5.4.2
Recommended Action: Update to version 5.4.2, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via ‘Text Separator’ and ‘Image Compare’ Widget
Patched Version: 1.13.3
Recommended Action: Update to version 1.13.3, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Navigation
Patched Version: 3.20.2
Recommended Action: Update to version 3.20.2, or a newer patched version

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version

Plugin: Pz-LinkCard

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.12.11
Recommended Action: Update to version 6.12.11, or a newer patched version

Plugin: Property Hive

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible

Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 6.7.9
Recommended Action: Update to version 6.7.9, or a newer patched version

Plugin: W3SPEEDSTER

Vulnerability: Cross-Site Request Forgery via launch
Patched Version: 7.20
Recommended Action: Update to version 7.20, or a newer patched version

Plugin: wp-forecast

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version

Plugin: CM Download Manager – Document and File Management

Vulnerability: Cross-Site Request Forgery via delHeader
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version

Plugin: Move Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: CRM Perks Forms – WordPress Form Builder

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Better Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via widget links
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: WooCommerce Customers Manager

Vulnerability: Missing Authorization to Information Exposure
Patched Version: 29.8
Recommended Action: Update to version 29.8, or a newer patched version

Plugin: Thumbs Rating

Vulnerability: Unauthenticated Insecure Direct Object Reference
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dracula Dark Mode – Enhanced Accessibility, Dark Mode & Reading Mode for WordPress

Vulnerability: The Revolutionary Dark Mode Plugin For WordPress <= 1.0.8
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Photo Gallery by Ays – Responsive Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.3
Recommended Action: Update to version 5.5.3, or a newer patched version

Plugin: WP Fast Total Search – The Power of Indexed Search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via WPFTS Live Search Widget
Patched Version: 1.60.213
Recommended Action: Update to version 1.60.213, or a newer patched version

Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via ratings
Patched Version: 3.4.6
Recommended Action: Update to version 3.4.6, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Form Widget SVGZ File Upload
Patched Version: 3.20.2
Recommended Action: Update to version 3.20.2, or a newer patched version

Plugin: WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version

Plugin: Tumult Hype Animations

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.9.12
Recommended Action: Update to version 1.9.12, or a newer patched version

Plugin: Fullscreen Galleria

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.12
Recommended Action: Update to version 1.6.12, or a newer patched version

Plugin: Web Icons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.0.11
Recommended Action: Update to version 1.0.0.11, or a newer patched version

Plugin: WordPress Simple HTML Sitemap

Vulnerability: Missing Authorization
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: AdsPlace'r – Ad Manager, Inserter, AdSense Ads

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Locatoraid Store Locator

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.9.31
Recommended Action: Update to version 3.9.31, or a newer patched version

Plugin: CRM Perks Forms – WordPress Form Builder

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Authenticated (Accounting Manager+) SQL Injection via id
Patched Version: 1.13.0
Recommended Action: Update to version 1.13.0, or a newer patched version

Plugin: Compact WP Audio Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via fileurl
Patched Version: 1.9.10
Recommended Action: Update to version 1.9.10, or a newer patched version

Plugin: Webinar and Video Conference with Jitsi Meet – Create Branded Webinars for WordPress, Meetings & Livestreaming

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: CM Download Manager – Document and File Management

Vulnerability: Cross-Site Request Forgery via unpublishHeader
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version

Plugin: Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version

Plugin: Sharkdropship Dropshipping & Affiliate for AliExpress

Vulnerability: Missing Authorization
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: SEO Title Tag

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ePoll – Best WordPress Voting Plugin for Poll & Contest

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Multiple Page Generator Plugin – MPG

Vulnerability: Missing Authorization via mpg_get_log_by_project_id
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: WooCommerce Multilingual & Multicurrency with WPML

Vulnerability: Missing Authorization
Patched Version: 5.3.5
Recommended Action: Update to version 5.3.5, or a newer patched version

Plugin: Football Pool

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.11.4
Recommended Action: Update to version 2.11.4, or a newer patched version

Plugin: Simple Buttons Creator

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Add Button
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
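
Nearly every entry above ends with "update to version X, or a newer patched version", and that is only actionable if you compare installed versions correctly: a plain string comparison calls 1.9.9 newer than 1.9.10 and 1.0.0.9 newer than 1.0.0.11. The script below is an added example, not code from this post or from any of the plugins listed. It takes the JSON that `wp plugin list --fields=title,version,status --format=json` prints (the sample inventory embedded in it is constructed, and matching on the plugin title assumes the site reports titles exactly as the advisory spells them) and reports which installed plugins are below the patched version or have no patch at all. Versions are compared numerically with zero padding, mirroring the semantics of PHP's version_compare(), which WordPress's own update check uses.

```python
"""Added example (not part of the Watch Out Wednesday post): triage an installed
WordPress plugin inventory against this week's patched-version list."""
import json
import re

# Patched versions copied from the entries above. None = no patched version available.
ADVISORY = {
    "WP Travel Engine – Tour Booking Plugin – Tour Operator Software": "5.8.0",
    "Tumult Hype Animations": "1.9.12",
    "Web Icons": "1.0.0.11",
    "WordPress Simple HTML Sitemap": "2.8",
    "Compact WP Audio Player": "1.9.10",
    "ePoll – Best WordPress Voting Plugin for Poll & Contest": "3.4",
    "AdsPlace'r – Ad Manager, Inserter, AdSense Ads": None,
    "Simple Buttons Creator": None,
}

# Constructed sample of `wp plugin list --fields=title,version,status --format=json`
# output. The versions and statuses are made up for this demonstration.
SAMPLE_INVENTORY = json.dumps([
    {"title": "Tumult Hype Animations", "version": "1.9.9", "status": "active"},
    {"title": "Web Icons", "version": "1.0.0.9", "status": "active"},
    {"title": "WordPress Simple HTML Sitemap", "version": "2.8", "status": "active"},
    {"title": "Compact WP Audio Player", "version": "1.9.10", "status": "inactive"},
    {"title": "ePoll – Best WordPress Voting Plugin for Poll & Contest",
     "version": "3.4.1", "status": "active"},
    {"title": "Simple Buttons Creator", "version": "1.04", "status": "active"},
    {"title": "Akismet Anti-spam: Spam Protection", "version": "5.3.1", "status": "active"},
])

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(text):
    """Turn '1.9.10' into ((1, 9, 10), 1). The second element is a release flag:
    a trailing suffix such as '-beta1' gives 0, so it sorts below the bare release,
    roughly as version_compare() treats pre-release tags."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, (0 if m.group(2) else 1)


def compare_versions(a, b):
    """Return -1, 0 or 1 like version_compare(). Short versions are zero-padded so
    that '2.8' == '2.8.0' and '1.0.0.9' < '1.0.0.11' (a string compare gets both wrong)."""
    na, flag_a = parse_version(a)
    nb, flag_b = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    key_a, key_b = (na, flag_a), (nb, flag_b)
    return (key_a > key_b) - (key_a < key_b)


def triage(inventory_json, advisory=ADVISORY):
    """Return {title: verdict} for every installed plugin that appears in the advisory.
    Inactive plugins are still reported: their files stay on disk and may remain
    reachable by direct request, so 'inactive' is not a mitigation."""
    verdicts = {}
    for plugin in json.loads(inventory_json):
        title = plugin["title"]
        if title not in advisory:
            continue
        patched = advisory[title]
        if patched is None:
            verdicts[title] = "no patch: remove or mitigate"
        elif compare_versions(plugin["version"], patched) < 0:
            verdicts[title] = f"vulnerable: update {plugin['version']} -> {patched}"
        else:
            verdicts[title] = "patched"
    return verdicts


if __name__ == "__main__":
    # On a real site: wp plugin list --fields=title,version,status --format=json | python3 this.py
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INVENTORY
    for title, verdict in sorted(triage(source).items()):
        print(f"{verdict:40s} {title}")
```

Run it with the WP-CLI output piped in (or with no input to see the constructed sample). Anything marked "no patch" maps to the advisory's last-resort advice: treat the plugin as untrusted code and remove it unless you have a mitigation, such as a WAF rule or restricting the affected page, that you have actually tested.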

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
