Watch Out Wednesday – August 14, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Gallery
Patched Version: 3.59.3
Recommended Action: Update to version 3.59.3, or a newer patched version

Plugin: User Submitted Posts – Enable Users to Submit Posts from the Front End

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 20240516
Recommended Action: Update to version 20240516, or a newer patched version

Plugin: Photo Engine (Media Organizer & Lightroom)

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 6.3.2
Recommended Action: Update to version 6.3.2, or a newer patched version

Plugin: Leopard – WordPress Offload Media

Vulnerability: WordPress offload media <= 2.0.36
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Modern Events Calendar

Vulnerability: Authenticated (Subscriber+) Server Side Request Forgery
Patched Version: 7.13.0
Recommended Action: Update to version 7.13.0, or a newer patched version

Plugin: Send email only on Reply to My Comment

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Authenticated (Shop Manager+) Arbitrary Options Update
Patched Version: 1.3.6.2
Recommended Action: Update to version 1.3.6.2, or a newer patched version

Plugin: TOCHAT.BE

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Unite Gallery Lite

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Currency Settings
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Organization chart

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via title_input and node_description Parameters
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: WP Affiliate Platform

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version

Plugin: Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.19
Recommended Action: Update to version 2.6.19, or a newer patched version

Plugin: WP Dashboard Notes

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version

Plugin: WooCommerce Customers Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 30.2
Recommended Action: Update to version 30.2, or a newer patched version

Plugin: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.15.7
Recommended Action: Update to version 1.15.7, or a newer patched version

Plugin: Timeline Module for Beaver Builder

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Search Analytics for WP

Vulnerability: Missing Authorization
Patched Version: 1.4.10
Recommended Action: Update to version 1.4.10, or a newer patched version

Plugin: Order Export for WooCommerce

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 3.24
Recommended Action: Update to version 3.24, or a newer patched version

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Cross-Site Request Forgery to Opt-out
Patched Version: 5.4.0
Recommended Action: Update to version 5.4.0, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.6.12
Recommended Action: Update to version 5.6.12, or a newer patched version

Plugin: Linkify Text

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-PostRatings

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.91.2
Recommended Action: Update to version 1.91.2, or a newer patched version

Plugin: Slider by Soliloquy – Responsive Image Slider for WordPress

Vulnerability: Missing Authorization to Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version

Plugin: Indeed Membership Pro

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 12.8
Recommended Action: Update to version 12.8, or a newer patched version

Plugin: WP Fast Total Search – The Power of Indexed Search

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.69.234
Recommended Action: Update to version 1.69.234, or a newer patched version

Plugin: Robin image optimizer — save money on image compression

Vulnerability: Missing Authorization
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Flaming Forms

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event post

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 5.9.6
Recommended Action: Update to version 5.9.6, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Unauthenticated Limited Privilege Escalation to Instructor
Patched Version: 3.3.24
Recommended Action: Update to version 3.3.24, or a newer patched version

Plugin: WP MultiTasking – WP Utilities

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Participants Database

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.5.9.3
Recommended Action: Update to version 2.5.9.3, or a newer patched version

Plugin: Wp EMember

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 10.7.0
Recommended Action: Update to version 10.7.0, or a newer patched version

Plugin: WooCommerce – PDF Vouchers

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.5
Recommended Action: Update to version 4.9.5, or a newer patched version

Plugin: Smart Online Order for Clover

Vulnerability: Missing Authorization
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: Fuse Social Floating Sidebar

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via File Upload
Patched Version: 5.4.11
Recommended Action: Update to version 5.4.11, or a newer patched version

Plugin: Compute Links

Vulnerability: Unauthenticated Remote File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ParcelPanel (Free to install) – Shipment Tracking, Tracking, and Order Tracking for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Obfuscate Email

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Cooked – Recipe Management

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Sign-up Sheets

Vulnerability: Missing Authorization
Patched Version: 2.2.13
Recommended Action: Update to version 2.2.13, or a newer patched version

Plugin: Paid Memberships Pro – Member Directory Add On

Vulnerability: Member Directory Add On < 1.2.6
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: WP Affiliate Platform

Vulnerability: Cross-Site Request Forgery to Affiliate Deletion
Patched Version: 6.5.2
Recommended Action: Update to version 6.5.2, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Accordion Block
Patched Version: 2.2.88
Recommended Action: Update to version 2.2.88, or a newer patched version

Plugin: Themify Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Docket (WooCommerce Collections / Wishlist / Watchlist)

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post/Page Deletion
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Docket (WooCommerce Collections / Wishlist / Watchlist)

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Secure Copy Content Protection and Content Locking

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.1.7
Recommended Action: Update to version 4.1.7, or a newer patched version

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.26.1
Recommended Action: Update to version 1.26.1, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via onclick events
Patched Version: 5.6.12
Recommended Action: Update to version 5.6.12, or a newer patched version

Plugin: WP eStore

Vulnerability: Reflected Cross-Site Scripting via Product Editing
Patched Version: 8.5.6
Recommended Action: Update to version 8.5.6, or a newer patched version

Plugin: Ditty – Responsive News Tickers, Sliders, and Lists

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.45
Recommended Action: Update to version 3.1.45, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: Product Designer

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Attachment Deletion
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version

Plugin: WPBITS Addons For Elementor Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin

Vulnerability: Unauthenticated PHP Code Injection to Remote Code Execution
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: PDF Builder for WPForms

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 1.2.117
Recommended Action: Update to version 1.2.117, or a newer patched version

Plugin: Enter Addons – Ultimate Template Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Message Filter for Contact Form 7

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: WP eStore

Vulnerability: Reflected Cross-Site Scripting via Customer Search
Patched Version: 8.5.6
Recommended Action: Update to version 8.5.6, or a newer patched version

Plugin: WooCommerce Report

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Push Notification for Post and BuddyPress

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.94
Recommended Action: Update to version 1.94, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.24.8
Recommended Action: Update to version 4.24.8, or a newer patched version

Plugin: Reveal Template

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart Online Order for Clover

Vulnerability: Missing Authorization
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: WooCommerce – PDF Vouchers

Vulnerability: Missing Authorization
Patched Version: 4.9.5
Recommended Action: Update to version 4.9.5, or a newer patched version

Plugin: Leopard – WordPress Offload Media

Vulnerability: WordPress offload media <= 2.0.36
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Seriously Simple Podcasting

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: Bug Library

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: EventON

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.15
Recommended Action: Update to version 2.2.15, or a newer patched version

Plugin: Store Locator Plus® for WordPress

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WpStickyBar – Sticky Bar, Sticky Header

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quotes and Tips by BestWebSoft

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.45
Recommended Action: Update to version 1.45, or a newer patched version

Plugin: Indeed Membership Pro

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 12.8
Recommended Action: Update to version 12.8, or a newer patched version

Plugin: WP Ajax Contact Form

Vulnerability: Cross-Site Request Forgery to Arbitrary Email Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: If-So Dynamic Content Personalization

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.0.4
Recommended Action: Update to version 1.8.0.4, or a newer patched version

Plugin: پلاگین پرداخت دلخواه

Vulnerability: Cross-Site Request Forgery to Form Setting Reset
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version

Plugin: Viral Signup – limited opt-in with viral refferal sharing

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.0.8.7
Recommended Action: Update to version 2.0.8.7, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 6.0.0.2
Recommended Action: Update to version 6.0.0.2, or a newer patched version

Plugin: Edubin

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chatbot for WordPress by Collect.chat ⚡️

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: WP Ajax Contact Form

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DL Verification

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Aruba HiSpeed Cache

Vulnerability: Missing Authorization
Patched Version: 2.0.13
Recommended Action: Update to version 2.0.13, or a newer patched version

Plugin: Better Find and Replace

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: 1.1.7
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Instructor+) Stored Cross-Site Scripting
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version

Plugin: Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: Community Events

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: WPS Hide Login

Vulnerability: Login Page Disclosure
Patched Version: 1.9.16.4
Recommended Action: Update to version 1.9.16.4, or a newer patched version

Plugin: Ultimate Addons for Beaver Builder – Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.10
Recommended Action: Update to version 1.5.10, or a newer patched version

Plugin: Request a Quote

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: VikRentCar Car Rental Management System

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Bit Form Pro

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.6.9
Recommended Action: Update to version 4.2.6.9, or a newer patched version

Plugin: Ultimate WordPress Auction Plugin

Vulnerability: Missing Authorization to Unauthenticated Email Creation
Patched Version: 4.2.8
Recommended Action: Update to version 4.2.8, or a newer patched version

Plugin: Registrations for the Events Calendar – Event Registration Plugin

Vulnerability: Missing Authorization
Patched Version: 2.12.2
Recommended Action: Update to version 2.12.2, or a newer patched version

Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers

Vulnerability: Missing Authorization
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Viral Signup – limited opt-in with viral refferal sharing

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BerqWP – Automated All-In-One PageSpeed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Watu Quiz

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.4.1.2
Recommended Action: Update to version 3.4.1.2, or a newer patched version

Plugin: Post Duplicator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.17
Recommended Action: Update to version 2.17, or a newer patched version

Plugin: Buddyboss Platform

Vulnerability: Insecure Direct Object Reference to Authenticated (Subscriber+) Link on Private Post
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Extensions for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.32
Recommended Action: Update to version 2.0.32, or a newer patched version

Plugin: WHMpress – WHMCS WordPress Integration Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.11
Recommended Action: Update to version 3.8.11, or a newer patched version

Plugin: Cost Calculator Builder

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.2.16
Recommended Action: Update to version 3.2.16, or a newer patched version

Plugin: WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.0.5
Recommended Action: Update to version 6.0.5, or a newer patched version

Plugin: Backup and Restore WordPress – Backup Plugin

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Product Table Lite

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 3.8.6
Recommended Action: Update to version 3.8.6, or a newer patched version

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Tin Canny Reporting for LearnDash

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.0.8
Recommended Action: Update to version 4.3.0.8, or a newer patched version

Plugin: Simple Local Avatars

Vulnerability: Cross-Site Request Forgery via save_default_avatar_file_id()
Patched Version: 2.7.11
Recommended Action: Update to version 2.7.11, or a newer patched version

Plugin: YaMaps for WordPress Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Missing Authorization via calendar_event_create()
Patched Version: 4.0.4.0
Recommended Action: Update to version 4.0.4.0, or a newer patched version

Plugin: Ultimate Bootstrap Elements for Elementor

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.6.12
Recommended Action: Update to version 5.6.12, or a newer patched version

Plugin: Ajax Search Lite – Live Search & Filter

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.12.1
Recommended Action: Update to version 4.12.1, or a newer patched version

Plugin: Kubio AI Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version

Plugin: Bit Form Pro

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Feed Gallery

Vulnerability: Missing Authorization
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: Ultimate WordPress Auction Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version

Plugin: Timetable and Event Schedule by MotoPress

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 2.4.14
Recommended Action: Update to version 2.4.14, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated (Contributor+) SQL Injection via order Parameter
Patched Version: 4.2.6.9.4
Recommended Action: Update to version 4.2.6.9.4, or a newer patched version

Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.3.62
Recommended Action: Update to version 2.3.62, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via no_more_items_text Parameter
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version

Plugin: Custom 404 Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Authentication Bypass to Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Call Now Accessibility Button

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Cooked – Recipe Management

Vulnerability: Cross-Site Request Forgery via cooked_get_recipe_ids
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Bitly's WordPress Plugin

Vulnerability: Missing Authorization
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 4.2.6.9
Recommended Action: Update to version 4.2.6.9, or a newer patched version

Plugin: Selection Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.12
Recommended Action: Update to version 1.12, or a newer patched version

Plugin: Slider by 10Web – Responsive Image Slider

Vulnerability: Authenticated (Contributor+) SQL Injection via id Parameter
Patched Version: 1.2.58
Recommended Action: Update to version 1.2.58, or a newer patched version

Plugin: Contact Form Widget – Contact Query, Contact Page, Form Maker, Query Table

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Brizy – Page Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Send Emails with Mandrill

Vulnerability: Missing Authorization
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: No Update Nag

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bit Form Pro

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HTML Forms – Simple WordPress Forms Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.33
Recommended Action: Update to version 1.3.33, or a newer patched version

Plugin: ElementsKit Elementor addons

Vulnerability: Unauthenticated Information Exposure via ekit_widgetarea_content Function
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: WHMpress – WHMCS WordPress Integration Plugin

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Encoder – Protect Email Addresses and Phone Numbers

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Hostel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.5.3
Recommended Action: Update to version 1.1.5.3, or a newer patched version

Plugin: Icegram Collect – Easy Form, Lead Collection and Subscription plugin

Vulnerability: Missing Authorization
Patched Version: 1.3.15
Recommended Action: Update to version 1.3.15, or a newer patched version

Plugin: Paid Memberships Pro – Membership Maps Add On

Vulnerability: Membership Maps Add On < 0.7
Patched Version: 0.7
Recommended Action: Update to version 0.7, or a newer patched version

Plugin: weMail – Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.14.6
Recommended Action: Update to version 1.14.6, or a newer patched version

Plugin: Advanced Cron Manager – debug & control

Vulnerability: Missing Authorization
Patched Version: 2.5.10
Recommended Action: Update to version 2.5.10, or a newer patched version

Plugin: WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly

Vulnerability: Missing Authorization
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: Cooked – Recipe Management

Vulnerability: Cross-Site Request Forgery to Template Reset
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Hide My WP Ghost – Security & Firewall

Vulnerability: Login Page Disclosure
Patched Version: 5.2.02
Recommended Action: Update to version 5.2.02, or a newer patched version

Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.4.3
Recommended Action: Update to version 1.4.4.3, or a newer patched version

Plugin: Cooked – Recipe Management

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Gallery and Countdown Widgets
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version

Plugin: Smart Image Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version

Plugin: Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.16
Recommended Action: Update to version 2.6.16, or a newer patched version

Plugin: Product Enquiry for WooCommerce

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Plugin: Create by Mediavine

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version

Plugin: Job Board Manager

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.1.59
Recommended Action: Update to version 2.1.59, or a newer patched version

Plugin: Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: DL Yandex Metrika

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Backup and Restore WordPress – Backup Plugin

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress File Upload

Vulnerability: Missing Authorization
Patched Version: 4.24.8
Recommended Action: Update to version 4.24.8, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.15.1
Recommended Action: Update to version 2.15.1, or a newer patched version

Plugin: Masteriyo LMS – eLearning and Online Course Builder for WordPress

Vulnerability: LMS <= 1.11.4
Patched Version: 1.11.5
Recommended Action: Update to version 1.11.5, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag
Patched Version: 5.7.7
Recommended Action: Update to version 5.7.7, or a newer patched version

Plugin: Lightbox & Modal Popup WordPress Plugin – FooBox

Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes
Patched Version: 2.7.32
Recommended Action: Update to version 2.7.32, or a newer patched version

Plugin: Social Slider Feed

Vulnerability: Missing Authorization
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: WPForms User Registration

Vulnerability: Missing Authorization to Authenticated (Contributor+) Privilege Escalation
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: wpsection

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: JetGridBuilder — Grid Builder for Elementor and Gutenberg

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: TrueBooker – Appointment Booking and Scheduler Plugin.

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Missing Authorization
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version

Plugin: CM Tooltip Glossary

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.9
Recommended Action: Update to version 4.3.9, or a newer patched version

Plugin: DL Robots.txt

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media Library Assistant

Vulnerability: Authenticated (Author+) Arbitrary File Upload via mla-inline-edit-upload-scripts AJAX Action
Patched Version: 3.19
Recommended Action: Update to version 3.19, or a newer patched version

Plugin: Meta Box

Vulnerability: Missing Authorization to Information Exposure
Patched Version: 5.9.11
Recommended Action: Update to version 5.9.11, or a newer patched version

Plugin: WP Table Builder – WordPress Table Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Unauthenticated Information Exposure
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: WP MultiTasking – WP Utilities

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mail Masta

Vulnerability: Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP MultiTasking – WP Utilities

Vulnerability: Cross-Site Request Forgery to Exit Popup Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress File Upload

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.24.8
Recommended Action: Update to version 4.24.8, or a newer patched version

Plugin: Business Card

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DN Popup

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: WP Custom Cursors | WordPress Cursor Plugin

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.5.9
Recommended Action: Update to version 3.5.9, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Authenticated (Contributor+) Arbitrary File Read
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version

Plugin: Secure Copy Content Protection and Content Locking

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.1.7
Recommended Action: Update to version 4.1.7, or a newer patched version

Plugin: Mega Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN

Vulnerability: Missing Authorization
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: CM Pop-Up Banners for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Shortcodes Ultimate Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version

Plugin: Easy PayPal & Stripe Buy Now Button

Vulnerability: Unauthenticated Open Redirect
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Opti Marketing

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: StreamCast – Radio Player for WordPress

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Christmasify!

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Filter & Grids

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.34
Recommended Action: Update to version 2.8.34, or a newer patched version

Plugin: WpStickyBar – Sticky Bar, Sticky Header

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.27
Recommended Action: Update to version 1.15.27, or a newer patched version

Plugin: Football Pool

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.11.10
Recommended Action: Update to version 2.11.10, or a newer patched version

Plugin: Filr – Secure document library

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Content Deletion and Arbitrary Title Update
Patched Version: 4.10.39
Recommended Action: Update to version 4.10.39, or a newer patched version

Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version

Plugin: CZ Loan Management

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MyBookTable Bookstore by Stormhill Media

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: BizCalendar Web

Vulnerability: Reflected Cross-Site Scripting via ‘tab’
Patched Version: 1.1.0.26
Recommended Action: Update to version 1.1.0.26, or a newer patched version

Plugin: Indeed Membership Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 12.8
Recommended Action: Update to version 12.8, or a newer patched version

Plugin: Kodex Posts likes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cooked – Recipe Management

Vulnerability: Authenticated (Contributor+) HTML Injection
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Sign-up Sheets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.13
Recommended Action: Update to version 2.2.13, or a newer patched version

Plugin: WP Bannerize Pro

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Backup and Staging by WP Time Capsule

Vulnerability: Authentication Bypass to Account Takeover
Patched Version: 1.22.21
Recommended Action: Update to version 1.22.21, or a newer patched version

Plugin: WordPress Exit Strategy

Vulnerability: Information Exposure
Patched Version: 1.59
Recommended Action: Update to version 1.59, or a newer patched version

Plugin: Bridge Core

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: FormCraft – Form Builder

Vulnerability: Missing Authorization
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version

Plugin: SpiderContacts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Black Widgets For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Unauthenticated Information Exposure
Patched Version: 1.26.9
Recommended Action: Update to version 1.26.9, or a newer patched version

Plugin: LA-Studio Element Kit for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.9.3
Recommended Action: Update to version 1.3.9.3, or a newer patched version

Plugin: Export All URLs

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: WP MultiTasking – WP Utilities

Vulnerability: Cross-Site Request Forgery to SMTP Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LiquidPoll – Polls, Surveys, NPS and Feedback Reviews

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.3.78
Recommended Action: Update to version 3.3.78, or a newer patched version

Plugin: WooCommerce – PDF Vouchers

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 4.9.5
Recommended Action: Update to version 4.9.5, or a newer patched version

Plugin: Event Tickets with Ticket Scanner

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: Card Elements for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Filter & Grids

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: Graphina – Elementor Charts and Graphs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Missing Authorization
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version

Plugin: Flaming Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: If-So Dynamic Content Personalization

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.8.0.4
Recommended Action: Update to version 1.8.0.4, or a newer patched version

Plugin: Falang multilanguage for WordPress

Vulnerability: Missing Authorization to Translation Update and Information Exposure
Patched Version: 1.3.53
Recommended Action: Update to version 1.3.53, or a newer patched version

Plugin: MainWP Child Reports

Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: TrueBooker – Appointment Booking and Scheduler Plugin.

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.87
Recommended Action: Update to version 2.2.87, or a newer patched version

Plugin: My Custom CSS PHP & ADS

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HTML Forms – Simple WordPress Forms Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.34
Recommended Action: Update to version 1.3.34, or a newer patched version

Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version

Plugin: Opal Membership

Vulnerability: Authenticated (Subscriber+) Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.2.29
Recommended Action: Update to version 2.2.29, or a newer patched version

Plugin: Secure Copy Content Protection and Content Locking

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 10.8
Recommended Action: Update to version 10.8, or a newer patched version

Plugin: Web Directory Free

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Export Products, Order & Customers for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version

Plugin: Mediavine Control Panel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.10.5
Recommended Action: Update to version 2.10.5, or a newer patched version

Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Vulnerability: Unauthenticated Information Disclosure via Unprotected Directories
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version

Plugin: WS Contact Form

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Simple Share

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ووکامرس فارسی

Vulnerability: Missing Authorization
Patched Version: 9.0.0
Recommended Action: Update to version 9.0.0, or a newer patched version

Plugin: Employee, Leave and Recruitment Management System – Crew HRM

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: BuddyPress Members Only

Vulnerability: Improper Access Control to Sensitive Information Exposure via REST API
Patched Version: 4.4.9
Recommended Action: Update to version 4.4.9, or a newer patched version

Plugin: Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer

Vulnerability: Missing Authorization
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Timeline and History slider

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: robotcpa

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CM WordPress Search And Replace Plugin

Vulnerability: Cross-Site Request Forgery to Plugin Setting Reset
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Chatbot Support AI: Free ChatGPT Chatbot, Woocommerce Chatbot

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Authenticated (Accounting Manager+) SQL Injection via vendor_id
Patched Version: 1.13.1
Recommended Action: Update to version 1.13.1, or a newer patched version

Plugin: Buddyboss Platform

Vulnerability: Insecure Direct Object Reference to Authenticated (Subscriber+) Comment on Private Post
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: TypeSquare Webfonts for エックスサーバー

Vulnerability: Missing Authorization via typesquare_admin_init()
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Masteriyo LMS – eLearning and Online Course Builder for WordPress

Vulnerability: LMS <= 1.11.6
Patched Version: 1.12.0
Recommended Action: Update to version 1.12.0, or a newer patched version

Plugin: Shared Files – Frontend File Upload Form & Secure File Sharing

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.7.29
Recommended Action: Update to version 1.7.29, or a newer patched version

Plugin: Waitlist Woocommerce ( Back in stock notifier )

Vulnerability: Missing Authorization
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Community Events

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Agreement Text
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: WordPress Webinar Plugin – WebinarPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.33.21
Recommended Action: Update to version 1.33.21, or a newer patched version

Plugin: BSK Forms Blacklist

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.1
Recommended Action: Update to version 3.8.1, or a newer patched version

Plugin: Web Directory Free

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: WP MultiTasking – WP Utilities

Vulnerability: Cross-Site Request Forgery to Welcome Popup Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Widgets for WooCommerce Products on Elementor

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AMP for WP – Accelerated Mobile Pages

Vulnerability: Missing Authorization
Patched Version: 1.0.97
Recommended Action: Update to version 1.0.97, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Missing Authorization to Unauthenticated Media Upload
Patched Version: 3.11.8
Recommended Action: Update to version 3.11.8, or a newer patched version

Plugin: Search & Filter Pro

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.5.18
Recommended Action: Update to version 2.5.18, or a newer patched version

Plugin: BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.9
Recommended Action: Update to version 3.5.9, or a newer patched version

Plugin: Opal Membership

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.27
Recommended Action: Update to version 5.9.27, or a newer patched version

Plugin: Page Builder Gutenberg Blocks – CoBlocks

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.1.13
Recommended Action: Update to version 3.1.13, or a newer patched version

Plugin: Bit Form Pro

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: House Manager – Easy Renter Management System for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP QuickLaTeX

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.8
Recommended Action: Update to version 3.8.8, or a newer patched version

Plugin: Accept Stripe Payments

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via accept_stripe_payment_ng Shortcode
Patched Version: 2.0.87
Recommended Action: Update to version 2.0.87, or a newer patched version

Plugin: WooCommerce – Social Login

Vulnerability: Social Login <= 2.7.5
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: Send email only on Reply to My Comment

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Football Pool

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.12.1
Recommended Action: Update to version 2.12.1, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Missing Authorization
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: WP eStore

Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 8.5.6
Recommended Action: Update to version 8.5.6, or a newer patched version

Plugin: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.12.14
Recommended Action: Update to version 1.12.14, or a newer patched version

Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: Backup and Restore WordPress – Backup Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.1.0
Recommended Action: Update to version 9.1.0, or a newer patched version

Plugin: Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.11
Recommended Action: Update to version 3.4.11, or a newer patched version

Plugin: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
